
Cannot access AV or Windows Update web sites, cannot run/update AV [RE

#1 jermysong (Member, 10 posts)
Hi... I found a couple of other threads that may be similar, and I'm hoping I have a similar (and therefore fixable) problem. Mountains of thanks for even reading this!

Note:
I am currently on the GeeksToGo web site via my work computer (where I have been doing the research), as I cannot access GeeksToGo.com from my home PC. I attempted to run through the prerequisites (e.g. download ATF Cleaner, etc.) in the pinned forum post but the page is not accessible from my computer. I also tried from Safe Mode, but the internet is not accessible, and it eventually froze up (requiring another hard stop/start). :)

Symptoms:
- I cannot restore my PC to a previous Restore Point --- I am able to open the System Restore app, choose a day to restore to, but when clicking the final "Next" button, nothing happens
- I cannot currently access the Windows Update web site
- When AVG attempts to update, it "cannot access the server", and I cannot access the AVG web site directly
- I cannot run SpyBot S&D (the .exe process starts and is listed in my Task Manager, but nothing happens on the screen)
- I can access Google.com, but when clicking on search results, I have periodically encountered those evil "pop-ups" indicating "Your PC may be infected! Download this program etc." in order to get you to download more malware/spyware
- When we rebooted the PC, there was a new user account present to choose from (usually we only have our one single user account, so the user account screen is bypassed) and the userID name was a mishmosh of cryptic numbers/letters, and it was categorized as an Admin account with a password --- NOTE: I deleted this account out of initial fear
- When we rebooted the PC, there was (and still is) a svchost.exe program which runs in msconfig (and which ZoneAlarm asks me about)... I believe I understand that svchost.exe could be any number of things, but in this case, I know that this behavior is "different" than what we've had in the past (I keep a close eye on my msconfig Startup Programs, and this was never one of them listed with a checkmark beside it)

How/when noticed:
- After using the computer as usual on Sunday, it was left on overnight. When waking up the next morning, the computer screen was stuck on "Windows is shutting down" (which is not usual behavior). We had to shut down the PC "abruptly". Upon reboot, the symptoms were immediately noticed.

Regular protection (when there are no problems present):
- I have AVG Free performing regular updates and scanning weekly
- I have Windows Update performing automatic updates
- I have ZoneAlarm Free performing automatic updates and monitoring
- I have Spybot S&D and Dell PC Checkup, both of which I run manually periodically
- I have DiskCleanup and DiskDefragmenter running on a daily schedule
- I have incremental backups to an external hard drive running daily

More mountains of thanks for reading this! Any help would be greatly appreciated. (I do have HijackThis on my PC, if needed.)

Edited by jermysong, 02 December 2008 - 10:43 AM.


#2 Essexboy (GeekU Moderator, Retired Staff, 69,964 posts)
Hi there, let's see if this can be resolved. First we must protect the computer you are using to transfer files to and from, plus the USB stick. So to begin I would like you to download and run the following programme on the uninfected computer. Does the infected computer access the net via a router?

1 - Flash Drive Disinfector
  • Download Flash_Disinfector.exe by sUBs from here and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder... it will help protect your drives from future infection.

Now for the infected system, we will try the easy way first :)

Download the HostsXpert 3.7 - Hosts File Manager.
  • Unzip HostsXpert 3.7 - Hosts File Manager to a convenient folder such as C:\HostsXpert
  • Click HostsXpert.exe to Run HostsXpert 3.7 - Hosts File Manager from its new home
  • Click "Make Hosts Writable?" in the upper right corner (If available).
  • Click Restore Microsoft's Hosts file and then click OK.
  • Click the X to exit the program.
  • Note: If you were using a custom Hosts file you will need to replace any of those entries yourself.

Then try to get updates and access this site. On completion of running that, run this next programme; if it fails in normal mode then try it in safe mode (this programme can take up to 10 minutes to run and Windows may say it is not responding).

To ensure that I get all the information, this log will need to be attached (instructions at the end). If it is too large to attach then upload to Mediafire and post the sharing link.

Download OTScanit2 to your Desktop and double-click on it to extract the files. It will create a folder named OTScanIt on your desktop.
  • Close ALL OTHER PROGRAMS.
  • Open the OTScanit folder and double-click on OTScanit.exe to start the program.
  • Check the box that says Scan All Users
  • Check the Radio button for Rootkit check YES
  • Under Additional Scans check the following:
    • File - Lop Check
    • File - Purity Scan
    • Evnt - EventViewer Errors/Warnings (last 10)
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Please attach the log in your next post.

To attach a file, do the following:
  • Click Add Reply
  • Under the reply panel is the Attachments Panel
  • Browse for the attachment file you want to upload, then click the green Upload button
  • Once it has uploaded, click the Manage Current Attachments drop down box
  • Click on Posted Image to insert the attachment into your post

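The hosts-file hijack that the "Restore Microsoft's Hosts file" step above undoes can also be spotted directly. This Python script is an added example (not from the thread or from any tool named in it): it parses a Windows hosts file and flags entries that point AV or update sites at loopback (site silently unreachable) or at some other address (traffic redirected). The watchlist of domains and the sample hosts content are constructed for the example.

```python
"""Detect AV/update-site entries in a Windows hosts file (added example)."""

# Domains whose presence in a hosts file is a red flag: the stock
# Microsoft hosts file maps only localhost. Constructed watchlist based
# on the sites the thread reports as unreachable.
WATCHLIST = (
    "avg.com",
    "windowsupdate.com",
    "windowsupdate.microsoft.com",
    "geekstogo.com",
    "malwarebytes.org",
)

LOOPBACK = {"127.0.0.1", "::1"}


def parse_hosts(text):
    """Yield (line_no, ip, hostname) for every active mapping."""
    for n, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        parts = line.split()
        if len(parts) < 2:
            continue
        for host in parts[1:]:                 # one IP may map many names
            yield n, parts[0], host.lower()


def matches_watchlist(host):
    """True for a watchlisted domain or any subdomain of it."""
    return any(host == d or host.endswith("." + d) for d in WATCHLIST)


def find_hijacks(text):
    """Return suspicious entries, classified as 'blocked' (loopback)
    or 'redirected' (any other address)."""
    findings = []
    for n, ip, host in parse_hosts(text):
        if host == "localhost" and ip in LOOPBACK:
            continue                           # the stock entry is fine
        if matches_watchlist(host):
            kind = "blocked" if ip in LOOPBACK else "redirected"
            findings.append({"line": n, "ip": ip, "host": host, "kind": kind})
    return findings


# Constructed sample: stock entry, two blocking lines, one redirect,
# and one legitimate custom entry that must not be reported.
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.avg.com free.avg.com    # constructed: blocks AV update
127.0.0.1       windowsupdate.microsoft.com
10.0.0.5        www.geekstogo.com           # constructed: redirect
192.168.1.20    intranet.example            # legitimate custom entry
"""

if __name__ == "__main__":
    for f in find_hijacks(SAMPLE_HOSTS):
        print(f"line {f['line']}: {f['host']} -> {f['ip']} ({f['kind']})")
```

On a real machine, read the text from C:\Windows\System32\drivers\etc\hosts; a non-empty result explains exactly the "cannot reach the AV or update site" symptom and tells you which entries the restore step will remove.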

#3 jermysong (Topic Starter, Member, 10 posts)
Hi Essexboy - Thanks so much for taking up the challenge!

Answer to initial question: The infected computer does not access the internet via a router. (Access is via a cable modem from Comcast.)

I am traveling this week (using a work PC), and won't have access this evening to be able to connect to my home PC (I've been using WebEx to connect to my desktop, with my wife helping/fielding the connection at home). I will do it first thing tomorrow AM and get back to you.

Since I cannot access the GeeksToGo site on my home PC (both in normal and safe modes), I'll attempt to download the tools directly from the host sites (hopefully I can access --- if not, I have been able to get to some things via Google "cached" search results, so I'll try that as well).

Since I haven't been using a flash drive yet, should I hold off that step until needed (or is that for planning ahead)?

Again, I will do first thing tomorrow AM and get back to you.

Thanks again!

#4 Essexboy (GeekU Moderator, Retired Staff, 69,964 posts)
Use the disinfector if you intend to use a flash drive, as that will need protection.

#5 jermysong (Topic Starter, Member, 10 posts)
Hi Essexboy... I think I have a doozy on my hands.

I downloaded HostsXpert. Version 4.3 was the one available on the host site (I went directly to the site, as the redirect did not function). I clicked on Make Hosts Writable, and then Restore Microsoft's Hosts file, then closed.

After doing so, I rechecked some of the internet sites/updates. I was still unable to access this site, and unable to access any of the update sites (AVG, Windows, etc).

I was unable to download OTScanIt2.exe because oldtimer.geekstogo.com was not accessible (in Normal mode).

I then rebooted in Safe Mode with Networking (twice) and both times the PC froze when attempting to open an internet browser window. :)

Edited by jermysong, 03 December 2008 - 03:24 PM.


#6 Essexboy (GeekU Moderator, Retired Staff, 69,964 posts)
Let's try this then.

Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

Link 1
Link 2
Link 3


Double click on Combo-Fix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a HijackThis log so we can continue cleaning the system.


#7 jermysong (Topic Starter, Member, 10 posts)
Hi Essexboy,

I was able to download, rename and then click on the .exe.

A few seconds after clicking (and after a small "progress" bar appears), I received the following error message:

Dialog box title: "32788R22FWJFW\hidec.exe"
Dialog box text: "Windows cannot access the specified device, path or file. You may not have the appropriate permissions to access the item."

[I have attached the screenprint to this post.]

Clicking OK (or the 'X') ends the process, and nothing further happens.

Also (this may be a red herring), a brief moment after this error message appears, I also received a flag/alert from AVG that this file (hidec.exe) was a "potentially unwanted program". (I got brave and clicked on "Ignore" but it did not continue regardless.) I have included a screenshot of this message, too, in the attachment.

Just to be sure, I downloaded CF.exe from another of the links, and repeated. The behavior repeated itself when I tried to run it.

As for HijackThis, I have also attached a log. I was unable to post it here, as the forum prevents me from posting an outdated version of a HijackThis log, but I cannot access the site to be able to get a more recent version, so hopefully this is adequate in the meantime. I'll poke around to find a back way to the newest version.

Thanks again --- Inch by inch...


#8 Essexboy (GeekU Moderator, Retired Staff, 69,964 posts)
Can you now access this site from the infected computer?

The alert from AVG was on part of ComboFix.

Could you run ComboFix from safe mode? Then AVG should not interfere.

#9 jermysong (Topic Starter, Member, 10 posts)
Hi Essexboy - progress!

I probably should have checked earlier, but I can now access this site and the AVG update site.

I ran the AVG update (since I was already on the website), then ran ComboFix.exe (and AVG did not prompt).

The ComboFix log and HijackThis log are attached.

Continued thanks...


#10 Essexboy (GeekU Moderator, Retired Staff, 69,964 posts)
Getting there I believe :) Sorry for the terse reply this morning, I was off to work but I thought that I would get you a bit cleaner :)

Please read this carefully, as we will need to replace your infected winlogon.exe with a clean version.

Download the attached zip file to your desktop and extract the winlogon.exe file to your C drive.



1. Please open Notepad
  • Click Start, then Run
  • Type notepad.exe in the Run box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

KillAll::
FCopy::
C:\winlogon.exe | c:\windows\system32\winlogon.exe

File::
c:\windows\SYSTEM32\TDSSfpmp.dll

3. Then in the text file go to FILE > SAVE AS and in the dropdown box select SAVE AS TYPE to ALL FILES

4. Save the above as CFScript.txt

5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.

Also, how is your system running now after this?

#11 jermysong (Topic Starter, Member, 10 posts)
Essexboy - Looking really good so far!

I was able to perform the tasks exactly as described in your latest post.

Qualitatively, the speed looks "normal" and no "evil-ness" is apparent. Access to sites (including all of those I had trouble with before) appears normal as well. [It's magic!]

I have attached the latest logs - looking good? :)


#12 Essexboy (GeekU Moderator, Retired Staff, 69,964 posts)
OK, one final scan to clear the orphan registry entries (...if any :) ). On completion, if all goes well, I will clean up and bid you adieu. Just the MBAM log this time please.

Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

#13 jermysong (Topic Starter, Member, 10 posts)
Essexboy, smooth sailing with the latest list of tasks!

Below is the MBAM log as requested. (Continued thanks...!)


Malwarebytes' Anti-Malware 1.31
Database version: 1463
Windows 5.1.2600 Service Pack 3

12/5/2008 11:01:40 AM
mbam-log-2008-12-05 (11-01-40).txt

Scan type: Quick Scan
Objects scanned: 54607
Time elapsed: 3 minute(s), 56 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 6
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx.1 (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{04a38f6b-006f-4247-ba4c-02a139d5531c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{87255c51-cd7d-4506-b9ad-97606daf53f3} (Adware.Coupons) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{3c2d2a1e-031f-4397-9614-87c932a848e0} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{3aa42713-5c1e-48e2-b432-d8bf420dd31d} (Rogue.Antivirus2008) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\Downloaded Program Files\atmgr.exe (Trojan.Agent) -> Quarantined and deleted successfully.

#14 Essexboy (GeekU Moderator, Retired Staff, 69,964 posts)
Darn, I missed one in the downloaded programmes. Well in that case, subject to no further problems...

Now the best part of the day ----- Your log now appears clean :)

A good workman always cleans up after himself so... Download and run this small programme and hit the cleanup button. It will remove all the programmes we have used plus itself. MBAM can be uninstalled via Control Panel Add/Remove along with ERUNT, but they may be useful tools to keep.

We will now confirm that your hidden files are set to that, as some of the tools I use will change that.
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View Tab.
  • Under the Hidden files and folders heading select Do not show hidden files and folders.
  • Click Yes to confirm.
  • Click OK.

Please download JavaRa to your desktop and unzip it to its own folder
  • Run JavaRa.exe, pick the language of your choice and click Select. Then click Remove Older Versions.
  • Accept any prompts.
  • Open JavaRa.exe again and select Search For Updates.
  • Select Update Using Sun Java's Website then click Search and click on the Open Webpage button. Download and install the latest Java Runtime Environment (JRE) version for your computer.

XP
Now to get you off to a good start we will clean your restore points so that all the bad stuff is gone for good. Then if you need to restore at some stage you will be clean. There are several ways to reset your restore points, but this is my method:
  • Select Start > All Programs > Accessories > System tools > System Restore.
  • On the dialogue box that appears select Create a Restore Point
  • Click NEXT
  • Enter a name e.g. Clean
  • Click CREATE
You now have a clean restore point, to get rid of the bad ones:
  • Select Start > All Programs > Accessories > System tools > Disk Cleanup.
  • In the Drop down box that appears select your main drive e.g. C
  • Click OK
  • The system will do some calculation and then display a dialogue box with tabs.
  • Select the More Options tab.
  • At the bottom will be a System Restore box with a CLEANUP button; click this.
  • Accept the warning and select OK again; the program will close and you are done.

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes: It is critical to have both a firewall and anti virus to protect your system and to keep them updated.

To keep your operating system up to date visit

To learn more about how to protect yourself while on the internet read our little guide How did I get infected in the first place ?
Keep safe :)

#15 jermysong (Topic Starter, Member, 10 posts)
Essexboy (or as my wife calls you - "The man!"),

All is well! :) HUGE thanks for all of your help... you saved countless hours of frustration, which probably would have included reformatting the hard drive, reloading programs and rebuilding documents.

Since the trouble started, I have yet to hook up my external hard drive, hoping that whatever took hold of my PC did not also infect the files there. I assume I can run the different Anti-this&that programs directly against the external hard drive (and/or try to wipe out the contents entirely and start from scratch?).

Before I take the plunge and hook it up, any advice on that front?

[And please check your PM when you get a chance]