
HijackThis Log - Windows XP Update Broken



#1 RobVB


Posted 03 December 2005 - 08:15 PM

Hello

I am a recent victim of virus attacks. Trend Micro PC-cillin does not prevent/remove some viruses. I was directed to post my log here from the Windows XP forum.

I am using a Sony Vaio PCG-GRX500P, Intel Pentium 4, 1.6 GHz, 512 MB RAM, Windows XP Pro, SP2.

I do have the antivirus and firewall up (Trend Micro PC-cillin Internet Security 2005). I got several anti-spyware programs and utilities after I got infected: Spyware Doctor (very good), Spybot, Trend Micro TAS, Microsoft AntiSpyware, Registry Mechanic, CCleaner and others.

PC-cillin alerted me that I am missing 2 critical Windows updates, and that is when I found this problem of updates not working. However, PC-cillin Internet Security 2005 does not stop viruses/spyware. It could not stop or remove SpySheriff and could not remove a couple of other viruses.

Registry Mechanic did find several high priority issues (in deep scan section and program shortcuts section).

I may need to buy the full version to get rid of the junk. I will also install EWIDO security suite.

My question still remains: How can I fix this issue with Microsoft Update? Is this problem a side effect of a virus/malware? The redirection to MSN.com seems like the effect of malware? Or is my registry corrupted?

Please see the log below and help me!!!

Rob

Logfile of HijackThis v1.99.1
Scan saved at 8:00:45 PM, on 12/3/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\MSSQL7\binn\sqlservr.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\WINDOWS\system32\BRMFRSMG.EXE
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe
C:\Program Files\Sony\Jog Dial Utility\JogServ2.exe
C:\Program Files\Sony\HotKey Utility\HKserv.exe
C:\WINDOWS\system32\atiptaxx.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\hijakthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.sony.com/vaiopeople
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: - {1E6CE4CD-161B-4847-B8BF-E2EF72299D69} - C:\WINDOWS\system32\ib2.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKLM\..\Run: [JOGSERV2.EXE] C:\Program Files\Sony\Jog Dial Utility\JogServ2.exe
O4 - HKLM\..\Run: [HKSERV.EXE] C:\Program Files\Sony\HotKey Utility\HKserv.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [ccleaner] "C:\Program Files\CCleaner\ccleaner.exe" /AUTO
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

#2 JG427


Posted 08 December 2005 - 12:49 AM

Hi, RobVB.

You appear to have a keylogger in your HijackThis log. Keylog-Sters

Your protection programs may interfere with the HijackThis fix.
Please shut down Spyware Doctor and Microsoft AntiSpyware before continuing.

Scan with HijackThis and checkmark this line:

O2 - BHO: - {1E6CE4CD-161B-4847-B8BF-E2EF72299D69} - C:\WINDOWS\system32\ib2.dll

Close all browsers and open windows, except HijackThis, and click Fix checked.

HijackThis normally deletes the DLL file at this line, but let's check to make sure.
Delete the file marked in bold if found:

C:\WINDOWS\system32\ib2.dll

If you have not installed ewido yet:
Please download, install, and update the free version of ewido security suite.
When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
Click on Update in the left menu, then click the Start update button.
After the update finishes, exit from ewido, as it should be run in Safe Mode.

Reboot into Safe Mode
Restart the computer; as soon as the BIOS has finished loading, begin tapping the F8 key.
Continue to do so until the Windows Advanced Options menu appears.
Using the arrow keys, scroll to and select Safe Mode, then press Enter.

Open ewido and click on the Scanner button in the left menu, then click on Complete System Scan.
When ewido finds something, it will pop up a notification.
Select "Clean" and check the boxes "Perform action with all infections" and "Create encrypted backup" before clicking on OK.
When the scan finishes, click on "Save Report".

Reboot to normal mode.

Post the report from ewido.
It's located in the folder at C:\Program Files\ewido\security suite\Reports.
Scan with HijackThis and post a fresh log.

This malware may have changed some settings in the registry to block Windows Update.
We can check for that once the scans are clean.
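The triage JG427 did by eye above (spotting the BHO with no display name) can be written down as a small check. This is an added example, not a tool from this thread or from HijackThis; the lines it parses are copied from the logs posted here, and the "DLL sitting directly in system32" heuristic is my own assumption, not a rule from the thread.

```python
import re
from typing import Dict, List

# Constructed sample: a handful of lines taken from the two HijackThis v1.99.1
# logs posted in this thread, including the unnamed BHO JG427 identified.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: - {1E6CE4CD-161B-4847-B8BF-E2EF72299D69} - C:\WINDOWS\system32\ib2.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O15 - Trusted Zone: www.greenhomegroup.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
"""

# HijackThis line formats as they appear in the posted logs.
BHO_RE = re.compile(r"^O2 - BHO:\s*(?P<name>.*?)\s*-\s*\{(?P<clsid>[^}]+)\}\s*-\s*(?P<path>.+)$")
ZONE_RE = re.compile(r"^O15 - Trusted Zone:\s*(?P<host>\S+)$")
PAGE_RE = re.compile(r"^R[01] - (?P<key>.+?)\s*=\s*(?P<value>\S+)$")


def is_nameless(name: str) -> bool:
    # HijackThis prints an empty name or "(no name)" when the BHO has no display name.
    return name.strip() in ("", "(no name)")


def in_system32(path: str) -> bool:
    # Assumed heuristic: a BHO DLL dropped straight into %WINDIR%\system32 rather
    # than under its product's folder is what made ib2.dll stand out here.
    return "\\windows\\system32\\" in path.lower()


def triage(log_text: str) -> List[Dict[str, str]]:
    """Return findings in log order: 'suspect', 'review' or 'info' items."""
    findings: List[Dict[str, str]] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = BHO_RE.match(line)
        if m:
            if is_nameless(m["name"]) and in_system32(m["path"]):
                findings.append({"level": "suspect", "item": m["path"],
                                 "reason": "nameless BHO loaded from system32"})
            elif is_nameless(m["name"]):
                findings.append({"level": "review", "item": m["path"],
                                 "reason": "nameless BHO; confirm the vendor"})
            continue
        m = ZONE_RE.match(line)
        if m:
            findings.append({"level": "review", "item": m["host"],
                             "reason": "host placed in the IE Trusted Zone"})
            continue
        m = PAGE_RE.match(line)
        if m:
            findings.append({"level": "info", "item": m["value"], "reason": m["key"]})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['level']:8} {f['item']}  ({f['reason']})")
```

Named BHOs from known products produce no finding; the Spybot helper is nameless but lives under its own product folder, so it only gets a "review" entry rather than "suspect".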

#3 RobVB


Posted 14 December 2005 - 01:34 PM

Thank you JG

I just saw this reply. I will do this in the evening and let you know. Thanks again!

Rob

#4 RobVB


Posted 14 December 2005 - 11:51 PM

Hi
I deleted the keylogger using HijackThis. The file C:/windows/system32/ib2.dll had to be deleted in Safe Mode, as it was in use. I ran the ewido full system scan and no infected objects were found.
This must mean I am clean!
Now I am back to my original issue of getting the updates to work. Automatic Update still does not work.

Any thoughts?
Rob

Edited by RobVB, 14 December 2005 - 11:54 PM.


#5 JG427


Posted 15 December 2005 - 01:22 AM

Post the report from ewido.
It's located in the folder at C:\Program Files\ewido\security suite\Reports.
Scan with HijackThis and post a fresh log.

#6 RobVB


Posted 28 December 2005 - 12:16 AM

I am glad to say that my update issue has been fixed. BleepingComputer helped me clean my PC of virus/spyware.
I wasted my time with Trend Micro, which was completely incapable of supporting the products it sells and couldn't help me fix these issues in any way.
Below are 1) the ewido report, 2) the HijackThis log, 3) the resolution from the Microsoft Update support team:
Thank you all again!!!

Rob

Here is the report from ewido:

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 10:37:47 PM, 12/14/2005
+ Report-Checksum: B9436148

+ Scan result:

No infected objects found.

::Report End

Here is the HijackThis log:
Logfile of HijackThis v1.99.1
Scan saved at 11:43:15 PM, on 12/27/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\MSSQL7\binn\sqlservr.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe
C:\Program Files\Sony\Jog Dial Utility\JogServ2.exe
C:\Program Files\Sony\HotKey Utility\HKserv.exe
C:\WINDOWS\system32\atiptaxx.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\system32\BRMFRSMG.EXE
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\hijakthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.sony.com/vaiopeople
F2 - REG:system.ini: Shell=explorer.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKLM\..\Run: [JOGSERV2.EXE] C:\Program Files\Sony\Jog Dial Utility\JogServ2.exe
O4 - HKLM\..\Run: [HKSERV.EXE] C:\Program Files\Sony\HotKey Utility\HKserv.exe
O4 - HKLM\..\Run: [gcasServ] C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [ccleaner] "C:\Program Files\CCleaner\ccleaner.exe" /AUTO
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: www.greenhomegroup.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
---------------End of HijackThis log --------------------------


After cleaning the malware/virus/spyware I tried the update and no longer got redirected to msn.com; instead I got an error in the process. I sent an email to Microsoft Update support and got a resolution from them in 2 days. The first solution (Suggestion 1) worked for me:

Here is the email I received from the Microsoft Update support staff:
--------------start of the support email--------------------------
From the case log, I understand that the error code 0x80070424 was encountered
when trying to update Windows XP. This error may appear both in Windows XP and
Windows 2000. I am sorry for the inconvenience you have experienced. Please be
assured that I will try my best to help you. However, if there
has been any misunderstanding, please feel free to correct me.

This error can be caused by one of the following factors:

1. The two registry branches of Automatic Updates are corrupted.
2. Some Windows Update engine files have not been registered.

Let us refer to the following steps to get this issue resolved.

Suggestion 1: Restore two registry branches.
===================
This issue can occur if the following two branches have been corrupted:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\wuauserv
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WUAUSERV

We can use the following steps to restore the two branches:

1. Click Start, click Run, type: Inf and press Enter. A folder will be opened.
2. Locate the file "au.inf" in the opened folder (you can type au to locate this
file), right click on the file and choose "Install".

Note: The file extension ".inf" may be hidden; we may only see the file named
"au".

3. The setup process will try to restore the registry branches automatically.
You may not receive any notification. However, if some files cannot be located
automatically, we will be prompted to select the installation source. Please
click browse, and go to this location:

C:\Windows\ServicePackFiles\i386
If this folder is not available, please choose the folder C:\Windows\System32.

4. Restart the computer and test the issue.

If you encounter any trouble with the above steps, or the Windows Update issue
persists, please refer to the next suggestion.

Suggestion 2: Re-register the Windows Update engine files.
====================
This issue can also occur if the Windows Update engine files have not been
registered. I suggest we use the following steps to re-register these files:

1. Click Start, click Run, type: cmd and press Enter.
2. Run the following commands:

Regsvr32 wuaueng.dll
Regsvr32 wuapi.dll
Regsvr32 wucltui.dll
Regsvr32 wups.dll
Regsvr32 wuweb.dll
Regsvr32 qmgr.dll
Regsvr32 qmgrprxy.dll

After running each command, we will receive a message stating "Succeeded". If
you do not see the message, please let me know.

After performing the steps, please visit the Windows Update site again and see
if the issue is resolved.
-----------------------End of the support email----------------------

Edited by RobVB, 28 December 2005 - 12:23 AM.


#7 JG427


Posted 28 December 2005 - 06:04 PM

Glad you got Windows Update sorted out! :thumbsup:
Thanks for posting the results; it's good to know what worked.

Your HijackThis log is clear of malware.
Your system is in good shape with antivirus and malware scanners.
Consider adding the following free prevention programs.
Since they each work in a different way, I recommend installing all of them.

SpywareBlaster - Prevent the installation of ActiveX-based spyware, adware, browser hijackers, dialers, and other potentially unwanted pests.

IE-SPYAD is a Registry file (IE-ADS.REG) that adds a long list of sites and domains associated with known advertisers, marketers, and crapware pushers to the Restricted sites zone of Internet Explorer.

Blocking Unwanted Parasites with a Hosts File
http://www.mvps.org/winhelp2002/hosts.htm

These do not run in the background; just check for updates every few weeks.
Open SpywareBlaster and click Check for Updates, then Enable All Protection.
Updates for IE-SPYAD and the MVPS HOSTS file are announced in the software forum at SpywareInfo.

#8 JG427


Posted 02 January 2006 - 10:16 PM

Since this issue appears resolved, this topic is closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.