Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Hijack.Windowsupdate not removed by MalwareBytes [Moved]


  • This topic is locked This topic is locked
3 replies to this topic

#1 Bryanmakeup

Bryanmakeup

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:02:19 PM

Posted 31 August 2009 - 09:24 PM

Antivirus is disabled, firewall is disabled, can't update thru windows update. Restore function is not working. Ran Spybot, it removed quite a bit. Then ran mbam. It also removed many things, but has left 2 registry files that can't be deleted.

"Hijack.windowsUpdates"

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\wuauserv\ImagePath (Hijack.WindowsUpdates) -> Bad: (%fystemroot%\system32\svchost.exe -k netsvcs) Good: (%SystemRoot%\System32\svchost.exe -k netsvcs) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BITS\ImagePath (Hijack.WindowsUpdates) -> Bad: (%fystemRoot%\system32\svchost.exe -k netsvcs) Good: (%SystemRoot%\System32\svchost.exe -k netsvcs) -> Quarantined and deleted successfully.

But they are still there on a second, third, & fourth scan.

Ran Sophos Anti-rootkit, crashed in both normal and safe mode.

Housecall ran in normal mode but found nothing. Crashed in Safe mode.

Would really like some help on this. Would hate to have to Format/reinstall!

BC AdBot (Login to Remove)

 


#2 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 36,993 posts
  • ONLINE
  •  
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:02:19 PM

Posted 31 August 2009 - 09:37 PM

As no logs have been posted, I am shifting this topic from the specialized HiJack This forum to the Am I Infected forum.

==>PLEASE DO NOT NOW POST LOGS<== unless a log is specifically requested.
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#3 Bryanmakeup

Bryanmakeup
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:02:19 PM

Posted 31 August 2009 - 09:42 PM

Antivirus is disabled, firewall is disabled, can't update thru windows update. Restore function is not working. Ran Spybot, it removed quite a bit. Then ran mbam. It also removed many things, but has left 2 registry files that can't be deleted.

"Hijack.windowsUpdates"

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\wuauserv\ImagePath (Hijack.WindowsUpdates) -> Bad: (%fystemroot%\system32\svchost.exe -k netsvcs) Good: (%SystemRoot%\System32\svchost.exe -k netsvcs) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BITS\ImagePath (Hijack.WindowsUpdates) -> Bad: (%fystemRoot%\system32\svchost.exe -k netsvcs) Good: (%SystemRoot%\System32\svchost.exe -k netsvcs) -> Quarantined and deleted successfully.

But they are still there on a second, third, & fourth scan.

Ran Sophos Anti-rootkit, crashed in both normal and safe mode.

Housecall ran in normal mode but found nothing. Crashed in Safe mode.

Would really like some help on this. Would hate to have to Format/reinstall!

Just let me know what other logs you need.[/quote]

Edited by Bryanmakeup, 31 August 2009 - 09:46 PM.


#4 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 36,993 posts
  • ONLINE
  •  
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:02:19 PM

Posted 01 September 2009 - 12:07 AM

Hello,

Now that you have posted a log here: http://www.bleepingcomputer.com/forums/t/254140/hijackwindowsupdate-not-removed-by-malwarebytes/ you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a HJT Team member, nor should you ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process which would extend the time it takes to clean your computer.

From this point on the HJT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the HJT Team members are EXTREMELY busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond. Because of this, I shall remove the bumping post to your topic there.

Please be patient. It may take several days, perhaps less, to get a response but your log will be reviewed and answered as soon as possible. I advise checking your topic once a day for responses.

To avoid confusion, I am closing this topic. Good luck with your log.

Orange Blossom :thumbsup:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users