Can't get any updates on antivirus/antispyware software

Post by abraxas » November 30th, 2008, 7:11 pm

I've been trying to resolve a problem with antivirus web pages being blocked. The URL box says, e.g., http://www.avg.com, but the page is empty and the status bar says the page loading process is done. It acts the same way from Firefox and from IE/Avant Browser.
I can't start Spybot S&D, and I can't get any updates for AVG, Spybot or Ad-Aware... Even HijackThis didn't want to install itself; I had to copy HijackThis.exe from another machine and run it from the USB drive.

Here is the HijackThis log I've created:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:37:38 PM, on 11/30/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\Logi_MwX.Exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Winamp\winampa.exe
C:\Program Files\QuickTime\QTTask.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\POP Peeper\POPPeeper.exe
C:\Program Files\SpybotSD\TeaTimer.exe
C:\RocketDock\RocketDock.exe
C:\Program Files\BigFix\BigFix.exe
C:\WINDOWS\system32\sistray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\TC PowerPack\totalcmd.exe
E:\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: (no name) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - (no file)
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [POP Peeper] "C:\Program Files\POP Peeper\POPPeeper.exe" -min
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\SpybotSD\TeaTimer.exe
O4 - HKCU\..\Run: [RocketDock] "C:\RocketDock\RocketDock.exe"
O4 - Startup: Yahoo! Widgets.lnk = C:\Program Files\Yahoo!\WidgetEngine\YahooWidgets.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} -
O16 - DPF: {1A1F56AA-3401-46F9-B277-D57F3421F821} -
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} -
O16 - DPF: {615F158E-D5CA-422F-A8E7-F6A5EED7063B} -
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} -
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} -
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} -
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

--
End of file - 4546 bytes
abraxas
Active Member
 
Posts: 10
Joined: November 30th, 2008, 6:52 pm

Re: Can't get any updates on antivirus/antispyware software

Post by Carolyn » December 4th, 2008, 3:44 pm

Hello and Welcome to the forums!

My name is Carolyn and I'll be glad to help you with your computer problems. HijackThis logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that it happens.

Please do not run any other tool until instructed to do so!
Please reply to this thread, do not start another!
Please tell me about any problems that have occurred during the fix.
Please tell me of any other symptoms you may be having as these can help also.
Please try as much as possible not to run anything while executing a fix.


If you follow these instructions, everything should go smoothly.


Do you have access to a clean computer? If you do, can you download tools from the clean computer and transfer them to the desktop of the infected computer using your USB Flash drive?
Carolyn
MRU Emeritus
 
Posts: 4701
Joined: April 18th, 2007, 9:36 am
Location: Maine

Re: Can't get any updates on antivirus/antispyware software

Post by abraxas » December 4th, 2008, 5:00 pm

Do you have access to a clean computer? If you do, can you download tools from the clean computer and transfer them to the desktop of the infected computer using your USB Flash drive?


Thank you for taking my "case". I was getting ready to kill the XP on my "sick" laptop as soon as I got home, but I'll wait to see if we can clean it first...

Yes, I do have access to a clean machine, and I have a USB Flash drive as well.
I'm currently at work, approximately 90 minutes from arriving back home. I might use this time to download the tools you recommend, since I have my USB Flash drive with me.

What tools do you want me to download?

Abraxas
abraxas
Active Member
 
Posts: 10
Joined: November 30th, 2008, 6:52 pm

Re: Can't get any updates on antivirus/antispyware software

Post by Carolyn » December 4th, 2008, 5:24 pm

Download the tools needed to a flash drive or other removable media, and transfer them to the infected computer.

***************************************************

Download ComboFix from one of these locations:

Link 1
Link 2
Link 3

**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------

With malware infections being as they are today, it's strongly recommended to have the Windows Recovery Console pre-installed on your machine before doing any malware removal.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.


Go to Microsoft's website => http://support.microsoft.com/kb/310994

Select the download that's appropriate for your Operating System

Image


Download the file & save it as it's originally named.


---------------------------------------------------------------------

Transfer all files you just downloaded, to the desktop of the infected computer.

--------------------------------------------------------------------


Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

Image


  • Drag the setup package onto ComboFix.exe and drop it.


  • Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.


    Image



  • At the next prompt, click 'Yes' to run the full ComboFix scan.


  • When the tool is finished, it will produce a report for you.
Please post the C:\ComboFix.txt in your next reply along with a fresh HijackThis log.

Note: You should be able to do these steps in Normal Mode. If the malware prevents you from doing so, please try these steps again in Safe Mode.
Carolyn
MRU Emeritus
 
Posts: 4701
Joined: April 18th, 2007, 9:36 am
Location: Maine

Re: Can't get any updates on antivirus/antispyware software

Post by abraxas » December 4th, 2008, 8:02 pm

I'm sorry, Carolyn, but my attempt to finish the steps you suggested was a complete disaster.
1. I downloaded combofix.exe and the file for the Recovery Console installation from the Microsoft website and copied them to the desktop of the infected computer.
2. Dragging the Microsoft file on top of the combofix.exe icon did not do a thing. I'm guessing that malware is stopping combofix.exe from launching.
3. Trying to boot into "Safe Mode" or "Safe Mode with Networking" was not a success. I tried 8 times, and each time my computer got stuck on the black screen with "Safe Mode" text in each corner of the screen. To be sure it wouldn't boot, I waited around 7-8 minutes each time before performing a hard turn-off (holding the power button for more than 4 seconds).

This isn't going to be a smooth task, is it?

Any suggestions?
abraxas
Active Member
 
Posts: 10
Joined: November 30th, 2008, 6:52 pm

Re: Can't get any updates on antivirus/antispyware software

Post by Carolyn » December 5th, 2008, 8:52 am

Hang in there, abraxas - this stretch of road is a little bumpy, but we will get where we need to go. ;)

Can you still boot to Normal Mode? On the assumption that you can, I am sending you a PM (Personal Message) with additional instructions.
Carolyn
MRU Emeritus
 
Posts: 4701
Joined: April 18th, 2007, 9:36 am
Location: Maine

Re: Can't get any updates on antivirus/antispyware software

Post by abraxas » December 5th, 2008, 1:52 pm

I had to go into Safe Mode, and I was able to start ComboFix.
Here is the log:

ComboFix 08-12-04.04 - Owner 2008-12-05 11:29:46.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.749 [GMT -5:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Downloaded Program Files\setup.inf
c:\windows\system32\dckfijcf.ini
c:\windows\system32\Drivers\TDSSmxoe.sys
c:\windows\system32\houxaybf.ini
c:\windows\system32\jtmiycqy.ini
c:\windows\system32\mcrh.tmp
c:\windows\system32\TDSScrxx.dll
c:\windows\system32\TDSSmtpe.dat
c:\windows\system32\TDSSoipu.dll
c:\windows\system32\TDSSwkod.log
c:\windows\system32\TDSSyavu.dll
c:\windows\system32\thlckmwm.ini

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_TDSSSERV.SYS
-------\Legacy_ZESOFT
-------\Service_TDSSserv.sys


((((((((((((((((((((((((( Files Created from 2008-11-05 to 2008-12-05 )))))))))))))))))))))))))))))))
.

2008-12-05 11:26 . 2008-12-05 11:26 <DIR> d--h----- C:\$AVG8.VAULT$
2008-12-04 23:22 . 2008-12-05 10:02 <DIR> d-------- C:\Email
2008-12-04 00:22 . 2008-12-04 00:22 <DIR> d-------- c:\documents and settings\All Users\Application Data\AntiVir PersonalEdition Classic
2008-11-29 22:54 . 2008-11-29 22:54 <DIR> d-------- c:\program files\Lavasoft
2008-11-29 22:54 . 2008-11-29 22:55 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2008-11-29 22:53 . 2008-11-29 22:53 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2008-11-29 19:24 . 2008-11-29 19:27 <DIR> d-------- c:\program files\SpybotSD
2008-11-29 18:40 . 2008-11-29 18:59 <DIR> d-------- c:\windows\system32\drivers\Avg
2008-11-29 18:40 . 2008-11-29 18:40 96,520 --a------ c:\windows\system32\drivers\avgldx86.sys
2008-11-29 18:40 . 2008-11-29 18:40 75,272 --a------ c:\windows\system32\drivers\avgtdix.sys
2008-11-29 18:40 . 2008-11-29 18:40 10,520 --a------ c:\windows\system32\avgrsstx.dll
2008-11-27 21:45 . 2008-12-05 07:43 2,271 --a------ c:\windows\system32\TDSSqxgx.dll
2008-11-26 18:07 . 2008-11-26 18:07 <DIR> d-------- c:\program files\AIDA32
2008-11-22 11:41 . 2008-11-22 11:41 <DIR> d-------- c:\temp\website
2008-11-14 20:28 . 2008-11-14 20:29 <DIR> d-------- c:\program files\GPLGS
2008-11-14 20:27 . 2008-11-14 20:27 <DIR> d-------- c:\program files\Acro Software
2008-11-14 20:27 . 2007-07-12 22:33 87,552 --a------ c:\windows\system32\cpwmon2k.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-05 14:46 --------- d-----w c:\documents and settings\Owner\Application Data\Skype
2008-12-05 12:43 --------- d-----w c:\documents and settings\Owner\Application Data\skypePM
2008-12-03 06:20 --------- d-----w c:\program files\TagRename
2008-12-03 06:19 --------- d-----w c:\program files\Common Files\Symantec Shared
2008-11-30 03:45 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-30 00:22 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-11-29 23:39 --------- d-----w c:\documents and settings\All Users\Application Data\avg8
2008-11-21 12:29 --------- d-----w c:\program files\Kyodai Mahjongg
2008-11-02 20:17 --------- d--h--w c:\program files\InstallShield Installation Information
2008-10-24 11:10 453,632 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-13 13:09 --------- d-----w c:\program files\QuickTime
2008-10-13 13:08 --------- d-----w c:\program files\Common Files\Apple
2008-10-13 13:08 --------- d-----w c:\documents and settings\All Users\Application Data\Apple Computer
2008-10-13 13:04 --------- d-----w c:\program files\Apple Software Update
2008-10-13 13:04 --------- d-----w c:\documents and settings\All Users\Application Data\Apple
2008-04-07 23:10 31,448 ----a-w c:\documents and settings\Owner\Application Data\GDIPFONTCACHEV1.DAT
2008-04-05 01:05 32 ----a-w c:\documents and settings\All Users\Application Data\ezsid.dat
2008-03-11 23:08 2,426 ----a-w c:\documents and settings\Owner\Application Data\wklnhst.dat
2008-03-08 18:08 0 ----a-w c:\program files\temp01
2007-06-29 18:23 774,144 ----a-w c:\program files\RngInterstitial.dll
2005-10-12 20:43 32 ----a-r c:\documents and settings\All Users\hash.dat
2003-01-15 19:19 98,304 ----a-w c:\documents and settings\Owner\WhoAreYou.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-02-13 1587512]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2008-02-01 21898024]
"POP Peeper"="c:\program files\POP Peeper\POPPeeper.exe" [2008-07-18 1437696]
"SpybotSD TeaTimer"="c:\program files\SpybotSD\TeaTimer.exe" [2008-07-30 1829712]
"RocketDock"="c:\rocketdock\RocketDock.exe" [2007-09-02 495616]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2003-11-01 32768]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-03-27 98304]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-03-27 499712]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2006-09-26 35328]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-11-29 1177368]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2005-01-01 180269]
"SiSPower"="SiSPower.dll" [2004-09-02 c:\windows\system32\SiSPower.dll]
"Logitech Utility"="Logi_MwX.Exe" [2003-12-11 c:\windows\LOGI_MWX.EXE]
"SoundMan"="SOUNDMAN.EXE" [2005-04-15 c:\windows\SOUNDMAN.EXE]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
BigFix.lnk - c:\program files\BigFix\BigFix.exe [2004-10-02 1742384]
Utility Tray.lnk - c:\windows\system32\sistray.exe [2004-10-02 331776]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.X264"= x264vfw.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"BootSkin Startup Jobs"="c:\progra~1\Stardock\WINCUS~1\BootSkin\BootSkin.exe" /StartupJobs
"PhilipsDM"="c:\program files\Philips\Philips Device Manager\Bin\DeviceManager.exe"
"1A:Stardock TrayMonitor"="c:\program files\Common Files\Stardock\TrayServer.exe"
"LWBKEYBOARD"=c:\program files\MultiMedia Keyboard\MultiMedia Keyboard\1.1\KbdAp32A.exe
"LWBMOUSE"=c:\program files\Browser Mouse\Browser Mouse\1.1\MOUSE32A.EXE
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
"SunJavaUpdateSched"=c:\program files\Java\jre1.5.0_06\bin\jusched.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Avant Browser\\avant.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\TC PowerPack\\TOTALCMD.EXE"=
"c:\\Program Files\\Kyodai Mahjongg\\kmj.exe"=
"c:\\Program Files\\The KMPlayer\\KMPlayer.exe"=
"c:\\Program Files\\Octoshape Streaming Services\\Owner\\OctoshapeClient.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-11-29 96520]
R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2008-11-29 902424]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-11-29 282904]
R2 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\Drivers\avgtdix.sys [2008-11-29 75272]
R3 HSFHWSIS;HSFHWSIS;c:\windows\system32\DRIVERS\HSFHWSIS.sys [2004-10-02 193280]
S3 AMDMSRIO;AMDMSRIO;\??\c:\docume~1\Owner\LOCALS~1\Temp\Safe To Delete 3_0_4_8\AMDMSRIO.sys []
S3 SQTECH930B;USB 2.0 PC CAMERA;c:\windows\system32\Drivers\Capt930b.sys []
.
Contents of the 'Scheduled Tasks' folder

2008-12-04 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{E8E5DB26-6FB5-4BDC-8102-9CF22C86565A} - (no file)
HKCU-Run-MsnMsgr - c:\program files\MSN Messenger\MsnMsgr.Exe
HKLM-Run-LexStart - (no file)
Notify-WB - (no file)


.
------- Supplementary Scan -------
.
uSearch Page =
uSearch Bar =
uInternet Connection Wizard,ShellNext = iexplore
IE: &Search

O16 -: {149E45D8-163E-4189-86FC-45022AB2B6C9}

O16 -: {CC450D71-CC90-424C-8638-1F2DBAC87A54}

O16 -: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A}
FireFox -: Profile - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\e2z78wea.default\
FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://www.trustybox.com/search/?source ... ult-url&q=
FireFox -: prefs.js - STARTUP.HOMEPAGE - file:///c:/intranet/vesti.html
FF -: plugin - c:\documents and settings\Owner\Application Data\Mozilla\plugins\npoctoshape.dll
FF -: plugin - c:\program files\Adobe\Acrobat 7.0\Reader\browser\nppdf32.dll
FF -: plugin - c:\program files\Java\j2re1.4.2\bin\NPJava11.dll
FF -: plugin - c:\program files\Java\j2re1.4.2\bin\NPJava12.dll
FF -: plugin - c:\program files\Java\j2re1.4.2\bin\NPJava13.dll
FF -: plugin - c:\program files\Java\j2re1.4.2\bin\NPJava14.dll
FF -: plugin - c:\program files\Java\j2re1.4.2\bin\NPJava32.dll
FF -: plugin - c:\program files\Java\j2re1.4.2\bin\NPJPI142.dll
FF -: plugin - c:\program files\Java\j2re1.4.2\bin\NPOJI610.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\npgcplug.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\NPMyrMus.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\npracplug.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\npyaxmpb.dll
FF -: plugin - c:\program files\Octoshape Streaming Services\Owner\octoprogram-L03-N00-U00-C00_0804080_000\npoctoshape.dll
FF -: plugin - c:\program files\Real\RealArcade\Plugins\Mozilla\npracplug.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-05 11:38:25
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\windows\system32\wdfmgr.exe
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\windows\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2008-12-05 11:46:41 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-05 16:46:28
ComboFix2.txt 2007-07-18 22:57:44

Pre-Run: 23,983,751,168 bytes free
Post-Run: 24,279,908,352 bytes free

190 --- E O F --- 2008-11-13 08:13:32



************************************
Here is a new HijackThis log, after the machine was rebooted:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:27:35 PM, on 12/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\Logi_MwX.Exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Winamp\winampa.exe
C:\Program Files\QuickTime\QTTask.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\POP Peeper\POPPeeper.exe
C:\RocketDock\RocketDock.exe
C:\Program Files\BigFix\BigFix.exe
C:\WINDOWS\system32\sistray.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\TC PowerPack\totalcmd.exe
E:\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: (no name) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - (no file)
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [POP Peeper] "C:\Program Files\POP Peeper\POPPeeper.exe" -min
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\SpybotSD\TeaTimer.exe
O4 - HKCU\..\Run: [RocketDock] "C:\RocketDock\RocketDock.exe"
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/200 ... oader5.cab
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} -
O16 - DPF: {1A1F56AA-3401-46F9-B277-D57F3421F821} -
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} -
O16 - DPF: {615F158E-D5CA-422F-A8E7-F6A5EED7063B} -
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} -
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} -
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} -
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

--
End of file - 4503 bytes



I was able to connect to the AVG update site and download tons of updates for my antivirus. To me, it looks like it worked. I'll save the celebration until Carolyn confirms that both logs look OK.
abraxas
Active Member
 
Posts: 10
Joined: November 30th, 2008, 6:52 pm

Re: Can't get any updates on antivirus/antispyware software

Post by Carolyn » December 5th, 2008, 4:18 pm

Hi,

That looks a whole lot better, but we need to do a little more investigating to be sure that your computer is clean.

---------------------------------------

Upload files for scanning
I'd like you to check a file/some files for malware.
c:\program files\temp01
c:\program files\RngInterstitial.dll
c:\documents and settings\Owner\WhoAreYou.exe

  • Copy/Paste the first file on the list into the white Upload a file box.
  • Click Send/Submit, and the file will upload to VirusTotal/Jotti, where it will be scanned by several anti-virus programmes.
  • After a while, a window will open, with details of what the scans found.
  • Save the complete results in a Notepad/Word document on your desktop.
  • Repeat for all files on the list.

----------------------------------------

Run a custom CFScript

1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:

KILLALL::

File::
c:\windows\system32\TDSSqxgx.dll

Registry::
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{149E45D8-163E-4189-86FC-45022AB2B6C9}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{1A1F56AA-3401-46F9-B277-D57F3421F821}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{30528230-99f7-4bb4-88d8-fa1d4f56a2ab}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{615F158E-D5CA-422F-A8E7-F6A5EED7063B}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{8A94C905-FF9D-43B6-8708-F0F22D22B1CB}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CC450D71-CC90-424C-8638-1F2DBAC87A54}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{DF780F87-FF2B-4DF8-92D0-73DB16A1543A}]


Save this as CFScript.txt, in the same location as ComboFix.exe


Image

Referring to the picture above, drag CFScript onto ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.


----------------------------------------

Update Java
Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older-version Java components and update.
  • Download the latest version of http://java.sun.com/javase/downloads/index.jsp.
  • Scroll down to where it says Java Runtime Environment (JRE) 6 Update 11.
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on the download to install the newest version.
  • Note: If you don't want the Google toolbar, make sure you uncheck the option included in the installer!

----------------------------------------


Download CCleaner from here and save it to your desktop.


Run CCleaner
CCleaner will remove everything from the temp/temporary folders but please note that it will not make back ups!
  • Before first use, select Options > Advanced and UNCHECK Only delete files in Windows Temp folder older than 48 hours
  • Then select the items you wish to clean up.
    • In the Windows Tab:
      • Clean all entries in the Internet Explorer section except Cookies
      • Clean all the entries in the Windows Explorer section
      • Clean all entries in the System section
      • Clean all entries in the Advanced section
      • Clean any others that you choose
    • In the Applications Tab:
      • Clean all except cookies in the Firefox/Mozilla section if you use it
      • Clean all in the Opera section if you use it
      • Clean Sun Java in the Internet Section
      • Clean any others that you choose
  • Click the Run Cleaner button.
  • A pop up box will appear advising this process will permanently delete files from your system.
  • Click OK and it will scan and clean your system.
  • Click exit when done.
  • If it asks you to reboot at the end, click NO
CCleaner should be run with the above settings for each User Account!

----------------------------------------

Please go to the Kaspersky website and perform an online antivirus scan.

  1. Read through the requirements and privacy statement and click on the Accept button.
  2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  3. When the downloads have finished, click on Settings.
  4. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
      Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
      Mail databases
  5. Click on My Computer under Scan.
  6. Once the scan is complete, it will display the results. Click on View Scan Report.
  7. You will see a list of infected items there. Click on Save Report As....
  8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  9. Please post this log in your next reply.

----------------------------------------

Please post the following in your next reply:
  1. The VirusTotal Results
  2. The ComboFix log
  3. The Kaspersky log
  4. A fresh HijackThis log
  5. A description of how your computer is behaving.
Carolyn
MRU Emeritus
Posts: 4701
Joined: April 18th, 2007, 9:36 am
Location: Maine

Re: Can't get any updates on antivirus/antispyware software

Unread postby abraxas » December 6th, 2008, 1:49 pm

Hi,
Sorry it took me so long to answer the last post... I hate night shifts...

Here we go:
First, VirusTotal scan results:
TEMP01 file was 0 bytes in size...
0 bytes size received / Se ha recibido un archivo vacio


File RngInterstitial.dll received on 12.05.2008 21:45:23 (CET)
Antivirus Version Last Update Result
AhnLab-V3 2008.12.6.0 2008.12.05 -
AntiVir 7.9.0.42 2008.12.05 -
Authentium 5.1.0.4 2008.12.05 -
Avast 4.8.1281.0 2008.12.04 -
AVG 8.0.0.199 2008.12.05 -
BitDefender 7.2 2008.12.05 -
CAT-QuickHeal 10.00 2008.12.05 -
ClamAV 0.94.1 2008.12.05 -
Comodo 682 2008.12.04 -
DrWeb 4.44.0.09170 2008.12.05 -
eSafe 7.0.17.0 2008.12.04 -
eTrust-Vet 31.6.6243 2008.12.04 -
Ewido 4.0 2008.12.05 -
F-Prot 4.4.4.56 2008.12.04 -
F-Secure 8.0.14332.0 2008.12.05 -
Fortinet 3.117.0.0 2008.12.05 -
GData 19 2008.12.05 -
Ikarus T3.1.1.45.0 2008.12.05 -
K7AntiVirus 7.10.545 2008.12.05 -
Kaspersky 7.0.0.125 2008.12.05 -
McAfee 5455 2008.12.05 -
McAfee+Artemis 5455 2008.12.05 -
Microsoft 1.4205 2008.12.05 -
NOD32 3667 2008.12.05 -
Norman 5.80.02 2008.12.05 -
Panda 9.0.0.4 2008.12.05 -
PCTools 4.4.2.0 2008.12.05 -
Prevx1 V2 2008.12.05 -
Rising 21.06.43.00 2008.12.05 -
SecureWeb-Gateway 6.7.6 2008.12.05 -
Sophos 4.36.0 2008.12.05 -
Sunbelt 3.1.1832.2 2008.12.01 -
Symantec 10 2008.12.05 -
TheHacker 6.3.1.2.176 2008.12.05 -
TrendMicro 8.700.0.1004 2008.12.05 -
VBA32 3.12.8.10 2008.12.05 -
ViRobot 2008.12.5.1502 2008.12.05 -
VirusBuster 4.5.11.0 2008.12.05 -

Additional information
File size: 774144 bytes
MD5...: 77d3a60b2e838e1cc6a682bd9761da63
SHA1..: 57fd5a21e7ef01bf29c96660d9389809227e6f7f
SHA256: 4713c36b92a9ea330dbf90255e30c62ce742c1ded5664b870432bb7a5d159a83
SHA512: b9dbaa53cd93ffee6bacd684f93bc139470417ea14780d3df291ce3e5ab1b749bf334bb0e7c1401c69065d7cdd9eab3ec851767dbd57b3885f1a04976b8183c0
ssdeep: 3072:vaiGHo7I+3AbNf4p5GMU0CrXq8AeROmsDEE5sA8E:XGeHp5GMU0wtympE5sS
PEiD..: Armadillo v1.xx - v2.xx
TrID..: File type identification
        Win64 Executable Generic (80.9%)
        Win32 Executable Generic (8.0%)
        Win32 Dynamic Link Library (generic) (7.1%)
        Generic Win/DOS Executable (1.8%)
        DOS Executable Generic (1.8%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x1000382b
timedatestamp.....: 0x426ea8cc (Tue Apr 26 20:47:08 2005)
machinetype.......: 0x14c (I386)

( 5 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x2921 0x3000 5.66 0df655d0720d3fcba24e78765e795ea9
.rdata 0x4000 0xdec 0x1000 4.84 e553d093c6b7b99cc9954d3d48da7fc4
.data 0x5000 0x24f0 0x1000 2.38 9c09fc1dc29ff05bdb8f4852d6bc7860
.rsrc 0x8000 0xb5ad8 0xb6000 5.26 fbf6696a97bfedc8ee88c1fb374f7037
.reloc 0xbe000 0xb56 0x1000 2.04 3ecb8769da3c0217a174a42ddfa590e1

( 6 imports )
> KERNEL32.dll: MulDiv, GetPrivateProfileIntA, WinExec, GetModuleHandleA, GetPrivateProfileStringA, GetFileAttributesA, GetModuleFileNameA, FindFirstFileA, lstrcpyA, GetShortPathNameA, GetCommandLineA, WaitForMultipleObjects, InterlockedDecrement, OutputDebugStringA, CloseHandle, InterlockedIncrement, CreateProcessA, GetStartupInfoA, GetCurrentDirectoryA, WritePrivateProfileStringA, GetLastError, CreateEventA, SetFileAttributesA, FindClose
> USER32.dll: SetWindowTextA, SetWindowLongA, GetWindowLongA, wsprintfA, DestroyWindow, SetCursor, MessageBoxA, ReleaseDC, DialogBoxParamA, LoadStringA, GetDC, LoadImageA, DrawTextA, EndDialog, GetWindowRect, SetWindowPos, LoadCursorA, CharLowerA, GetSystemMetrics, CharNextA
> GDI32.dll: GetObjectA, SelectObject, GetDeviceCaps, BitBlt, DeleteObject, GetTextExtentPoint32A, CreateCompatibleDC, SetTextColor, SetBkMode, CreateFontIndirectA
> ADVAPI32.dll: RegDeleteValueA, RegOpenKeyA, RegQueryValueA, RegCloseKey, RegCreateKeyExA, RegSetValueExA, RegOpenKeyExA, RegQueryValueExA
> WINMM.dll: PlaySoundA
> MSVCRT.dll: _adjust_fdiv, _splitpath, __3@YAXPAX@Z, free, _onexit, _initterm, _stricmp, __dllonexit, malloc, __2@YAPAXI@Z, strstr, sprintf, __CxxFrameHandler

( 25 exports )
__0CInterstitial@@QAE@XZ, __1CInterstitial@@QAE@XZ, __4CInterstitial@@QAEAAV0@ABV0@@Z, _BeginGame@CInterstitial@@QAEHH@Z, _DrawLogoBtn@CInterstitial@@QAEHPAUtagDRAWITEMSTRUCT@@@Z, _EndGame@CInterstitial@@QAEHH@Z, _GetEpcotPath@CInterstitial@@QAEHXZ, _GetGameName@CInterstitial@@QAEPADXZ, _GetRealcomUrl@CInterstitial@@QAEPADXZ, _GetRegion@CInterstitial@@QAEHXZ, _GetUpsellUrl@CInterstitial@@QAEPADXZ, _LoadProfile@CInterstitial@@QAEHPAD@Z, _PlaceBitmap@CInterstitial@@QAEHPAUHWND__@@PADPAUtagPOINT@@@Z, _SetProfilePath@CInterstitial@@QAEHPAD@Z, _SetRegion@CInterstitial@@QAEHH@Z, _ShowButtonLabels@CInterstitial@@QAEXPAUHWND__@@@Z, _ShowGameName@CInterstitial@@QAEXPAUHWND__@@@Z, _ShowGamesText@CInterstitial@@QAEXPAUHWND__@@@Z, _ShowLaunchDialog@CInterstitial@@QAEXPAUHWND__@@@Z, _ShowRealGraphic@CInterstitial@@QAEXPAUHWND__@@@Z, _ShowUpsellGraphic@CInterstitial@@QAEXPAUHWND__@@@Z, _ShowUpsellText@CInterstitial@@QAEXPAUHWND__@@@Z, DllRegisterServer, DllUnRegisterServer, fnGameBeginEnd


File WhoAreYou.exe received on 12.05.2008 21:51:01 (CET)
Antivirus Version Last Update Result
AhnLab-V3 2008.12.6.0 2008.12.05 -
AntiVir 7.9.0.42 2008.12.05 -
Authentium 5.1.0.4 2008.12.05 -
Avast 4.8.1281.0 2008.12.04 -
AVG 8.0.0.199 2008.12.05 -
BitDefender 7.2 2008.12.05 -
CAT-QuickHeal 10.00 2008.12.05 -
ClamAV 0.94.1 2008.12.05 -
Comodo 682 2008.12.04 -
DrWeb 4.44.0.09170 2008.12.05 -
eSafe 7.0.17.0 2008.12.04 -
eTrust-Vet 31.6.6243 2008.12.04 -
Ewido 4.0 2008.12.05 -
F-Prot 4.4.4.56 2008.12.04 -
F-Secure 8.0.14332.0 2008.12.05 -
Fortinet 3.117.0.0 2008.12.05 -
GData 19 2008.12.05 -
Ikarus T3.1.1.45.0 2008.12.05 -
K7AntiVirus 7.10.545 2008.12.05 -
Kaspersky 7.0.0.125 2008.12.05 -
McAfee 5455 2008.12.05 -
McAfee+Artemis 5455 2008.12.05 -
Microsoft 1.4205 2008.12.05 -
NOD32 3667 2008.12.05 -
Norman 5.80.02 2008.12.05 -
Panda 9.0.0.4 2008.12.05 -
PCTools 4.4.2.0 2008.12.05 -
Prevx1 V2 2008.12.05 -
Rising 21.06.43.00 2008.12.05 -
SecureWeb-Gateway 6.7.6 2008.12.05 -
Sophos 4.36.0 2008.12.05 -
Sunbelt 3.1.1832.2 2008.12.01 Trojan-Dropper.Win32.VB!cobra (v)
Symantec 10 2008.12.05 -
TheHacker 6.3.1.2.176 2008.12.05 -
TrendMicro 8.700.0.1004 2008.12.05 -
VBA32 3.12.8.10 2008.12.05 -
ViRobot 2008.12.5.1502 2008.12.05 -
VirusBuster 4.5.11.0 2008.12.05 -

Additional information
File size: 98304 bytes
MD5...: a2b65bc3b9629202d5e45a4beba3395f
SHA1..: cba30cd1e49a211365222c6c51f06efda313c173
SHA256: f2e2b33801ce459e7379ba46f34dcf4ccd49b548dffac3e38fdbb84b8fec46ce
SHA512: 980d1e6ea6714e31e1b1b724ece1522e731906a938ffab374f68fe1202fa60766a91b4746826910366b1e8ca8ddd948346e9cd5fabe28b3a0a8b58f57d0ee5f6
ssdeep: 1536:Ky/1iNN+bD2cRP0x4jkMvw/ZgvVx6KqtcZU8Z7K4GsrmHUkN7k1i:x0l20XMY/gVxvq0ZezHU4k0
PEiD..: -
TrID..: File type identification
        Win32 Executable Microsoft Visual Basic 6 (96.9%)
        Generic Win/DOS Executable (1.5%)
        DOS Executable Generic (1.5%)
        Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x401474
timedatestamp.....: 0x3e256e0a (Wed Jan 15 14:19:54 2003)
machinetype.......: 0x14c (I386)

( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x14a24 0x15000 6.97 b2cf6a24338ce870936b8b3949849e8b
.data 0x16000 0x2130 0x1000 0.00 620f0b67a91f7f74151bc5be745b7110
.rsrc 0x19000 0xafc 0x1000 2.79 c92ffb2e6f28e478f8e6051cc7cffd7d

( 1 imports )
> MSVBVM60.DLL: -, __vbaVarSub, __vbaVarTstGt, -, _CIcos, _adj_fptan, __vbaVarMove, __vbaStrI4, __vbaFreeVar, __vbaFreeVarList, __vbaEnd, _adj_fdiv_m64, __vbaFreeObjList, _adj_fprem1, __vbaStrCat, __vbaHresultCheckObj, _adj_fdiv_m32, __vbaVarForInit, __vbaObjSet, -, _adj_fdiv_m16i, _adj_fdivr_m16i, __vbaVarTstLt, __vbaBoolVarNull, _CIsin, __vbaErase, -, __vbaVarCmpGt, __vbaChkstk, __vbaFileClose, EVENT_SINK_AddRef, __vbaGenerateBoundsError, __vbaStrCmp, __vbaVarTstEq, _adj_fpatan, EVENT_SINK_Release, _CIsqrt, __vbaVarAnd, EVENT_SINK_QueryInterface, __vbaVarMul, __vbaExceptHandler, __vbaInputFile, _adj_fprem, _adj_fdivr_m64, __vbaVarDiv, -, __vbaFPException, __vbaStrVarVal, __vbaI2Var, _CIlog, __vbaFileOpen, __vbaNew2, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, __vbaVarCmpLt, __vbaFreeStrList, _adj_fdivr_m32, __vbaR8Var, _adj_fdiv_r, -, __vbaI4Var, __vbaVarAdd, __vbaVarDup, __vbaVarCopy, __vbaVarTstGe, _CIatan, __vbaStrMove, _allmul, _CItan, __vbaVarForNext, _CIexp, __vbaFreeStr, __vbaFreeObj, -

( 0 exports )


I'll send each log in separate posts. Hopefully, that way they will be easier to read...
abraxas
Active Member
Posts: 10
Joined: November 30th, 2008, 6:52 pm
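The WhoAreYou.exe table above is a case where a single engine (Sunbelt, with signatures four days older than the submission) flags a file that every other engine passes. The Python script below is an added example, not part of the original thread and not a VirusTotal tool: it parses a pasted result table in that line format, counts detections, and lists engines whose signature database lags the submission date. The sample report is a constructed subset of the WhoAreYou.exe rows; reading the submission date as mm.dd.yyyy is an assumption (it matches the engines' 2008.12.05 update dates), and the verdict thresholds in `assessment()` are illustrative, not VirusTotal's.

```python
import re
from dataclasses import dataclass
from datetime import date, datetime
from typing import Optional

# Constructed sample: a subset of the WhoAreYou.exe rows from the table above,
# in the exact line format VirusTotal produced at the time.
SAMPLE_REPORT = """\
File WhoAreYou.exe received on 12.05.2008 21:51:01 (CET)Antivirus Version Last Update Result
AhnLab-V3 2008.12.6.0 2008.12.05 -
AVG 8.0.0.199 2008.12.05 -
Ikarus T3.1.1.45.0 2008.12.05 -
McAfee+Artemis 5455 2008.12.05 -
Prevx1 V2 2008.12.05 -
Sunbelt 3.1.1832.2 2008.12.01 Trojan-Dropper.Win32.VB!cobra (v)
Symantec 10 2008.12.05 -
"""

# Header: "File <name> received on <mm.dd.yyyy> <hh:mm:ss> (<tz>)"; it does not
# matter whether the column caption is fused onto the same line or not.
HEADER_RE = re.compile(r"^File (?P<name>.+?) received on (?P<received>\d{2}\.\d{2}\.\d{4})\b")
# Row: "<engine> <version> <yyyy.mm.dd> <result>", where result is "-" for no detection.
ROW_RE = re.compile(r"^(?P<engine>\S+)\s+(?P<version>\S+)\s+(?P<updated>\d{4}\.\d{2}\.\d{2})\s+(?P<result>.+)$")


@dataclass
class EngineRow:
    engine: str
    version: str
    updated: date          # signature database date the engine reported
    result: Optional[str]  # None when the engine printed "-"


@dataclass
class Summary:
    file_name: str
    received: date
    total: int
    detections: list  # (engine, detection name) pairs
    stale: list       # engines whose signatures predate the submission

    @property
    def ratio(self) -> str:
        return f"{len(self.detections)}/{self.total}"


def parse_rows(text: str):
    """Return (file name, submission date, engine rows) from a pasted table."""
    file_name, received, rows = None, None, []
    for raw in text.splitlines():
        line = raw.strip()
        h = HEADER_RE.match(line)
        if h:
            file_name = h.group("name")
            # Assumption: the submission date is mm.dd.yyyy (5 Dec 2008 here).
            received = datetime.strptime(h.group("received"), "%m.%d.%Y").date()
            continue
        r = ROW_RE.match(line)
        if not r:
            continue  # caption, blank line, or "Additional information" fields
        result = r.group("result").strip()
        rows.append(EngineRow(r.group("engine"), r.group("version"),
                              datetime.strptime(r.group("updated"), "%Y.%m.%d").date(),
                              None if result == "-" else result))
    if file_name is None or received is None:
        raise ValueError("no VirusTotal header line found")
    return file_name, received, rows


def summarize(text: str, max_signature_age_days: int = 1) -> Summary:
    file_name, received, rows = parse_rows(text)
    detections = [(r.engine, r.result) for r in rows if r.result is not None]
    stale = [r.engine for r in rows if (received - r.updated).days > max_signature_age_days]
    return Summary(file_name, received, len(rows), detections, stale)


def assessment(s: Summary) -> str:
    """Coarse reading of the ratio (illustrative thresholds). None of these verdicts
    stands alone: corroborate with the file's location, timestamp and origin."""
    if not s.detections:
        return "undetected"
    if len(s.detections) == 1:
        return "single-engine: corroborate"
    if len(s.detections) / s.total < 0.25:
        return "low-ratio: corroborate"
    return "consensus detection"


if __name__ == "__main__":
    summary = summarize(SAMPLE_REPORT)
    print(summary.file_name, summary.ratio, summary.detections, "stale:", summary.stale)
    print(assessment(summary))
```

On the constructed sample this yields 1/7 with Sunbelt as the only detector and the only stale engine, which is why a file like this is judged on context (an unsigned 2003 VB6 binary sitting in the user's profile root) rather than on the ratio alone.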

Re: Can't get any updates on antivirus/antispyware software

Unread postby abraxas » December 6th, 2008, 1:51 pm

Here is the ComboFix log:

ComboFix 08-12-04.04 - Owner 2008-12-05 16:18:17.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.736 [GMT -5:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
c:\windows\system32\TDSSqxgx.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\TDSSqxgx.dll

.
((((((((((((((((((((((((( Files Created from 2008-11-05 to 2008-12-05 )))))))))))))))))))))))))))))))
.

2008-12-05 12:30 . 2008-12-05 12:30 <DIR> d-------- c:\windows\system32\LogFiles
2008-12-05 11:26 . 2008-12-05 16:16 <DIR> d--h----- C:\$AVG8.VAULT$
2008-12-04 23:22 . 2008-12-05 10:02 <DIR> d-------- C:\Email
2008-12-04 00:22 . 2008-12-04 00:22 <DIR> d-------- c:\documents and settings\All Users\Application Data\AntiVir PersonalEdition Classic
2008-11-29 22:54 . 2008-11-29 22:54 <DIR> d-------- c:\program files\Lavasoft
2008-11-29 22:54 . 2008-11-29 22:55 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2008-11-29 22:53 . 2008-11-29 22:53 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2008-11-29 19:24 . 2008-11-29 19:27 <DIR> d-------- c:\program files\SpybotSD
2008-11-29 18:40 . 2008-12-05 12:31 <DIR> d-------- c:\windows\system32\drivers\Avg
2008-11-29 18:40 . 2008-12-05 12:32 97,928 --a------ c:\windows\system32\drivers\avgldx86.sys
2008-11-29 18:40 . 2008-12-05 12:32 76,040 --a------ c:\windows\system32\drivers\avgtdix.sys
2008-11-29 18:40 . 2008-12-05 12:32 10,520 --a------ c:\windows\system32\avgrsstx.dll
2008-11-26 18:07 . 2008-11-26 18:07 <DIR> d-------- c:\program files\AIDA32
2008-11-22 11:41 . 2008-11-22 11:41 <DIR> d-------- c:\temp\website
2008-11-14 20:28 . 2008-11-14 20:29 <DIR> d-------- c:\program files\GPLGS
2008-11-14 20:27 . 2008-11-14 20:27 <DIR> d-------- c:\program files\Acro Software
2008-11-14 20:27 . 2007-07-12 22:33 87,552 --a------ c:\windows\system32\cpwmon2k.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-05 21:10 --------- d-----w c:\documents and settings\Owner\Application Data\Skype
2008-12-05 21:00 --------- d-----w c:\documents and settings\Owner\Application Data\skypePM
2008-12-03 06:20 --------- d-----w c:\program files\TagRename
2008-12-03 06:19 --------- d-----w c:\program files\Common Files\Symantec Shared
2008-11-30 03:45 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-30 00:22 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-11-29 23:39 --------- d-----w c:\documents and settings\All Users\Application Data\avg8
2008-11-21 12:29 --------- d-----w c:\program files\Kyodai Mahjongg
2008-11-02 20:17 --------- d--h--w c:\program files\InstallShield Installation Information
2008-10-24 11:10 453,632 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-13 13:09 --------- d-----w c:\program files\QuickTime
2008-10-13 13:08 --------- d-----w c:\program files\Common Files\Apple
2008-10-13 13:08 --------- d-----w c:\documents and settings\All Users\Application Data\Apple Computer
2008-10-13 13:04 --------- d-----w c:\program files\Apple Software Update
2008-10-13 13:04 --------- d-----w c:\documents and settings\All Users\Application Data\Apple
2008-04-07 23:10 31,448 ----a-w c:\documents and settings\Owner\Application Data\GDIPFONTCACHEV1.DAT
2008-04-05 01:05 32 ----a-w c:\documents and settings\All Users\Application Data\ezsid.dat
2008-03-11 23:08 2,426 ----a-w c:\documents and settings\Owner\Application Data\wklnhst.dat
2008-03-08 18:08 0 ----a-w c:\program files\temp01
2007-06-29 18:23 774,144 ----a-w c:\program files\RngInterstitial.dll
2005-10-12 20:43 32 ----a-r c:\documents and settings\All Users\hash.dat
2003-01-15 19:19 98,304 ----a-w c:\documents and settings\Owner\WhoAreYou.exe
.

((((((((((((((((((((((((((((( snapshot@2008-12-05_11.45.41.48 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-11-29 23:40:17 26,184 ----a-w c:\windows\system32\drivers\avgmfx86.sys
+ 2008-12-05 17:32:43 26,824 ----a-w c:\windows\system32\drivers\avgmfx86.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-02-13 1587512]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2008-02-01 21898024]
"POP Peeper"="c:\program files\POP Peeper\POPPeeper.exe" [2008-07-18 1437696]
"SpybotSD TeaTimer"="c:\program files\SpybotSD\TeaTimer.exe" [2008-07-30 1829712]
"RocketDock"="c:\rocketdock\RocketDock.exe" [2007-09-02 495616]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2003-11-01 32768]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-03-27 98304]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-03-27 499712]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2006-09-26 35328]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-12-05 1261336]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2005-01-01 180269]
"SiSPower"="SiSPower.dll" [2004-09-02 c:\windows\system32\SiSPower.dll]
"Logitech Utility"="Logi_MwX.Exe" [2003-12-11 c:\windows\LOGI_MWX.EXE]
"SoundMan"="SOUNDMAN.EXE" [2005-04-15 c:\windows\SOUNDMAN.EXE]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
BigFix.lnk - c:\program files\BigFix\BigFix.exe [2004-10-02 1742384]
Utility Tray.lnk - c:\windows\system32\sistray.exe [2004-10-02 331776]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB]
[BU]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.X264"= x264vfw.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"BootSkin Startup Jobs"="c:\progra~1\Stardock\WINCUS~1\BootSkin\BootSkin.exe" /StartupJobs
"PhilipsDM"="c:\program files\Philips\Philips Device Manager\Bin\DeviceManager.exe"
"1A:Stardock TrayMonitor"="c:\program files\Common Files\Stardock\TrayServer.exe"
"LWBKEYBOARD"=c:\program files\MultiMedia Keyboard\MultiMedia Keyboard\1.1\KbdAp32A.exe
"LWBMOUSE"=c:\program files\Browser Mouse\Browser Mouse\1.1\MOUSE32A.EXE
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
"SunJavaUpdateSched"=c:\program files\Java\jre1.5.0_06\bin\jusched.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Avant Browser\\avant.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\TC PowerPack\\TOTALCMD.EXE"=
"c:\\Program Files\\Kyodai Mahjongg\\kmj.exe"=
"c:\\Program Files\\The KMPlayer\\KMPlayer.exe"=
"c:\\Program Files\\Octoshape Streaming Services\\Owner\\OctoshapeClient.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-11-29 97928]
R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2008-12-05 875288]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-12-05 231704]
R2 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\Drivers\avgtdix.sys [2008-11-29 76040]
R3 HSFHWSIS;HSFHWSIS;c:\windows\system32\DRIVERS\HSFHWSIS.sys [2004-10-02 193280]
S3 AMDMSRIO;AMDMSRIO;\??\c:\docume~1\Owner\LOCALS~1\Temp\Safe To Delete 3_0_4_8\AMDMSRIO.sys []
S3 SQTECH930B;USB 2.0 PC CAMERA;c:\windows\system32\Drivers\Capt930b.sys []
.
Contents of the 'Scheduled Tasks' folder

2008-12-04 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = iexplore
IE: &Search

O16 -: {149E45D8-163E-4189-86FC-45022AB2B6C9}

O16 -: {CC450D71-CC90-424C-8638-1F2DBAC87A54}

O16 -: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A}
FireFox -: Profile - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\e2z78wea.default\
FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://www.trustybox.com/search/?source ... ult-url&q=
FireFox -: prefs.js - STARTUP.HOMEPAGE - file:///c:/intranet/vesti.html
FF -: plugin - c:\documents and settings\Owner\Application Data\Mozilla\plugins\npoctoshape.dll
FF -: plugin - c:\program files\Adobe\Acrobat 7.0\Reader\browser\nppdf32.dll
FF -: plugin - c:\program files\Java\j2re1.4.2\bin\NPJava11.dll
FF -: plugin - c:\program files\Java\j2re1.4.2\bin\NPJava12.dll
FF -: plugin - c:\program files\Java\j2re1.4.2\bin\NPJava13.dll
FF -: plugin - c:\program files\Java\j2re1.4.2\bin\NPJava14.dll
FF -: plugin - c:\program files\Java\j2re1.4.2\bin\NPJava32.dll
FF -: plugin - c:\program files\Java\j2re1.4.2\bin\NPJPI142.dll
FF -: plugin - c:\program files\Java\j2re1.4.2\bin\NPOJI610.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\npgcplug.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\NPMyrMus.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\npracplug.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\npyaxmpb.dll
FF -: plugin - c:\program files\Octoshape Streaming Services\Owner\octoprogram-L03-N00-U00-C00_0804080_000\npoctoshape.dll
FF -: plugin - c:\program files\Real\RealArcade\Plugins\Mozilla\npracplug.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-05 16:24:37
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\windows\system32\wdfmgr.exe
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\windows\system32\rundll32.exe
c:\program files\Skype\Plugin Manager\skypePM.exe
.
**************************************************************************
.
Completion time: 2008-12-05 16:33:10 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-05 21:32:58
ComboFix2.txt 2008-12-05 16:46:44
ComboFix3.txt 2007-07-18 22:57:44

Pre-Run: 24,157,634,560 bytes free
Post-Run: 24,143,548,416 bytes free

179 --- E O F --- 2008-11-13 08:13:32
abraxas
Active Member
Posts: 10
Joined: November 30th, 2008, 6:52 pm

Re: Can't get any updates on antivirus/antispyware software

Unread postby abraxas » December 6th, 2008, 1:59 pm

Next, the Kaspersky log:

KASPERSKY ONLINE SCANNER 7 REPORT
Saturday, December 6, 2008
Operating System: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Saturday, December 06, 2008 02:29:08
Records in database: 1439709


Scan settings
Scan using the following database extended
Scan archives yes
Scan mail databases yes

Scan area My Computer
C:\
D:\

Scan statistics
Files scanned 86550
Threat name 21
Infected objects 32
Suspicious objects 0
Duration of the scan 02:37:08

File name Threat name Threats count
C:\Download\tightvnc-1.3.8-setup.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.1370 1

C:\Download\UltraVNC-102-Setup.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.c 2

C:\Download\UltraVNC-102-Setup.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.1102 1

C:\FromWork\Dejan\Download\dvdbx25.exe Infected: not-a-virus:AdWare.Win32.NavExcel 4

C:\FromWork\Dejan\Download\dvdbx25.exe Infected: not-a-virus:AdWare.Win32.HelpExpress 1

C:\FromWork\Dejan\Download\marinefree_231.exe Infected: not-a-virus:AdWare.Win32.SaveNow.v 2

C:\FromWork\Dejan\Download\marinefree_231.exe Infected: not-a-virus:AdWare.Win32.NewDotNet 1

C:\FromWork\Dejan\Download\marinefree_231.exe Infected: not-a-virus:Server-Proxy.Win32.MarketScore.g 1

C:\Program Files\Microsoft Office\Templates\Presentation Designs\download\setupwavtomp3.exe Infected: not-a-virus:AdWare.Win32.NavExcel.d 1

C:\Program Files\Microsoft Office\Templates\Presentation Designs\download\setupwavtomp3.exe Infected: not-a-virus:AdWare.Win32.NavExcel.b 2

C:\Program Files\Microsoft Office\Templates\Presentation Designs\download\setupwavtomp3.exe Infected: not-a-virus:AdWare.Win32.NavExcel 1

C:\Program Files\Microsoft Office\Templates\Presentation Designs\download\setupwavtomp3.exe Infected: not-a-virus:AdWare.Win32.NavExcel.i 1

C:\Program Files\Microsoft Office\Templates\Presentation Designs\download\setupwavtomp3.exe Infected: not-a-virus:AdWare.Win32.SaveNow.z 1

C:\Program Files\Microsoft Office\Templates\Presentation Designs\download\setupwavtomp3.exe Infected: not-a-virus:AdWare.Win32.BargainBuddy.h 2

C:\Program Files\Microsoft Office\Templates\Presentation Designs\download\setupwavtomp3.exe Infected: not-a-virus:AdWare.Win32.BargainBuddy.e 1

C:\Program Files\Microsoft Office\Templates\Presentation Designs\download\setupwavtomp3.exe Infected: not-a-virus:AdWare.Win32.EZula.o 1

C:\Program Files\Microsoft Office\Templates\Presentation Designs\download\vnc-3.3.7-x86_win32.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.c 2

C:\Program Files\UltraVNC\vncviewer.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.1102 1

C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\TDSSmxoe.sys.vir Infected: Backdoor.Win32.TDSS.bkw 1

C:\QooBox\Quarantine\C\WINDOWS\system32\TDSScrxx.dll.vir Infected: Backdoor.Win32.TDSS.asz 1

C:\QooBox\Quarantine\C\WINDOWS\system32\TDSSoipu.dll.vir Infected: Backdoor.Win32.TDSS.blh 1

C:\QooBox\Quarantine\C\WINDOWS\system32\TDSSyavu.dll.vir Infected: Backdoor.Win32.TDSS.atb 1

C:\temp\VNC416\vnc-tool-1_4_2-x86_win32.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.414 2

The selected area was scanned.
abraxas
Active Member
Posts: 10
Joined: November 30th, 2008, 6:52 pm
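One way to read a Kaspersky Online Scanner report like the one above, added here as an example (it is not a tool from the thread, from the helper, or from Kaspersky): the script parses the `File name / Threat name / Threats count` lines, checks that they add up to the report's own `Infected objects` and `Threat name` figures so a truncated paste is noticed, and separates hits into malware still on disk, `not-a-virus:` riskware grouped by class, and items already inside ComboFix's `C:\QooBox\Quarantine` folder. The sample report is a constructed subset of the entries posted above with statistics adjusted to that subset; treating the QooBox prefix as "already quarantined" is an assumption about the cleanup workflow.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample in the line format of the Kaspersky Online Scanner 7 report
# above: a subset of its entries, with the statistics matching this subset.
SAMPLE_REPORT = r"""
Scan statistics
Files scanned 86550
Threat name 7
Infected objects 10
Suspicious objects 0

File name Threat name Threats count
C:\Download\tightvnc-1.3.8-setup.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.1370 1
C:\Download\UltraVNC-102-Setup.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.c 2
C:\Download\UltraVNC-102-Setup.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.1102 1
C:\FromWork\Dejan\Download\marinefree_231.exe Infected: not-a-virus:AdWare.Win32.SaveNow.v 2
C:\FromWork\Dejan\Download\marinefree_231.exe Infected: not-a-virus:Server-Proxy.Win32.MarketScore.g 1
C:\Program Files\UltraVNC\vncviewer.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.1102 1
C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\TDSSmxoe.sys.vir Infected: Backdoor.Win32.TDSS.bkw 1
C:\QooBox\Quarantine\C\WINDOWS\system32\TDSScrxx.dll.vir Infected: Backdoor.Win32.TDSS.asz 1

The selected area was scanned.
"""

HIT_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<threat>\S+) (?P<count>\d+)$")
STAT_RE = re.compile(r"^(Threat name|Infected objects) (\d+)$")
# Assumption: ComboFix's quarantine folder (seen in the log above); hits there are
# copies of files already removed from their original location.
QUARANTINE_PREFIX = "c:\\qoobox\\quarantine\\"


@dataclass(frozen=True)
class Hit:
    path: str
    threat: str
    count: int

    @property
    def quarantined(self) -> bool:
        return self.path.lower().startswith(QUARANTINE_PREFIX)

    @property
    def riskware(self) -> bool:
        # Kaspersky prefixes legitimate-but-risky software (remote admin tools,
        # adware bundles, proxies) with "not-a-virus:"; it is not malware by itself.
        return self.threat.startswith("not-a-virus:")

    @property
    def category(self) -> str:
        # "not-a-virus:RemoteAdmin.Win32.WinVNC.c" -> "RemoteAdmin"
        # "Backdoor.Win32.TDSS.bkw"                -> "Backdoor"
        name = self.threat.split(":", 1)[1] if self.riskware else self.threat
        return name.split(".", 1)[0]


def parse_report(text: str):
    """Return (per-file hits, declared summary statistics) from the pasted report."""
    hits, stats = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if (m := HIT_RE.match(line)):
            hits.append(Hit(m["path"], m["threat"], int(m["count"])))
        elif (m := STAT_RE.match(line)):
            stats[m.group(1)] = int(m.group(2))
    return hits, stats


def check_complete(text: str) -> bool:
    """True when the per-file lines add up to the report's own summary figures,
    i.e. nothing was lost when the log was copied into the post."""
    hits, stats = parse_report(text)
    return (sum(h.count for h in hits) == stats.get("Infected objects")
            and len({h.threat for h in hits}) == stats.get("Threat name"))


def triage(text: str) -> dict:
    """Sort hits into malware still on disk, riskware by class, and items already in
    quarantine. Values are sorted unique paths, so an installer flagged eight times
    is one item to decide on."""
    hits, _ = parse_report(text)
    malware, riskware, quarantined = defaultdict(set), defaultdict(set), set()
    for h in hits:
        if h.quarantined:
            quarantined.add(h.path)
        elif h.riskware:
            riskware[h.category].add(h.path)
        else:
            malware[h.category].add(h.path)
    return {"malware": {k: sorted(v) for k, v in malware.items()},
            "riskware": {k: sorted(v) for k, v in riskware.items()},
            "quarantined": sorted(quarantined)}


if __name__ == "__main__":
    print("complete:", check_complete(SAMPLE_REPORT))
    for bucket, items in triage(SAMPLE_REPORT).items():
        print(bucket, items)
```

Run over the full report above, this split puts every Backdoor.Win32.TDSS hit in the quarantined bucket (ComboFix had already removed them) and leaves the live items as VNC installers, an installed VNC viewer and adware bundled in downloaded setup files, which is the distinction a reviewer needs before deciding what to script for deletion and what is a tool the user installed on purpose.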

Re: Can't get any updates on antivirus/antispyware software

Unread postby abraxas » December 6th, 2008, 2:03 pm

At the end, a fresh HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:00:44 PM, on 12/6/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\Logi_MwX.Exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Winamp\winampa.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\POP Peeper\POPPeeper.exe
C:\Program Files\BigFix\BigFix.exe
C:\WINDOWS\system32\sistray.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Avant Browser\avant.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [POP Peeper] "C:\Program Files\POP Peeper\POPPeeper.exe" -min
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\SpybotSD\TeaTimer.exe
O4 - HKCU\..\Run: [RocketDock] "C:\RocketDock\RocketDock.exe"
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/200 ... oader5.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

--
End of file - 4732 bytes
abraxas
Active Member
Posts: 10
Joined: November 30th, 2008, 6:52 pm

Re: Can't get any updates on antivirus/antispyware software

Unread postby Carolyn » December 7th, 2008, 9:58 am

Hi,

1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:

Code:
KILLALL::

File::
c:\documents and settings\Owner\WhoAreYou.exe
C:\Download\tightvnc-1.3.8-setup.exe
C:\Download\UltraVNC-102-Setup.exe
C:\FromWork\Dejan\Download\dvdbx25.exe
C:\FromWork\Dejan\Download\marinefree_231.exe
C:\Program Files\Microsoft Office\Templates\Presentation Designs\download\setupwavtomp3.exe
C:\Program Files\Microsoft Office\Templates\Presentation Designs\download\vnc-3.3.7-x86_win32.exe
C:\temp\VNC416\vnc-tool-1_4_2-x86_win32.exe


Save this as CFScript.txt, in the same location as ComboFix.exe


Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.



Please post the Combofix log and a fresh HijackThis log.

Also, please let me know how your computer is behaving.
Carolyn
MRU Emeritus
Posts: 4701
Joined: April 18th, 2007, 9:36 am
Location: Maine

Re: Can't get any updates on antivirus/antispyware software

Unread postby abraxas » December 7th, 2008, 11:59 am

OK. Did as I was told.

Combofix log:

ComboFix 08-12-06.06 - Owner 2008-12-07 9:56:56.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.679 [GMT -5:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
* Created a new restore point

FILE ::
c:\documents and settings\Owner\WhoAreYou.exe
c:\download\tightvnc-1.3.8-setup.exe
c:\download\UltraVNC-102-Setup.exe
c:\fromwork\Dejan\Download\dvdbx25.exe
c:\fromwork\Dejan\Download\marinefree_231.exe
c:\program files\Microsoft Office\Templates\Presentation Designs\download\setupwavtomp3.exe
c:\program files\Microsoft Office\Templates\Presentation Designs\download\vnc-3.3.7-x86_win32.exe
c:\temp\VNC416\vnc-tool-1_4_2-x86_win32.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Owner\WhoAreYou.exe
c:\download\tightvnc-1.3.8-setup.exe
c:\download\UltraVNC-102-Setup.exe
c:\fromwork\Dejan\Download\dvdbx25.exe
c:\fromwork\Dejan\Download\marinefree_231.exe
c:\program files\Microsoft Office\Templates\Presentation Designs\download\setupwavtomp3.exe
c:\program files\Microsoft Office\Templates\Presentation Designs\download\vnc-3.3.7-x86_win32.exe
c:\temp\VNC416\vnc-tool-1_4_2-x86_win32.exe

.
((((((((((((((((((((((((( Files Created from 2008-11-07 to 2008-12-07 )))))))))))))))))))))))))))))))
.

2008-12-06 12:59 . 2008-12-06 12:59 <DIR> d-------- c:\program files\Trend Micro
2008-12-05 16:54 . 2008-12-05 16:54 <DIR> d-------- c:\program files\CCleaner
2008-12-05 16:53 . 2008-12-05 16:53 410,984 --a------ c:\windows\system32\deploytk.dll
2008-12-05 16:53 . 2008-12-05 16:53 73,728 --a------ c:\windows\system32\javacpl.cpl
2008-12-05 12:30 . 2008-12-05 16:59 <DIR> d-------- c:\windows\system32\LogFiles
2008-12-05 11:26 . 2008-12-07 05:18 <DIR> d--h----- C:\$AVG8.VAULT$
2008-12-04 23:22 . 2008-12-05 10:02 <DIR> d-------- C:\Email
2008-12-04 00:22 . 2008-12-04 00:22 <DIR> d-------- c:\documents and settings\All Users\Application Data\AntiVir PersonalEdition Classic
2008-11-29 22:54 . 2008-11-29 22:54 <DIR> d-------- c:\program files\Lavasoft
2008-11-29 22:54 . 2008-11-29 22:55 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2008-11-29 22:53 . 2008-11-29 22:53 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2008-11-29 19:24 . 2008-11-29 19:27 <DIR> d-------- c:\program files\SpybotSD
2008-11-29 18:40 . 2008-12-06 23:59 <DIR> d-------- c:\windows\system32\drivers\Avg
2008-11-29 18:40 . 2008-12-05 12:32 97,928 --a------ c:\windows\system32\drivers\avgldx86.sys
2008-11-29 18:40 . 2008-12-05 12:32 76,040 --a------ c:\windows\system32\drivers\avgtdix.sys
2008-11-29 18:40 . 2008-12-05 12:32 10,520 --a------ c:\windows\system32\avgrsstx.dll
2008-11-26 18:07 . 2008-11-26 18:07 <DIR> d-------- c:\program files\AIDA32
2008-11-22 11:41 . 2008-11-22 11:41 <DIR> d-------- c:\temp\website
2008-11-14 20:28 . 2008-11-14 20:29 <DIR> d-------- c:\program files\GPLGS
2008-11-14 20:27 . 2008-11-14 20:27 <DIR> d-------- c:\program files\Acro Software
2008-11-14 20:27 . 2007-07-12 22:33 87,552 --a------ c:\windows\system32\cpwmon2k.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-07 14:54 --------- d-----w c:\documents and settings\Owner\Application Data\Skype
2008-12-07 13:05 --------- d-----w c:\documents and settings\Owner\Application Data\skypePM
2008-12-07 02:05 --------- d-----w c:\program files\Hewlett-Packard
2008-12-06 22:41 --------- d-----w c:\documents and settings\Owner\Application Data\POP Peeper
2008-12-05 22:02 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-05 21:52 --------- d-----w c:\program files\Java
2008-12-03 06:20 --------- d-----w c:\program files\TagRename
2008-12-03 06:19 --------- d-----w c:\program files\Common Files\Symantec Shared
2008-11-30 00:22 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-11-29 23:39 --------- d-----w c:\documents and settings\All Users\Application Data\avg8
2008-11-21 12:29 --------- d-----w c:\program files\Kyodai Mahjongg
2008-11-02 20:17 --------- d--h--w c:\program files\InstallShield Installation Information
2008-10-24 11:10 453,632 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-13 13:09 --------- d-----w c:\program files\QuickTime
2008-10-13 13:08 --------- d-----w c:\program files\Common Files\Apple
2008-10-13 13:08 --------- d-----w c:\documents and settings\All Users\Application Data\Apple Computer
2008-10-13 13:04 --------- d-----w c:\program files\Apple Software Update
2008-10-13 13:04 --------- d-----w c:\documents and settings\All Users\Application Data\Apple
2008-04-07 23:10 31,448 ----a-w c:\documents and settings\Owner\Application Data\GDIPFONTCACHEV1.DAT
2008-04-05 01:05 32 ----a-w c:\documents and settings\All Users\Application Data\ezsid.dat
2008-03-11 23:08 2,426 ----a-w c:\documents and settings\Owner\Application Data\wklnhst.dat
2008-03-08 18:08 0 ----a-w c:\program files\temp01
2007-06-29 18:23 774,144 ----a-w c:\program files\RngInterstitial.dll
2005-10-12 20:43 32 ----a-r c:\documents and settings\All Users\hash.dat
.

((((((((((((((((((((((((((((( snapshot@2008-12-05_11.45.41.48 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-11-29 23:40:17 26,184 ----a-w c:\windows\system32\drivers\avgmfx86.sys
+ 2008-12-05 17:32:43 26,824 ----a-w c:\windows\system32\drivers\avgmfx86.sys
- 2004-10-02 10:59:14 24,670 ----a-w c:\windows\system32\java.exe
+ 2008-12-05 21:53:13 144,792 ----a-w c:\windows\system32\java.exe
- 2004-10-02 10:59:14 28,768 ----a-w c:\windows\system32\javaw.exe
+ 2008-12-05 21:53:13 144,792 ----a-w c:\windows\system32\javaw.exe
+ 2008-12-05 21:53:13 148,888 ----a-w c:\windows\system32\javaws.exe
+ 2008-12-07 15:01:39 16,384 ----atw c:\windows\temp\Perflib_Perfdata_1b4.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-02-13 1587512]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2008-02-01 21898024]
"POP Peeper"="c:\program files\POP Peeper\POPPeeper.exe" [2008-07-18 1437696]
"SpybotSD TeaTimer"="c:\program files\SpybotSD\TeaTimer.exe" [2008-07-30 1829712]
"RocketDock"="c:\rocketdock\RocketDock.exe" [2007-09-02 495616]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2003-11-01 32768]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-03-27 98304]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-03-27 499712]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2006-09-26 35328]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-12-05 1261336]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2005-01-01 180269]
"SiSPower"="SiSPower.dll" [2004-09-02 c:\windows\system32\SiSPower.dll]
"Logitech Utility"="Logi_MwX.Exe" [2003-12-11 c:\windows\LOGI_MWX.EXE]
"SoundMan"="SOUNDMAN.EXE" [2005-04-15 c:\windows\SOUNDMAN.EXE]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
BigFix.lnk - c:\program files\BigFix\BigFix.exe [2004-10-02 1742384]
Utility Tray.lnk - c:\windows\system32\sistray.exe [2004-10-02 331776]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB]
[BU]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.X264"= x264vfw.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"BootSkin Startup Jobs"="c:\progra~1\Stardock\WINCUS~1\BootSkin\BootSkin.exe" /StartupJobs
"PhilipsDM"="c:\program files\Philips\Philips Device Manager\Bin\DeviceManager.exe"
"1A:Stardock TrayMonitor"="c:\program files\Common Files\Stardock\TrayServer.exe"
"LWBKEYBOARD"=c:\program files\MultiMedia Keyboard\MultiMedia Keyboard\1.1\KbdAp32A.exe
"LWBMOUSE"=c:\program files\Browser Mouse\Browser Mouse\1.1\MOUSE32A.EXE
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
"SunJavaUpdateSched"=c:\program files\Java\jre1.5.0_06\bin\jusched.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Avant Browser\\avant.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\TC PowerPack\\TOTALCMD.EXE"=
"c:\\Program Files\\Kyodai Mahjongg\\kmj.exe"=
"c:\\Program Files\\The KMPlayer\\KMPlayer.exe"=
"c:\\Program Files\\Octoshape Streaming Services\\Owner\\OctoshapeClient.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-11-29 97928]
R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2008-12-05 875288]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-12-05 231704]
R2 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\Drivers\avgtdix.sys [2008-11-29 76040]
R3 HSFHWSIS;HSFHWSIS;c:\windows\system32\DRIVERS\HSFHWSIS.sys [2004-10-02 193280]
S2 hpdj3600;hpdj3600;c:\docume~1\Owner\LOCALS~1\Temp\hpdj3600.exe -servicerunning=true -uninstall=hp deskjet 3600 series -product=3600 []
S3 AMDMSRIO;AMDMSRIO;\??\c:\docume~1\Owner\LOCALS~1\Temp\Safe To Delete 3_0_4_8\AMDMSRIO.sys []
S3 SQTECH930B;USB 2.0 PC CAMERA;c:\windows\system32\Drivers\Capt930b.sys []

*Newly Created Service* - HPDJ3600
.
Contents of the 'Scheduled Tasks' folder

2008-12-04 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = iexplore
IE: &Search
FireFox -: Profile - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\e2z78wea.default\
FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://www.trustybox.com/search/?source ... ult-url&q=
FireFox -: prefs.js - STARTUP.HOMEPAGE - file:///c:/intranet/vesti.html
FF -: plugin - c:\documents and settings\Owner\Application Data\Mozilla\plugins\npoctoshape.dll
FF -: plugin - c:\program files\Adobe\Acrobat 7.0\Reader\browser\nppdf32.dll
FF -: plugin - c:\program files\Java\j2re1.4.2\bin\NPJava11.dll
FF -: plugin - c:\program files\Java\j2re1.4.2\bin\NPJava12.dll
FF -: plugin - c:\program files\Java\j2re1.4.2\bin\NPJava13.dll
FF -: plugin - c:\program files\Java\j2re1.4.2\bin\NPJava14.dll
FF -: plugin - c:\program files\Java\j2re1.4.2\bin\NPJava32.dll
FF -: plugin - c:\program files\Java\j2re1.4.2\bin\NPJPI142.dll
FF -: plugin - c:\program files\Java\j2re1.4.2\bin\NPOJI610.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\npgcplug.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\NPMyrMus.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\npracplug.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\npyaxmpb.dll
FF -: plugin - c:\program files\Octoshape Streaming Services\Owner\octoprogram-L03-N00-U00-C00_0804080_000\npoctoshape.dll
FF -: plugin - c:\program files\Real\RealArcade\Plugins\Mozilla\npracplug.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-07 10:01:56
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\wdfmgr.exe
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\windows\system32\rundll32.exe
c:\program files\Skype\Plugin Manager\skypePM.exe
.
**************************************************************************
.
Completion time: 2008-12-07 10:09:31 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-07 15:09:28
ComboFix2.txt 2008-12-05 21:33:12
ComboFix3.txt 2008-12-05 16:46:44
ComboFix4.txt 2007-07-18 22:57:44

Pre-Run: 23,997,382,656 bytes free
Post-Run: 24,095,858,688 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINNT="Microsoft Windows XP Home Edition" /fastdetect

211 --- E O F --- 2008-11-13 08:13:32


Here is the latest HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:16:22 AM, on 12/7/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\Logi_MwX.Exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Winamp\winampa.exe
C:\Program Files\QuickTime\QTTask.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\POP Peeper\POPPeeper.exe
C:\Program Files\SpybotSD\TeaTimer.exe
C:\RocketDock\RocketDock.exe
C:\Program Files\BigFix\BigFix.exe
C:\WINDOWS\system32\sistray.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [POP Peeper] "C:\Program Files\POP Peeper\POPPeeper.exe" -min
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\SpybotSD\TeaTimer.exe
O4 - HKCU\..\Run: [RocketDock] "C:\RocketDock\RocketDock.exe"
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/200 ... oader5.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: hpdj3600 - Unknown owner - C:\DOCUME~1\Owner\LOCALS~1\Temp\hpdj3600.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

--
End of file - 4769 bytes



I can connect to all websites I need, updates are coming down regularly. Computer seems a lot faster, but it's partially caused by the memory upgrade. I've replaced one 256 MB chip with 1 GB right before this "virus cleaning event". But the feeling of being in control again is irreplaceable. Once everything is cleaned and confirmed, my wife will get a separate user account with a low set of privileges...

Thanks for all the help!
abraxas
Active Member
 
Posts: 10
Joined: November 30th, 2008, 6:52 pm
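Before a run like the one above is declared clean, a helper would normally check two things in the ComboFix log by hand: that every path listed under File:: in CFScript.txt actually turned up under "Other Deletions" (ComboFix skips paths it cannot find without complaint), and that no service or driver is still registered to run from a Temp folder (the hpdj3600 and AMDMSRIO entries in the log above are the kind that deserves a second look). The Python below automates both checks; it is an added example, not part of this thread and not ComboFix's own tooling. The CFScript and log embedded in it are trimmed copies of the ones posted here, and one deletion is deliberately left out of the constructed "Other Deletions" section so the first check has something to report.

```python
"""Check a ComboFix run against the CFScript that drove it (added example).
The script and log are trimmed from this thread; one deletion is deliberately
left out of "Other Deletions" so the first check has something to report."""
import re

CFSCRIPT = r"""
KILLALL::

File::
c:\documents and settings\Owner\WhoAreYou.exe
C:\Download\tightvnc-1.3.8-setup.exe
C:\temp\VNC416\vnc-tool-1_4_2-x86_win32.exe
"""

COMBOFIX_LOG = r"""
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
FILE ::
c:\documents and settings\Owner\WhoAreYou.exe
c:\download\tightvnc-1.3.8-setup.exe
c:\temp\VNC416\vnc-tool-1_4_2-x86_win32.exe
.
((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))
.
c:\documents and settings\Owner\WhoAreYou.exe
c:\download\tightvnc-1.3.8-setup.exe
.
((((((((((((( Files Created from 2008-11-07 to 2008-12-07 )))))))))))))
.
2008-12-06 12:59 . 2008-12-06 12:59 <DIR> d-------- c:\program files\Trend Micro
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-11-29 97928]
S2 hpdj3600;hpdj3600;c:\docume~1\Owner\LOCALS~1\Temp\hpdj3600.exe -servicerunning=true []
S3 AMDMSRIO;AMDMSRIO;\??\c:\docume~1\Owner\LOCALS~1\Temp\Safe To Delete 3_0_4_8\AMDMSRIO.sys []
S3 SQTECH930B;USB 2.0 PC CAMERA;c:\windows\system32\Drivers\Capt930b.sys []
"""

# A section header is 'TITLE ::' or a title wrapped in runs of parentheses.
HEADER = re.compile(r"^(?:\(+\s*.+?\s*\)+|\S.*?\s*::)$")
# R*/S* service lines: 'Rn name;description;image [date size]'; the bracket is
# ComboFix's file stamp and is printed empty when it recorded neither.
SERVICE_LINE = re.compile(r"^[RS]\d\s+([^;]+);([^;]*);(.+?)(?:\s+\[([^\]]*)\])?\s*$")
TEMP_MARKERS = ("\\temp\\", "\\locals~1\\temp", "\\local settings\\temp")


def cfscript_files(script):
    """Paths listed under the File:: directive of a CFScript."""
    paths, in_file_block = [], False
    for line in script.splitlines():
        s = line.strip()
        if not s:                        # a blank line ends the directive
            in_file_block = False
        elif s.endswith("::"):           # KILLALL::, File::, Folder:: ...
            in_file_block = s.lower() == "file::"
        elif in_file_block:
            paths.append(s)
    return paths


def log_section(log, title):
    """Lines of one ComboFix log section, minus the '.' spacer lines."""
    out, active = [], False
    for line in log.splitlines():
        s = line.strip()
        if HEADER.match(s):
            active = s.strip("() :").lower() == title.lower()
        elif active and s and s != ".":
            out.append(s)
    return out


def undeleted(script, log):
    """CFScript paths that never appear under 'Other Deletions'. ComboFix
    prints paths in its own case (C:\\Download becomes c:\\download)."""
    deleted = {p.lower() for p in log_section(log, "Other Deletions")}
    return [p for p in cfscript_files(script) if p.lower() not in deleted]


def suspicious_services(log):
    """(name, image, reason) for services that run from a Temp folder or
    carry an empty [] stamp; both are worth a second look before closing."""
    hits = []
    for line in log.splitlines():
        m = SERVICE_LINE.match(line.strip())
        if not m:
            continue
        name, image, stamp = m.group(1), m.group(3), m.group(4)
        reasons = []
        if any(t in image.lower() for t in TEMP_MARKERS):
            reasons.append("runs from a Temp folder")
        if not stamp:
            reasons.append("no date/size stamp")
        if reasons:
            hits.append((name, image, "; ".join(reasons)))
    return hits


if __name__ == "__main__":
    for p in undeleted(CFSCRIPT, COMBOFIX_LOG):
        print("requested but not deleted:", p)
    for name, image, why in suspicious_services(COMBOFIX_LOG):
        print(f"service {name} ({why}): {image}")
```

To use it on a real run, read CFScript.txt and C:\ComboFix.txt into the two strings instead of the trimmed copies. A path the script asked for that never shows up under "Other Deletions" usually means the path was mistyped or the file was already gone, and either way it should be confirmed by hand. A service whose image lives under a Temp folder is worth cross-checking against the HijackThis O23 line of the same name; in the log above, hpdj3600 is reported there as "(file missing)".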

Re: Can't get any updates on antivirus/antispyware software

Unread postby Carolyn » December 8th, 2008, 7:36 pm

This is my general post for when your logs show no more signs of malware ;) Please let me know if you are still having problems with your computer, and what those problems are.

Please take the time to tell us what you would like to be done about the people who are behind all the problems you have had. We can only get something done about this if the people that we help, like you, are prepared to complain. We have a dedicated forum for collecting these complaints Malware Complaints. You need to be registered to post as, unfortunately, we were hit with too many spam posts to allow guest posting to continue. Just find your country room and register your complaint.

Delete ComboFix and Clean Up
Click Start > Run > type combofix /u > OK (Note the space between combofix and /u)
Image
Please advise if this step is missed for any reason as it performs some important actions.

Protection Programs
Don't forget to re-enable any protection programs we disabled during your fix.

General Security and Computer Health
Below are some steps to follow in order to dramatically lower the chances of reinfection. You may have already implemented some of the steps below, however you should follow any steps that you have not already implemented.

  • Set correct settings for files
    • Click Start > My Computer > Tools menu (at top of page) > Folder Options > View tab.
    • Under Hidden files and folders if necessary select Do not show hidden files and folders.
    • If unchecked please check Hide protected operating system files (Recommended)
    • If necessary check Display content of system folders
    • If necessary Uncheck Hide file extensions for known file types.
    • Click OK

  • Make sure that you keep your antivirus updated
    New viruses come out every minute, so it is essential that you have the latest signatures for your antivirus program to provide you with the best possible protection from malicious software.
    Note: You should only have one antivirus installed at a time. Having more than one antivirus program installed at once is likely to cause conflicts and may well decrease your overall protection as well as impairing the performance of your PC.

  • Install and use a firewall with outbound protection
    The Windows firewall only monitors incoming traffic, NOT outgoing. Using a software firewall in its default configuration to replace the Windows firewall greatly reduces the risk of your computer being hacked. Make sure your firewall is always enabled while your computer is connected to the internet.
    Note: You should only have one firewall installed at a time. Having more than one firewall installed at once is likely to cause conflicts and may well decrease your overall protection as well as seriously impairing the performance of your PC.

  • Security Updates for Windows, Internet Explorer & Microsoft Office
    Whenever a security problem in its software is found, Microsoft will usually create a patch so that after the patch is installed, attackers can't use the vulnerability to install malicious software on your PC. Keeping up with these patches will help to prevent malicious software being installed on your PC. Ensure you are registered for Windows updates via Start > right-click on My Computer > Properties > Automatic Updates tab or visit the Microsoft Update site on a regular basis.
    Note: The update process uses ActiveX, so you will need to use internet explorer for it and allow the ActiveX control to install.

  • Update Non-Microsoft Programs
    Microsoft isn't the only company whose products can contain security vulnerabilities. To check whether other programs running on your PC are in need of an update, you can use the Secunia Software Inspector - I suggest that you run it at least once a month.

  • Make Internet Explorer More Secure
    You are using Internet Explorer v. 7. Therefore please read and follow the recommendations at this SITE


Recommended Programs

I would recommend the download and installation of some or all of the following programs (if not already present), and the updating of them on a regular basis.

  • WinPatrol
    As a robust security monitor, WinPatrol will alert you to hijackings, malware attacks and critical changes made to your computer without your permission. WinPatrol takes snapshot of your critical system resources and alerts you to any changes that may occur without your knowledge. For more information, please visit HERE.

  • SpywareBlaster
    SpywareBlaster sets killbits in the registry to prevent known malicious ActiveX controls from installing on your computer. If you don't know what ActiveX controls are, see HERE. You can download SpywareBlaster from HERE.

  • Malwarebytes' Anti-Malware
    Malwarebytes' Anti-Malware is an anti-malware application that can thoroughly remove even the most advanced malware. It includes a number of features, including a built-in protection monitor that blocks malicious processes before they even start. You can download Malwarebytes' Anti-Malware from HERE. You can find a tutorial HERE.

  • Hosts File
    For added protection you may also like to add a host file. A simple explanation of what a Hosts file does is HERE and for more information regarding host files read HERE.

    Be sure to disable the service "DNS Client" FIRST to allow the use of large HOSTS files without slowdowns.
    If this isn't done first, the next reboot may take a VERY LONG TIME.
    This is how to do it. First be sure you are signed in as a user with administrative privileges:
    Stop and Disable the DNS Client Service
    Go to Start, Run and type Services.msc and click OK.
    Under the Extended Tab, Scroll down and find this service.
    DNS Client
    Right-Click on the DNS Client Service. Choose Properties
    Select the General tab. Click on the Stop button.
    Click the Arrow-down tab on the right-hand side at the Start-up Type box.
    From the drop-down menu, click on Manual
    Click the Apply tab, then click OK


  • Use an alternative Internet Browser
    Many of the exploits are directed to users of Internet Explorer. Try using a different browser instead:
    Firefox
    Opera


Finally I am trying to make one point very clear. It is absolutely essential to keep all of your security programs up to date.

Also please read this great article by Tony Klein So How Did I Get Infected In First Place

I'd be grateful if you could reply to this post so that I know you have read it and, if you've no other questions, the thread can be closed.
Carolyn
MRU Emeritus
 
Posts: 4701
Joined: April 18th, 2007, 9:36 am
Location: Maine
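The HOSTS file Carolyn recommends works because the resolver consults it before asking DNS, so a name mapped there never reaches the network. That same mechanism is a classic way to stop a machine from reaching antivirus update sites, which is why a HOSTS file is worth auditing as well as installing. The Python below is an added example, not part of Carolyn's post or of any HOSTS project: it parses a HOSTS file and reports every entry that touches a security vendor's domain, separating names sunk to 0.0.0.0 or 127.0.0.1 (the update just fails) from names redirected to an outside address (traffic goes somewhere somebody else chose). The sample file and the vendor list are constructed for the example; 198.51.100.7 is a documentation address, not a real hijack destination.

```python
"""Audit a HOSTS file for entries that hijack security-vendor names
(added example; the sample file and the vendor list below are constructed)."""
import ipaddress

# Assumed list: vendors of the products in this thread. Extend it to match
# whatever security software is installed on the machine being checked.
PROTECTED_DOMAINS = {
    "avg.com", "safer-networking.org", "lavasoft.com",
    "microsoft.com", "symantec.com", "trendmicro.com",
}

# Constructed sample. Lines 4-5 are ordinary blocklist entries; lines 7-9 are
# the kind a hijack leaves behind (198.51.100.7 is a documentation address).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
# Blocklist entries of the kind an anti-malware HOSTS file adds:
0.0.0.0         ads.example.net
127.0.0.1       tracker.example.org
# Entries of the kind a hijack leaves behind:
127.0.0.1       www.avg.com   free.avg.com
198.51.100.7    www.safer-networking.org  www.lavasoft.com
198.51.100.7    update.microsoft.com   # looks harmless, is a redirect
"""


def parse_hosts(text):
    """Yield (line_no, ip, hostname) for each mapping. One line may carry
    several names, and anything after '#' is a comment."""
    for n, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue                    # blank, comment-only or malformed
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                    # first field is not an address
        for name in fields[1:]:
            yield n, str(ip), name.lower().rstrip(".")


def is_sink(ip):
    """0.0.0.0 and loopback: the addresses blocklists use to blackhole a name."""
    a = ipaddress.ip_address(ip)
    return a.is_unspecified or a.is_loopback


def parent_domain(name):
    """Last two labels; enough for the vendor list above (names under
    example.co.uk would need a public-suffix list instead)."""
    return ".".join(name.split(".")[-2:])


def audit(text, protected=PROTECTED_DOMAINS):
    """(line_no, hostname, ip, kind) for every entry that maps a protected
    domain. A blocklist should never touch these domains, so each hit is a
    finding: 'sinkholed' means updates silently fail, 'redirected' means
    the vendor's traffic is being sent to an address of someone else's choosing."""
    findings = []
    for n, ip, name in parse_hosts(text):
        if name == "localhost" or parent_domain(name) not in protected:
            continue
        kind = "sinkholed" if is_sink(ip) else "redirected"
        findings.append((n, name, ip, kind))
    return findings


if __name__ == "__main__":
    # On Windows XP the live file is %SystemRoot%\system32\drivers\etc\hosts.
    for n, name, ip, kind in audit(SAMPLE_HOSTS):
        print(f"line {n}: {name} -> {ip} ({kind})")
```

Run it as-is to see the five findings from the constructed sample, or pass the contents of %SystemRoot%\system32\drivers\etc\hosts to audit() to check a real machine. Any line it reports should be removed, since neither Windows nor a legitimate blocklist maps vendor update sites; a file that is clean here but still cannot reach those sites points elsewhere (proxy settings, the LSP chain, or the Firefox prefs the ComboFix log above lists).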