Jump to content

Hijack.WindowsUpdates keeps repeating on me


Recommended Posts

Apparently I am not alone in this but AntiMalware keeps finding two instances of Hijack.WindowsUpdates. It removes them but they reappear next time I boot up.

Touch wood the effects seem relatively benign in that I seem to be able to access the Internet and the PC is running no slower than normal (i.e. still too slow!) but I have noticed that Windows Update does not work. I get error message 0x80070002. I am not massively concerned about this as I can get round this with Windows Updates Downloader or Autopatcher or similar.

Still, if Hijack.WindowsUpdates is causing the problem (or even if it is not) it would be nice to clean the machine.

FWIW, I have used the following bits of software to check my machine:

AVG free

Drive Sentry

A2 (A-squared)

AdAware

Dr. Web CureIt (boot disk)

AntiMalware

SuperAntiSpyware

Spybot S&D

Windows Defender

I am running the online Kaspersky scanner as I type this.

FWIW, AntiMalware is the only software that finds Hijack.WindowsUpdates.

Here is the AntiMalware log.

- - - - -

Malwarebytes' Anti-Malware 1.41

Database version: 2904

Windows 5.1.2600 Service Pack 3

10/10/2009 09:25:43

mbam-log-2009-10-10 (09-25-43).txt

Scan type: Quick Scan

Objects scanned: 130044

Time elapsed: 20 minute(s), 43 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 2

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BITS\ImagePath (Hijack.WindowsUpdates) -> Bad: (%fystemRoot%\System32\svchost.exe -k netsvcs) Good: (%SystemRoot%\System32\svchost.exe -k netsvcs) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\wuauserv\ImagePath (Hijack.WindowsUpdates) -> Bad: (%fystemroot%\system32\svchost.exe -k netsvcs) Good: (%SystemRoot%\System32\svchost.exe -k netsvcs) -> Quarantined and deleted successfully.

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

- - - - - -

Here is the HijackThis log file.

- - - - - -

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 14:26:53, on 10/10/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)

Boot mode: Normal

Running processes:

C:\WINME\System32\smss.exe

C:\WINME\system32\winlogon.exe

C:\WINME\system32\services.exe

C:\WINME\system32\lsass.exe

C:\WINME\system32\svchost.exe

C:\Program Files\Windows Defender\MsMpEng.exe

C:\WINME\System32\svchost.exe

C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

C:\WINME\system32\spoolsv.exe

C:\Program Files\a-squared Free\a2service.exe

C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

C:\WINME\Explorer.EXE

C:\Program Files\DriveSentry\DriveSentryService.exe

C:\WINME\system32\nvsvc32.exe

C:\WINME\System32\svchost.exe

C:\PROGRA~1\AVG\AVG8\avgemc.exe

C:\PROGRA~1\AVG\AVG8\avgrsx.exe

C:\PROGRA~1\AVG\AVG8\avgnsx.exe

C:\Program Files\AVG\AVG8\avgcsrvx.exe

C:\PROGRA~1\AVG\AVG8\avgtray.exe

C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe

C:\Program Files\Windows Defender\MSASCui.exe

C:\Program Files\DriveSentry\DriveSentry.exe

C:\WINME\system32\ctfmon.exe

C:\Program Files\MSN Messenger\msnmsgr.exe

C:\WINME\System32\svchost.exe

C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

C:\Program Files\Microsoft Office\Office\WINWORD.EXE

C:\Documents and Settings\dad\Application Data\Mozilla\Firefox\Mozilla Firefox\updates\0\updater.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINME\SYSTEM\blank.htm

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O4 - HKLM\..\Run: [systemTray] SysTray.Exe

O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINME\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe

O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide

O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript

O4 - HKLM\..\Run: [DriveSentry] C:\Program Files\DriveSentry\DriveSentry.exe

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINME\system32\ctfmon.exe

O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINME\System32\CTFMON.EXE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINME\System32\CTFMON.EXE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINME\System32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\S-1-5-18\..\RunOnce: [Printing Migration] rundll32.exe C:\WINME\System32\spool\migrate.dll,ProcessWin9xNetworkPrinters (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINME\System32\CTFMON.EXE (User 'Default user')

O4 - HKUS\.DEFAULT\..\RunOnce: [Printing Migration] rundll32.exe C:\WINME\System32\spool\migrate.dll,ProcessWin9xNetworkPrinters (User 'Default user')

O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZNfox000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINME\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINME\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O12 - Plugin for .dcr: I:\APPS\OPERA\PLUGINS\np32dsw.dll

O15 - Trusted Zone: *.musicmatch.com

O15 - Trusted Zone: *.musicmatch.com (HKLM)

O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} - http://housecall60.trendmicro.com/housecall/xscan60.cab

O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/betapit/PCPitStop.CAB

O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eB...l_v1-0-3-30.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1254699899203

O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab

O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab

O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab

O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

O20 - Winlogon Notify: avgrsstarter - C:\WINME\SYSTEM32\avgrsstx.dll

O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe

O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe

O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINME\

O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

O23 - Service: DriveSentryService - Unknown owner - C:\Program Files\DriveSentry\DriveSentryService.exe

O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINME\system32\nvsvc32.exe

O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\WINME\

--

End of file - 7211 bytes

- - - - - -

Let me know if you need any more info. Thanks in advance for any help you can offer.

Regards,

John

Link to post
Share on other sites

Hi,

Please download and run WUS_Fix.exe: http://users.telenet.be/marcvn/tools/WUS_Fix.exe

This should restore the default registry settings related with BITS and Automatic updates.

Let me know if that solved your issue.

It appears to have done the trick. I ran a quick scan which normally returns the same two issues and this time it did not. I am just running a full scan now to make sure but, touch wood, the issue has been resolved.

Thanks very much.

John

Link to post
Share on other sites

  • Staff

Glad I could help. <_<

Please read my Prevention page with lots of info and tips how to prevent this in the future.

And if you want to improve speed/system performance after malware removal, take a look here.

Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again!

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.