Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Hijack.WindowsUpdates removal

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Re: Hijack.WindowsUpdates removal

Unread postby jmw3 » January 13th, 2010, 10:44 pm

Hi

Give it a bit longer, but if it you still have problems, try this one:

ESET Online Scanner
Go here to run an online scannner from ESET.
  • Note: You will need to use Internet explorer for this scan
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activex control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked
  • Click Scan
  • Wait for the scan to finish
  • Use notepad to open the logfile located at C:\Program Files\Eset\Eset Online Scanner\log.txt
  • Copy and paste that log as a reply to this topic
User avatar
jmw3
MRU Emeritus
MRU Emeritus
 
Posts: 4621
Joined: February 12th, 2008, 2:36 am
Location: Port Hedland, Western Australia
Advertisement
Register to Remove

Re: Hijack.WindowsUpdates removal

Unread postby nwitte » January 13th, 2010, 11:16 pm

Alright. Kaspersky's been sitting at 98% done on the same file for about 1 1/2 hrs. Scan duration timer has been stopped the whole time too. Computer is not locked up however. The one i started last night was sitting at 97% when I got up this morning with the timer stuck at about 5-6 hrs, although 8-9 hrs had passed. Do I need to wait this out or is something wrong here?
nwitte
Regular Member
 
Posts: 15
Joined: December 31st, 2009, 12:12 am

Re: Hijack.WindowsUpdates removal

Unread postby jmw3 » January 13th, 2010, 11:34 pm

Hello nwitte

Stop the Kaspersky scan & continue with the ESET Online Scan. In the interim, could you post the logs from Malwarebytes Anti-Malware & ComboFix as previously instructed.

Cheers
User avatar
jmw3
MRU Emeritus
MRU Emeritus
 
Posts: 4621
Joined: February 12th, 2008, 2:36 am
Location: Port Hedland, Western Australia

Re: Hijack.WindowsUpdates removal

Unread postby nwitte » January 13th, 2010, 11:50 pm

Trying Eset now. When I click the yes box and then start in terms of use window, the window resets to the same terms of use page with the box unchecked. Is there some setting in Explorer that is preventing this from starting?
nwitte
Regular Member
 
Posts: 15
Joined: December 31st, 2009, 12:12 am

Re: Hijack.WindowsUpdates removal

Unread postby nwitte » January 13th, 2010, 11:52 pm

MBAM log:

Malwarebytes' Anti-Malware 1.41
Database version: 3143
Windows 5.1.2600 Service Pack 3

1/12/2010 7:01:16 AM
mbam-log-2010-01-12 (07-01-16).txt

Scan type: Full Scan (C:\|)
Objects scanned: 217724
Time elapsed: 2 hour(s), 46 minute(s), 51 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1444\A0125895.sys (Rootkit) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1444\A0125896.sys (Rootkit) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1455\A0133382.sys (Rootkit.Agent) -> Quarantined and deleted successfully.


ComboFix log:

ComboFix 10-01-11.01 - Neil Witte 01/11/2010 21:33:27.1.2 - x86
Running from: c:\documents and settings\Neil Witte\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\COUPON~1.OCX
c:\windows\CouponPrinter.ocx
c:\windows\system32\bszip.dll
c:\windows\system32\Thumbs.db

.
((((((((((((((((((((((((( Files Created from 2009-12-12 to 2010-01-12 )))))))))))))))))))))))))))))))
.

2010-01-09 14:53 . 2010-01-12 02:47 0 ----a-w- c:\documents and settings\Hope Peterson\Local Settings\Application Data\prvlcl.dat
2010-01-02 19:34 . 2010-01-02 19:34 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google
2010-01-01 07:25 . 2010-01-01 07:26 -------- d-----w- c:\documents and settings\Neil Witte\Local Settings\Application Data\Temp
2010-01-01 07:25 . 2010-01-01 07:25 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google
2009-12-31 03:24 . 2009-12-31 03:24 -------- d-----w- c:\program files\TrendMicro

