When I try to update virus protection, I get the following message from Malwarebytes: "Update failed. Make sure you are connected to the Internet and your firewall is set to allow Malwarebytes to access the internet."
When I try to update Avira Anti-Virus, I am told: Internet connection failed. The report from Avira is the following:
13.05.2009 18:10:47 - Installation Directory: C:\Program Files\Avira\AntiVir PersonalEdition Classic\
13.05.2009 18:10:47 - Backup Directory: C:\Documents and Settings\All Users\Application Data\Avira\AntiVir PersonalEdition Classic\BACKUP\
13.05.2009 18:10:47 - Temp Directory: C:\Documents and Settings\All Users\Application Data\Avira\AntiVir PersonalEdition Classic\Update\AVUPDATE_4a0b4561\
13.05.2009 18:10:47 - Using System's global Proxy settings
13.05.2009 18:10:48 - Launching GUI... display mode: 0
13.05.2009 18:10:48 - selftest successful: C:\Program Files\Avira\AntiVir PersonalEdition Classic\updlib.dll
13.05.2009 18:10:48 - selftest successful: C:\Program Files\Avira\AntiVir PersonalEdition Classic\updlibrc.dll
13.05.2009 18:10:48 - Avira AntiVir Personal - Free Antivirus
13.05.2009 18:10:55 - The file C:\Documents and Settings\All Users\Application Data\Avira\AntiVir PersonalEdition Classic\Update\AVUPDATE_4a0b4561\idx/master.idx with the following content is erroneous:
13.05.2009 18:10:55 - <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
13.05.2009 18:10:55 - <html><head>
13.05.2009 18:10:55 - <title>403 Forbidden</title>
13.05.2009 18:10:55 - </head><body>
13.05.2009 18:10:55 - <h1>Forbidden</h1>
13.05.2009 18:10:55 - <p>You don't have permission to access /upd/idx/master.idx
13.05.2009 18:10:55 - on this server.</p>
13.05.2009 18:10:55 - </body></html>
13.05.2009 18:10:55 - There was a problem updating from the specified server: Validation error. File C:\Documents and Settings\All Users\Application Data\Avira\AntiVir PersonalEdition Classic\Update\AVUPDATE_4a0b4561\idx/master.idx is corrupted!
13.05.2009 18:10:55 - Switching to next update server
13.05.2009 18:10:57 - The file C:\Documents and Settings\All Users\Application Data\Avira\AntiVir PersonalEdition Classic\Update\AVUPDATE_4a0b4561\idx/master.idx with the following content is erroneous:
13.05.2009 18:10:57 - <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
13.05.2009 18:10:57 - <html><head>
13.05.2009 18:10:57 - <title>403 Forbidden</title>
13.05.2009 18:10:57 - </head><body>
13.05.2009 18:10:57 - <h1>Forbidden</h1>
13.05.2009 18:10:57 - <p>You don't have permission to access /upd/idx/master.idx
13.05.2009 18:10:57 - on this server.</p>
13.05.2009 18:10:57 - </body></html>
13.05.2009 18:10:57 - There was a problem updating from the specified server: Validation error. File C:\Documents and Settings\All Users\Application Data\Avira\AntiVir PersonalEdition Classic\Update\AVUPDATE_4a0b4561\idx/master.idx is corrupted!
13.05.2009 18:10:57 - Switching to next update server
13.05.2009 18:10:58 - The file C:\Documents and Settings\All Users\Application Data\Avira\AntiVir PersonalEdition Classic\Update\AVUPDATE_4a0b4561\idx/master.idx with the following content is erroneous:
13.05.2009 18:10:58 - <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
13.05.2009 18:10:58 - <html><head>
13.05.2009 18:10:58 - <title>403 Forbidden</title>
13.05.2009 18:10:58 - </head><body>
13.05.2009 18:10:58 - <h1>Forbidden</h1>
13.05.2009 18:10:58 - <p>You don't have permission to access /upd/idx/master.idx
13.05.2009 18:10:59 - on this server.</p>
13.05.2009 18:10:59 - </body></html>
13.05.2009 18:10:59 - There was a problem updating from the specified server: Validation error. File C:\Documents and Settings\All Users\Application Data\Avira\AntiVir PersonalEdition Classic\Update\AVUPDATE_4a0b4561\idx/master.idx is corrupted!
13.05.2009 18:10:59 - Switching to next update server
13.05.2009 18:11:00 - The file C:\Documents and Settings\All Users\Application Data\Avira\AntiVir PersonalEdition Classic\Update\AVUPDATE_4a0b4561\idx/master.idx with the following content is erroneous:
13.05.2009 18:11:00 - <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
13.05.2009 18:11:00 - <html><head>
13.05.2009 18:11:00 - <title>403 Forbidden</title>
13.05.2009 18:11:00 - </head><body>
13.05.2009 18:11:00 - <h1>Forbidden</h1>
13.05.2009 18:11:00 - <p>You don't have permission to access /upd/idx/master.idx
13.05.2009 18:11:00 - on this server.</p>
13.05.2009 18:11:00 - </body></html>
13.05.2009 18:11:00 - There was a problem updating from the specified server: Validation error. File C:\Documents and Settings\All Users\Application Data\Avira\AntiVir PersonalEdition Classic\Update\AVUPDATE_4a0b4561\idx/master.idx is corrupted!
13.05.2009 18:11:00 - Switching to next update server
13.05.2009 18:11:02 - The file C:\Documents and Settings\All Users\Application Data\Avira\AntiVir PersonalEdition Classic\Update\AVUPDATE_4a0b4561\idx/master.idx with the following content is erroneous:
13.05.2009 18:11:02 - <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
13.05.2009 18:11:02 - <html><head>
13.05.2009 18:11:02 - <title>403 Forbidden</title>
13.05.2009 18:11:02 - </head><body>
13.05.2009 18:11:02 - <h1>Forbidden</h1>
13.05.2009 18:11:02 - <p>You don't have permission to access /upd/idx/master.idx
13.05.2009 18:11:02 - on this server.</p>
13.05.2009 18:11:02 - </body></html>
13.05.2009 18:11:02 - There was a problem updating from the specified server: Validation error. File C:\Documents and Settings\All Users\Application Data\Avira\AntiVir PersonalEdition Classic\Update\AVUPDATE_4a0b4561\idx/master.idx is corrupted!
13.05.2009 18:11:02 - Switching to next update server
13.05.2009 18:11:03 - The file C:\Documents and Settings\All Users\Application Data\Avira\AntiVir PersonalEdition Classic\Update\AVUPDATE_4a0b4561\idx/master.idx with the following content is erroneous:
13.05.2009 18:11:03 - <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
13.05.2009 18:11:03 - <html><head>
13.05.2009 18:11:03 - <title>403 Forbidden</title>
13.05.2009 18:11:03 - </head><body>
13.05.2009 18:11:03 - <h1>Forbidden</h1>
13.05.2009 18:11:03 - <p>You don't have permission to access /upd/idx/master.idx
13.05.2009 18:11:03 - on this server.</p>
13.05.2009 18:11:03 - </body></html>
13.05.2009 18:11:03 - There was a problem updating from the specified server: Validation error. File C:\Documents and Settings\All Users\Application Data\Avira\AntiVir PersonalEdition Classic\Update\AVUPDATE_4a0b4561\idx/master.idx is corrupted!
13.05.2009 18:11:03 - Switching to next update server
13.05.2009 18:11:05 - The file C:\Documents and Settings\All Users\Application Data\Avira\AntiVir PersonalEdition Classic\Update\AVUPDATE_4a0b4561\idx/master.idx with the following content is erroneous:
13.05.2009 18:11:05 - <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
13.05.2009 18:11:05 - <html><head>
13.05.2009 18:11:05 - <title>403 Forbidden</title>
13.05.2009 18:11:05 - </head><body>
13.05.2009 18:11:05 - <h1>Forbidden</h1>
13.05.2009 18:11:05 - <p>You don't have permission to access /upd/idx/master.idx
13.05.2009 18:11:05 - on this server.</p>
13.05.2009 18:11:05 - </body></html>
13.05.2009 18:11:05 - There was a problem updating from the specified server: Validation error. File C:\Documents and Settings\All Users\Application Data\Avira\AntiVir PersonalEdition Classic\Update\AVUPDATE_4a0b4561\idx/master.idx is corrupted!
13.05.2009 18:11:05 - Switching to next update server
13.05.2009 18:11:06 - The file C:\Documents and Settings\All Users\Application Data\Avira\AntiVir PersonalEdition Classic\Update\AVUPDATE_4a0b4561\idx/master.idx with the following content is erroneous:
13.05.2009 18:11:06 - <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
13.05.2009 18:11:06 - <html><head>
13.05.2009 18:11:06 - <title>403 Forbidden</title>
13.05.2009 18:11:06 - </head><body>
13.05.2009 18:11:06 - <h1>Forbidden</h1>
13.05.2009 18:11:06 - <p>You don't have permission to access /upd/idx/master.idx
13.05.2009 18:11:06 - on this server.</p>
13.05.2009 18:11:06 - </body></html>
13.05.2009 18:11:06 - There was a problem updating from the specified server: Validation error. File C:\Documents and Settings\All Users\Application Data\Avira\AntiVir PersonalEdition Classic\Update\AVUPDATE_4a0b4561\idx/master.idx is corrupted!
13.05.2009 18:11:06 - Switching to next update server
13.05.2009 18:11:08 - The file C:\Documents and Settings\All Users\Application Data\Avira\AntiVir PersonalEdition Classic\Update\AVUPDATE_4a0b4561\idx/master.idx with the following content is erroneous:
13.05.2009 18:11:08 - <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
13.05.2009 18:11:08 - <html><head>
13.05.2009 18:11:08 - <title>403 Forbidden</title>
13.05.2009 18:11:08 - </head><body>
13.05.2009 18:11:08 - <h1>Forbidden</h1>
13.05.2009 18:11:08 - <p>You don't have permission to access /upd/idx/master.idx
13.05.2009 18:11:08 - on this server.</p>
13.05.2009 18:11:08 - </body></html>
13.05.2009 18:11:08 - There was a problem updating from the specified server: Validation error. File C:\Documents and Settings\All Users\Application Data\Avira\AntiVir PersonalEdition Classic\Update\AVUPDATE_4a0b4561\idx/master.idx is corrupted!
13.05.2009 18:11:08 - Switching to next update server
13.05.2009 18:11:09 - The file C:\Documents and Settings\All Users\Application Data\Avira\AntiVir PersonalEdition Classic\Update\AVUPDATE_4a0b4561\idx/master.idx with the following content is erroneous:
13.05.2009 18:11:09 - <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
13.05.2009 18:11:09 - <html><head>
13.05.2009 18:11:09 - <title>403 Forbidden</title>
13.05.2009 18:11:09 - </head><body>
13.05.2009 18:11:09 - <h1>Forbidden</h1>
13.05.2009 18:11:09 - <p>You don't have permission to access /upd/idx/master.idx
13.05.2009 18:11:09 - on this server.</p>
13.05.2009 18:11:09 - </body></html>
13.05.2009 18:11:36 - Registry entry created successfully: Software\Avira\AntiVir PersonalEdition Classic |UpdateInProgress
13.05.2009 18:11:37 - Critical error: Validation error. File C:\Documents and Settings\All Users\Application Data\Avira\AntiVir PersonalEdition Classic\Update\AVUPDATE_4a0b4561\idx/master.idx is corrupted!
Also, I am unable to access the McAfee web page via the Internet. Other than this, my navigation seems to be working fine.
Here is the Hijackthis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:16:13 PM, on 5/13/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Creative\MediaSource5\MtdAcqu.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
C:\Program Files\palmOne\Hotsync.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\Program Files\HijackThis.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\notepad.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: {1a481bb3-40d9-fa5b-3c94-de7a66aecd67} - {76dcea66-a7ed-49c3-b5af-9d043bb184a1} - (no file)
O2 - BHO: (no name) - {7BEC4D47-38D5-4D42-9354-107925DEFE0F} - (no file)
O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MtdAcqu] "C:\Program Files\Creative\MediaSource5\MtdAcqu.exe" /s
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: DataViz Inc Messenger.lnk = C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\palmOne\Hotsync.exe
O4 - Global Startup: Renaissance Wireless Server.lnk = C:\Documents and Settings\All Users\Application Data\Renaissance Wireless Server\Renaissance Wireless Server.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoft...s/as2stubie.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1188535179253
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1188535170821
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O20 - Winlogon Notify: qommklj - C:\WINDOWS\
O20 - Winlogon Notify: vvucseiz - C:\WINDOWS\
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
--
End of file - 6468 bytes
Here is the Malwarebytes log file list:
Malwarebytes' Anti-Malware 1.36
Database version: 1945
Windows 5.1.2600 Service Pack 3
5/13/2009 2:19:27 PM
mbam-log-2009-05-13 (14-19-27).txt
Scan type: Quick Scan
Objects scanned: 61836
Time elapsed: 13 minute(s), 37 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 16
Registry Values Infected: 3
Registry Data Items Infected: 0
Folders Infected: 2
Files Infected: 3
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{a95b2816-1d7e-4561-a202-68c0de02353a} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{bbb05d9e-0297-404d-a6bf-d8f2876b84a6} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{a95b2816-1d7e-4561-a202-68c0de02353a} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{bbb05d9e-0297-404d-a6bf-d8f2876b84a6} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\WR (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\MS Juan (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\jkwslist (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Juan (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WinAble (Trojan.Adloader) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\WinAble (Trojan.Adloader) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\CAC (Malware.Trace) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{11a69ae4-fbed-4832-a2bf-45af82825583} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\{11a69ae4-fbed-4832-a2bf-45af82825583} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{bbb05d9e-0297-404d-a6bf-d8f2876b84a6} (Trojan.Vundo) -> Quarantined and deleted successfully.
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
C:\Program Files\WinAble (Trojan.Adloader) -> Quarantined and deleted successfully.
C:\Program Files\Temporary (Trojan.Agent) -> Quarantined and deleted successfully.
Files Infected:
C:\WINDOWS\system32\vvucseiz.dllbox (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\cookies.ini (Malware.Trace) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Online Security Guide.lnk (Rogue.Link) -> Quarantined and deleted successfully.
Whew! Any help would be greatly appreciated!!!
#1
Posted 13 May 2009 - 05:26 PM
#2
Posted 14 May 2009 - 08:36 AM
Hi,
This smells like you're dealing with the new Win32:Daonoll variant. This one is responsible for "locking" a lot of (command-line) tools, plus cmd, regedit etc., blocking updates etc.
MalwareBytes does detect this variant, but since you can't update, we need to deal with this manually.
Navigate to your C:\Windows folder and search for the file regedit.exe.
Right-click it and select to rename the file. Rename it to reg3dit.exe.
Then launch reg3dit.exe in order to open your Registry Editor.
There, browse to the following key:
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32
You'll see on the left that you can expand the keys (they will look like folders). So expand them until you get to drivers32.
Right-click the drivers32 key (folder) and select to export:

Give it a name and export it as a txt file on your desktop.
Then copy and paste the contents of it in your next reply.
If confused, please ask first.
Extra note: after you have used the renamed regedit.exe (reg3dit.exe), look in your Windows folder to see if Windows File Protection placed a new regedit.exe there again (it should). If not, then rename reg3dit.exe back to regedit.exe.
#3
Posted 14 May 2009 - 05:28 PM
Thanks for your assistance. Here is the information you requested. (Now, do I leave both the regedit.exe and reg3dit.exe in my folder, or should I delete one?)
Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32
Class Name: <NO CLASS>
Last Write Time: 5/8/2009 - 5:24 PM
Value 0
Name: midimapper
Type: REG_SZ
Data: midimap.dll
Value 1
Name: msacm.imaadpcm
Type: REG_SZ
Data: imaadp32.acm
Value 2
Name: msacm.msadpcm
Type: REG_SZ
Data: msadp32.acm
Value 3
Name: msacm.msg711
Type: REG_SZ
Data: msg711.acm
Value 4
Name: msacm.msgsm610
Type: REG_SZ
Data: msgsm32.acm
Value 5
Name: msacm.trspch
Type: REG_SZ
Data: tssoft32.acm
Value 6
Name: vidc.cvid
Type: REG_SZ
Data: iccvid.dll
Value 7
Name: vidc.I420
Type: REG_SZ
Data: msh263.drv
Value 8
Name: vidc.iv31
Type: REG_SZ
Data: ir32_32.dll
Value 9
Name: vidc.iv32
Type: REG_SZ
Data: ir32_32.dll
Value 10
Name: vidc.iv41
Type: REG_SZ
Data: ir41_32.ax
Value 11
Name: vidc.iyuv
Type: REG_SZ
Data: iyuv_32.dll
Value 12
Name: vidc.mrle
Type: REG_SZ
Data: msrle32.dll
Value 13
Name: vidc.msvc
Type: REG_SZ
Data: msvidc32.dll
Value 14
Name: vidc.uyvy
Type: REG_SZ
Data: msyuv.dll
Value 15
Name: vidc.yuy2
Type: REG_SZ
Data: msyuv.dll
Value 16
Name: vidc.yvu9
Type: REG_SZ
Data: tsbyuv.dll
Value 17
Name: vidc.yvyu
Type: REG_SZ
Data: msyuv.dll
Value 18
Name: wavemapper
Type: REG_SZ
Data: msacm32.drv
Value 19
Name: wave
Type: REG_SZ
Data: wdmaud.drv
Value 20
Name: midi
Type: REG_SZ
Data: wdmaud.drv
Value 21
Name: mixer
Type: REG_SZ
Data: wdmaud.drv
Value 22
Name: aux
Type: REG_SZ
Data: wdmaud.drv
Value 23
Name: msacm.msg723
Type: REG_SZ
Data: msg723.acm
Value 24
Name: vidc.M263
Type: REG_SZ
Data: msh263.drv
Value 25
Name: vidc.M261
Type: REG_SZ
Data: msh261.drv
Value 26
Name: msacm.msaudio1
Type: REG_SZ
Data: msaud32.acm
Value 27
Name: msacm.sl_anet
Type: REG_SZ
Data: sl_anet.acm
Value 28
Name: msacm.iac2
Type: REG_SZ
Data: C:\WINDOWS\system32\iac25_32.ax
Value 29
Name: vidc.iv50
Type: REG_SZ
Data: ir50_32.dll
Value 30
Name: msacm.l3acm
Type: REG_SZ
Data: C:\WINDOWS\system32\l3codeca.acm
Value 31
Name: aux2
Type: REG_SZ
Data: C:\WINDOWS\system32\..\pgpkps.xuh
Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\Terminal Server
Class Name: <NO CLASS>
Last Write Time: 10/8/2006 - 5:36 PM
Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\Terminal Server\RDP
Class Name: <NO CLASS>
Last Write Time: 10/8/2006 - 5:36 PM
Value 0
Name: wave
Type: REG_SZ
Data: rdpsnd.dll
Value 1
Name: mixer
Type: REG_SZ
Data: rdpsnd.dll
Value 2
Name: MaxBandwidth
Type: REG_DWORD
Data: 0x56b9
Value 3
Name: wavemapper
Type: REG_SZ
Data: msacm32.drv
Value 4
Name: EnableMP3Codec
Type: REG_DWORD
Data: 0x1
Value 5
Name: midimapper
Type: REG_SZ
Data: midimap.dll
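As an added example (not code from this thread or from any of the tools named in it), the following Python parses a regedit "export as text file" dump in the Key Name / Value N / Name / Type / Data layout shown above and flags Drivers32 entries that look like the aux2 line: a ".." that steps out of the directory the path claims, an extension no audio or video driver uses, or a file that resolves outside system32. The sample export, the system32 path and the allowed-extension list are constructed assumptions.

```python
import ntpath
import re
from typing import Dict, List, Tuple

# Constructed sample (not the poster's full export): a cut-down regedit "export as
# text file" dump in the Key Name / Value N / Name / Type / Data layout shown above.
# Value 3 mirrors the kind of Drivers32 entry this thread is about.
SAMPLE_EXPORT = """\
Key Name:          HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Drivers32
Class Name:        <NO CLASS>
Last Write Time:   5/8/2009 - 5:24 PM
Value 0
  Name:            midimapper
  Type:            REG_SZ
  Data:            midimap.dll
Value 1
  Name:            msacm.l3acm
  Type:            REG_SZ
  Data:            C:\\WINDOWS\\system32\\l3codeca.acm
Value 2
  Name:            aux
  Type:            REG_SZ
  Data:            wdmaud.drv
Value 3
  Name:            aux2
  Type:            REG_SZ
  Data:            C:\\WINDOWS\\system32\\..\\pgpkps.xuh
Key Name:          HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Drivers32\\Terminal Server\\RDP
Class Name:        <NO CLASS>
Last Write Time:   10/8/2006 - 5:36 PM
Value 0
  Name:            MaxBandwidth
  Type:            REG_DWORD
  Data:            0x56b9
"""

# Assumptions: the system32 path of the machine in the thread and the extensions its
# legitimate Drivers32 entries use; a real baseline comes from a known-clean build.
SYSTEM32 = r"C:\WINDOWS\system32"
ALLOWED_EXT = {".dll", ".drv", ".acm", ".ax"}

Entry = Tuple[str, str, str]  # (value name, value type, data)
_FIELD = re.compile(r"(Key Name|Name|Type|Data):\s*(.*)$")


def parse_regedit_export(text: str) -> Dict[str, List[Entry]]:
    """Parse a regedit text export into {key path: [(name, type, data), ...]}.

    Works whether or not the Name/Type/Data lines kept their indentation (a copy
    pasted into a forum, like the one above, usually loses it).
    """
    keys: Dict[str, List[Entry]] = {}
    current_key = None
    name = typ = None
    for raw in text.splitlines():
        m = _FIELD.match(raw.strip())
        if not m:
            continue  # "Class Name", "Last Write Time", "Value N" and blank lines
        field, value = m.group(1), m.group(2).strip()
        if field == "Key Name":
            current_key = value
            keys.setdefault(current_key, [])
        elif field == "Name":
            name = value
        elif field == "Type":
            typ = value
        elif current_key is not None and name is not None:  # field == "Data"
            keys[current_key].append((name, typ or "", value))
            name = typ = None
    return keys


def audit_drivers32(keys: Dict[str, List[Entry]], system32: str = SYSTEM32):
    """Return [(value name, data, [reasons])] for Drivers32 entries that look hijacked."""
    findings = []
    sys32_prefix = system32.lower().rstrip("\\") + "\\"
    for key, entries in keys.items():
        if "\\drivers32" not in key.lower():
            continue
        for name, typ, data in entries:
            if typ != "REG_SZ":
                continue  # DWORDs such as MaxBandwidth are not driver file names
            reasons = []
            if "..\\" in data:
                reasons.append("'..' steps out of the directory the path claims")
            ext = ntpath.splitext(data)[1].lower()
            if ext not in ALLOWED_EXT:
                reasons.append(f"unexpected extension {ext or '(none)'}")
            if ntpath.isabs(data):
                resolved = ntpath.normpath(data)
                if not resolved.lower().startswith(sys32_prefix):
                    reasons.append(f"resolves outside system32: {resolved}")
            if reasons:
                findings.append((name, data, reasons))
    return findings


if __name__ == "__main__":
    for name, data, reasons in audit_drivers32(parse_regedit_export(SAMPLE_EXPORT)):
        print(f"{name} = {data}: " + "; ".join(reasons))
```

Run against the poster's full export, only the aux2 value is reported; every other value is either a bare driver name or lives directly under system32.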
#4
Posted 15 May 2009 - 01:36 AM
Hi,
Yes, you should delete the renamed one, or you can just leave it there.
Go to this part of the forum: http://www.malwareby...hp?showforum=55
Start a new thread there, because I need a file from your computer which you have to attach there.
Browse to the following file:
C:\WINDOWS\pgpkps.xuh
Right-click it and select to zip it. This should create a vcoy.zip folder.
Upload/attach that folder in the thread you started in that other forum part.
Once you've uploaded that file, open HijackThis and click 'Config' (bottom right).
Choose the tab 'Misc Tools' on top.
Choose 'Delete a file on reboot'.
In the field, copy and paste the following:
C:\WINDOWS\pgpkps.xuh
Click Open.
HijackThis will tell you that this file will be deleted on the next reboot and ask if you want to reboot now. Click Yes/OK.
Your system should reboot now.
Then, open Notepad and copy and paste the text from the quote box below into it:
(don't forget to copy and paste REGEDIT4)
Quote
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32]
"aux2"="wdmaud.drv"
Save this as fix.reg. Choose to save as *all files* and place it on your desktop.
It should look like this:
Double-click on it and when it asks you if you want to merge the contents into the registry, click Yes/OK.
* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: {1a481bb3-40d9-fa5b-3c94-de7a66aecd67} - {76dcea66-a7ed-49c3-b5af-9d043bb184a1} - (no file)
O2 - BHO: (no name) - {7BEC4D47-38D5-4D42-9354-107925DEFE0F} - (no file)
O20 - Winlogon Notify: qommklj - C:\WINDOWS\
O20 - Winlogon Notify: vvucseiz - C:\WINDOWS\
* Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!
The above steps should resolve your problems, so let me know in your next reply. You'll also be able to update Malwarebytes then.
#5
Posted 17 May 2009 - 07:23 AM
After reading this thread: http://www.malwareby...showtopic=15588 - it appears that your issue is resolved now after following the above steps.
Please read my Prevention page with lots of info and tips on how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: Make sure your programs are up to date, because older versions may contain security leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.
Happy Surfing again!
#6
Posted 29 May 2009 - 12:17 PM
Since this issue appears resolved ... this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.
Everyone else please begin a New Topic.