AVG-Windows update failure

Closed
akatextileas Posts 2 Registration date Monday December 8, 2008 Status Member Last seen December 9, 2008 - Dec 9, 2008 at 09:00 AM
 lll - Apr 20, 2010 at 09:29 AM
Hello,
I have got a problem with updates. I think there is a new kind of virus that is affecting the computer's ability to browse the Windows Update and antivirus update web pages, and even to open all other antivirus sites at the same time.
It is really a strange type.
I use AVG 8.0 free edition and surely cannot update, open the www.avg.com site to update, or browse any other antivirus sites to download the latest antivirus editions to solve my problem.
Please help me solve it.

78 responses

Same problem on a friend's computer. Trojan Remover worked!!!!
0
I have been having the same problem with multiple computers. I work in IT and this particular infection is driving me crazy. I first saw it 2 years ago and back then Smitfraudfix was all you needed. Quick, simple and easy. This latest one is ridiculous. I have used Spybot S+D, AVG, Smitfraudfix, Super Anti-Spyware and now Trojan Remover won't even run. If anybody has any other possible ideas I would greatly appreciate it. I have run Trojan Remover in regular and safe modes. The last time I tried to scan with it I got a BSOD. I'm ready to start hitting my head on the keyboard to see if that will help!!!! Thanks in advance.
0
Metech25 Posts 2 Registration date Thursday January 8, 2009 Status Member Last seen January 8, 2009
Jan 8, 2009 at 08:52 PM
I am glad to see that I'm not the only one having this problem. I consider myself to be fairly adept when it comes to computers and this has been the first problem of this type that I haven't been able to solve on my own. I will be trying these steps when I get home tonight to see if it fixes my problems.

Thanks in advance to all posters, in particular, Morphine.
0
The virus was killed by Trojan Remover 675.
Thanks, guys.

Attached is the log file
***** THE SYSTEM HAS BEEN RESTARTED *****
1/9/2009 11:35:46 AM: Trojan Remover has been restarted
----------
Cleaning up TDSS keys/files:
HKLM\SOFTWARE\TDSS - key (and subkeys) deleted
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata - key (and subkeys) deleted
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TDSSSERV.SYS - key (and subkeys) deleted
C:\WINDOWS\system32\TDSSosvn.dll - deleted
C:\WINDOWS\system32\TDSSnrsr.dat - deleted
C:\WINDOWS\system32\TDSSnmxh.dll - deleted
C:\WINDOWS\system32\TDSSsbhc.dll - deleted
C:\WINDOWS\system32\TDSSthym.dll - deleted
C:\WINDOWS\system32\TDSStkdv.dll - deleted
C:\WINDOWS\system32\TDSSkpjp.log - deleted
----------
=======================================================
Removing the following registry keys:
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TDSSoeqh.sys - already removed (or did not exist)
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\TDSSoeqh.sys - already removed (or did not exist)
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\tdsspaxt.sys - already removed (or did not exist)
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\tdsspaxt.sys - already removed (or did not exist)
HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv - already removed (or did not exist)
HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys - removed
HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv) - already removed (or did not exist)
HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys) - already removed (or did not exist)
=======================================================
1/9/2009 11:35:46 AM: Trojan Remover closed
************************************************************


***** NORMAL SCAN FOR ACTIVE MALWARE *****
Trojan Remover Ver 6.7.5.2560. For information, email support@simplysup1.com
[Unregistered version]
Scan started at: 11:32:43 AM 09 Jan 2009
Using Database v7254
Operating System: Windows XP SP3 [Windows XP Professional Service Pack 3 (Build 2600)]
File System: NTFS
Data directory: C:\Documents and Settings\Norman\Application Data\Simply Super Software\Trojan Remover\
Database directory: C:\Program Files\Trojan Remover\
Logfile directory: C:\Documents and Settings\Norman\My Documents\Simply Super Software\Trojan Remover Logfiles\
Program directory: C:\Program Files\Trojan Remover\
Running with Administrator privileges

************************************************************
The following Anti-Malware program(s) are loaded:
Microsoft Windows Defender
AVG Anti-Virus

************************************************************


************************************************************
11:32:43 AM: Scanning ----------WIN.INI-----------
WIN.INI found in C:\WINDOWS

************************************************************
11:32:43 AM: Scanning --------SYSTEM.INI---------
SYSTEM.INI found in C:\WINDOWS

************************************************************
11:32:43 AM: ----- SCANNING FOR ROOTKIT SERVICES -----
Hidden Service Keyname: TDSSserv.sys
C:\WINDOWS\system32\drivers\TDSSoeqh.sys appears to contain: BACKDOOR.TDSS
C:\WINDOWS\system32\drivers\TDSSoeqh.sys - file backed up to C:\WINDOWS\system32\drivers\TDSSoeqh.sys.vir
C:\WINDOWS\system32\drivers\TDSSoeqh.sys - file has been erased using RAW erasure

************************************************************
11:33:05 AM: Scanning -----WINDOWS REGISTRY-----
--------------------
Checking HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon
--------------------
Checking HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon
This key's "Shell" value calls the following program(s):
File: Explorer.exe
C:\WINDOWS\Explorer.exe
1033728 bytes
Created: 8/3/2004
Modified: 4/14/2008
Company: Microsoft Corporation
----------
This key's "Userinit" value calls the following program(s):
File: C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\system32\userinit.exe
26112 bytes
Created: 8/3/2004
Modified: 4/14/2008
Company: Microsoft Corporation
----------
This key's "System" value appears to be blank
----------
This key's "UIHost" value calls the following program:
File: logonui.exe
C:\WINDOWS\system32\logonui.exe
514560 bytes
Created: 8/3/2004
Modified: 4/14/2008
Company: Microsoft Corporation
----------
--------------------
Checking HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
--------------------
Checking HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
Value Name: load
--------------------
Checking HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value Name: IgfxTray
Value Data: C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxtray.exe
-R- 98304 bytes
Created: 6/1/2008
Modified: 10/5/2006
Company: Intel Corporation
--------------------
Value Name: HotKeysCmds
Value Data: C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\hkcmd.exe
-R- 114688 bytes
Created: 6/1/2008
Modified: 10/5/2006
Company: Intel Corporation
--------------------
Value Name: Persistence
Value Data: C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxpers.exe
-R- 94208 bytes
Created: 6/1/2008
Modified: 10/5/2006
Company: Intel Corporation
--------------------
Value Name: RTHDCPL
Value Data: RTHDCPL.EXE
C:\WINDOWS\RTHDCPL.EXE
-R- 16126464 bytes
Created: 6/1/2008
Modified: 4/10/2007
Company: Realtek Semiconductor Corp.
--------------------
Value Name: SkyTel
Value Data: SkyTel.EXE
C:\WINDOWS\SkyTel.EXE
-R- 1822720 bytes
Created: 6/1/2008
Modified: 4/4/2007
Company: Realtek Semiconductor Corp.
--------------------
Value Name: Alcmtr
Value Data: ALCMTR.EXE
C:\WINDOWS\ALCMTR.EXE
-R- 69632 bytes
Created: 6/1/2008
Modified: 5/3/2005
Company: Realtek Semiconductor Corp.
--------------------
Value Name: CmUCRRun
Value Data: C:\WINDOWS\system32\CmUCReye.exe
C:\WINDOWS\system32\CmUCReye.exe
-R- 237568 bytes
Created: 7/28/2008
Modified: 7/11/2006
Company:
--------------------
Value Name: SunJavaUpdateSched
Value Data: "C:\Program Files\Java\jre1.5.0_12\bin\jusched.exe"
C:\Program Files\Java\jre1.5.0_12\bin\jusched.exe
75520 bytes
Created: 10/12/2008
Modified: 5/2/2007
Company: Sun Microsystems, Inc.
--------------------
Value Name: Adobe Reader Speed Launcher
Value Data: "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
39792 bytes
Created: 10/15/2008
Modified: 10/15/2008
Company: Adobe Systems Incorporated
--------------------
Value Name: Hiyo
Value Data: C:\Program Files\HiYo\bin\HiYo.exe /RunFromStartup
C:\Program Files\HiYo\bin\HiYo.exe
300336 bytes
Created: 12/10/2008
Modified: 12/10/2008
Company: IncrediMail, Ltd.
--------------------
Value Name: SweetIM
Value Data: C:\Program Files\SweetIM\Messenger\SweetIM.exe
C:\Program Files\SweetIM\Messenger\SweetIM.exe
-R- 111928 bytes
Created: 12/2/2008
Modified: 12/2/2008
Company: SweetIM Technologies Ltd.
--------------------
Value Name: Windows Defender
Value Data: "C:\Program Files\Windows Defender\MSASCui.exe" -hide
C:\Program Files\Windows Defender\MSASCui.exe
866584 bytes
Created: 11/3/2006
Modified: 11/3/2006
Company: Microsoft Corporation
--------------------
Value Name: TrojanScanner
Value Data: C:\Program Files\Trojan Remover\Trjscan.exe /boot
C:\Program Files\Trojan Remover\Trjscan.exe
1231752 bytes
Created: 1/9/2009
Modified: 1/1/2009
Company: Simply Super Software
--------------------
--------------------
Checking HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
This Registry Key appears to be empty
--------------------
Checking HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
This Registry Key appears to be empty
--------------------
Checking HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx
This Registry Key appears to be empty
--------------------
Checking HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
This Registry Key appears to be empty
--------------------
Checking HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Value Name: msnmsgr
Value Data: ~"C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
~ [file not found to scan]
--------------------
Value Name: SpybotSD TeaTimer
Value Data: C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe - this entry is globally excluded
--------------------
Value Name: ctfmon.exe
Value Data: C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\ctfmon.exe
15360 bytes
Created: 8/3/2004
Modified: 4/14/2008
Company: Microsoft Corporation
--------------------
--------------------
Checking HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
This Registry Key appears to be empty
--------------------
Checking HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
This Registry Key appears to be empty

************************************************************
11:33:07 AM: Scanning -----SHELLEXECUTEHOOKS-----
ValueName: {AEB6717E-7E19-11d0-97EE-00C04FD91972}
File: shell32.dll - this file is expected and has been left in place
----------
ValueName: {091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}
Value: Microsoft AntiMalware ShellExecuteHook
File: C:\PROGRA~1\WIFD1F~1\MpShHook.dll
C:\PROGRA~1\WIFD1F~1\MpShHook.dll
83224 bytes
Created: 11/3/2006
Modified: 11/3/2006
Company: Microsoft Corporation
----------

************************************************************
11:33:07 AM: Scanning -----HIDDEN REGISTRY ENTRIES-----
Taskdir check completed
----------
No Hidden File-loading Registry Entries found
----------

************************************************************
11:33:07 AM: Scanning -----ACTIVE SCREENSAVER-----
ScreenSaver: C:\WINDOWS\System32\logon.scr
C:\WINDOWS\System32\logon.scr
220672 bytes
Created: 8/3/2004
Modified: 4/14/2008
Company: Microsoft Corporation
--------------------

************************************************************
11:33:07 AM: Scanning ----- REGISTRY ACTIVE SETUP KEYS -----

************************************************************
11:33:07 AM: Scanning ----- SERVICEDLL REGISTRY KEYS -----
Key: HidServ
%SystemRoot%\System32\hidserv.dll - file is globally excluded (file cannot be found)
--------------------

************************************************************
11:33:08 AM: Scanning ----- SERVICES REGISTRY KEYS -----
Key: AnyDVD
ImagePath: System32\Drivers\AnyDVD.sys
C:\WINDOWS\System32\Drivers\AnyDVD.sys
97216 bytes
Created: 1/23/2008
Modified: 1/23/2008
Company: SlySoft, Inc.
----------
Key: AtcL002
ImagePath: system32\DRIVERS\l251x86.sys
C:\WINDOWS\system32\DRIVERS\l251x86.sys
-R- 29696 bytes
Created: 6/1/2008
Modified: 7/3/2007
Company: Atheros Communications Inc.
----------
Key: avg8emc
ImagePath: C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
875288 bytes
Created: 1/1/2009
Modified: 1/1/2009
Company: AVG Technologies CZ, s.r.o.
----------
Key: avg8wd
ImagePath: C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
231704 bytes
Created: 1/1/2009
Modified: 1/1/2009
Company: AVG Technologies CZ, s.r.o.
----------
Key: AvgLdx86
ImagePath: \SystemRoot\System32\Drivers\avgldx86.sys
C:\WINDOWS\System32\Drivers\avgldx86.sys
97928 bytes
Created: 1/1/2009
Modified: 1/1/2009
Company: AVG Technologies CZ, s.r.o.
----------
Key: AvgMfx86
ImagePath: \SystemRoot\System32\Drivers\avgmfx86.sys
C:\WINDOWS\System32\Drivers\avgmfx86.sys
26824 bytes
Created: 1/1/2009
Modified: 1/1/2009
Company: AVG Technologies CZ, s.r.o.
----------
Key: AvgTdiX
ImagePath: \SystemRoot\System32\Drivers\avgtdix.sys
C:\WINDOWS\System32\Drivers\avgtdix.sys
76040 bytes
Created: 1/1/2009
Modified: 1/1/2009
Company: AVG Technologies CZ, s.r.o.
----------
Key: BandLuxe_Service
ImagePath: "C:\Program Files\BandRich\BandLuxe HSDPA Utility R11\BRService.exe" -e
C:\Program Files\BandRich\BandLuxe HSDPA Utility R11\BRService.exe
87264 bytes
Created: 8/19/2008
Modified: 8/19/2008
Company: BandRich Inc.
----------
Key: br3gmdm
ImagePath: system32\DRIVERS\br3gmdm.sys
C:\WINDOWS\system32\DRIVERS\br3gmdm.sys
104192 bytes
Created: 1/9/2009
Modified: 5/15/2008
Company: BandRich Inc.
----------
Key: CMISTOR
ImagePath: system32\DRIVERS\cmiucr.SYS
C:\WINDOWS\system32\DRIVERS\cmiucr.SYS
-R- 86912 bytes
Created: 7/28/2008
Modified: 7/14/2006
Company: C-Media Corporation
----------
Key: ElbyCDIO
ImagePath: System32\Drivers\ElbyCDIO.sys
C:\WINDOWS\System32\Drivers\ElbyCDIO.sys
25160 bytes
Created: 8/7/2007
Modified: 8/7/2007
Company: Elaborate Bytes AG
----------
Key: gusvc
ImagePath: "C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe"
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
137200 bytes
Created: 10/20/2008
Modified: 12/20/2008
Company: Google
----------
Key: HPZid412
ImagePath: system32\DRIVERS\HPZid412.sys
C:\WINDOWS\system32\DRIVERS\HPZid412.sys
49920 bytes
Created: 10/21/2005
Modified: 10/21/2005
Company: HP
----------
Key: HPZipr12
ImagePath: system32\DRIVERS\HPZipr12.sys
C:\WINDOWS\system32\DRIVERS\HPZipr12.sys
16496 bytes
Created: 10/21/2005
Modified: 10/21/2005
Company: HP
----------
Key: HPZius12
ImagePath: system32\DRIVERS\HPZius12.sys
C:\WINDOWS\system32\DRIVERS\HPZius12.sys
-R- 21456 bytes
Created: 10/22/2005
Modified: 3/9/2003
Company: HP
----------
Key: ialm
ImagePath: system32\DRIVERS\igxpmp32.sys
C:\WINDOWS\system32\DRIVERS\igxpmp32.sys
-R- 1181824 bytes
Created: 6/1/2008
Modified: 10/5/2006
Company: Intel Corporation
----------
Key: MTsensor
ImagePath: system32\DRIVERS\ASACPI.sys
C:\WINDOWS\system32\DRIVERS\ASACPI.sys
-R- 5810 bytes
Created: 6/1/2008
Modified: 8/13/2004
Company:
----------
Key: rmcd
ImagePath: system32\drivers\xtbjifl.sys
C:\WINDOWS\system32\drivers\xtbjifl.sys [file not found to scan]
----------
Key: SwPrv
ImagePath: C:\WINDOWS\system32\dllhost.exe /Processid:{9BF17899-D048-4BDB-94DF-4E90CE781682}
C:\WINDOWS\system32\dllhost.exe
5120 bytes
Created: 8/3/2004
Modified: 4/14/2008
Company: Microsoft Corporation
----------
Key: trutil
ImagePath: \??\C:\DOCUME~1\Norman\LOCALS~1\Temp\trutil.sys - this file is a Trojan Remover component
----------
Key: usnjsvc
ImagePath: "C:\Program Files\Windows Live\Messenger\usnsvc.exe"
C:\Program Files\Windows Live\Messenger\usnsvc.exe
98328 bytes
Created: 10/18/2007
Modified: 10/18/2007
Company: Microsoft Corporation
----------
Key: WinDefend
ImagePath: "C:\Program Files\Windows Defender\MsMpEng.exe"
C:\Program Files\Windows Defender\MsMpEng.exe
13592 bytes
Created: 11/3/2006
Modified: 11/3/2006
Company: Microsoft Corporation
----------
Key: WLSetupSvc
ImagePath: "C:\Program Files\Windows Live\installer\WLSetupSvc.exe"
C:\Program Files\Windows Live\installer\WLSetupSvc.exe
266240 bytes
Created: 10/25/2007
Modified: 10/25/2007
Company: Microsoft Corporation
----------

************************************************************
11:33:09 AM: Scanning -----VXD ENTRIES-----

************************************************************
11:33:09 AM: Scanning ----- WINLOGON\NOTIFY DLLS -----
Key : igfxcui
DLLName: igfxdev.dll
C:\WINDOWS\system32\igfxdev.dll
-R- 155648 bytes
Created: 6/1/2008
Modified: 10/5/2006
Company: Intel Corporation
----------

************************************************************
11:33:10 AM: Scanning ----- CONTEXTMENUHANDLERS -----

************************************************************
11:33:10 AM: Scanning ----- FOLDER\COLUMNHANDLERS -----

************************************************************
11:33:10 AM: Scanning ----- BROWSER HELPER OBJECTS -----
Key: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
BHO: C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
62080 bytes
Created: 10/22/2006
Modified: 10/22/2006
Company: Adobe Systems Incorporated
----------
Key: {53707962-6F74-2D53-2644-206D7942484F}
BHO: C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
C:\Program Files\Spybot - Search & Destroy\SDHelper.dll - file is excluded from scanning [SPYBOT S&D file]
----------
Key: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}
BHO: C:\Program Files\Java\jre1.5.0_12\bin\ssv.dll
C:\Program Files\Java\jre1.5.0_12\bin\ssv.dll
440056 bytes
Created: 5/2/2007
Modified: 5/2/2007
Company: Sun Microsystems, Inc.
----------
Key: {9030D464-4C02-4ABF-8ECC-5164760863C6}
BHO: C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
328752 bytes
Created: 9/20/2007
Modified: 9/20/2007
Company: Microsoft Corporation
----------
Key: {AA58ED58-01DD-4d91-8333-CF10577473F7}
BHO: C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
251504 bytes
Created: 12/20/2008
Modified: 12/20/2008
Company: [no info]
----------
Key: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D}
BHO: C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
657904 bytes
Created: 12/20/2008
Modified: 12/20/2008
Company: Google Inc.
----------
Key: {C84D72FE-E17D-4195-BB24-76C02E2E7C4E}
BHO: C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
522224 bytes
Created: 12/20/2008
Modified: 12/20/2008
Company: Google Inc.
----------
Key: {EEE6C35C-6118-11DC-9C72-001320C79847}
BHO: C:\Program Files\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll
C:\Program Files\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll
1172792 bytes
Created: 10/8/2008
Modified: 10/8/2008
Company: SweetIM Technologies Ltd.
----------

************************************************************
11:33:10 AM: Scanning ----- SHELLSERVICEOBJECTS -----

************************************************************
11:33:10 AM: Scanning ----- SHAREDTASKSCHEDULER ENTRIES -----

************************************************************
11:33:10 AM: Scanning ----- IMAGEFILE DEBUGGERS -----
No "Debugger" entries found.

************************************************************
11:33:10 AM: Scanning ----- APPINIT_DLLS -----
The AppInit_DLLs value is blank or does not exist

************************************************************
11:33:10 AM: Scanning ----- SECURITY PROVIDER DLLS -----

************************************************************
11:33:10 AM: Scanning ------ COMMON STARTUP GROUP ------
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
The Common Startup Group attempts to load the following file(s) at boot time:
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini
-HS- 84 bytes
Created: 6/1/2008
Modified: 6/1/2008
Company: [no info]
--------------------
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
147456 bytes
Created: 4/6/2003
Modified: 4/6/2003
Company: Hewlett-Packard Co.
hp psc 1000 series.lnk - links to C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
--------------------
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
28672 bytes
Created: 4/6/2003
Modified: 4/6/2003
Company: Hewlett-Packard
hpoddt01.exe.lnk - links to C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
--------------------

************************************************************
11:33:11 AM: Scanning ------ USER STARTUP GROUPS ------
--------------------
Checking Startup Group for: Norman
[C:\Documents and Settings\Norman\START MENU\PROGRAMS\STARTUP]
The Startup Group for Norman attempts to load the following file(s):
C:\Documents and Settings\Norman\START MENU\PROGRAMS\STARTUP\desktop.ini
-HS- 84 bytes
Created: 1/2/2009
Modified: 6/1/2008
Company: [no info]
----------
--------------------
Checking Startup Group for: Wayne
[C:\Documents and Settings\Wayne\START MENU\PROGRAMS\STARTUP]
The Startup Group for Wayne attempts to load the following file(s):
C:\Documents and Settings\Wayne\START MENU\PROGRAMS\STARTUP\desktop.ini
-HS- 84 bytes
Created: 10/2/2008
Modified: 6/1/2008
Company: [no info]
----------
--------------------
Checking Startup Group for: XPUser
[C:\Documents and Settings\XPUser\START MENU\PROGRAMS\STARTUP]
The Startup Group for XPUser attempts to load the following file(s):
C:\Documents and Settings\XPUser\START MENU\PROGRAMS\STARTUP\desktop.ini
-HS- 84 bytes
Created: 6/1/2008
Modified: 6/1/2008
Company: [no info]
----------

************************************************************
11:33:11 AM: Scanning ----- SCHEDULED TASKS -----
Taskname: MP Scheduled Scan.job
File: C:\Program Files\Windows Defender\MpCmdRun.exe
C:\Program Files\Windows Defender\MpCmdRun.exe
293144 bytes
Created: 11/3/2006
Modified: 11/3/2006
Company: Microsoft Corporation
Parameters: Scan -RestrictPrivileges
Next Run Time: 1/9/2009 6:00:00 PM
Status: The task has not yet run
Creator: SYSTEM
Comments: Scheduled Scan
----------

************************************************************
11:33:11 AM: Scanning ----- SHELLICONOVERLAYIDENTIFIERS -----

************************************************************
11:33:11 AM: ----- ADDITIONAL CHECKS -----
PE386 rootkit checks completed
----------
Winlogon registry rootkit checks completed
----------
1 TDSS rootkit driver(s) heuristically detected
C:\WINDOWS\system32\drivers\tdsspaxt.sys appears to contain: BACKDOOR.TDSS
C:\WINDOWS\system32\drivers\tdsspaxt.sys - file backed up to C:\WINDOWS\system32\drivers\tdsspaxt.sys.vir
C:\WINDOWS\system32\drivers\tdsspaxt.sys - file has been erased using RAW erasure
-----
Heuristic checks for hidden files/drivers completed
----------
Layered Service Provider entries checks completed
----------
Windows Explorer Policies checks completed
----------
Desktop Wallpaper entry is blank
----------
Web Desktop Wallpaper: %SystemRoot%\web\wallpaper\Bliss.bmp
C:\WINDOWS\web\wallpaper\Bliss.bmp
1440054 bytes
Created: 6/1/2008
Modified: 6/1/2008
Company: [no info]
----------
DNS Server information:
Rogue DNS NameServers:
Interface:
NameServers: 80.93.144.1 80.93.144.2
Checks for rogue DNS NameServers completed
----------
Additional checks completed

************************************************************
11:33:28 AM: Scanning ----- RUNNING PROCESSES -----

C:\WINDOWS\System32\smss.exe
[1 loaded module]
--------------------
C:\WINDOWS\system32\csrss.exe
[11 loaded modules in total]
--------------------
C:\WINDOWS\system32\winlogon.exe
[68 loaded modules in total]
--------------------
C:\WINDOWS\system32\services.exe
[32 loaded modules in total]
--------------------
C:\WINDOWS\system32\lsass.exe
[61 loaded modules in total]
--------------------
C:\WINDOWS\system32\svchost.exe
[65 loaded modules in total]
--------------------
C:\WINDOWS\system32\svchost.exe - file already scanned
[38 loaded modules in total]
--------------------
C:\Program Files\Windows Defender\MsMpEng.exe - file already scanned
[42 loaded modules in total]
--------------------
C:\WINDOWS\System32\svchost.exe - file already scanned
[155 loaded modules in total]
--------------------
C:\WINDOWS\system32\svchost.exe - file already scanned
[31 loaded modules in total]
--------------------
C:\WINDOWS\system32\svchost.exe - file already scanned
[41 loaded modules in total]
--------------------
C:\WINDOWS\system32\spoolsv.exe
[57 loaded modules in total]
--------------------
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe - file already scanned
[36 loaded modules in total]
--------------------
C:\Program Files\BandRich\BandLuxe HSDPA Utility R11\BRService.exe - file already scanned
[29 loaded modules in total]
--------------------
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
[27 loaded modules in total]
--------------------
C:\WINDOWS\system32\svchost.exe - file already scanned
[44 loaded modules in total]
--------------------
C:\WINDOWS\Explorer.EXE - file already scanned
[112 loaded modules in total]
--------------------
C:\Program Files\BandRich\BandLuxe HSDPA Utility R11\CManager.exe
[51 loaded modules in total]
--------------------
C:\WINDOWS\system32\igfxtray.exe - file already scanned
[33 loaded modules in total]
--------------------
C:\WINDOWS\system32\igfxpers.exe - file already scanned
[31 loaded modules in total]
--------------------
C:\WINDOWS\RTHDCPL.EXE - file already scanned
[41 loaded modules in total]
--------------------
C:\WINDOWS\system32\CmUCReye.exe - file already scanned
[38 loaded modules in total]
--------------------
C:\Program Files\HiYo\bin\HiYo.exe - file already scanned
[42 loaded modules in total]
--------------------
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
[23 loaded modules in total]
--------------------
C:\Program Files\Windows Defender\MSASCui.exe - file already scanned
[62 loaded modules in total]
--------------------
C:\WINDOWS\system32\ctfmon.exe - file already scanned
[31 loaded modules in total]
--------------------
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
[44 loaded modules in total]
--------------------
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
[35 loaded modules in total]
--------------------
C:\PROGRA~1\AVG\AVG8\avgemc.exe - file already scanned
[60 loaded modules in total]
--------------------
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
[33 loaded modules in total]
--------------------
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
[44 loaded modules in total]
--------------------
C:\WINDOWS\System32\alg.exe
[32 loaded modules in total]
--------------------
C:\WINDOWS\system32\wscntfy.exe
[24 loaded modules in total]
--------------------
C:\Program Files\Mozilla Firefox\firefox.exe
[90 loaded modules in total]
--------------------
C:\Documents and Settings\Norman\Application Data\Simply Super Software\Trojan Remover\uku5.exe
FileSize: 2921336
[This is a Trojan Remover component]
[71 loaded modules in total]
--------------------

************************************************************
11:33:54 AM: Checking AUTOEXEC.BAT file
AUTOEXEC.BAT found in C:\
No malicious entries were found in the AUTOEXEC.BAT file

************************************************************
11:33:54 AM: Checking AUTOEXEC.NT file
AUTOEXEC.NT found in C:\WINDOWS\system32
No malicious entries were found in the AUTOEXEC.NT file

************************************************************
11:33:54 AM: Checking HOSTS file
No malicious entries were found in the HOSTS file

************************************************************
11:33:54 AM: Scanning ------ %TEMP% DIRECTORY ------
C:\DOCUME~1\Norman\LOCALS~1\Temp\etilqs_Xkbrfg7sDcl14tV8HsDS appears to be in-use/locked
************************************************************
11:33:55 AM: Scanning ------ C:\WINDOWS\Temp DIRECTORY ------
************************************************************
11:33:58 AM: Scanning ------ ROOT DIRECTORY ------

************************************************************
11:33:58 AM: ------ Scan for other files to remove ------
No malware-related files found to remove

************************************************************
------ INTERNET EXPLORER HOME/START/SEARCH SETTINGS ------
HKLM\Software\Microsoft\Internet Explorer\Main\"Start Page":
http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
HKLM\Software\Microsoft\Internet Explorer\Main\"Local Page":
C:\windows\system32\blank.htm
HKLM\Software\Microsoft\Internet Explorer\Main\"Search Page":
http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKLM\Software\Microsoft\Internet Explorer\Main\"Default_Page_URL":
http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
HKLM\Software\Microsoft\Internet Explorer\Main\"Default_Search_URL":
http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKLM\Software\Microsoft\Internet Explorer\Search\"CustomizeSearch":
https://www.bing.com/?toHttps=1&redig=73960D15C3CC4942B0C871380AA65EA0{SUB_RFC1766}/srchasst/srchcust.htm
HKLM\Software\Microsoft\Internet Explorer\Search\"SearchAssistant":
https://www.bing.com/?toHttps=1&redig=73960D15C3CC4942B0C871380AA65EA0{SUB_RFC1766}/srchasst/srchasst.htm
HKCU\Software\Microsoft\Internet Explorer\Main\"Start Page":
http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
HKCU\Software\Microsoft\Internet Explorer\Main\"Local Page":
C:\windows\system32\blank.htm
HKCU\Software\Microsoft\Internet Explorer\Main\"Search Page":
http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKCU\Software\Microsoft\Internet Explorer\Main\"Default_Search_URL":
http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch

************************************************************
=== CHANGES WERE MADE TO THE WINDOWS REGISTRY ===
=== ONE OR MORE FILES WERE RENAMED OR REMOVED ===
Scan completed at: 11:33:58 AM 09 Jan 2009
Total Scan time: 00:01:15
-------------------------------------------------------------------------
One or more files could not be moved or renamed as requested.
They may be in use by Windows, so Trojan Remover needs
to restart the system in order to deal with these files.
1/9/2009 11:34:03 AM: restart commenced
************************************************************
0

Man... this was bananas.
Had to call a friend at Microsoft who told me how to even search for a solution, which allowed me to find this site, TR, MBytes, etc... thanks for all the info and heads up.
Everyone should spread the word... most folks have no clue what to do in this situation and given the spread of this issue, I'd assume that it's only going to get worse.
Tell your friends!

-D
0
Thanks for the help and hints on Trojan Remover! It worked like a charm and everything is fixed now. Though I still wonder how that thing got into my PC; it's for sure a nasty thing.
0
Umm... Trojan Remover is not working for me at all. I don't know if this is a new version of the "whatever it's called Trojan DNS Changer", and I'm running Trojan Remover, AVG and Malware. Malware detects it but will not remove it; Trojan Remover will not detect it and won't remove it, so I guess I'm SOL.
Does everyone at all have this same problem, not being able to remove it?
0
poons > PSOUTRAGE
Jan 26, 2009 at 07:18 AM
Hey!

Yeah, I'm having the same problem.... Trojan Remover and the malware are not removing the trojan/malware... what should we do with this new problem?
0
Rossco Posts 2 Registration date Saturday January 10, 2009 Status Member Last seen January 11, 2009
Jan 11, 2009 at 07:06 AM
To one and all, thank you so very much for helping me fix the inability to get AVG or Microsoft updates.
I too have now had the problem sorted by the Trojan Removal program.

Another thing that happened to our computer was that we couldn't make a restore point, nor could we use any previous restore points! That has also apparently been fixed.
It might be another thing to check on if anyone else has that problem. It may be related??!!
Thanks again people :-)
0
katalina713 Posts 4 Registration date Monday January 12, 2009 Status Member Last seen January 14, 2009
Jan 13, 2009 at 02:04 PM
Hi,

I have the same virus. I got it around the same time everyone else did (in December). I was able to download the Trojan Remover. However, I'm not able to install it. When I hit "open" or "run as" it doesn't do anything. The virus is blocking the installation. I had the same problem with a Microsoft program. I downloaded the Microsoft program and burned it to a disk. I tried installing it from the disk and it wouldn't let me install it.

How can I install the Trojan Remover? Does anyone have any suggestions? Is there something I can do manually to allow the installation?

Thanks
0
Hi! I downloaded the Trojan Remover set-up program (only....did not run the actual set-up) to a thumb drive from another PC, then installed the set-up program on the infected PC and ran it. Found the "Backdoor.TDSS" in about 1 second! Entire scan only took about 3 minutes....GREAT anti-virus program. Hope it works for you, also. Best of Luck to You!
0
You guys and Trojan Remover saved the day!
I had 1 week of hell trying to figure this one out, and that with 15 years of IT knowledge.

This was weird and there is not much info on the www.

BIG THANK YOU!!
0
Bless you, bless you, bless you for this stroke of insight on Trojan Remover!!!!
0
katalina713 Posts 4 Registration date Monday January 12, 2009 Status Member Last seen January 14, 2009
Jan 14, 2009 at 09:01 AM
It worked! Renaming the installation file worked. The internet is working good now, but I did see a pop or two appear.

Does anyone have any idea how they got the virus? My boyfriend thinks he got the virus from redtube.com. Did anyone else view this website prior to receiving the virus?
0
I was up all night trying to kill this thing, with no luck.
Every site I wanted to visit, it would bring me somewhere else. It was pretty smart, I must admit.
I have never been so concerned about viruses, but after seeing this I was a little annoyed.

Thanks to your info, and most of all Trojan Remover, which worked after the 2nd try. The first time I ran it was in safe mode and it didn't seem to solve the problem; when Windows rebooted (normal) I scanned again, and all seems to work since I am able to update all virus definitions. Moving to other tools now.
0
Thanks for the info, Morphine. I was having the same problem as most everyone here. Trojan Remover worked like a charm. Sure beats reformatting the hard drive. Thanks again.
0
It's been said dozens of times already, but THANKS! Trojan Remover worked like a charm! You guys are the best!
0
Shotgun Willy
Jan 20, 2009 at 04:53 AM
THANKS FOR THE TIPS EVERYONE!!

I had this update blocker too. The Trojan Remover worked perfectly!

Thanks again!

Shotgun
0
whollygrael Posts 2 Registration date Tuesday January 20, 2009 Status Member Last seen January 20, 2009
Jan 20, 2009 at 08:38 PM
I too have been the victim of this insidious malware. Not even MS's Malicious Software Removal Tool (January 2009) detected it. (Tool downloaded via an uninfected computer on my home network because even access to Microsoft website was consistently redirected to Google's search page). However, Trojan Remover did the trick!

The idiocy of this sort of malware usually takes days to rectify and then only after reinstalling the OS, but the discussion here was invaluable. Saved me heaps of frustration, anger and time.

Thanks guys.
0
I battled this with little success last week for 3 hours, no info due to my searches being filtered and replaced with related but not results. The PC is in a family household and used for most anything. It started with not doing updates to Windows or the AVG8.0 free edition. I uninstalled and tried a reinstall of AVG and it froze halfway through. When I went to the MS website, it said turn updates on, which I did, and as soon as it went to download updates, it would turn them off and say turn them on again. The culprit I suspect is the Antivirus 2009 pop-up; they mistakenly installed it thinking it was their AV suite saying it, and things got worse as well. MS is making a tool and it's now in the news to everyone; it's being blamed on Ukraine... go figure. I used the end-all solution... back up and reinstall.

http://www.foxnews.com/story/0,2933,480857,00.html

This thing has even attempted to crack passwords and spread through networks, over 9 million infected so far. I suspect it's something commonly used or through an automatic update of a program, possibly from a hacked site.

My conspiracy theory for it................ the pirates have gone digital !
0
Thanks guys, it worked for me... I spent 5 hours trying to fix it and I stumbled upon this forum... lifesavers.
0
I have been trying to solve this issue with all the known anti-spyware/malware/virus programmes known and no luck, same problem, some will not even install.

Thanks for the solution! It saved my computer! I don't wish anyone to have the same problem. If anyone knows the source, please post it.
0
I got Trojan remover to install but now it says it's expired?! Any help with this?
0
Hello. Now I have the same problem. I have tried plenty of different anti-virus software, and yet, unsuccessful. I can tell you that NOD32, McAfee, Norton, Kaspersky won't find anything. AVG is good, but when you have got the infection inside, it is useless. You won't be able to update any of them, not even Malwarebytes, or access their websites (e.g. avg.com, symantec.com and so on...). And the "hosts" file has nothing to do with it!
But I have found a solution if you want to be able to update your anti-virus. It has something to do with "svchost.exe", which can be seen in the task manager (Ctrl+Alt+Del > Processes). First of all, make a BAT file on your desktop (just make a TXT file and rename its extension to .BAT). Open it with your right mouse button and click edit. Put in the following code:
------------------
@echo off
shutdown -a
cls
------------------
and save the file.

Now access the task manager and go to Processes. Start killing all the "svchost.exe" until you have none of them running. This will make a message with a shutdown appear on your screen. Run the BAT file, this will cancel the shutdown. Now when you kill all the "svchost.exe", you will be able to update your anti-virus and go online to avg.com or other.
0
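A read-only way to look at the svchost.exe instances the post above refers to, as an added example that is not part of the original post: it lists each instance with its image path, parent process and hosted services, and marks the ones that do not look like the Windows service host. It assumes PowerShell 3.0 or later and an elevated prompt; the status labels are this example's own.

```powershell
# Added example: read-only inventory of svchost.exe instances. Nothing is terminated.
# Run elevated; otherwise ExecutablePath comes back empty for some instances.

# Image paths the Windows service host runs from (SysWOW64 exists on 64-bit Windows).
$expected = @(
    (Join-Path $env:SystemRoot 'System32\svchost.exe'),
    (Join-Path $env:SystemRoot 'SysWOW64\svchost.exe')
)

# Index running services by the PID of the process that hosts them.
$servicesByPid = Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.ProcessId -ne 0 } |
    Group-Object -Property ProcessId -AsHashTable -AsString

# Map every PID to its process name so the parent of each svchost can be named.
$allProcesses = Get-CimInstance -ClassName Win32_Process
$nameByPid = @{}
foreach ($p in $allProcesses) { $nameByPid[[string]$p.ProcessId] = $p.Name }

$report = foreach ($proc in $allProcesses | Where-Object { $_.Name -eq 'svchost.exe' }) {
    $svc    = $servicesByPid[[string]$proc.ProcessId]
    $hosted = if ($svc) { @($svc | ForEach-Object { $_.Name }) } else { @() }
    $parent = $nameByPid[[string]$proc.ParentProcessId]

    # -notcontains compares strings case-insensitively, which suits Windows paths.
    $status = if (-not $proc.ExecutablePath) { 'path unreadable (run elevated)' }
        elseif ($expected -notcontains $proc.ExecutablePath) { 'REVIEW: unexpected image path' }
        elseif ($parent -ne 'services.exe') { 'REVIEW: parent is not services.exe' }
        elseif ($hosted.Count -eq 0) { 'REVIEW: hosts no service' }
        else { 'ok' }

    [pscustomobject]@{
        ProcessId = $proc.ProcessId
        Parent    = $parent
        Path      = $proc.ExecutablePath
        Services  = $hosted -join ', '
        Status    = $status
    }
}

# Rows marked REVIEW sort after the unreadable ones and before 'ok'.
$report | Sort-Object Status, ProcessId | Format-Table -AutoSize -Wrap
```

A parent name can be misleading when the original parent has exited and its PID was reused, so treat a REVIEW row as a prompt to look closer rather than a verdict.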
I also used TROJAN REMOVER and it removed several files and reg entries related to a file called kdwec.exe. When I restarted, my computer still had the problem. I re-ran Trojan Remover after turning off the system restore and the computer seems to be working properly.
0
Hi. I agree with you. Trojan Remover helped me as well. It was an awesome ending when I caught all the nasty worms sneaking inside my PC:)) Now the problem's gone, thankfully.

Anyone who doesn't have Trojan Remover yet, I advise you to get it.
0