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-12 02:47 . 2009-12-05 18:44 0 ----a-w- c:\documents and settings\Maia\Local Settings\Application Data\prvlcl.dat
2010-01-12 02:47 . 2009-11-14 01:58 0 ----a-w- c:\documents and settings\Adrian Peterson\Local Settings\Application Data\prvlcl.dat
2010-01-11 03:06 . 2005-10-18 02:35 -------- d-----w- c:\program files\QUICKENW
2010-01-01 07:32 . 2005-10-18 04:10 -------- d-----w- c:\program files\Google
2009-12-24 20:07 . 2008-12-25 20:37 -------- d-----w- c:\program files\Disney Micro
2009-12-19 23:56 . 2008-01-31 00:16 -------- d-----w- c:\program files\InterActual
2009-11-29 05:11 . 2006-08-05 04:00 828 ----a-w- c:\windows\eReg.dat
2009-11-29 05:04 . 2009-11-29 05:04 -------- d-----w- c:\program files\EA GAMES
2009-11-29 05:04 . 2005-10-12 11:19 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-11-22 16:13 . 2009-11-21 21:41 -------- d-----w- c:\program files\Rhapsody
2009-11-14 01:05 . 2009-11-14 01:05 -------- d-----w- c:\documents and settings\Adrian Peterson\Application Data\Malwarebytes
2009-11-11 01:29 . 2009-01-20 01:55 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2009-11-11 01:29 . 2009-01-20 01:55 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-11-11 01:29 . 2009-01-20 01:54 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-11-11 01:29 . 2009-01-20 01:54 28424 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-13 68856]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-23 339968]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-03-30 339968]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-07-19 180269]
"Motive SmartBridge"="c:\progra~1\SBCLIG~1\SMARTB~1\MotiveSB.exe" [2003-12-10 380928]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-16 81920]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-02-01 385024]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2009-12-31 2033432]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2004-11-11 806912]

c:\documents and settings\All Users\Start Menu\Programs\Startup\AutorunsDisabled
WinCinema Manager.lnk - c:\program files\Sandisk\Common\Bin\WinCinemaMgr.exe [2007-12-24 303104]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 20:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-11-11 01:29 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Photosmart Premier Fast Start.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Photosmart Premier Fast Start.lnk
backup=c:\windows\pss\HP Photosmart Premier Fast Start.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2007-05-08 21:24 54840 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
2009-10-13 02:24 2000112 ----a-w- c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
"c:\\Program Files\\Rhapsody\\rhapsody.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [1/19/2009 7:54 PM 333192]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [1/19/2009 7:55 PM 360584]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [10/12/2009 8:24 PM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [10/12/2009 8:24 PM 74480]
S1 8615af80;8615af80;c:\windows\system32\drivers\8615af80.sys --> c:\windows\system32\drivers\8615af80.sys [?]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [10/12/2009 8:24 PM 7408]
S3 SQTECH9052;Disney Micro;c:\windows\system32\drivers\Capt9052.sys [12/25/2008 2:37 PM 38656]

--- Other Services/Drivers In Memory ---

*Deregistered* - uphcleanhlp
.
Contents of the 'Scheduled Tasks' folder

2010-01-07 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]

2010-01-12 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-01 07:24]

2010-01-12 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-01 07:24]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.my.yahoo.com/
mSearch Bar = hxxp://red.clientapps.yahoo.com/customi ... ch/ie.html
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://red.clientapps.yahoo.com/customi ... .yahoo.com
IE: &Search
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Neil Witte\Application Data\Mozilla\Firefox\Profiles\cvd9104d.default\
FF - prefs.js: browser.startup.homepage - hxxp://my.yahoo.com/
FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPUploader.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.
- - - - ORPHANS REMOVED - - - -

Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
HKLM-Run-PRISMSVR.EXE - c:\windows\system32\PRISMSVR.EXE
SharedTaskScheduler-{df81915d-5b8c-4067-b857-5a1dffe3cbae} - (no file)
SSODL-pozejimog-{df81915d-5b8c-4067-b857-5a1dffe3cbae} - (no file)
AddRemove-WebCyberCoach_wtrb - c:\program files\WebCyberCoach\b_Dell\WCC_Wipe.exe WebCyberCoach ext\wtrb
AddRemove-Yahoo! Applications - c:\progra~1\Yahoo!\Common\uninstall.exe
AddRemove-{{598D99F7-B97C-424F-B899-69B339336411}} - c:\program files\InstallShield Installation Information\{{598D99F7-B97C-424F-B899-69B339336411}}\setup.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-11 22:06
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\system32\cdm.dll.wusetup.362484.bak 92696 bytes executable
c:\windows\system32\wuapi.dll.mui.wusetup.382953.bak 23576 bytes executable
c:\windows\system32\wuapi.dll.wusetup.381375.bak 561688 bytes executable
c:\windows\system32\wuauclt.exe.wusetup.384046.bak 51224 bytes executable
c:\windows\system32\wuaucpl.cpl.mui.wusetup.389953.bak 23576 bytes executable
c:\windows\system32\wuaucpl.cpl.wusetup.388140.bak 213528 bytes executable
c:\windows\system32\wuaueng.dll.mui.wusetup.398500.bak 18456 bytes executable
c:\windows\system32\wuaueng.dll.wusetup.394578.bak 1809944 bytes executable

scan completed successfully
hidden files: 8

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(628)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
c:\documents and settings\Neil Witte\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL

- - - - - - - > 'explorer.exe'(3104)
c:\windows\system32\WININET.dll
c:\progra~1\SBCLIG~1\SMARTB~1\SBHook.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\program files\AVG\AVG9\avgwdsvc.exe
c:\windows\system32\HPZipm12.exe
c:\program files\UPHClean\uphclean.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\windows\system32\wscntfy.exe
c:\windows\stsystra.exe
.
**************************************************************************
.
Completion time: 2010-01-11 22:26:43 - machine was rebooted
ComboFix-quarantined-files.txt 2010-01-12 04:26

Pre-Run: 41,283,031,040 bytes free
Post-Run: 43,332,927,488 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - 20FADB64A15AE01F0D09D23C99ED9EF7
nwitte
Regular Member
 
Posts: 15
Joined: December 31st, 2009, 12:12 am

Re: Hijack.WindowsUpdates removal

Unread postby jmw3 » January 14th, 2010, 12:50 am

Hi

That ComboFix log is from the first run of ComboFix. Did you run ComboFix again using the instructions for the CFSCript? If so the most current ComboFix log can be found at C:\ComboFix.txt. Could you post that log please.

Cheers
User avatar
jmw3
MRU Emeritus
MRU Emeritus
 
Posts: 4621
Joined: February 12th, 2008, 2:36 am
Location: Port Hedland, Western Australia

Re: Hijack.WindowsUpdates removal

Unread postby nwitte » January 14th, 2010, 1:01 am

Oops. Sorry.

ComboFix 10-01-12.04 - Neil Witte 01/12/2010 19:45:25.2.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.254.88 [GMT -6:00]
Running from: c:\documents and settings\Neil Witte\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Neil Witte\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

FILE ::
"c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll"
"c:\windows\system32\drivers\8615af80.sys"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_8615af80


((((((((((((((((((((((((( Files Created from 2009-12-13 to 2010-01-13 )))))))))))))))))))))))))))))))
.

2010-01-09 14:53 . 2010-01-12 02:47 0 ----a-w- c:\documents and settings\Hope Peterson\Local Settings\Application Data\prvlcl.dat
2010-01-02 19:34 . 2010-01-02 19:34 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google
2010-01-01 07:25 . 2010-01-01 07:26 -------- d-----w- c:\documents and settings\Neil Witte\Local Settings\Application Data\Temp
2010-01-01 07:25 . 2010-01-01 07:25 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google
2009-12-31 03:24 . 2009-12-31 03:24 -------- d-----w- c:\program files\TrendMicro

