Gosh. I can't update virus protection


When I try to update virus protection, I get the following message from Malwarebytes: "Update failed. Make sure you are connected to the Internet and your firewall is set to allow Malwarebytes to access the internet."

When I try to update Avira Anti-virus, I am told: Internet connection failed. The report from Avira is the following:

13.05.2009 18:10:47 - Installation Directory: C:\Program Files\Avira\AntiVir PersonalEdition Classic\

13.05.2009 18:10:47 - Backup Directory: C:\Documents and Settings\All Users\Application Data\Avira\AntiVir PersonalEdition Classic\BACKUP\

13.05.2009 18:10:47 - Temp Directory: C:\Documents and Settings\All Users\Application Data\Avira\AntiVir PersonalEdition Classic\Update\AVUPDATE_4a0b4561\

13.05.2009 18:10:47 - Using System's global Proxy settings

13.05.2009 18:10:48 - Launching GUI... display mode: 0

13.05.2009 18:10:48 - selftest successful: C:\Program Files\Avira\AntiVir PersonalEdition Classic\updlib.dll

13.05.2009 18:10:48 - selftest successful: C:\Program Files\Avira\AntiVir PersonalEdition Classic\updlibrc.dll

13.05.2009 18:10:47 - Installation Directory: C:\Program Files\Avira\AntiVir PersonalEdition Classic\

13.05.2009 18:10:47 - Backup Directory: C:\Documents and Settings\All Users\Application Data\Avira\AntiVir PersonalEdition Classic\BACKUP\

13.05.2009 18:10:47 - Temp Directory: C:\Documents and Settings\All Users\Application Data\Avira\AntiVir PersonalEdition Classic\Update\AVUPDATE_4a0b4561\

13.05.2009 18:10:47 - Using System's global Proxy settings

13.05.2009 18:10:48 - Launching GUI... display mode: 0

13.05.2009 18:10:48 - selftest successful: C:\Program Files\Avira\AntiVir PersonalEdition Classic\updlib.dll

13.05.2009 18:10:48 - selftest successful: C:\Program Files\Avira\AntiVir PersonalEdition Classic\updlibrc.dll

13.05.2009 18:10:48 - Avira AntiVir Personal - Free Antivirus

13.05.2009 18:10:55 - The file C:\Documents and Settings\All Users\Application Data\Avira\AntiVir PersonalEdition Classic\Update\AVUPDATE_4a0b4561\idx/master.idx with the following content is erroneous:

13.05.2009 18:10:55 - <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">

13.05.2009 18:10:55 - <html><head>

13.05.2009 18:10:55 - <title>403 Forbidden</title>

13.05.2009 18:10:55 - </head><body>

13.05.2009 18:10:55 - <h1>Forbidden</h1>

13.05.2009 18:10:55 - <p>You don't have permission to access /upd/idx/master.idx

13.05.2009 18:10:55 - on this server.</p>

13.05.2009 18:10:55 - </body></html>

13.05.2009 18:10:55 - There was a problem updating from the specified server: Validation error. File C:\Documents and Settings\All Users\Application Data\Avira\AntiVir PersonalEdition Classic\Update\AVUPDATE_4a0b4561\idx/master.idx is corrupted!

13.05.2009 18:10:55 - Switching to next update server

13.05.2009 18:10:57 - The file C:\Documents and Settings\All Users\Application Data\Avira\AntiVir PersonalEdition Classic\Update\AVUPDATE_4a0b4561\idx/master.idx with the following content is erroneous:

13.05.2009 18:10:57 - <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">

13.05.2009 18:10:57 - <html><head>

13.05.2009 18:10:57 - <title>403 Forbidden</title>

13.05.2009 18:10:57 - </head><body>

13.05.2009 18:10:57 - <h1>Forbidden</h1>

13.05.2009 18:10:57 - <p>You don't have permission to access /upd/idx/master.idx

13.05.2009 18:10:57 - on this server.</p>

13.05.2009 18:10:57 - </body></html>

13.05.2009 18:10:57 - There was a problem updating from the specified server: Validation error. File C:\Documents and Settings\All Users\Application Data\Avira\AntiVir PersonalEdition Classic\Update\AVUPDATE_4a0b4561\idx/master.idx is corrupted!

13.05.2009 18:10:57 - Switching to next update server

13.05.2009 18:10:58 - The file C:\Documents and Settings\All Users\Application Data\Avira\AntiVir PersonalEdition Classic\Update\AVUPDATE_4a0b4561\idx/master.idx with the following content is erroneous:

13.05.2009 18:10:58 - <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">

13.05.2009 18:10:58 - <html><head>

13.05.2009 18:10:58 - <title>403 Forbidden</title>

13.05.2009 18:10:58 - </head><body>

13.05.2009 18:10:58 - <h1>Forbidden</h1>

13.05.2009 18:10:58 - <p>You don't have permission to access /upd/idx/master.idx

13.05.2009 18:10:59 - on this server.</p>

13.05.2009 18:10:59 - </body></html>

13.05.2009 18:10:59 - There was a problem updating from the specified server: Validation error. File C:\Documents and Settings\All Users\Application Data\Avira\AntiVir PersonalEdition Classic\Update\AVUPDATE_4a0b4561\idx/master.idx is corrupted!

13.05.2009 18:10:59 - Switching to next update server

13.05.2009 18:11:00 - The file C:\Documents and Settings\All Users\Application Data\Avira\AntiVir PersonalEdition Classic\Update\AVUPDATE_4a0b4561\idx/master.idx with the following content is erroneous:

13.05.2009 18:11:00 - <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">

13.05.2009 18:11:00 - <html><head>

13.05.2009 18:11:00 - <title>403 Forbidden</title>

13.05.2009 18:11:00 - </head><body>

13.05.2009 18:11:00 - <h1>Forbidden</h1>

13.05.2009 18:11:00 - <p>You don't have permission to access /upd/idx/master.idx

13.05.2009 18:11:00 - on this server.</p>

13.05.2009 18:11:00 - </body></html>

13.05.2009 18:11:00 - There was a problem updating from the specified server: Validation error. File C:\Documents and Settings\All Users\Application Data\Avira\AntiVir PersonalEdition Classic\Update\AVUPDATE_4a0b4561\idx/master.idx is corrupted!

13.05.2009 18:11:00 - Switching to next update server

13.05.2009 18:11:02 - The file C:\Documents and Settings\All Users\Application Data\Avira\AntiVir PersonalEdition Classic\Update\AVUPDATE_4a0b4561\idx/master.idx with the following content is erroneous:

13.05.2009 18:11:02 - <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">

13.05.2009 18:11:02 - <html><head>

13.05.2009 18:11:02 - <title>403 Forbidden</title>

13.05.2009 18:11:02 - </head><body>

13.05.2009 18:11:02 - <h1>Forbidden</h1>

13.05.2009 18:11:02 - <p>You don't have permission to access /upd/idx/master.idx

13.05.2009 18:11:02 - on this server.</p>

13.05.2009 18:11:02 - </body></html>

13.05.2009 18:11:02 - There was a problem updating from the specified server: Validation error. File C:\Documents and Settings\All Users\Application Data\Avira\AntiVir PersonalEdition Classic\Update\AVUPDATE_4a0b4561\idx/master.idx is corrupted!

13.05.2009 18:11:02 - Switching to next update server

13.05.2009 18:11:03 - The file C:\Documents and Settings\All Users\Application Data\Avira\AntiVir PersonalEdition Classic\Update\AVUPDATE_4a0b4561\idx/master.idx with the following content is erroneous:

13.05.2009 18:11:03 - <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">

13.05.2009 18:11:03 - <html><head>

13.05.2009 18:11:03 - <title>403 Forbidden</title>

13.05.2009 18:11:03 - </head><body>

13.05.2009 18:11:03 - <h1>Forbidden</h1>

13.05.2009 18:11:03 - <p>You don't have permission to access /upd/idx/master.idx

13.05.2009 18:11:03 - on this server.</p>

13.05.2009 18:11:03 - </body></html>

13.05.2009 18:11:03 - There was a problem updating from the specified server: Validation error. File C:\Documents and Settings\All Users\Application Data\Avira\AntiVir PersonalEdition Classic\Update\AVUPDATE_4a0b4561\idx/master.idx is corrupted!

13.05.2009 18:11:03 - Switching to next update server

13.05.2009 18:11:05 - The file C:\Documents and Settings\All Users\Application Data\Avira\AntiVir PersonalEdition Classic\Update\AVUPDATE_4a0b4561\idx/master.idx with the following content is erroneous:

13.05.2009 18:11:05 - <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">

13.05.2009 18:11:05 - <html><head>

13.05.2009 18:11:05 - <title>403 Forbidden</title>

13.05.2009 18:11:05 - </head><body>

13.05.2009 18:11:05 - <h1>Forbidden</h1>

13.05.2009 18:11:05 - <p>You don't have permission to access /upd/idx/master.idx

13.05.2009 18:11:05 - on this server.</p>

13.05.2009 18:11:05 - </body></html>

13.05.2009 18:11:05 - There was a problem updating from the specified server: Validation error. File C:\Documents and Settings\All Users\Application Data\Avira\AntiVir PersonalEdition Classic\Update\AVUPDATE_4a0b4561\idx/master.idx is corrupted!

13.05.2009 18:11:05 - Switching to next update server

13.05.2009 18:11:06 - The file C:\Documents and Settings\All Users\Application Data\Avira\AntiVir PersonalEdition Classic\Update\AVUPDATE_4a0b4561\idx/master.idx with the following content is erroneous:

13.05.2009 18:11:06 - <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">

13.05.2009 18:11:06 - <html><head>

13.05.2009 18:11:06 - <title>403 Forbidden</title>

13.05.2009 18:11:06 - </head><body>

13.05.2009 18:11:06 - <h1>Forbidden</h1>

13.05.2009 18:11:06 - <p>You don't have permission to access /upd/idx/master.idx

13.05.2009 18:11:06 - on this server.</p>

13.05.2009 18:11:06 - </body></html>

13.05.2009 18:11:06 - There was a problem updating from the specified server: Validation error. File C:\Documents and Settings\All Users\Application Data\Avira\AntiVir PersonalEdition Classic\Update\AVUPDATE_4a0b4561\idx/master.idx is corrupted!

13.05.2009 18:11:06 - Switching to next update server

13.05.2009 18:11:08 - The file C:\Documents and Settings\All Users\Application Data\Avira\AntiVir PersonalEdition Classic\Update\AVUPDATE_4a0b4561\idx/master.idx with the following content is erroneous:

13.05.2009 18:11:08 - <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">

13.05.2009 18:11:08 - <html><head>

13.05.2009 18:11:08 - <title>403 Forbidden</title>

13.05.2009 18:11:08 - </head><body>

13.05.2009 18:11:08 - <h1>Forbidden</h1>

13.05.2009 18:11:08 - <p>You don't have permission to access /upd/idx/master.idx

13.05.2009 18:11:08 - on this server.</p>

13.05.2009 18:11:08 - </body></html>

13.05.2009 18:11:08 - There was a problem updating from the specified server: Validation error. File C:\Documents and Settings\All Users\Application Data\Avira\AntiVir PersonalEdition Classic\Update\AVUPDATE_4a0b4561\idx/master.idx is corrupted!

13.05.2009 18:11:08 - Switching to next update server

13.05.2009 18:11:09 - The file C:\Documents and Settings\All Users\Application Data\Avira\AntiVir PersonalEdition Classic\Update\AVUPDATE_4a0b4561\idx/master.idx with the following content is erroneous:

13.05.2009 18:11:09 - <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">

13.05.2009 18:11:09 - <html><head>

13.05.2009 18:11:09 - <title>403 Forbidden</title>

13.05.2009 18:11:09 - </head><body>

13.05.2009 18:11:09 - <h1>Forbidden</h1>

13.05.2009 18:11:09 - <p>You don't have permission to access /upd/idx/master.idx

13.05.2009 18:11:09 - on this server.</p>

13.05.2009 18:11:09 - </body></html>

13.05.2009 18:11:36 - Registry entry created successfully: Software\Avira\AntiVir PersonalEdition Classic |UpdateInProgress

13.05.2009 18:11:37 - Critical error: Validation error. File C:\Documents and Settings\All Users\Application Data\Avira\AntiVir PersonalEdition Classic\Update\AVUPDATE_4a0b4561\idx/master.idx is corrupted!

Also, I am unable to access McAfee web page via the Internet. Other than this, my navigation seems to be working fine.

Here is the HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 6:16:13 PM, on 5/13/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16827)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe

C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Program Files\Messenger\msmsgs.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Creative\MediaSource5\MtdAcqu.exe

C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe

C:\WINDOWS\system32\CTsvcCDA.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe

C:\Program Files\palmOne\Hotsync.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe

C:\Program Files\HijackThis.exe

C:\WINDOWS\system32\rundll32.exe

C:\WINDOWS\system32\notepad.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll

O2 - BHO: {1a481bb3-40d9-fa5b-3c94-de7a66aecd67} - {76dcea66-a7ed-49c3-b5af-9d043bb184a1} - (no file)

O2 - BHO: (no name) - {7BEC4D47-38D5-4D42-9354-107925DEFE0F} - (no file)

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O4 - HKLM\..\Run: [iMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC

O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC

O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName

O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [MtdAcqu] "C:\Program Files\Creative\MediaSource5\MtdAcqu.exe" /s

O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1

O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: DataViz Inc Messenger.lnk = C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe

O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\palmOne\Hotsync.exe

O4 - Global Startup: Renaissance Wireless Server.lnk = C:\Documents and Settings\All Users\Application Data\Renaissance Wireless Server\Renaissance Wireless Server.exe

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab

O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1188535179253

O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1188535170821

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O20 - Winlogon Notify: qommklj - C:\WINDOWS\

O20 - Winlogon Notify: vvucseiz - C:\WINDOWS\

O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe

O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe

O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

--

End of file - 6468 bytes

Here is the Malwarebytes log file list:

Malwarebytes' Anti-Malware 1.36

Database version: 1945

Windows 5.1.2600 Service Pack 3

5/13/2009 2:19:27 PM

mbam-log-2009-05-13 (14-19-27).txt

Scan type: Quick Scan

Objects scanned: 61836

Time elapsed: 13 minute(s), 37 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 16

Registry Values Infected: 3

Registry Data Items Infected: 0

Folders Infected: 2

Files Infected: 3

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{a95b2816-1d7e-4561-a202-68c0de02353a} (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{bbb05d9e-0297-404d-a6bf-d8f2876b84a6} (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{a95b2816-1d7e-4561-a202-68c0de02353a} (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{bbb05d9e-0297-404d-a6bf-d8f2876b84a6} (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\WR (Malware.Trace) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\MS Juan (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\jkwslist (Malware.Trace) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Juan (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WinAble (Trojan.Adloader) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\WinAble (Trojan.Adloader) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\CAC (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{11a69ae4-fbed-4832-a2bf-45af82825583} (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\{11a69ae4-fbed-4832-a2bf-45af82825583} (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{bbb05d9e-0297-404d-a6bf-d8f2876b84a6} (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

C:\Program Files\WinAble (Trojan.Adloader) -> Quarantined and deleted successfully.

C:\Program Files\Temporary (Trojan.Agent) -> Quarantined and deleted successfully.

Files Infected:

C:\WINDOWS\system32\vvucseiz.dllbox (Trojan.Vundo.H) -> Quarantined and deleted successfully.

C:\WINDOWS\cookies.ini (Malware.Trace) -> Quarantined and deleted successfully.

C:\Documents and Settings\All Users\Start Menu\Online Security Guide.lnk (Rogue.Link) -> Quarantined and deleted successfully.

Whew! Any help would be greatly appreciated!!!

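The updater log above has every mirror answering with an HTML "403 Forbidden" page where the idx/master.idx index should be, and the poster also cannot reach the McAfee site. When the failure is identical across every mirror, the cause is usually on the client side rather than a server outage. The script below is an added example and not part of the thread; it parses Avira-style updater lines, splits them into per-mirror attempts at each "Switching to next update server" line, and reports whether the HTML error pages are mirror-specific or uniform. The sample lines are constructed in the thread's log format with shortened placeholder paths.

```python
"""Added example, not part of the forum thread: triage of an Avira-style
updater log. Log lines are grouped into per-mirror attempts (separated by
"Switching to next update server"); each attempt records whether an HTML
error page was stored in place of the idx/master.idx index. Sample lines
are constructed in the thread's format; the paths are placeholders."""

import re

LINE_RE = re.compile(r"^\d{2}\.\d{2}\.\d{4} \d{2}:\d{2}:\d{2} - (.*)$")
TITLE_RE = re.compile(r"<title>(\d{3}) ([^<]+)</title>")

# Constructed excerpt: three mirrors, each answering with a 403 page.
SAMPLE_LOG = """\
13.05.2009 18:10:48 - selftest successful: C:\\AV\\updlib.dll
13.05.2009 18:10:55 - The file C:\\AV\\Update\\idx/master.idx with the following content is erroneous:
13.05.2009 18:10:55 - <title>403 Forbidden</title>
13.05.2009 18:10:55 - There was a problem updating from the specified server: Validation error. File C:\\AV\\Update\\idx/master.idx is corrupted!
13.05.2009 18:10:55 - Switching to next update server
13.05.2009 18:10:57 - The file C:\\AV\\Update\\idx/master.idx with the following content is erroneous:
13.05.2009 18:10:57 - <title>403 Forbidden</title>
13.05.2009 18:10:57 - There was a problem updating from the specified server: Validation error. File C:\\AV\\Update\\idx/master.idx is corrupted!
13.05.2009 18:10:57 - Switching to next update server
13.05.2009 18:10:59 - The file C:\\AV\\Update\\idx/master.idx with the following content is erroneous:
13.05.2009 18:10:59 - <title>403 Forbidden</title>
13.05.2009 18:11:37 - Critical error: Validation error. File C:\\AV\\Update\\idx/master.idx is corrupted!
"""


def _new_attempt():
    return {"http_status": None, "http_reason": None, "validation_error": False}


def parse_attempts(text):
    """Split the log into per-mirror attempts; return (attempts, critical_error_seen)."""
    attempts = [_new_attempt()]
    critical = False
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue                      # not a timestamped updater line
        msg = m.group(1).strip()
        cur = attempts[-1]
        t = TITLE_RE.search(msg)
        if t:                             # an HTML error page was stored as the index file
            cur["http_status"] = int(t.group(1))
            cur["http_reason"] = t.group(2)
        if msg.startswith("Critical error"):
            critical = True
        elif "Validation error" in msg:
            cur["validation_error"] = True
        if msg == "Switching to next update server":
            attempts.append(_new_attempt())
    # keep only attempts that actually recorded a failure
    return [a for a in attempts if a["http_status"] or a["validation_error"]], critical


def assess(text):
    """Summarise the attempts and return a verdict code a responder can act on."""
    attempts, critical = parse_attempts(text)
    blocked = [a for a in attempts if a["http_status"] is not None and a["http_status"] >= 400]
    if attempts and len(blocked) == len(attempts):
        verdict = "ALL_MIRRORS_BLOCKED"   # identical failure everywhere: suspect the host, not the servers
    elif blocked:
        verdict = "SOME_MIRRORS_BLOCKED"  # one or a few bad mirrors: a server-side problem
    else:
        verdict = "NO_HTTP_ERRORS"
    statuses = sorted({a["http_status"] for a in blocked})
    return {"attempts": len(attempts), "blocked": len(blocked),
            "statuses": statuses, "critical": critical, "verdict": verdict}


if __name__ == "__main__":
    print(assess(SAMPLE_LOG))
```

On the thread's log this yields ALL_MIRRORS_BLOCKED with every attempt returning 403, which is the pattern the staff reply attributes to malware interfering with security updates rather than to the update servers.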

  • Staff

Hi,

This smells like you're dealing with the new Win32:Daonoll variant. This one is responsible for "locking" a lot of (command-line) tools, plus cmd, regedit, etc., and blocking updates, etc.

MalwareBytes does detect this variant, but since you can't update, we need to deal with this manually.

Navigate to your C:\Windows folder and search for the file regedit.exe

Right-click it and select to rename the file. Rename it to reg3dit.exe.

Then launch the reg3dit.exe in order to open your Registry Editor.

There, browse to the following key:

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32

You'll see on the left that you can expand the keys (they will look like folders). Expand them until you reach drivers32.

Right-click the drivers32 key (folder) and select Export:

[image: drivers32b.gif]

Give it a name and export it as a txt file to your desktop.

Then copy and paste the contents of it in your next reply.

If confused, please ask first.

Extra note: after you have used the renamed regedit.exe (reg3dit.exe), check in your Windows folder whether Windows File Protection has placed a new regedit.exe there again (it should). If not, rename reg3dit.exe back to regedit.exe.


Thanks for your assistance. Here is the information you requested. (Now, do I leave both the regedit.exe and reg3dit.exe in my folder, or should I delete one?)

Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32

Class Name: <NO CLASS>

Last Write Time: 5/8/2009 - 5:24 PM

Value 0

Name: midimapper

Type: REG_SZ

Data: midimap.dll

Value 1

Name: msacm.imaadpcm

Type: REG_SZ

Data: imaadp32.acm

Value 2

Name: msacm.msadpcm

Type: REG_SZ

Data: msadp32.acm

Value 3

Name: msacm.msg711

Type: REG_SZ

Data: msg711.acm

Value 4

Name: msacm.msgsm610

Type: REG_SZ

Data: msgsm32.acm

Value 5

Name: msacm.trspch

Type: REG_SZ

Data: tssoft32.acm

Value 6

Name: vidc.cvid

Type: REG_SZ

Data: iccvid.dll

Value 7

Name: vidc.I420

Type: REG_SZ

Data: msh263.drv

Value 8

Name: vidc.iv31

Type: REG_SZ

Data: ir32_32.dll

Value 9

Name: vidc.iv32

Type: REG_SZ

Data: ir32_32.dll

Value 10

Name: vidc.iv41

Type: REG_SZ

Data: ir41_32.ax

Value 11

Name: vidc.iyuv

Type: REG_SZ

Data: iyuv_32.dll

Value 12

Name: vidc.mrle

Type: REG_SZ

Data: msrle32.dll

Value 13

Name: vidc.msvc

Type: REG_SZ

Data: msvidc32.dll

Value 14

Name: vidc.uyvy

Type: REG_SZ

Data: msyuv.dll

Value 15

Name: vidc.yuy2

Type: REG_SZ

Data: msyuv.dll

Value 16

Name: vidc.yvu9

Type: REG_SZ

Data: tsbyuv.dll

Value 17

Name: vidc.yvyu

Type: REG_SZ

Data: msyuv.dll

Value 18

Name: wavemapper

Type: REG_SZ

Data: msacm32.drv

Value 19

Name: wave

Type: REG_SZ

Data: wdmaud.drv

Value 20

Name: midi

Type: REG_SZ

Data: wdmaud.drv

Value 21

Name: mixer

Type: REG_SZ

Data: wdmaud.drv

Value 22

Name: aux

Type: REG_SZ

Data: wdmaud.drv

Value 23

Name: msacm.msg723

Type: REG_SZ

Data: msg723.acm

Value 24

Name: vidc.M263

Type: REG_SZ

Data: msh263.drv

Value 25

Name: vidc.M261

Type: REG_SZ

Data: msh261.drv

Value 26

Name: msacm.msaudio1

Type: REG_SZ

Data: msaud32.acm

Value 27

Name: msacm.sl_anet

Type: REG_SZ

Data: sl_anet.acm

Value 28

Name: msacm.iac2

Type: REG_SZ

Data: C:\WINDOWS\system32\iac25_32.ax

Value 29

Name: vidc.iv50

Type: REG_SZ

Data: ir50_32.dll

Value 30

Name: msacm.l3acm

Type: REG_SZ

Data: C:\WINDOWS\system32\l3codeca.acm

Value 31

Name: aux2

Type: REG_SZ

Data: C:\WINDOWS\system32\..\pgpkps.xuh

Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\Terminal Server

Class Name: <NO CLASS>

Last Write Time: 10/8/2006 - 5:36 PM

Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\Terminal Server\RDP

Class Name: <NO CLASS>

Last Write Time: 10/8/2006 - 5:36 PM

Value 0

Name: wave

Type: REG_SZ

Data: rdpsnd.dll

Value 1

Name: mixer

Type: REG_SZ

Data: rdpsnd.dll

Value 2

Name: MaxBandwidth

Type: REG_DWORD

Data: 0x56b9

Value 3

Name: wavemapper

Type: REG_SZ

Data: msacm32.drv

Value 4

Name: EnableMP3Codec

Type: REG_DWORD

Data: 0x1

Value 5

Name: midimapper

Type: REG_SZ

Data: midimap.dll


  • Staff

Hi,

"Now, do I leave both the regedit.exe and reg3dit.exe in my folder, or should I delete one?"

Yes, you should delete the renamed one, or you can just leave it there :P

Go to this part of the forum: http://www.malwarebytes.org/forums/index.php?showforum=55

Start a new thread there, because I need a file from your computer which you have to attach there.

Browse to the following file:

C:\WINDOWS\pgpkps.xuh

Right-click and select to zip it. This should create a vcoy.zip folder.

Upload/attach that folder in the thread you started in that other forum part.

Once you've uploaded that file, open HijackThis and click 'Config' (bottom right).

Choose the 'Misc Tools' tab on top.

Choose 'Delete a file on reboot'.

In the field, copy and paste next:

C:\WINDOWS\pgpkps.xuh

Click open.

HijackThis will tell you that this file will be deleted on the next reboot and ask if you want to reboot now. Click Yes/OK.

Your system should reboot now.

Then open Notepad and copy and paste the text from the quote box below into it:

(don't forget to copy and paste REGEDIT4)

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32]

"aux2"="wdmaud.drv"

Save this as fix.reg (choose to save as *all files) and place it on your desktop.

It should look like this: [image: reg.gif]

Double-click on it and, when it asks whether you want to merge the contents into the registry, click Yes/OK.

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

O2 - BHO: {1a481bb3-40d9-fa5b-3c94-de7a66aecd67} - {76dcea66-a7ed-49c3-b5af-9d043bb184a1} - (no file)

O2 - BHO: (no name) - {7BEC4D47-38D5-4D42-9354-107925DEFE0F} - (no file)

O20 - Winlogon Notify: qommklj - C:\WINDOWS\

O20 - Winlogon Notify: vvucseiz - C:\WINDOWS\

* Click on Fix Checked when finished and exit HijackThis.

Make sure your Internet Explorer is closed when you click Fix Checked!

The above steps should resolve your problems, so let me know in your next reply. You'll also be able to update Malwarebytes then ;)

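The export posted earlier shows why the staff reply singles out the aux2 value: every other Drivers32 entry is a bare module name or a file under system32, while aux2 points at C:\WINDOWS\system32\..\pgpkps.xuh, which resolves to the C:\WINDOWS\pgpkps.xuh file the reply asks to have uploaded and deleted. The script below is an added example and not from the thread or from any of the tools it mentions. It parses the "Value N / Name / Type / Data" text that the regedit export step in the first staff reply produces, flags entries with an unexpected extension, a ".." traversal, or a resolved location outside system32, and then emits a fix.reg in the same REGEDIT4 form the second staff reply uses. The sample export is a constructed excerpt modelled on the one posted here; the system32 location and the treatment of other audio alias names (wave, midi, mixer, aux and their numbered variants) as wdmaud.drv entries are this example's assumptions.

```python
"""Added example, not from the thread: triage of a Drivers32 text export and
generation of a fix.reg. The sample export is a constructed excerpt modelled
on the one posted in this thread; SYSTEM32 is an assumed location."""

import ntpath
import re

# Constructed excerpt: two stock entries plus the hijacked aux2 value from the thread.
SAMPLE_EXPORT = """\
Key Name:          HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Drivers32
Class Name:        <NO CLASS>
Last Write Time:   5/8/2009 - 5:24 PM
Value 0
  Name:            wave
  Type:            REG_SZ
  Data:            wdmaud.drv
Value 1
  Name:            msacm.l3acm
  Type:            REG_SZ
  Data:            C:\\WINDOWS\\system32\\l3codeca.acm
Value 2
  Name:            aux2
  Type:            REG_SZ
  Data:            C:\\WINDOWS\\system32\\..\\pgpkps.xuh
"""

KNOWN_DRIVER_EXTS = {".drv", ".dll", ".acm", ".ax"}   # what stock Drivers32 entries end in
SYSTEM32 = "C:\\WINDOWS\\system32"                     # assumed, as on the thread's XP machine
# audio alias names that the posted export maps to wdmaud.drv (assumption: numbered variants too)
AUDIO_ALIAS_RE = re.compile(r"^(wave|midi|mixer|aux)\d*$", re.I)


def parse_export(text):
    """Yield (key, value_name, value_type, data) from regedit's text export format."""
    key = name = typ = None
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("Key Name:"):
            key = s.split(":", 1)[1].strip()
        elif s.startswith("Name:"):
            name = s.split(":", 1)[1].strip()
        elif s.startswith("Type:"):
            typ = s.split(":", 1)[1].strip()
        elif s.startswith("Data:"):
            yield key, name, typ, s.split(":", 1)[1].strip()


def suspicious_reasons(data):
    """Reasons a Data value does not look like a stock multimedia driver entry."""
    reasons = []
    ext = ntpath.splitext(data)[1].lower()
    if ext not in KNOWN_DRIVER_EXTS:
        reasons.append("unexpected extension %r" % ext)
    if "\\" in data:
        if ".." in data.split("\\"):
            reasons.append("contains '..' traversal")
        if ntpath.dirname(ntpath.normpath(data)).lower() != SYSTEM32.lower():
            reasons.append("resolves outside system32")
    return reasons


def triage(text):
    """Map each flagged value name to its raw data, resolved path and reasons."""
    findings = {}
    for _key, name, _typ, data in parse_export(text):
        reasons = suspicious_reasons(data)
        if reasons:
            findings[name] = {"data": data, "resolved": ntpath.normpath(data), "reasons": reasons}
    return findings


def build_fix_reg(findings):
    """REGEDIT4 text restoring flagged audio aliases to wdmaud.drv, as the staff
    reply does for aux2; other flagged names are only listed for manual review."""
    lines = ["REGEDIT4", "",
             "[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Drivers32]"]
    for name in sorted(findings):
        if AUDIO_ALIAS_RE.match(name):
            lines.append('"%s"="wdmaud.drv"' % name)
        else:
            lines.append("; review manually: %s -> %s" % (name, findings[name]["data"]))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    found = triage(SAMPLE_EXPORT)
    for value_name, info in found.items():
        print(value_name, info["resolved"], "; ".join(info["reasons"]))
    print(build_fix_reg(found))
```

Run against the sample, only aux2 is flagged, with all three reasons, and the generated fix.reg contains exactly the "aux2"="wdmaud.drv" line the staff reply gives. A value that cannot be mapped to a known default is written as a ";" comment rather than guessed, so the merge never overwrites a codec entry with the wrong module.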

  • Staff

After reading this thread: http://www.malwarebytes.org/forums/index.php?showtopic=15588, it appears that your issue is now resolved after following the above steps.

Please read my Prevention page, with lots of info and tips on how to prevent this in the future.

And if you want to improve speed/system performance after malware removal, take a look here.

Extra note: make sure your programs are up to date, because older versions may contain security leaks. To find out which programs need to be updated, please run the Secunia Software Inspector scan.

Happy Surfing again!


  • 2 weeks later...
  • Staff

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.

