AVG-Windows update failure

Closed
akatextileas Posts 2 Registration date Monday December 8, 2008 Status Member Last seen December 9, 2008 - Dec 9, 2008 at 09:00 AM
 lll - Apr 20, 2010 at 09:29 AM
Hello,
I have got a problem with updates. I think there is a new kind of virus that is affecting the computer's ability to browse the Windows Update and antivirus update web pages, and even to open all other antivirus sites at the same time.
It is really a strange type.
I use the AVG 8.0 Free edition and surely cannot update, open the www.avg.com site to update, or browse any other latest antivirus sites to download the latest antivirus editions to solve my problem.
Please help me with how to solve it.
78 responses

TheParoxysm Posts 169 Registration date Sunday December 7, 2008 Status Member Last seen March 25, 2011 74
Dec 9, 2008 at 01:46 PM
The chances of this being a virus are low.
The chances of this being non-viral malware are extremely high.

Download and execute HiJack This! (HJT)
http://www.trendsecure.com/portal/en...HJTInstall.exe

Then post the contents of the HJT log here.

Also! This could also be malware that has edited your hosts file. Meaning, whenever you look to surf antivirus or antispyware/malware websites, it redirects you to the address of your own internet port! Which is a pain in the butt!

So look at your "hosts" file, that is, C:\windows\system32\drivers\etc\hosts. (hosts has no extension; it is just "hosts".)

(Note, you may need to change the Windows Explorer setting to allow seeing system and hidden files.)

This file can be used to bypass a DNS server, effectively equating a web address to a specific place. However, it can also be used to short-circuit any website, pointing it back to the local PC. That is a great way to block advertisements, but it could also be used to prevent access to specific websites, like antivirus.

The minimum contents of a hosts file is the one line below:

127.0.0.1 localhost

Other lines are optional.

For example, to block a website called "www.ads.active.com", add a line like:

127.0.0.1 ads.active.com

Placing a "#" in column one of a line makes it a comment.
5
Thank you once again for your help.
I tried all you have written and explained.
But the result is the same.
Shall I download "HijackThis"?
The hosts file consists of 127.0.0.1 localhost only.
So what shall we do next?
I really appreciate your kind help.
0
Hi,

I have the same problem. My Windows Defender cannot update, nor can a manual Windows Update. AVG seems to update, but doesn't detect any errors. I tried to do the Trend Micro HouseCall, but it couldn't work - an error occurred right at the beginning. HijackThis ran normally the first time, then the second time it came up with an error and asked me to run it as administrator. I did this, and it presented the following log. Could someone help me identify the stuff I should remove? Thank you.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:49:07 PM, on 28/03/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Acer\Empowering Technology\ePower\ePower_DMC.exe
C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDSLoader.exe
C:\Program Files\Acer\Empowering Technology\eAudio\eAudio.exe
C:\Program Files\NewTech Infosystems\NTI Backup Now 5\BkupTray.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\PLFSetI.exe
C:\Program Files\Acer\Acer Bio Protection\PdtWzd.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Launch Manager\LManager.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Acer Arcade Deluxe\Acer Arcade Deluxe\ArcadeDeluxeAgent.exe
C:\Program Files\Acer Arcade Deluxe\Acer Arcade Deluxe\Kernel\CLML\CLMLSvc.exe
C:\Program Files\Acer Arcade Deluxe\PlayMovie\PMVService.exe
C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE
C:\Program Files\Acer\Acer Bio Protection\PwdBank.exe
C:\Program Files\ScanSoft\OmniPageSE4\OpWareSE4.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Windows\system32\igfxext.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\VoipStunt.com\VoipStunt\VoipStunt.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Acer\Acer VCM\AcerVCM.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Users\RUBEND~1\AppData\Local\Temp\RtkBtMnt.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Acer\Acer VCM\acp2HID.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Program Files\Windows Live\Mail\wlmail.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\Common Files\Adobe\Updater6\Adobe_Updater.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = https://www.bing.com/?toHttps=1&redig=53EEB45F21EA47F2B95DF58497B5E6B6
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://en.us.acer.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = https://www.bing.com/?toHttps=1&redig=53EEB45F21EA47F2B95DF58497B5E6B6
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = https://www.bing.com/?toHttps=1&redig=53EEB45F21EA47F2B95DF58497B5E6B6
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://en.us.acer.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDStoolbar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [ePower_DMC] C:\Program Files\Acer\Empowering Technology\ePower\ePower_DMC.exe
O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDSloader.exe
O4 - HKLM\..\Run: [eAudio] "C:\Program Files\Acer\Empowering Technology\eAudio\eAudio.exe"
O4 - HKLM\..\Run: [BkupTray] "C:\Program Files\NewTech Infosystems\NTI Backup Now 5\BkupTray.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [Acer Assist Launcher] C:\Program Files\Acer\Acer Assist\launcher.exe
O4 - HKLM\..\Run: [Acer Product Registration] "C:\Program Files\Acer\Acer Registration\ACE1.exe" /startup
O4 - HKLM\..\Run: [PLFSetI] C:\Windows\PLFSetI.exe
O4 - HKLM\..\Run: [ZPdtWzdVitaKey MC3000] "C:\Program Files\Acer\Acer Bio Protection\PdtWzd.exe" show
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\LManager.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ArcadeDeluxeAgent] "C:\Program Files\Acer Arcade Deluxe\Acer Arcade Deluxe\ArcadeDeluxeAgent.exe"
O4 - HKLM\..\Run: [CLMLServer] "C:\Program Files\Acer Arcade Deluxe\Acer Arcade Deluxe\Kernel\CLML\CLMLSvc.exe"
O4 - HKLM\..\Run: [PlayMovie] "C:\Program Files\Acer Arcade Deluxe\PlayMovie\PMVService.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe /logon
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [VoipStunt] "C:\Program Files\VoipStunt.com\VoipStunt\VoipStunt.exe" -nosplash -minimized
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: OpenOffice.org 3.0.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe
O4 - Global Startup: Acer VCM.lnk = ?
O4 - Global Startup: Bluetooth.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send image to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Send page to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Quick-Launching Area - {10954C80-4F0F-11d3-B17C-00C0DFE39736} - C:\Program Files\Acer\Acer Bio Protection\PwdBank.exe
O9 - Extra 'Tools' menuitem: Quick-Launching Area - {10954C80-4F0F-11d3-B17C-00C0DFE39736} - C:\Program Files\Acer\Acer Bio Protection\PwdBank.exe
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O13 - Gopher Prefix:
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: AWinNotifyVitaKey MC3000 - C:\Program Files\Acer\Acer Bio Protection\WinNotify.dll
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: NTI Backup Now 5 Agent Service (BUNAgentSvc) - NewTech Infosystems, Inc. - C:\Program Files\NewTech Infosystems\NTI Backup Now 5\Client\Agentsvc.exe
O23 - Service: CLHNService - Unknown owner - C:\Program Files\Acer Arcade Deluxe\HomeMedia\Kernel\DMP\CLHNService.exe
O23 - Service: eDataSecurity Service - Egis Incorporated - C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDSService.exe
O23 - Service: Empowering Technology Service (ETService) - Unknown owner - C:\Program Files\Acer\Empowering Technology\Service\ETService.exe
O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: Google Update Service (gupdate1c98f382744ce9d) (gupdate1c98f382744ce9d) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iGroupTec Service (IGBASVC) - Unknown owner - C:\Program Files\Acer\Acer Bio Protection\BASVC.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: MobilityService - Unknown owner - C:\Acer\Mobility Center\MobilityService.exe
O23 - Service: NTI Backup Now 5 Backup Service (NTIBackupSvc) - NewTech InfoSystems, Inc. - C:\Program Files\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe
O23 - Service: NTI Backup Now 5 Scheduler Service (NTISchedulerSvc) - Unknown owner - C:\Program Files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\Cyberlink\Shared files\RichVideo.exe
O23 - Service: Raw Socket Service (RS_Service) - Acer Incorporated - C:\Program Files\Acer\Acer VCM\RS_Service.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe
0
TheParoxysm Posts 169 Registration date Sunday December 7, 2008 Status Member Last seen March 25, 2011 74
Dec 10, 2008 at 07:47 AM
I would definitely try to use HiJack this.
3
Again, the browser doesn't let me browse your recommended "http://www.trendsecure.com/portal/en...HJTInstall.exe" site.
What to do next? Any suggestion?
How can a malware think of all our best moves to get rid of it and prepare for them all, one by one,
in advance?
Thank you
Regards
0
afig13 > akatextileas
Dec 30, 2008 at 08:46 AM
Same thing is happening to me. I upgraded advanced windows care to version 3. scanned only to find a trojan click virus or something. I tried to get HiJack This! (HJT) but when I click on the link I only get an error.
0
Morphine > afig13
Dec 31, 2008 at 04:22 PM
Argh! I have this same exact thing... on 2 computers that are hard wired to a wireless router.

Blocks ALL update sites; Windows, AVG, anything. But allows for browsing no problem. The Windows updater page redirects to a "page not found", everything else just gives some sort of "failed to connect" message.

I've run every virus and malware software known to man.... nothing fixes it. It has crippled my systems.
0
sheepdog > Morphine
Jan 3, 2009 at 10:58 PM
Morphine - where did you get Trojan Remover? Did you need to DL it on a non-infected PC first? I'm having the same symptoms....Spybot, SUPERAnti-Virus, AVG, et al. have indicated the presence of Virtumonde, smitfraud-c, and win32.sdBot.aad type viruses/malware....smitfraudfix seemed to wipe out Smitfraud-C, yet Virtumonde remains and the win32.sdBot.aad showed up after smitfraud-c was removed.

Whatever is happening, it seems to block access to ANY site with the words anti-virus, security, removal, etc...as 'thecoat' stated above: "The malware is intercepting windows dns resolutions at the highest levels". Indeed...
0
Morphine > sheepdog
Jan 3, 2009 at 11:13 PM
I got it from here: https://www.softpedia.com/get/Antivirus/Trojan-Remover.shtml

Both my PCs were infected, so I loaded it up on both, then just ran it.
0
I have this same virus...this is the first site I've found that has an idea of what's going on....
3
I took the lazy way out, backed up important data, scanned it on my Gentoo system, reformatted and reinstalled, no problems from the files I backed up yet. Reformats always work. Just wish I didn't have to.

God forbid I ever run into one of these pests who have the nerve to create said malware, they'll find out just why I bothered to get a concealed carry permit.

Though my suspicions lay around the idea that a lot of people profit from malware and fixing it. Tis why I only ever use freeware period. Nobody should ever pay for antivirus software. Ever.

Of course, there is the random fat greasy pimply 30 year old boy living in his mother's basement trying to get revenge at the world because he is a fail.
3

Just some technical info on this issue, working on my girlfriend's computer atm and she's having this issue. Name resolution is being intercepted in some way. Windows TCP/IP name resolution goes through several steps: the first is to check the local system's DNS cache. The second is that it checks the hosts file. I added www.avg.com with the correct address in the hosts file. The address still resolved as 127.0.0.1 (localhost). I then did an ipconfig /flushdns, which should flush the DNS cache on the local machine. This also did not work and www.avg.com still resolved as 127.0.0.1.

ipconfig /displaydns listed only two common correct entries in the DNS cache.

This malware is intercepting Windows DNS resolution at the highest levels. It is not messing with the Windows DNS cache or the hosts file, as is typically the case with hijacks.

This most likely means that there is an actively executing program doing the hijack, or a replaced library to which a program is making calls. Most likely the former. I'll post a solution if I find one.
2
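A small audit script covering both explanations above, TheParoxysm's hosts-file block and TheCoat's finding that a correct hosts entry was still answered with 127.0.0.1; it is an added example, not code from either poster. The WATCHLIST domains, the sample hosts text, the 203.0.113.10 address and the helper names are constructed for this example.

```python
"""Audit a Windows hosts file and classify a suspicious name resolution.

Added example (not code from the thread). Two checks drawn from the posts:
  1. entries that pin update/antivirus hostnames to a loopback or null
     address (the hosts-file hijack TheParoxysm describes);
  2. given what a name actually resolved to, decide whether the hosts file
     explains it or whether resolution is being intercepted elsewhere, the
     situation TheCoat hit when a correct hosts entry still gave 127.0.0.1.
"""
import ipaddress
import os
import socket
from typing import Dict, List, Optional

# Addresses a hosts-file "block" entry typically points at.
LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}

# Hostnames the thread's posters could not reach (assumed watchlist; extend as needed).
WATCHLIST = {"www.avg.com", "update.microsoft.com", "www.symantec.com", "www.trendsecure.com"}

# Constructed sample hosts file; 203.0.113.10 is a documentation address, not a real one.
SAMPLE_HOSTS = """\
# constructed sample, not a real machine's file
127.0.0.1       localhost
::1             localhost
# ad blocking, the legitimate use of a loopback entry
127.0.0.1       ads.active.com
# what a hijack looks like: several names pinned to loopback on one line
127.0.0.1       www.avg.com update.microsoft.com
# a correct entry, the kind TheCoat added for www.avg.com
203.0.113.10    www.symantec.com
"""

WINDOWS_HOSTS = r"C:\Windows\System32\drivers\etc\hosts"


def parse_hosts(text: str) -> Dict[str, str]:
    """Map hostname -> address from hosts-file text.

    '#' starts a comment (handled anywhere on the line, which covers the
    column-one case the thread mentions); the first field is the address and
    every later field is a name for it. Later lines win for a repeated name.
    """
    mapping: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            addr = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue  # malformed address field: skip rather than crash
        for name in fields[1:]:
            mapping[name.lower()] = addr
    return mapping


def find_blocked_hosts(mapping: Dict[str, str], watchlist=WATCHLIST) -> List[str]:
    """Watched hostnames that the hosts file pins to a loopback/null address."""
    return sorted(h for h, a in mapping.items() if h in watchlist and a in LOOPBACK)


def classify_resolution(host: str, resolved: str, mapping: Dict[str, str]) -> str:
    """Explain a loopback resolution result using the hosts-file contents.

    'hosts-file redirect'           : the hosts file itself pins the name to loopback
    'intercepted outside hosts file': hosts has a correct entry that was not honoured,
                                      so something earlier in the resolver path
                                      (a running process or replaced library) answered
    'loopback without hosts entry'  : no hosts entry, yet loopback came back (cache or
                                      resolver tampering; try ipconfig /flushdns first)
    """
    resolved = str(ipaddress.ip_address(resolved))
    if resolved not in LOOPBACK:
        return "ok"
    entry = mapping.get(host.lower())
    if entry is None:
        return "loopback without hosts entry"
    if entry in LOOPBACK:
        return "hosts-file redirect"
    return "intercepted outside hosts file"


def check_live(host: str, mapping: Dict[str, str]) -> Optional[str]:
    """Resolve a name on this machine and classify the answer (needs a resolver)."""
    try:
        return classify_resolution(host, socket.gethostbyname(host), mapping)
    except OSError:
        return None  # resolution failed outright, which is itself a symptom


if __name__ == "__main__":
    # Use the real file on a Windows box; fall back to the constructed sample elsewhere.
    if os.path.exists(WINDOWS_HOSTS):
        with open(WINDOWS_HOSTS, encoding="utf-8", errors="replace") as fh:
            hosts = parse_hosts(fh.read())
    else:
        hosts = parse_hosts(SAMPLE_HOSTS)
    print("watched names pinned to loopback:", find_blocked_hosts(hosts))
    for name in sorted(WATCHLIST):
        print(name, "->", check_live(name, hosts))
```

A result of "intercepted outside hosts file" for a name whose hosts entry is correct is exactly TheCoat's case: the file is not the cause, so editing it further will not help.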
Thanks to this forum, I could solve that invasion on my laptop, what I would call the Update Blocker Super Rootkit Virus. Like Dav, the culprit for me seems to be:
"gaoopdxklowrct.sys" and the Reg key was "HKLM\SYSTEM\CURRENT CONTROL SET\ Services\gaopdxserv.sys".

Trojan Remover cleared it and I'm crossing my fingers that this Rootkit (named officially TDss.A I think) won't reappear.

In the meantime, Mr. Coat (or somebody else here), since you seem more technically savvy, could you explain how this can occur: what network layer is compromised when this happens? What is the mechanism at play and how can we disable it by ourselves (without resorting to antivirus products)? Thanks, A. R.
0
Hi Thecoat,

Do you have any update on this?

I have the exact same problems recently. My AVG virus database stands at March 14 2009. No updates have been successful ever since. Can't do Windows Update either.

The scary thing is that I noticed that this malware (or whatever it might be) was first reported around Dec 2008. Between now and then I had performed many virus database updates and I still have it in my computer! I always have my Windows up to date and my Antivirus and Firewall are fully loaded and operational. I don't go to dodgy websites either. How this thing got into my computer was beyond me. From the threads I can tell it affects many security-minded people with good surfing habits too. Isn't it scary?! Microsoft don't seem to do anything about it either.

Your help is much appreciated.

Ferdinko
0
I have also encountered this problem and the Trojan Remover solved it.

thanks for this thread.
1
Mine started with spoofs telling me my machine needed virus protection and some crazy pop-up every 1-2mins. Then the error message forcing me to shut down. I tried getting updates from all the (AV) sites with no luck. Blank no connection or error message was all I could get. I ran (AVG anti-rootkit) and that paved the way for me to go get all the updates. Ran (microtrend housecall), (malwarebytes-anti-malware), and (spybot). Got the latest (AVG 8.0)
1
Trojan Remover worked for me, too. Thanks Morphine. I don't know why that link worked when others wouldn't, maybe because the AV is buried in the link through Google?

For those that missed it, the link is:
https://www.softpedia.com/get/Antivirus/Trojan-Remover.shtml

Just click it and hit the first download button and run the program.
1
My computer has also been blocked for over a week now.

Windows Update blocked

antivirus update blocked

fix-it pages and HIJACK fixes all blocked.

Even SYSTEM RESTORE is blocked!

The HP tools I burned onto a CD that is supposed to boot the computer are also blocked.

This is a MAJOR issue. If you get it, you will understand. I never dreamed that I'd be crippled to this extent.
It seems that the problem gets worse with every attempted fix.

It starts out with a HIJACKED browser ... search results on Yahoo or Google are redirected to websites that are related to the search, but not what I selected ... basically SPAM.

I've tried 5 browsers: Opera, Maxtor, IE, Safari and FIREFOX .... all browsers were the latest edition. ALL browsers are affected.

I tried to back up my data files ... even purchased a new portable hard drive ... but the backup process is interrupted and shuts down every time.
I was able to back up in small sizes by avoiding the spots that cause a hang-up ... but this type of backup is not exactly reliable ... 20 backups of bits and pieces.

Something is seriously screwy.

If you don't have it, you're darn lucky. This is the first problem that I've been unable to solve in years.
0
I finally was able to cure my PCs from this update blocker virus or whatever it was. It took:

1) SmitFraudFix (normal)
2) SmitFraudFix (safe mode)
3) Spy Subtract
4) SuperAnti Spyware
5) Avira AntiSpywhere
6) Trojan Remover

Doing all this allowed me to update everything, Windows, virus definitions, etc. The Ads are gone.

This was the single most difficult virus I have ever encountered, 4 days of trying to get rid of it. I have no idea how I got it either, but that sucker spread quickly!!! I am actually somewhat impressed.

Feel free to shoot me an email if you need any advice.

Additional Keywords: Updater, msn.com, blocked, spyware, ads.
0
joey > Morphine
Jan 2, 2009 at 04:48 PM
I've got it too and this is incredibly annoying. I don't know anything about those fixes you mentioned, so could you go into a bit of detail with those? I'm sure it would help more than just me...
0
same here!!! It would be great if you could explain the fix more.
0
streinsix > Morphine
Jan 3, 2009 at 10:08 PM
I'm having all of the problems listed from the above people. Can you provide steps I can follow to correct this problem? I do have a computer that was not affected because it hadn't been turned on in weeks, I've been trying to use that to download programs and then transfer them to the affected computer.
I would really appreciate any advice you can offer!
0
morphine > joey
Jan 3, 2009 at 10:14 PM
Those are all anti-virus/anti-spyware programs that are FREE. Just search Google, and you should be able to download them. These programs should make it past the virus for a download, as they are all relatively unknown. Don't worry about updating the definitions, because you probably won't be able to (virus). Run them all like I listed. It takes a long time too, run/reboot/run/reboot...
0
I have it too. Not sure how I got it as we don't visit suspicious sites. Hijacked the browser and then blocks all anti-virus sites. If you get hijacked then disconnect from the internet at once.
0
I got whatever this thing is after 12/26, since that's my last symantec update. I now have it blocked. Lots of sites reference the hosts file, but that's clearly something different, this is clearly much more difficult.

I ran a few antivirus scans in normal and safe mode, and it cleaned a few files, but the DNS hijack still exists. I'm glad to see other people talking about this, and today! This is a PIA to get rid of. I'm going to try the list of applications you listed one at a time and see what I can do to eliminate the DNS hijack. The quick test will be to go to the DOS prompt (Run-->CMD) and try to ping www.symantec.com or whatever; if it pings to 127.0.0.1, the problem is not solved. I'll keep you updated.
0
This appears to be some kind of Trojan / Rootkit thing. Pretty much out of nowhere, my computer suddenly showed a number of symptoms: an Internet Explorer window opened up (by itself: I don't use it) and tried to get me to click on something about spyware removal.

Then Windows Firewall and Windows Update were disabled (Windows Security Centre notified me), and I started getting messages that my computer would shut down in 60 seconds because of a crash in the Generic Host Process (if this happens to you, click on Start / Run and enter shutdown -a to cancel the shutdown).

I also couldn't access antivirus sites such as trendmicro.com, symantec.com or f-secure.com. These sites did *not* appear in the windows/system32/devices/etc folder as they do with other infections.

I rebooted to safe mode (not necessarily a good idea) and scanned with AVG and spybot. I did a whole lot of manual fooling around before finding this site and following the advice above to use Trojan Remover:

https://download.cnet.com/s/security-antispyware/?platform=windows&tag=404

(thanks!)

You might also try Sophos Anti-Rootkit
http://www.sophos.com/products/free-tools/sophos-anti-rootkit.html

And you may also want to run:

- AVG Free
https://www.avg.com/fr-fr/free-antivirus-download

- Spybot Search & Destroy
http://www.safernetworking.de

and throw in some other spyware removers if you like.

If you don't have these programs and your browser won't let you access them, try:
- searching on a reputable download site such as tucows.com, download.com or softpedia.com
- accessing through a web proxy of your choice (I used hidemyass.com)
- getting someone else to download them for you...

Good luck

A
0
Trojan Remover seems to have worked. I tried Morphine's list, some of the sites wouldn't open or the programs wouldn't start just like all the security programs I had already.
Now I can upgrade again. This is TR's log:

***** THE SYSTEM HAS BEEN RESTARTED *****
03/01/2009 14.25.03: Trojan Remover has been restarted
----------
Cleaning up TDSS keys/files:
HKLM\SOFTWARE\TDSS - key (and subkeys) deleted
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata - key (and subkeys) deleted
C:\WINDOWS\system32\TDSSoipa.dll - deleted
C:\WINDOWS\system32\TDSSmupe.dat - deleted
C:\WINDOWS\system32\TDSSirxy.dll - deleted
C:\WINDOWS\system32\TDSSyavu.dll - deleted
C:\WINDOWS\system32\TDSSncur.dll - deleted
C:\WINDOWS\system32\TDSSqxnr.dll - deleted
C:\WINDOWS\system32\TDSSwgod.log - deleted
----------
=======================================================
Removing the following registry keys:
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TDSSmhoe.sys - already removed (or did not exist)
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\TDSSmhoe.sys - already removed (or did not exist)
HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv - already removed (or did not exist)
HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys - removed
HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv) - already removed (or did not exist)
HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys) - already removed (or did not exist)
=======================================================
03/01/2009 14.25.03: Trojan Remover closed
************************************************************


***** NORMAL SCAN FOR ACTIVE MALWARE *****
Trojan Remover Ver 6.7.5.2559. For information, email support@simplysup1.com
[Unregistered version]
Scan started at: 14.16.05 03 gen 2009
Using Database v7248
Operating System: Windows XP SP3 [Windows XP Professional Service Pack 3 (Build 2600)]
File System: NTFS
Data directory: C:\Documents and Settings\Raf\Application Data\Simply Super Software\Trojan Remover\
Database directory: C:\Program Files\Trojan Remover\
Logfile directory: C:\Documents and Settings\Raf\My Documents\Simply Super Software\Trojan Remover Logfiles\
Program directory: C:\Program Files\Trojan Remover\
Running with Administrator privileges

************************************************************
The following Anti-Malware program(s) are loaded:
AVG Anti-Virus

************************************************************

The regfile\shell\open\command Registry Key appears to have been modified.
The current Registry entry is: "regedit.exe" "%1".
This entry calls the following file:
C:\WINDOWS\regedit.exe
Trojan Remover has restored the Registry regfile\shell\open key.
--------------------

************************************************************
14.16.20: Scanning ----------WIN.INI-----------
WIN.INI found in C:\WINDOWS

************************************************************
14.16.20: Scanning --------SYSTEM.INI---------
SYSTEM.INI found in C:\WINDOWS

************************************************************
14.16.20: ----- SCANNING FOR ROOTKIT SERVICES -----
Hidden Service Keyname: TDSSserv.sys
C:\WINDOWS\system32\drivers\TDSSmhoe.sys appears to contain: BACKDOOR.TDSS
C:\WINDOWS\system32\drivers\TDSSmhoe.sys - file backed up to C:\WINDOWS\system32\drivers\TDSSmhoe.sys.vir
C:\WINDOWS\system32\drivers\TDSSmhoe.sys - file has been erased using RAW erasure

************************************************************
14.16.46: Scanning -----WINDOWS REGISTRY-----
--------------------
Checking HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon
--------------------
Checking HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon
This key's "Shell" value calls the following program(s):
File: Explorer.exe
C:\WINDOWS\Explorer.exe
1033728 bytes
Created: 16/01/2007
Modified: 14/04/2008
Company: Microsoft Corporation
----------
This key's "Userinit" value calls the following program(s):
File: C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\system32\userinit.exe
26112 bytes
Created: 04/08/2004
Modified: 14/04/2008
Company: Microsoft Corporation
----------
This key's "System" value appears to be blank
----------
This key's "UIHost" value calls the following program:
File: logonui.exe
C:\WINDOWS\system32\logonui.exe
514560 bytes
Created: 04/08/2004
Modified: 14/04/2008
Company: Microsoft Corporation
----------
--------------------
Checking HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
--------------------
Checking HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
Value Name: load
--------------------
Checking HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value Name: IMJPMIG8.1
Value Data: "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE
208952 bytes
Created: 18/01/2008
Modified: 16/01/2007
Company: Microsoft Corporation
--------------------
Value Name: PHIME2002ASync
Value Data: C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE
455168 bytes
Created: 18/01/2008
Modified: 03/08/2004
Company: Microsoft Corporation
--------------------
Value Name: PHIME2002A
Value Data: C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE
455168 bytes
Created: 18/01/2008
Modified: 03/08/2004
Company: Microsoft Corporation
--------------------
Value Name: Persistence
Value Data: C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxpers.exe
-R- 135168 bytes
Created: 18/01/2008
Modified: 13/01/2007
Company: Intel Corporation
--------------------
Value Name: NvCplDaemon
Value Data: RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
C:\WINDOWS\system32\NvCpl.dll
13574144 bytes
Created: 05/12/2007
Modified: 07/10/2008
Company: NVIDIA Corporation
--------------------
Value Name: nwiz
Value Data: nwiz.exe /install
C:\WINDOWS\system32\nwiz.exe
1630208 bytes
Created: 05/12/2007
Modified: 07/10/2008
Company: NVIDIA Corporation
--------------------
Value Name: AVG8_TRAY
Value Data: C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
1261336 bytes
Created: 04/07/2008
Modified: 27/11/2008
Company: AVG Technologies CZ, s.r.o.
--------------------
Value Name: NvMediaCenter
Value Data: RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
C:\WINDOWS\system32\NvMcTray.dll
86016 bytes
Created: 05/12/2007
Modified: 07/10/2008
Company: NVIDIA Corporation
--------------------
Value Name: BluetoothAuthenticationAgent
Value Data: rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
C:\WINDOWS\system32\bthprops.cpl
110592 bytes
Created: 04/08/2004
Modified: 14/04/2008
Company: Microsoft Corporation
--------------------
Value Name: TrojanScanner
Value Data: C:\Program Files\Trojan Remover\Trjscan.exe /boot
C:\Program Files\Trojan Remover\Trjscan.exe
1231752 bytes
Created: 03/01/2009
Modified: 01/01/2009
Company: Simply Super Software
--------------------
--------------------
Checking HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
This Registry Key appears to be empty
--------------------
Checking HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
This Registry Key appears to be empty
--------------------
Checking HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce
This Registry Key appears to be empty
--------------------
Checking HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx
This Registry Key appears to be empty
--------------------
Checking HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Value Name: SpybotSD TeaTimer
Value Data: C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe - this entry is globally excluded
--------------------
Value Name: DAEMON Tools Lite
Value Data: "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
C:\Program Files\DAEMON Tools Lite\daemon.exe
486856 bytes
Created: 17/01/2008
Modified: 17/01/2008
Company: DT Soft Ltd
--------------------
Value Name: NVIDIA nTune
Value Data: "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe
81920 bytes
Created: 04/09/2007
Modified: 04/09/2007
Company: NVIDIA
--------------------
Value Name: CTZDetec.exe
Value Data: C:\Program Files\Creative\Creative Media Lite\CTZDetec.exe
C:\Program Files\Creative\Creative Media Lite\CTZDetec.exe
368640 bytes
Created: 22/01/2008
Modified: 24/04/2008
Company: Creative Technology Ltd.
--------------------
--------------------
Checking HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
This Registry Key appears to be empty
--------------------
Checking HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
This Registry Key appears to be empty
--------------------
Checking HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
This Registry Key appears to be empty

************************************************************
14.16.47: Scanning -----SHELLEXECUTEHOOKS-----
ValueName: {AEB6717E-7E19-11d0-97EE-00C04FD91972}
File: shell32.dll - this file is expected and has been left in place
----------

************************************************************
14.16.47: Scanning -----HIDDEN REGISTRY ENTRIES-----
Taskdir check completed
----------
No Hidden File-loading Registry Entries found
----------

************************************************************
14.16.47: Scanning -----ACTIVE SCREENSAVER-----
ScreenSaver: C:\WINDOWS\system32\logon.scr
C:\WINDOWS\system32\logon.scr
220672 bytes
Created: 04/08/2004
Modified: 14/04/2008
Company: Microsoft Corporation
--------------------

************************************************************
14.16.47: Scanning ----- REGISTRY ACTIVE SETUP KEYS -----

************************************************************
14.16.47: Scanning ----- SERVICEDLL REGISTRY KEYS -----
Key: BthServ
Path: %SystemRoot%\System32\bthserv.dll
C:\WINDOWS\System32\bthserv.dll
30208 bytes
Created: 04/08/2004
Modified: 14/04/2008
Company: Microsoft Corporation
--------------------
Key: HidServ
%SystemRoot%\System32\hidserv.dll - file is globally excluded (file cannot be found)
--------------------

************************************************************
14.16.48: Scanning ----- SERVICES REGISTRY KEYS -----
Key: ASPI
ImagePath: \??\C:\WINDOWS\System32\DRIVERS\ASPI32.sys
C:\WINDOWS\System32\DRIVERS\ASPI32.sys
16512 bytes
Created: 07/03/2008
Modified: 17/07/2002
Company: Adaptec
----------
Key: atksgt
ImagePath: system32\DRIVERS\atksgt.sys
C:\WINDOWS\system32\DRIVERS\atksgt.sys
278728 bytes
Created: 22/12/2008
Modified: 22/12/2008
Company: [no info]
----------
Key: avg8emc
ImagePath: C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
875288 bytes
Created: 04/07/2008
Modified: 30/08/2008
Company: AVG Technologies CZ, s.r.o.
----------
Key: avg8wd
ImagePath: C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
231704 bytes
Created: 04/07/2008
Modified: 30/08/2008
Company: AVG Technologies CZ, s.r.o.
----------
Key: AvgLdx86
ImagePath: \SystemRoot\System32\Drivers\avgldx86.sys
C:\WINDOWS\System32\Drivers\avgldx86.sys
97928 bytes
Created: 23/05/2008
Modified: 30/08/2008
Company: AVG Technologies CZ, s.r.o.
----------
Key: AvgMfx86
ImagePath: \SystemRoot\System32\Drivers\avgmfx86.sys
C:\WINDOWS\System32\Drivers\avgmfx86.sys
26824 bytes
Created: 18/01/2008
Modified: 04/07/2008
Company: AVG Technologies CZ, s.r.o.
----------
Key: AvgTdiX
ImagePath: \SystemRoot\System32\Drivers\avgtdix.sys
C:\WINDOWS\System32\Drivers\avgtdix.sys
76040 bytes
Created: 23/05/2008
Modified: 04/07/2008
Company: AVG Technologies CZ, s.r.o.
----------
Key: BlueletAudio
ImagePath: system32\DRIVERS\blueletaudio.sys
C:\WINDOWS\system32\DRIVERS\blueletaudio.sys [file not found to scan]
----------
Key: BlueletSCOAudio
ImagePath: system32\DRIVERS\BlueletSCOAudio.sys
C:\WINDOWS\system32\DRIVERS\BlueletSCOAudio.sys [file not found to scan]
----------
Key: Bonjour Service
ImagePath: "C:\Program Files\Bonjour\mDNSResponder.exe"
C:\Program Files\Bonjour\mDNSResponder.exe
229376 bytes
Created: 28/02/2006
Modified: 28/02/2006
Company: Apple Computer, Inc.
----------
Key: BT
ImagePath: system32\DRIVERS\btnetdrv.sys
C:\WINDOWS\system32\DRIVERS\btnetdrv.sys [file not found to scan]
----------
Key: Btcsrusb
ImagePath: System32\Drivers\btcusb.sys
C:\WINDOWS\System32\Drivers\btcusb.sys [file not found to scan]
----------
Key: BthEnum
ImagePath: system32\DRIVERS\BthEnum.sys
C:\WINDOWS\system32\DRIVERS\BthEnum.sys
17024 bytes
Created: 12/12/2008
Modified: 14/04/2008
Company: Microsoft Corporation
----------
Key: BTHidEnum
ImagePath: System32\Drivers\vbtenum.sys
C:\WINDOWS\System32\Drivers\vbtenum.sys [file not found to scan]
----------
Key: BTHidMgr
ImagePath: System32\Drivers\BTHidMgr.sys
C:\WINDOWS\System32\Drivers\BTHidMgr.sys [file not found to scan]
----------
Key: BTHMODEM
ImagePath: system32\DRIVERS\bthmodem.sys
C:\WINDOWS\system32\DRIVERS\bthmodem.sys
37888 bytes
Created: 12/12/2008
Modified: 14/04/2008
Company: Microsoft Corporation
----------
Key: BthPan
ImagePath: system32\DRIVERS\bthpan.sys
C:\WINDOWS\system32\DRIVERS\bthpan.sys
101120 bytes
Created: 12/12/2008
Modified: 14/04/2008
Company: Microsoft Corporation
----------
Key: BTHPORT
ImagePath: System32\Drivers\BTHport.sys
C:\WINDOWS\System32\Drivers\BTHport.sys
273024 bytes
Created: 12/12/2008
Modified: 14/04/2008
Company: Microsoft Corporation
----------
Key: BTHUSB
ImagePath: System32\Drivers\BTHUSB.sys
C:\WINDOWS\System32\Drivers\BTHUSB.sys
18944 bytes
Created: 12/12/2008
Modified: 14/04/2008
Company: Microsoft Corporation
----------
Key: CLEDX
ImagePath: system32\DRIVERS\cledx.sys
C:\WINDOWS\system32\DRIVERS\cledx.sys
33792 bytes
Created: 16/03/2008
Modified: 09/05/2005
Company: Team H2O
----------
Key: CTDevice_Srv
ImagePath: C:\Program Files\Creative\Shared Files\CTDevSrv.exe
C:\Program Files\Creative\Shared Files\CTDevSrv.exe
61440 bytes
Created: 02/04/2007
Modified: 02/04/2007
Company: Creative Technology Ltd
----------
Key: dmxfire
ImagePath: system32\drivers\dmx6fire.sys
C:\WINDOWS\system32\drivers\dmx6fire.sys
148724 bytes
Created: 29/08/2003
Modified: 29/08/2003
Company: Terratec Electronic GmbH
----------
Key: dmxsens
ImagePath: system32\drivers\dmxsens.sys
C:\WINDOWS\system32\drivers\dmxsens.sys
403968 bytes
Created: 22/07/2003
Modified: 22/07/2003
Company: Sensaura Ltd
----------
Key: EagleNT
ImagePath: \??\C:\WINDOWS\system32\drivers\EagleNT.sys
C:\WINDOWS\system32\drivers\EagleNT.sys [file not found to scan]
----------
Key: FLEXnet Licensing Service
ImagePath: "C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe"
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
655624 bytes
Created: 18/01/2008
Modified: 19/11/2008
Company: Acresso Software Inc.
----------
Key: ialm
ImagePath: system32\DRIVERS\igxpmp32.sys
C:\WINDOWS\system32\DRIVERS\igxpmp32.sys
-R- 5672032 bytes
Created: 18/01/2008
Modified: 13/01/2007
Company: Intel Corporation
----------
Key: IDriverT
ImagePath: "C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe"
C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
69632 bytes
Created: 14/11/2005
Modified: 14/11/2005
Company: Macrovision Corporation
----------
Key: irsir
ImagePath: system32\DRIVERS\irsir.sys
C:\WINDOWS\system32\DRIVERS\irsir.sys
18688 bytes
Created: 18/01/2008
Modified: 17/08/2001
Company: Microsoft Corporation
----------
Key: lirsgt
ImagePath: system32\DRIVERS\lirsgt.sys
C:\WINDOWS\system32\DRIVERS\lirsgt.sys
25416 bytes
Created: 22/12/2008
Modified: 22/12/2008
Company: [no info]
----------
Key: mcdbus
ImagePath: system32\DRIVERS\mcdbus.sys
C:\WINDOWS\system32\DRIVERS\mcdbus.sys [file not found to scan]
----------
Key: NMIndexingService
ImagePath: "C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe"
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
382248 bytes
Created: 20/09/2007
Modified: 20/09/2007
Company: Nero AG
----------
Key: nocashio
ImagePath: system32\drivers\nocashio.sys
C:\WINDOWS\system32\drivers\nocashio.sys
4096 bytes
Created: 12/05/2008
Modified: 12/05/2008
Company: [no info]
----------
Key: nTuneService
ImagePath: C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe /StartService
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
131072 bytes
Created: 04/09/2007
Modified: 04/09/2007
Company: NVIDIA
----------
Key: NVR0Dev
ImagePath: \??\C:\WINDOWS\nvoclock.sys
C:\WINDOWS\nvoclock.sys
29696 bytes
Created: 04/09/2007
Modified: 04/09/2007
Company: NVidia Corp.
----------
Key: pcouffin
ImagePath: System32\Drivers\pcouffin.sys
C:\WINDOWS\System32\Drivers\pcouffin.sys
47360 bytes
Created: 27/11/2008
Modified: 27/11/2008
Company: VSO Software
----------
Key: PnkBstrA
ImagePath: C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrA.exe
66872 bytes
Created: 20/01/2008
Modified: 21/11/2008
Company: [no info]
----------
Key: RFCOMM
ImagePath: system32\DRIVERS\rfcomm.sys
C:\WINDOWS\system32\DRIVERS\rfcomm.sys
59136 bytes
Created: 12/12/2008
Modified: 14/04/2008
Company: Microsoft Corporation
----------
Key: RivaTuner32
ImagePath: \??\C:\Program Files\RivaTuner v2.20\RivaTuner32.sys
C:\Program Files\RivaTuner v2.20\RivaTuner32.sys
9088 bytes
Created: 19/11/2008
Modified: 19/11/2008
Company: [no info]
----------
Key: sptd
ImagePath: System32\Drivers\sptd.sys - this file is globally excluded
----------
Key: sr
ImagePath: \SystemRoot\system32\DRIVERS\sr.sys
C:\WINDOWS\system32\DRIVERS\sr.sys
73472 bytes
Created: 18/01/2008
Modified: 14/04/2008
Company: Microsoft Corporation
----------
Key: SwPrv
ImagePath: C:\WINDOWS\system32\dllhost.exe /Processid:{9C06143E-7556-458C-95F3-F86B10C31391}
C:\WINDOWS\system32\dllhost.exe
5120 bytes
Created: 04/08/2004
Modified: 14/04/2008
Company: Microsoft Corporation
----------
Key: trutil
ImagePath: \??\C:\DOCUME~1\Raf\LOCALS~1\Temp\trutil.sys - this file is a Trojan Remover component
----------
Key: UnlockerDriver5
ImagePath: \??\C:\Program Files\Unlocker\UnlockerDriver5.sys
C:\Program Files\Unlocker\UnlockerDriver5.sys
4096 bytes
Created: 07/09/2006
Modified: 07/09/2006
Company: [no info]
----------
Key: usbsermpt
ImagePath: system32\DRIVERS\usbsermpt.sys
C:\WINDOWS\system32\DRIVERS\usbsermpt.sys
22768 bytes
Created: 21/05/2008
Modified: 21/05/2008
Company: Microsoft Corporation
----------
Key: Useless
ImagePath: \??\C:\Kaizoku_Script\KEngine\Dll\Useless.sys
C:\Kaizoku_Script\KEngine\Dll\Useless.sys [file not found to scan]
----------
Key: usnjsvc
ImagePath: "C:\Program Files\Windows Live\Messenger\usnsvc.exe"
C:\Program Files\Windows Live\Messenger\usnsvc.exe
98840 bytes
Created: 07/11/2007
Modified: 07/11/2007
Company: Microsoft Corporation
----------
Key: VComm
ImagePath: system32\DRIVERS\VComm.sys
C:\WINDOWS\system32\DRIVERS\VComm.sys [file not found to scan]
----------
Key: VcommMgr
ImagePath: System32\Drivers\VcommMgr.sys
C:\WINDOWS\System32\Drivers\VcommMgr.sys [file not found to scan]
----------
Key: VirtualFD
ImagePath: \??\D:\Accumulator\vfd21-080206\vfd.sys
D:\Accumulator\vfd21-080206\vfd.sys [file not found to scan]
----------
Key: WMConnectCDS
ImagePath: C:\Program Files\Windows Media Connect 2\wmccds.exe
C:\Program Files\Windows Media Connect 2\wmccds.exe
855552 bytes
Created: 18/01/2008
Modified: 06/10/2005
Company: Microsoft Corporation
----------
Key: {DEF85C80-216A-43ab-AF70-1665EDBE2780}
ImagePath: \??\C:\WINDOWS\TEMP\60.tmp
C:\WINDOWS\TEMP\60.tmp [file not found to scan]
----------

************************************************************
14.16.53: Scanning -----VXD ENTRIES-----

************************************************************
14.16.53: Scanning ----- WINLOGON\NOTIFY DLLS -----
Key : igfxcui
DLLName: igfxdev.dll
C:\WINDOWS\system32\igfxdev.dll
-R- 204800 bytes
Created: 18/01/2008
Modified: 13/01/2007
Company: Intel Corporation
----------

************************************************************
14.16.53: Scanning ----- CONTEXTMENUHANDLERS -----
Key: Adobe.Acrobat.ContextMenu
CLSID: {D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802}
Path: C:\Program Files\Adobe\Acrobat 8.0\Acrobat Elements\ContextMenu.dll
C:\Program Files\Adobe\Acrobat 8.0\Acrobat Elements\ContextMenu.dll
677504 bytes
Created: 22/10/2006
Modified: 22/10/2006
Company: Adobe Systems Inc.
----------
Key: AVG8 Shell Extension
CLSID: {9F97547E-4609-42C5-AE0C-81C61FFAEBC3}
Path: C:\Program Files\AVG\AVG8\avgse.dll
C:\Program Files\AVG\AVG8\avgse.dll
99608 bytes
Created: 04/07/2008
Modified: 04/07/2008
Company: AVG Technologies CZ, s.r.o.
----------
Key: PowerISO
CLSID: {967B2D40-8B7D-4127-9049-61EA0C2C6DCE}
Path: C:\Program Files\PowerISO\PWRISOSH.DLL
C:\Program Files\PowerISO\PWRISOSH.DLL
208896 bytes
Created: 20/01/2008
Modified: 20/01/2008
Company: PowerISO Computing, Inc.
----------
Key: TagRename_ContextMenu
CLSID: {7C5E74A0-D5E0-11D0-A9BF-E886A83B9BE5}
Path: C:\PROGRA~1\TAGREN~1\TRshell.dll
C:\PROGRA~1\TAGREN~1\TRshell.dll
144640 bytes
Created: 15/02/2008
Modified: 05/12/2007
Company: Softpointer Inc
----------

************************************************************
14.16.53: Scanning ----- FOLDER\COLUMNHANDLERS -----
Key: {7A5117B0-B594-4DA8-829D-D15BF11996F2}
File: C:\Program Files\DAEMON Tools Lite\awxDTools.dll
C:\Program Files\DAEMON Tools Lite\awxDTools.dll
151552 bytes
Created: 18/01/2008
Modified: 27/03/2006
Company: arniWORX
----------
Key: {C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}
File: "C:\Program Files\OpenOffice.org 3\Basis\program\shlxthdl\shlxthdl.dll"
C:\Program Files\OpenOffice.org 3\Basis\program\shlxthdl\shlxthdl.dll
357888 bytes
Created: 28/08/2008
Modified: 28/08/2008
Company: Sun Microsystems, Inc.
----------

************************************************************
14.16.53: Scanning ----- BROWSER HELPER OBJECTS -----
Key: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
BHO: C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
62080 bytes
Created: 22/10/2006
Modified: 22/10/2006
Company: Adobe Systems Incorporated
----------
Key: {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20}
BHO: C:\Program Files\Winamp Toolbar\winamptb.dll
C:\Program Files\Winamp Toolbar\winamptb.dll
1267040 bytes
Created: 19/03/2008
Modified: 19/03/2008
Company: AOL LLC.
----------
Key: {53707962-6F74-2D53-2644-206D7942484F}
BHO: C:\PROGRA~1\SPYBOT~1\SDHelper.dll
C:\PROGRA~1\SPYBOT~1\SDHelper.dll - file is excluded from scanning [SPYBOT S&D file]
----------
Key: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}
BHO: C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
509328 bytes
Created: 10/11/2008
Modified: 10/06/2008
Company: Sun Microsystems, Inc.
----------
Key: {AE7CD045-E861-484f-8273-0445EE161910}
BHO: C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
321120 bytes
Created: 22/10/2006
Modified: 22/10/2006
Company: Adobe Systems Incorporated
----------

************************************************************
14.16.54: Scanning ----- SHELLSERVICEOBJECTS -----

************************************************************
14.16.54: Scanning ----- SHAREDTASKSCHEDULER ENTRIES -----

************************************************************
14.16.54: Scanning ----- IMAGEFILE DEBUGGERS -----
No "Debugger" entries found.

************************************************************
14.16.54: Scanning ----- APPINIT_DLLS -----
The HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows key appears to be locked
AppInitDLLs entry = [avgrsstx.dll]
File: avgrsstx.dll
C:\WINDOWS\system32\avgrsstx.dll
10520 bytes
Created: 23/05/2008
Modified: 04/07/2008
Company: AVG Technologies CZ, s.r.o.
----------

************************************************************
14.16.54: Scanning ----- SECURITY PROVIDER DLLS -----

************************************************************
14.16.54: Scanning ------ COMMON STARTUP GROUP ------
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
The Common Startup Group attempts to load the following file(s) at boot time:
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini
-HS- 84 bytes
Created: 18/01/2008
Modified: 18/01/2008
Company: [no info]
--------------------
C:\Program Files\TerraTec\DMX 6fire\DMX6Fire.exe
335872 bytes
Created: 18/01/2008
Modified: 29/08/2003
Company: TerraTec Electronic GmbH
DMX 6fire 2496 ControlPanel.lnk - links to C:\Program Files\TerraTec\DMX 6fire\DMX6Fire.exe
--------------------

************************************************************
14.16.55: Scanning ------ USER STARTUP GROUPS ------
--------------------
Checking Startup Group for: Raf
[C:\Documents and Settings\Raf\START MENU\PROGRAMS\STARTUP]
The Startup Group for Raf attempts to load the following file(s):
C:\Documents and Settings\Raf\START MENU\PROGRAMS\STARTUP\desktop.ini
-HS- 84 bytes
Created: 18/01/2008
Modified: 18/01/2008
Company: [no info]
----------

************************************************************
14.16.55: Scanning ----- SCHEDULED TASKS -----
No Scheduled Tasks found to scan

************************************************************
14.16.55: Scanning ----- SHELLICONOVERLAYIDENTIFIERS -----

************************************************************
14.16.55: ----- ADDITIONAL CHECKS -----
PE386 rootkit checks completed
----------
Winlogon registry rootkit checks completed
----------
1 TDSS rootkit driver(s) heuristically detected
No specific TDSS rootkit drivers could be located - no action taken
-----
Heuristic checks for hidden files/drivers completed
----------
Layered Service Provider entries checks completed
----------
Windows Explorer Policies checks completed
----------
Desktop Wallpaper: C:\Documents and Settings\Raf\Application Data\IrfanView\IrfanView_Wallpaper.bmp
C:\Documents and Settings\Raf\Application Data\IrfanView\IrfanView_Wallpaper.bmp
3888054 bytes
Created: 18/01/2008
Modified: 01/01/2009
Company: [no info]
----------
Web Desktop Wallpaper: %SystemRoot%\web\wallpaper\Bliss.bmp
C:\WINDOWS\web\wallpaper\Bliss.bmp
1440054 bytes
Created: 18/01/2008
Modified: 18/01/2008
Company: [no info]
----------
Checks for rogue DNS NameServers completed
----------
Additional checks completed

************************************************************
14.17.05: Scanning ----- RUNNING PROCESSES -----

C:\WINDOWS\System32\smss.exe
[1 loaded module]
--------------------
C:\WINDOWS\system32\csrss.exe
[15 loaded modules in total]
--------------------
C:\WINDOWS\system32\winlogon.exe
[74 loaded modules in total]
--------------------
C:\WINDOWS\system32\services.exe
[41 loaded modules in total]
--------------------
C:\WINDOWS\system32\lsass.exe
[59 loaded modules in total]
--------------------
C:\WINDOWS\system32\svchost.exe
[68 loaded modules in total]
--------------------
C:\WINDOWS\system32\svchost.exe - file already scanned
[45 loaded modules in total]
--------------------
C:\WINDOWS\System32\svchost.exe - file already scanned
[140 loaded modules in total]
--------------------
C:\WINDOWS\system32\svchost.exe - file already scanned
[36 loaded modules in total]
--------------------
C:\WINDOWS\system32\svchost.exe - file already scanned
[44 loaded modules in total]
--------------------
C:\WINDOWS\Explorer.EXE - file already scanned
[151 loaded modules in total]
--------------------
C:\WINDOWS\system32\spoolsv.exe
[60 loaded modules in total]
--------------------
C:\PROGRA~1\AVG\AVG8\avgtray.exe - file already scanned
[49 loaded modules in total]
--------------------
C:\WINDOWS\system32\RUNDLL32.EXE
[35 loaded modules in total]
--------------------
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
[58 loaded modules in total]
--------------------
C:\WINDOWS\system32\rundll32.exe
[38 loaded modules in total]
--------------------
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
[38 loaded modules in total]
--------------------
C:\Program Files\Creative\Creative Media Lite\CTZDetec.exe - file already scanned
[29 loaded modules in total]
--------------------
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe - file already scanned
[38 loaded modules in total]
--------------------
C:\WINDOWS\system32\svchost.exe - file already scanned
[35 loaded modules in total]
--------------------
C:\WINDOWS\system32\CTsvcCDA.exe
[22 loaded modules in total]
--------------------
C:\Program Files\Creative\Shared Files\CTDevSrv.exe - file already scanned
[22 loaded modules in total]
--------------------
C:\WINDOWS\system32\nvsvc32.exe
[40 loaded modules in total]
--------------------
C:\WINDOWS\system32\svchost.exe - file already scanned
[44 loaded modules in total]
--------------------
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
[27 loaded modules in total]
--------------------
C:\PROGRA~1\AVG\AVG8\avgemc.exe - file already scanned
[66 loaded modules in total]
--------------------
C:\WINDOWS\System32\alg.exe
[34 loaded modules in total]
--------------------
C:\Program Files\Mozilla Firefox\firefox.exe
[86 loaded modules in total]
--------------------
C:\Documents and Settings\Raf\Application Data\Simply Super Software\Trojan Remover\qri5E.exe
FileSize: 2913144
[This is a Trojan Remover component]
[65 loaded modules in total]
--------------------

************************************************************
14.17.39: Checking AUTOEXEC.BAT file
AUTOEXEC.BAT found in C:\
No malicious entries were found in the AUTOEXEC.BAT file

************************************************************
14.17.39: Checking AUTOEXEC.NT file
AUTOEXEC.NT found in C:\WINDOWS\system32
No malicious entries were found in the AUTOEXEC.NT file

************************************************************
14.17.39: Checking HOSTS file
No malicious entries were found in the HOSTS file

************************************************************
14.17.39: Scanning ------ %TEMP% DIRECTORY ------
C:\DOCUME~1\Raf\LOCALS~1\Temp\etilqs_xCq1O2fXEr6pAmeLBAkT appears to be in-use/locked
************************************************************
14.17.51: Scanning ------ C:\WINDOWS\Temp DIRECTORY ------
************************************************************
14.17.51: Scanning ------ ROOT DIRECTORY ------

************************************************************
14.17.51: ------ Scan for other files to remove ------
No malware-related files found to remove

************************************************************
------ INTERNET EXPLORER HOME/START/SEARCH SETTINGS ------
HKLM\Software\Microsoft\Internet Explorer\Main\"Start Page":
http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
HKLM\Software\Microsoft\Internet Explorer\Main\"Local Page":
%SystemRoot%\system32\blank.htm
HKLM\Software\Microsoft\Internet Explorer\Main\"Search Page":
http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKLM\Software\Microsoft\Internet Explorer\Main\"Default_Page_URL":
http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
HKLM\Software\Microsoft\Internet Explorer\Main\"Default_Search_URL":
http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKLM\Software\Microsoft\Internet Explorer\Search\"CustomizeSearch":
https://www.bing.com/?toHttps=1&redig=73960D15C3CC4942B0C871380AA65EA0{SUB_RFC1766}/srchasst/srchcust.htm
HKLM\Software\Microsoft\Internet Explorer\Search\"SearchAssistant":
https://www.bing.com/?toHttps=1&redig=73960D15C3CC4942B0C871380AA65EA0{SUB_RFC1766}/srchasst/srchasst.htm
HKCU\Software\Microsoft\Internet Explorer\Main\"Start Page":
http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
HKCU\Software\Microsoft\Internet Explorer\Main\"Local Page":
C:\WINDOWS\system32\blank.htm
HKCU\Software\Microsoft\Internet Explorer\Main\"Search Page":
http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch

************************************************************
=== CHANGES WERE MADE TO THE WINDOWS REGISTRY ===
=== ONE OR MORE FILES WERE RENAMED OR REMOVED ===
Scan completed at: 14.17.51 03 gen 2009
Total Scan time: 00.01.45
-------------------------------------------------------------------------
One or more files could not be moved or renamed as requested.
They may be in use by Windows, so Trojan Remover needs
to restart the system in order to deal with these files.
03/01/2009 14.17.57: restart commenced
************************************************************
0
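The Trojan Remover log above is the kind of output a practitioner ends up triaging by hand: hundreds of service and driver entries, a TDSS heuristic hit that the tool could not tie to a specific driver, and one service keyed by a bare GUID whose ImagePath points at a `.tmp` file under `C:\WINDOWS\TEMP` that is no longer on disk. The Python below is an added example, not part of the thread and not Trojan Remover's own code. It parses the SERVICES REGISTRY KEYS section (the sample input is four entries copied from the posted log, in the tool's own layout) and ranks entries by heuristics that are this example's own assumptions: a GUID-named service key, an image loaded from a Temp directory, an image extension a driver or service does not normally have, a registered file that is missing, and a scanned file with no company information. It does not declare anything malicious; it only shows which entries deserve a closer look first.

```python
"""Triage helper for the SERVICES REGISTRY KEYS section of a Trojan Remover log."""
import re
from dataclasses import dataclass, field

# Constructed sample: four entries copied from the log posted in the thread,
# in the tool's own layout (one entry per '----------' separator).
SAMPLE_LOG = r"""Key: avg8wd
ImagePath: C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
231704 bytes
Created: 04/07/2008
Modified: 30/08/2008
Company: AVG Technologies CZ, s.r.o.
----------
Key: atksgt
ImagePath: system32\DRIVERS\atksgt.sys
C:\WINDOWS\system32\DRIVERS\atksgt.sys
278728 bytes
Created: 22/12/2008
Modified: 22/12/2008
Company: [no info]
----------
Key: trutil
ImagePath: \??\C:\DOCUME~1\Raf\LOCALS~1\Temp\trutil.sys - this file is a Trojan Remover component
----------
Key: {DEF85C80-216A-43ab-AF70-1665EDBE2780}
ImagePath: \??\C:\WINDOWS\TEMP\60.tmp
C:\WINDOWS\TEMP\60.tmp [file not found to scan]
----------
"""

GUID_RE = re.compile(r"^\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)
# Extensions a service or kernel-driver image normally has (this example's assumption).
EXPECTED_EXTS = {".sys", ".exe", ".dll"}


@dataclass
class ServiceEntry:
    key: str
    image_path: str = ""
    company: str = ""
    file_missing: bool = False
    reasons: list = field(default_factory=list)


def parse_entries(log_text):
    """Turn each '----------'-delimited block of the log into a ServiceEntry."""
    entries = []
    for block in log_text.split("----------"):
        entry = None
        for line in block.strip().splitlines():
            if line.startswith("Key: "):
                entry = ServiceEntry(key=line[len("Key: "):].strip())
            elif entry is None:
                continue
            elif line.startswith("ImagePath: "):
                # The tool appends notes after ' - '; keep only the path itself.
                entry.image_path = line[len("ImagePath: "):].split(" - ")[0].strip()
            elif line.startswith("Company: "):
                entry.company = line[len("Company: "):].strip()
            elif "[file not found to scan]" in line:
                entry.file_missing = True
        if entry is not None:
            entries.append(entry)
    return entries


def normalize_path(image_path):
    """Drop surrounding quotes and the NT object-manager prefix (backslash ?? backslash)."""
    path = image_path.strip('"')
    if path.startswith("\\??\\"):
        path = path[4:]
    return path


def score(entry):
    """Attach heuristic reasons (this example's own, not Trojan Remover's) to an entry."""
    low = normalize_path(entry.image_path).lower()
    filename = low.rsplit("\\", 1)[-1]
    ext = filename[filename.rfind("."):] if "." in filename else ""
    if GUID_RE.match(entry.key):
        entry.reasons.append("GUID_KEY")       # service named by a bare GUID
    if "\\temp\\" in low:
        entry.reasons.append("TEMP_PATH")      # image loaded from a Temp directory
    if ext and ext not in EXPECTED_EXTS:
        entry.reasons.append("ODD_EXTENSION")  # e.g. a .tmp registered as a driver
    if entry.file_missing:
        entry.reasons.append("FILE_MISSING")   # registered, but absent on disk
    if entry.company == "[no info]":
        entry.reasons.append("NO_COMPANY")     # scanned, but carries no version info
    return entry


def triage(log_text):
    """Return only entries with at least one reason, the most reasons first."""
    scored = [score(e) for e in parse_entries(log_text)]
    flagged = [e for e in scored if e.reasons]
    return sorted(flagged, key=lambda e: len(e.reasons), reverse=True)


if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(f"{e.key:45} {', '.join(e.reasons)}")
```

Run against the sample, the GUID-keyed `60.tmp` entry comes out on top with four reasons, the two single-reason entries (`atksgt` with no company info, `trutil` living in a Temp directory) follow, and the AVG watchdog service is not flagged at all. The `trutil` hit is a reminder that a heuristic is only a starting point: the log itself annotates that driver as a Trojan Remover component, so the analyst, not the script, makes the call. To apply this to a full log, paste the whole SERVICES REGISTRY KEYS section into `SAMPLE_LOG` or read it from a file.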
Trojan Remover did the trick! Been having this issue for about 24 hours now, ran 2 anti-virus and 3 anti-spyware with no luck. Run Trojan Remover!!

THANKS MORPHINE!!!!
0
It worked for me too!
0
Glad it helped! If you have any trouble downloading the software, search for mirror sites, like "Spysubtract mirror". Most have other sites where you can download the EXE, and they are not blocked.

Happy virus-free 2009!
0
Rooty Mac > morphine
Jan 4, 2009 at 12:57 PM
Thanks for the info Morphine! I used Trojan Remover first and that did the trick! Happy New Year!
0
sourya_4 Posts 4 Registration date Thursday February 12, 2009 Status Member Last seen February 13, 2009 > morphine
Feb 13, 2009 at 09:17 AM
Hi mate, I have the same problem: not able to open anti-virus sites or update AVG. I uninstalled AVG and downloaded your Trojan Remover, as proposed. When I started the scan it displayed that AVG is running; proceed with scan? I scanned but my problems are still there torturing me. I searched for every single AVG file and deleted them, but still the same message. Please help me as you did for many.


In search of help,

an amateur techfella
0
Trojan Remover worked! I can now access AVG.com, including updates, etc. Thanks a ton.

I also ran AVG (without the update) and Malwarebytes Anti-Malware. They both found lots of stuff, but didn't get rid of the DNS blocks.
0
WOW! I thought I was the only one with this problem! Thanks for helping, morphine, that did the trick! I noticed that I could use a proxy to get to AVG to update, but it still didn't work; this sure did. Thanks a bunch!
0
Morphine!!!! THANK YOU SO MUCH. Your link to the trojan removal did the trick. I've been dealing with this for a week and have tried EVERYTHING! Thanks for the tip.

I just used the TR at your first link and everything seems to be running fine. I was able to update my AVG. But I didn't use the other steps you mentioned in your later post:
1) SmitFraudFix (normal)
2) SmitFraudFix (safe mode)
3) Spy Subtract
4) SuperAnti Spyware
5) Avira AntiSpywhere
6) Trojan Remover

Do I need to do steps 1-5?
0
Thanks a lot guys!!!! I'm now updating my AVG. Thanks, morphine.
0
Thanks for everything... That's a nasty infection and one which I never want to see again! Does anyone have any more info on what it is or how it has got on to all these PCs? I for one know I haven't been using dodgy sites and still got it??? Please let me know if there is any info on what this is, as it took me ages to get rid of!

Cheers
0
I have (had) it too. Thanks to morphine for the list.
The first thing I noticed when it started to work again was that the toolbar across the top of the Google page appeared again!!
0
Had the same problem after updating on or around Xmas... It's all malware, dude. I tried all the internet gimmicks; none worked. Solution was simple: scan your computer with an antivirus which supports spyware, spam, rootkit etc. (I used AVG Security Center); then use Malwarebytes' Anti-Malware; it found about 30 malware on my machine. Erase the malware found... Restart your computer!!! Bang bang, my updates worked again... Note: keep a working antivirus/spyware/spamware software which is updated regularly... WORKS
0
I tried three different anti-virus and two anti-spyware, but none of them could fix it. Trojan Remover did the magic, and it seems to be back to normal. Thanks for all your help, Morphine!
0
This virus was the worst... It slowed down and fcked up my computer... Thankfully I was able to surf the web to find valuable information like this to kill it... Good job, fellas.
0
I've been fighting this for 3 weeks. I somehow downloaded "Antivirus 2009", which made things worse. The trojan removal tool did the trick. I also ran Malwarebytes Anti-Malware. I ran them both twice and that cleaned everything up. Thanks for the information!
0
DebiDibly > M AJ mike
Jan 6, 2009 at 09:48 AM
I had it too! AVG wouldn't update. Every time I started to run a scan I'd get an error in the first few seconds, but then the scan would continue and not find anything. I tried un-installing and re-installing, figuring maybe a file had gotten corrupted. I tried running Windows Update and noticed my page kept getting redirected. I was about to buy Trend Micro PC-cillin because I never had a problem with that program. When I tried to load their site I was also redirected. Seems I was "infected" or "malware-d" without any warning, but at least at this point I knew something was up despite my anti-virus finding nothing.

No idea how I got it. I don't download from people I don't know or visit strange sites. Wondering what else it was doing in the background. Stealing passwords? Credit cards?

This is the only forum I've been able to find any info on this. So glad I used the Trojan Remover. Found it right away and at the moment - every last thing appears fine. I hope it really is :)
0
kalloco > DebiDibly
Jan 6, 2009 at 05:54 PM
That free Kaspersky 30-day trial seems to be going great!

i might even consider purchasing it!

I've run TROJAN REMOVER ... all is clear.

thanks to all on this forum!

Kalloco
0
rainbowrunner > kalloco
Jan 9, 2009 at 12:21 AM
Thanks guys, I hope this works... Trojan Remover
0
zerocool64 > rainbowrunner
Jan 10, 2009 at 01:29 AM
same problem for me... It will work... Trojan Remover

fixes the update blocks (cannot connect to server) for all antivirus programs, fixes browser redirecting when surfing certain sites, fixes Firefox Homepage "The page - *** - does not exist." and Advertisement pop-up.
0