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-12 02:47 . 2009-12-05 18:44 0 ----a-w- c:\documents and settings\Maia\Local Settings\Application Data\prvlcl.dat
2010-01-12 02:47 . 2009-11-14 01:58 0 ----a-w- c:\documents and settings\Adrian Peterson\Local Settings\Application Data\prvlcl.dat
2010-01-11 03:06 . 2005-10-18 02:35 -------- d-----w- c:\program files\QUICKENW
2010-01-01 07:32 . 2005-10-18 04:10 -------- d-----w- c:\program files\Google
2009-12-31 03:24 . 2009-12-31 03:24 388096 ----a-r- c:\documents and settings\Neil Witte\Application Data\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe
2009-12-24 20:07 . 2008-12-25 20:37 -------- d-----w- c:\program files\Disney Micro
2009-12-22 16:00 . 2009-12-22 16:01 4043544 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgui.exe
2009-12-22 15:59 . 2009-12-22 16:01 3966744 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcorex.dll
2009-12-19 23:56 . 2008-01-31 00:16 -------- d-----w- c:\program files\InterActual
2009-12-18 14:08 . 2009-12-22 16:01 294656 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avglngx.dll
2009-11-29 05:11 . 2006-08-05 04:00 828 ----a-w- c:\windows\eReg.dat
2009-11-29 05:04 . 2009-11-29 05:04 -------- d-----w- c:\program files\EA GAMES
2009-11-29 05:04 . 2005-10-12 11:19 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-11-22 16:13 . 2009-11-21 21:41 -------- d-----w- c:\program files\Rhapsody
2009-11-11 01:29 . 2009-01-20 01:55 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2009-11-11 01:29 . 2009-01-20 01:55 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-11-11 01:29 . 2009-01-20 01:54 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-11-11 01:29 . 2009-01-20 01:54 28424 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-10-27 02:54 . 2009-10-27 02:54 117760 ----a-w- c:\documents and settings\Neil Witte\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-13 68856]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-23 339968]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-03-30 339968]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-07-19 180269]
"Motive SmartBridge"="c:\progra~1\SBCLIG~1\SMARTB~1\MotiveSB.exe" [2003-12-10 380928]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-16 81920]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-02-01 385024]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2009-12-31 2033432]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2004-11-11 806912]

c:\documents and settings\All Users\Start Menu\Programs\Startup\AutorunsDisabled
WinCinema Manager.lnk - c:\program files\Sandisk\Common\Bin\WinCinemaMgr.exe [2007-12-24 303104]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 20:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-11-11 01:29 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Photosmart Premier Fast Start.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Photosmart Premier Fast Start.lnk
backup=c:\windows\pss\HP Photosmart Premier Fast Start.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2007-05-08 21:24 54840 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
2009-10-13 02:24 2000112 ----a-w- c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
"c:\\Program Files\\Rhapsody\\rhapsody.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [1/19/2009 7:54 PM 333192]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [1/19/2009 7:55 PM 360584]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [10/12/2009 8:24 PM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [10/12/2009 8:24 PM 74480]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [11/10/2009 7:28 PM 285392]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/1/2010 1:25 AM 135664]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [10/12/2009 8:24 PM 7408]
S3 SQTECH9052;Disney Micro;c:\windows\system32\drivers\Capt9052.sys [12/25/2008 2:37 PM 38656]

--- Other Services/Drivers In Memory ---

*Deregistered* - uphcleanhlp
.
Contents of the 'Scheduled Tasks' folder

2010-01-07 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]

2010-01-13 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-01 07:24]

2010-01-13 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-01 07:24]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.my.yahoo.com/
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://red.clientapps.yahoo.com/customi ... .yahoo.com
IE: &Search
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Neil Witte\Application Data\Mozilla\Firefox\Profiles\cvd9104d.default\
FF - prefs.js: browser.startup.homepage - hxxp://my.yahoo.com/
FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPUploader.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-12 20:04
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(628)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
c:\documents and settings\Neil Witte\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL

- - - - - - - > 'explorer.exe'(3528)
c:\windows\system32\WININET.dll
c:\progra~1\SBCLIG~1\SMARTB~1\SBHook.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\windows\system32\HPZipm12.exe
c:\program files\UPHClean\uphclean.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\windows\system32\wscntfy.exe
c:\windows\stsystra.exe
.
**************************************************************************
.
Completion time: 2010-01-12 20:14:48 - machine was rebooted
ComboFix-quarantined-files.txt 2010-01-13 02:14
ComboFix2.txt 2010-01-12 04:26

