Hijack.windowsupdate Logs

todoinst · November 16, 2009

Malwarebytes' Anti-Malware 1.41

Database version: 3179

Windows 5.1.2600 Service Pack 2

11/16/2009 11:43:23 AM

mbam-log-2009-11-16 (11-43-23).txt

Scan type: Quick Scan

Objects scanned: 186299

Time elapsed: 14 minute(s), 2 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 2

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BITS\ImagePath (Hijack.WindowsUpdates) -> Bad: (%fystemRoot%\System32\svchost.exe -k netsvcs) Good: (%SystemRoot%\System32\svchost.exe -k netsvcs) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\wuauserv\ImagePath (Hijack.WindowsUpdates) -> Bad: (%fystemroot%\system32\svchost.exe -k netsvcs) Good: (%SystemRoot%\System32\svchost.exe -k netsvcs) -> Quarantined and deleted successfully.

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 12:40:34 PM, on 11/16/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe

D:\PROGRA~1\avgwdsvc.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

D:\PROGRA~1\avgrsx.exe

D:\Program Files\TrueImageMonitor.exe

D:\PROGRA~1\avgnsx.exe

D:\Program Files\TimounterMonitor.exe

C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe

D:\Program Files\IObit\Advanced WindowsCare V2\MemCleaner.exe

D:\PROGRA~1\avgtray.exe

C:\WINDOWS\system32\ctfmon.exe

D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

C:\Documents and Settings\Linda\Application Data\Smilebox\SmileboxTray.exe

C:\WINDOWS\system32\wscntfy.exe

D:\Program Files\Conceptworld\RecentX\RecentX.exe

D:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

D:\Program Files\Mozilla Firefox\firefox.exe

D:\Program Files\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://toolbar.ask.com/toolbarv/askRedirec...amp;gc=1&q=

R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://toolbar.ask.com/toolbarv/askRedirec...amp;gc=1&q=

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://toolbar.ask.com/toolbarv/askRedirec...p;gc=1&q=%s

R3 - URLSearchHook: DefaultSearchHook Class - {C94E154B-1459-4A47-966B-4B843BEFC7DB} - C:\Program Files\AskSearch\bin\DefaultSearch.dll (file missing)

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - D:\Program Files\avgssie.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O2 - BHO: &Google Notebook - {CCCCCCD3-666F-4F81-8B69-745DE9F6D897} - C:\Program Files\Google\Google Notebook\gnotes1.0.2.19-1197297785.dll

O3 - Toolbar: Google Notebook - {CCCCCCDB-4DDB-4703-95D4-DD2C526397BF} - C:\Program Files\Google\Google Notebook\gnotes1.0.2.19-1197297785.dll

O4 - HKLM\..\Run: [QuickFinder Scheduler] "D:\Program Files\WordPerfect Office 11\Programs\QFSCHD110.EXE"

O4 - HKLM\..\Run: [samsung Common SM] "C:\WINDOWS\Samsung\ComSMMgr\ssmmgr.exe" /autorun

O4 - HKLM\..\Run: [TrueImageMonitor.exe] D:\Program Files\TrueImageMonitor.exe

O4 - HKLM\..\Run: [AcronisTimounterMonitor] D:\Program Files\TimounterMonitor.exe

O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"

O4 - HKLM\..\Run: [smartRAM] D:\Program Files\IObit\Advanced WindowsCare V2\MemCleaner.exe /m

O4 - HKLM\..\Run: [AVG8_TRAY] D:\PROGRA~1\avgtray.exe

O4 - HKCU\..\Run: [Copernic Desktop Search] "D:\Program Files\Copernic Desktop Search\CopernicDesktopSearch.exe" /tray

O4 - HKCU\..\Run: [updateMgr] "D:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [\\RYOKAN\EPSON Stylus NX400 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIEGA.EXE /FU "C:\DOCUME~1\Linda\LOCALS~1\Temp\E_S52.tmp" /EF "HKCU"

O4 - HKCU\..\Run: [sUPERAntiSpyware] D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

O4 - HKCU\..\Run: [smileboxTray] "C:\Documents and Settings\Linda\Application Data\Smilebox\SmileboxTray.exe"

O4 - Startup: RecentX.lnk = D:\Program Files\Conceptworld\RecentX\RecentX.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\MICROS~2\Office10\EXCEL.EXE/3000

O8 - Extra context menu item: Note this (Google Notebook) - res://C:\Program Files\Google\Google Notebook\gnotes1.0.2.19-1197297785.dll/gn_menu1.html

O8 - Extra context menu item: Note this item (Google Notebook) - res://C:\Program Files\Google\Google Notebook\gnotes1.0.2.19-1197297785.dll/gn_menu2.html

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1238598753046

O17 - HKLM\System\CCS\Services\Tcpip\..\{3E536EF8-6696-4440-A1D5-549A9A346D7A}: NameServer = 65.19.68.30,65.19.68.31

O17 - HKLM\System\CS1\Services\Tcpip\..\{3E536EF8-6696-4440-A1D5-549A9A346D7A}: NameServer = 65.19.68.30,65.19.68.31

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - D:\Program Files\avgpp.dll

O20 - Winlogon Notify: !saswinlogon - D:\Program Files\SUPERAntiSpyware\SASWINLO.dll

O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll

O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe

O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - D:\PROGRA~1\avgwdsvc.exe

O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe (file missing)

O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\WINDOWS\

--

End of file - 5896 bytes

todoinst · November 17, 2009

Hi,

We are a small non-profit organization in the mental health field and only have a few functional computers. One of our computers is infected (see logs below) and our ISP is locking us out of our FTP access until we can verify that our local computer is virus free. We are facing a Hijack.WindowsUpdates virus that we cannot remove with our Malwarebytes program. I realize that the assistance in this forum is volunteer and I would like to sincerely thank the volunteers for being so generous with their time. If it is possible for someone to assist us with our virus situation we would be extremely grateful.

Thank you very much.

Malwarebytes' Anti-Malware 1.41
Database version: 3179
Windows 5.1.2600 Service Pack 2
11/16/2009 11:43:23 AM
mbam-log-2009-11-16 (11-43-23).txt
Scan type: Quick Scan
Objects scanned: 186299
Time elapsed: 14 minute(s), 2 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BITS\ImagePath (Hijack.WindowsUpdates) -> Bad: (%fystemRoot%\System32\svchost.exe -k netsvcs) Good: (%SystemRoot%\System32\svchost.exe -k netsvcs) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\wuauserv\ImagePath (Hijack.WindowsUpdates) -> Bad: (%fystemroot%\system32\svchost.exe -k netsvcs) Good: (%SystemRoot%\System32\svchost.exe -k netsvcs) -> Quarantined and deleted successfully.
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:40:34 PM, on 11/16/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
D:\PROGRA~1\avgwdsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
D:\PROGRA~1\avgrsx.exe
D:\Program Files\TrueImageMonitor.exe
D:\PROGRA~1\avgnsx.exe
D:\Program Files\TimounterMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
D:\Program Files\IObit\Advanced WindowsCare V2\MemCleaner.exe
D:\PROGRA~1\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Documents and Settings\Linda\Application Data\Smilebox\SmileboxTray.exe
C:\WINDOWS\system32\wscntfy.exe
D:\Program Files\Conceptworld\RecentX\RecentX.exe
D:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
D:\Program Files\Mozilla Firefox\firefox.exe
D:\Program Files\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://toolbar.ask.com/toolbarv/askRedirec...amp;gc=1&q=
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://toolbar.ask.com/toolbarv/askRedirec...amp;gc=1&q=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://toolbar.ask.com/toolbarv/askRedirec...p;gc=1&q=%s
R3 - URLSearchHook: DefaultSearchHook Class - {C94E154B-1459-4A47-966B-4B843BEFC7DB} - C:\Program Files\AskSearch\bin\DefaultSearch.dll (file missing)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - D:\Program Files\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: &Google Notebook - {CCCCCCD3-666F-4F81-8B69-745DE9F6D897} - C:\Program Files\Google\Google Notebook\gnotes1.0.2.19-1197297785.dll
O3 - Toolbar: Google Notebook - {CCCCCCDB-4DDB-4703-95D4-DD2C526397BF} - C:\Program Files\Google\Google Notebook\gnotes1.0.2.19-1197297785.dll
O4 - HKLM\..\Run: [QuickFinder Scheduler] "D:\Program Files\WordPerfect Office 11\Programs\QFSCHD110.EXE"
O4 - HKLM\..\Run: [samsung Common SM] "C:\WINDOWS\Samsung\ComSMMgr\ssmmgr.exe" /autorun
O4 - HKLM\..\Run: [TrueImageMonitor.exe] D:\Program Files\TrueImageMonitor.exe
O4 - HKLM\..\Run: [AcronisTimounterMonitor] D:\Program Files\TimounterMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [smartRAM] D:\Program Files\IObit\Advanced WindowsCare V2\MemCleaner.exe /m
O4 - HKLM\..\Run: [AVG8_TRAY] D:\PROGRA~1\avgtray.exe
O4 - HKCU\..\Run: [Copernic Desktop Search] "D:\Program Files\Copernic Desktop Search\CopernicDesktopSearch.exe" /tray
O4 - HKCU\..\Run: [updateMgr] "D:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [\\RYOKAN\EPSON Stylus NX400 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIEGA.EXE /FU "C:\DOCUME~1\Linda\LOCALS~1\Temp\E_S52.tmp" /EF "HKCU"
O4 - HKCU\..\Run: [sUPERAntiSpyware] D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [smileboxTray] "C:\Documents and Settings\Linda\Application Data\Smilebox\SmileboxTray.exe"
O4 - Startup: RecentX.lnk = D:\Program Files\Conceptworld\RecentX\RecentX.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Note this (Google Notebook) - res://C:\Program Files\Google\Google Notebook\gnotes1.0.2.19-1197297785.dll/gn_menu1.html
O8 - Extra context menu item: Note this item (Google Notebook) - res://C:\Program Files\Google\Google Notebook\gnotes1.0.2.19-1197297785.dll/gn_menu2.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1238598753046
O17 - HKLM\System\CCS\Services\Tcpip\..\{3E536EF8-6696-4440-A1D5-549A9A346D7A}: NameServer = 65.19.68.30,65.19.68.31
O17 - HKLM\System\CS1\Services\Tcpip\..\{3E536EF8-6696-4440-A1D5-549A9A346D7A}: NameServer = 65.19.68.30,65.19.68.31
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - D:\Program Files\avgpp.dll
O20 - Winlogon Notify: !saswinlogon - D:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - D:\PROGRA~1\avgwdsvc.exe
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe (file missing)
O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\WINDOWS\
--
End of file - 5896 bytes

screen317 · December 18, 2009

Hi and welcome to Malwarebytes.

My apologies for the delay. Do you still need help?

-screen317

screen317 · December 26, 2009

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

Sign In

Hijack.windowsupdate Logs

Recommended Posts

todoinst

Link to post

Share on other sites

todoinst

Link to post

Share on other sites

screen317

Link to post

Share on other sites

screen317

Link to post

Share on other sites

Recently Browsing 0 members

Browse

Activity

Personal

Business

Business Modules

Partners

Learn

Start here

Type of malware/attacks

How does it get on my computer?

Scams and grifts

Support

Important Information