Pre-Run: 43,435,962,368 bytes free
Post-Run: 43,405,926,400 bytes free

- - End Of File - - A4FB68416577BD09223113C272774BC4
nwitte
Regular Member
 
Posts: 15
Joined: December 31st, 2009, 12:12 am

Re: Hijack.WindowsUpdates removal

Unread postby jmw3 » January 14th, 2010, 5:25 pm

Hi

Trying Eset now. When I click the yes box and then start in terms of use window, the window resets to the same terms of use page with the box unchecked. Is there some setting in Explorer that is preventing this from starting?
My apologies. I completely missed this post. Try running it with Firefox. I see you have that listed in your installed programs. Even though my instructions say to use IE, it should work.
Let me know how you go.
User avatar
jmw3
MRU Emeritus
MRU Emeritus
 
Posts: 4621
Joined: February 12th, 2008, 2:36 am
Location: Port Hedland, Western Australia

Re: Hijack.WindowsUpdates removal

Unread postby nwitte » January 15th, 2010, 9:12 am

That worked better and faster too.

ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=6241707a84ca6346a21dfb7d98a67004
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2010-01-15 05:47:30
# local_time=2010-01-14 11:47:30 (-0600, Central Standard Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=1024 16777191 100 0 4708897 4708897 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=97955
# found=0
# cleaned=0
# scan_time=4638
nwitte
Regular Member
 
Posts: 15
Joined: December 31st, 2009, 12:12 am

Re: Hijack.WindowsUpdates removal

Unread postby jmw3 » January 15th, 2010, 3:26 pm

Hi

Logs looks good. Any problems?
User avatar
jmw3
MRU Emeritus
MRU Emeritus
 
Posts: 4621
Joined: February 12th, 2008, 2:36 am
Location: Port Hedland, Western Australia

Re: Hijack.WindowsUpdates removal

Unread postby nwitte » January 15th, 2010, 4:23 pm

No. Are we finished? Do you have any advice for preventing this kind of stuff in the future? My wife, 7 yr old and 12 yr old all use the computer (none w/ admin. privileges). I use Free AVG virus scan, free MBAB (passive, so I have to run scans manually).

I really appreciate all of your help with this.
nwitte
Regular Member
 
Posts: 15
Joined: December 31st, 2009, 12:12 am

Re: Hijack.WindowsUpdates removal

Unread postby jmw3 » January 15th, 2010, 6:39 pm

Hi

No. Are we finished?
Yep... You're good to go. We'll clean up a little then I'll make some recommendations. You should consider paying for the full version of MBAM. It's a one off fee for life time real-time protection, auto update & auto scanning.


Clean Up
Now we need to clear out the programs we've been using to clean up your computer, they are not suitable for general malware removal and could cause damage if used inappropriately.
Remove ComboFix
The following will implement some cleanup procedures as well as reset System Restore points:
Click Start > Run then copy/paste the following bolded text into the Run box and click OK:
ComboFix /Uninstall
OTC
Download OTC by Old Timer here & save it to your desktop.
Double click on OTC.exe. Click on CleanUp!.
You will receive a prompt that it needs to restart the computer to remove the files. Click Yes.
It will restart your computer automatically. If it doesn't, please restart your computer manually.
You can delete the following from your desktop:
DDS.scr
The Gmer.exe file (it will be randomly named .exe file)
RootRepeal.exe & it's zip file
Any logs that may have been saved to your desktop

If you haven't already done so, open Malwarebytes' Anti-Malware, click Quarantine then Delete All. Close the program.
You should also remove HijackThis. You can do this by going to C:\Program Files\Trend Micro\HijackThis
  • Double click HijackThis.exe
  • From the Main menu click Open the Misc Tools section
  • Using the scroll bar, scroll down to Uninstall HijackThis
  • Click Uninstall HijackThis & exit then click Yes at the prompt

All Clean
Congratulations, good work, your system is now clean. Now that your system is safe we would like you to keep it that way.
Take the time to follow these recommendations & it will greatly reduce the risk of further infections and greatly diminish the chances of you having to visit here again.

Create a Clean System Restore Point
Create a new, clean System Restore point which you can use in case of future system problems:
Press Start->All Programs->Accessories->System Tools->System Restore
Select Create a restore point, then Next, type a name like All Clean then press the Create button and once it's done press Close
Now remove old, infected System Restore points:
Next click Start->Run and type cleanmgr in the box and click OK
Ensure the boxes for Temporary Files & Temporary Internet Files are checked. You can choose to check other boxes if you wish but they are not required.
Select the More Options tab, under System Restore click Clean up... and click Yes to the prompt
Click OK and Yes to confirm.

Microsoft Windows Update
Microsoft releases patches for Windows and Office products regularly to patch up Windows and Office products loopholes and fix any bugs found. Install the updates immediately if they are found.
To update Windows
Go to Start > All Programs > Windows Update
To update Office
Open up any Office program.
Go to Help > Check for Updates

Malwarebytes' Anti-Malware
Malwarebytes' Anti-Malware is a new and powerful anti-malware tool. It is totally free but for real-time protection you will have to pay a small one-time fee.
You can find a tutorial here. Keep it updated & run it regularly.

SpywareBlaster
Download and install Javacools SpywareBlaster from here
SpywareBlaster adds a list of ActiveX controls, tracking cookies and sites which will be blocked in either Internet Explorer or Firefox browsers. You need to manually check for updates regularly.

Download and Install a HOSTS File
A HOSTS file is a big list of bad web sites. The list has a specific format, a specific name, (name is just HOSTS with no file extension), and a specific location. Your machine always looks at that file in that location before connecting to a web site to verify the address. So the HOSTS listing can be used to "short circuit" a request to a bad website by giving it the address of your own machine.

Download BlueTack's HOSTS Manager here, using Internet Explorer (Firefox won't work) & save hosts20setup.exe to your desktop:
  • Double click Hosts20setup.exe on your desktop and let it Install the Hosts Manager
  • After the installation is complete, click on the Hosts Manager icon on your desktop. (You can delete the other Hosts Switch icon from your desktop)
  • When the Hosts Manager comes up, click the small down arrows on the right side of the bar labeled Options and Tools,
  • Click Disable DNS Service. This is important
  • In the Left Pane, click Download
  • It will load 80,000 lines or more. When it finishes, also in the left pane, click Replace, and then click Save
You can use this manager to handle your HOSTS file download, edits, and most any other HOSTS issue.
If you have a separate party firewall or Winpatrol, you may have to give permissions at various times to Unlock the present default HOSTS file and install the new one.

Web of Trust
WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:
  • Green to go
  • Yellow for caution
  • Red to stop
WOT has an addon available for both Firefox and Internet Explorer.

Install WinPatrol
Download it here
You can find information about how WinPatrol works here

Read some information here on how to prevent Malware.

Hopefully these steps will help keep your computer clean.

Stand Up and Be Counted ---> Malware Complaints <--- where you can make difference!
The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.

If there are any other questions then feel free to ask or in future do not hesitate to contact us here at The Malware Removal Forums
User avatar
jmw3
MRU Emeritus
MRU Emeritus
 
Posts: 4621
Joined: February 12th, 2008, 2:36 am
Location: Port Hedland, Western Australia

Re: Hijack.WindowsUpdates removal

Unread postby jmw3 » January 18th, 2010, 7:09 pm

As your problems appear to have been resolved, this topic is now closed.

We are pleased we could help you resolve your computer's malware issues.

If you would like to make a comment or leave a compliment regarding the help you have received, please see Feedback for Our Helpers - Say "Thanks" Here.
User avatar
jmw3
MRU Emeritus
MRU Emeritus
 
Posts: 4621
Joined: February 12th, 2008, 2:36 am
Location: Port Hedland, Western Australia
Advertisement
Register to Remove

Previous

  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 498 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware