Automatic Windows Updates


8 replies to this topic

#1 isntdatwild

isntdatwild

  • Members
  • 7 posts
  • OFFLINE
  • Local time:06:12 AM

Posted 01 July 2011 - 11:29 AM

Some malware, I believe, will not allow me to turn on "Automatic Windows Updates".

When I try to turn them on I receive this message: We're sorry. The Security Center could not change your Automatic Update settings. To try and change these settings yourself, go to System in Control Panel. Click on Automatic (recommended), then click OK.

Try this same message?

Running Win XP Service Pack 3, 32-bit

Thanks in advance
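The message the poster quotes comes up when Windows cannot apply a change to the Automatic Updates setting. Three places decide that on a stand-alone XP/Vista/7 machine: the user setting `AUOptions`, the `NoAutoUpdate` policy value (which greys out the Control Panel option), and the start type of the `wuauserv` service. The script below is an added example for checking those three, written for this thread; it is not a BleepingComputer tool, the function names `diagnose` and `read_live_state` are chosen here, and it does not claim to know what is wrong on the poster's PC. The registry paths are the standard Windows locations; `diagnose` only interprets values passed to it, so it runs anywhere, while `read_live_state` needs Windows.

```python
"""Interpret the Windows settings that decide whether Automatic Updates can be
switched on.  Added example for this thread, not a BleepingComputer tool; the
registry paths are standard Windows locations, the function names are ours."""
import sys
from typing import Dict, List, Optional

# Meaning of AUOptions under
# HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update
AU_OPTIONS = {
    1: "Automatic Updates turned off",
    2: "notify before download",
    3: "download automatically, notify before install",
    4: "download and install automatically on schedule",
}
SERVICE_START = {2: "automatic", 3: "manual", 4: "disabled"}


def diagnose(au_options: Optional[int],
             no_auto_update: Optional[int],
             wuauserv_start: Optional[int]) -> List[str]:
    """Return findings about the three values; an empty list means they look healthy.

    au_options     -- AUOptions under the Auto Update key (1-4), or None if absent
    no_auto_update -- NoAutoUpdate under the WindowsUpdate\\AU *policy* key;
                      1 forces updates off and greys out the Control Panel setting,
                      None means no policy is present
    wuauserv_start -- Start value of the Automatic Updates service (wuauserv):
                      2 auto, 3 manual, 4 disabled; None if the service key is missing
    """
    findings: List[str] = []
    if no_auto_update == 1:
        findings.append(
            "Policy NoAutoUpdate=1 is set: Automatic Updates is forced off and the "
            "Control Panel setting cannot be changed. On a stand-alone PC with no "
            "domain policy this is a tampering indicator.")
    if au_options is None:
        findings.append("AUOptions is missing: Automatic Updates was never configured "
                        "or the value was removed.")
    elif au_options == 1:
        findings.append("AUOptions=1: Automatic Updates is turned off in the user setting.")
    elif au_options not in AU_OPTIONS:
        findings.append(f"AUOptions has an unexpected value ({au_options!r}).")
    if wuauserv_start is None:
        findings.append("The wuauserv service registry key is missing.")
    elif wuauserv_start == 4:
        findings.append("The wuauserv service is disabled; Automatic Updates cannot be "
                        "turned on until the service start type is restored.")
    elif wuauserv_start not in SERVICE_START:
        findings.append(f"wuauserv has an unexpected Start value ({wuauserv_start!r}).")
    return findings


def _read_dword(subkey: str, value: str) -> Optional[int]:
    """Read a DWORD from HKEY_LOCAL_MACHINE, or None if the key or value is absent."""
    import winreg  # Windows only; imported lazily so the module loads elsewhere
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, subkey) as key:
            data, _kind = winreg.QueryValueEx(key, value)
            return int(data)
    except FileNotFoundError:
        return None


def read_live_state() -> Dict[str, Optional[int]]:
    """Collect the three values from the local registry (Windows only)."""
    return {
        "au_options": _read_dword(
            r"SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update", "AUOptions"),
        "no_auto_update": _read_dword(
            r"SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU", "NoAutoUpdate"),
        "wuauserv_start": _read_dword(
            r"SYSTEM\CurrentControlSet\Services\wuauserv", "Start"),
    }


if __name__ == "__main__":
    if sys.platform != "win32":
        sys.exit("read_live_state() needs Windows; diagnose() can be used anywhere")
    for line in diagnose(**read_live_state()) or ["No problems found in these three settings."]:
        print(line)
```

A home PC that was never joined to a domain should have no `NoAutoUpdate` policy value at all, so finding one set to 1 is worth noting in a malware-removal log even before the cause is known.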



#2 Clairvoyant

Clairvoyant

  • Malware Response Team
  • 1,564 posts
  • OFFLINE
  • Gender:Male
  • Location:somewhere in time
  • Local time:11:12 AM

Posted 01 July 2011 - 02:04 PM

Hi isntdatwild, and welcome.

Is this trouble on the same computer for which you have opened this topic?

Anyway, clean temp files with Temp File Cleaner:

  • Double click on TFC.exe to run the program
  • Click on Start button to begin cleaning process
  • TFC will close all running programs; if it asks you to restart the computer, allow it

then scan your PC with ESET Online Scanner, following these steps:


  • Disable your Antivirus and other security software
  • Click here to open ESET Online Scanner
  • Click the Posted Image button
  • Only if you don't use Internet Explorer:
    • Click on Posted Image to download the ESET Smart Installer and Save it to your desktop
    • Double click on the esetsmartinstaller_enu icon on your desktop
  • Check Posted Image
  • Click Posted Image
  • Accept any security warnings from your browser
  • Under scan settings, check Posted Image and Uncheck Remove found threats
  • Click Advanced settings and select:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will download updates and install itself, then begin the scan. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Click Posted Image, and save the file to your desktop using a unique name, such as ESETScan
  • Click Posted Image
  • Click Posted Image
and next download Security Check, save it to your Desktop and:

  • Double-click SecurityCheck.exe
  • Follow the onscreen instructions inside of the black box
  • A Notepad document called checkup.txt should open automatically; save it to your desktop
Now you should re-enable the protections that you previously disabled, and include the contents of the reports in your reply.

Regards.


Edited by Clairvoyant, 01 July 2011 - 03:06 PM.


#3 isntdatwild

isntdatwild
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:06:12 AM

Posted 05 July 2011 - 03:09 PM

Here are my results files, thanks again.

ESET Results:
C:\Documents and Settings\Admin\Local Settings\Application Data\{459AD0EE-85C8-4E85-9E4D-E23223B49DFC}\chrome\content\overlay.xul probably a variant of Win32/Agent.NVQFFQI trojan
C:\Documents and Settings\Rob\Local Settings\Application Data\{E305727D-8247-48EF-BC74-0B2CB17B86F3}\chrome\content\overlay.xul probably a variant of Win32/Agent.NVQFFQI trojan
C:\Documents and Settings\Rob\My Documents\(2) Temp_Software\Cute PDF\Copy of CuteWriter.zip Win32/OpenCandy application
C:\Documents and Settings\Rob\My Documents\(2) Temp_Software\Cute PDF\CuteWriter.exe Win32/OpenCandy application
C:\RECYCLER\S-1-5-21-1956209817-997281547-1955270451-1008\Dc381\plugin-yzbujwblcmdoind.pdf PDF/Exploit.Pidief.PDS.Gen trojan

Security Check Results:
Results of screen317's Security Check version 0.99.7
Windows XP Service Pack 3
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Enabled!
AVG 2011
ESET Online Scanner v3
McAfee Security Scan Plus
Antivirus up to date! (On Access scanning disabled!)
```````````````````````````````
Anti-malware/Other Utilities Check:

MVPS Hosts File
Spybot - Search & Destroy
Java™ 6 Update 21
Java™ 6 Update 2
Java™ 6 Update 3
Java™ 6 Update 5
Java™ 6 Update 7
Out of date Java installed!
Adobe Flash Player 10.1.82.76
Adobe Reader 9.1.2
Out of date Adobe Reader installed!
````````````````````````````````
Process Check:
objlist.exe by Laurent

AVG avgwdsvc.exe
AVG avgtray.exe
Admin Desktop virus files SecurityCheck.exe
``````````End of Log````````````

#4 Clairvoyant

Clairvoyant

  • Malware Response Team
  • 1,564 posts
  • OFFLINE
  • Gender:Male
  • Location:somewhere in time
  • Local time:11:12 AM

Posted 06 July 2011 - 03:56 PM

Hi isntdatwild,

ESET Online Scanner found some threats, but in order to proceed with cleaning your computer you need to do some other activities first.

So, you need to install the latest JRE version:

  • Go here
  • Read the License Agreement, and then check the box that says: "Accept License Agreement"
  • From the list, select your OS and Platform
  • Download for an Offline Installation and save the file to your desktop
  • Close any programs you may have running - especially your web browser
  • Uninstall JRE from Start => Control Panel => Add/Remove Programs => click on Java => click on Uninstall
  • Repeat the step above for every JRE entry you see
  • Double click on downloaded file and install it

then:

  • uninstall Chrome
  • install a good free firewall, like Comodo (if you choose Comodo, DO NOT install the antivirus during the installation process) or Online Armor
  • check the version of the MVPS Hosts File and, if it isn't the latest, update it
  • update Acrobat Reader (if you prefer, you can uninstall it and try Foxit Reader)
  • if you wish, you can uninstall CutePDF Writer and install PDF Creator
  • you can even uninstall AVG and install Antivir Free (in my opinion it is better than AVG)

Then disable your internet connection, perform a new scan with your updated AV, use TFC, re-enable the internet connection and scan your PC again with ESET Online Scanner.
Next you can install Chrome or another browser again.

Please also check these files with VirusTotal:

  • C:\Documents and Settings\Rob\My Documents\(2) Temp_Software\Cute PDF\Copy of CuteWriter.zip
  • C:\Documents and Settings\Rob\My Documents\(2) Temp_Software\Cute PDF\CuteWriter.exe

Include the contents of the scan reports in your reply.



Regards.

Edited by Clairvoyant, 06 July 2011 - 04:03 PM.


#5 isntdatwild

isntdatwild
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:06:12 AM

Posted 27 July 2011 - 10:29 PM

Well, I finally had a chance to work on this again; here's the latest update.

I did the steps that you sent, with these results:

Uninstalled All Java, installed the latest version, all went well.

Could not find a way to uninstall Chrome; it does not show up in Add/Remove Programs or the Start Menu?

Installed Online Armor

Updated to the latest AVG and ran scan, report below.

Infections
;"File";"Infection";"Result"
;"C:\WINDOWS\system32\services.exe (588):\memory_001b0000"; "Trojan horse Cryptic.CYK"
;"C:\WINDOWS\explorer.exe (588)"; "Trojan horse Cryptic.CYK"
;"C:\WINDOWS\system32\services.exe (348):\memory_001b0000";"Trojan horse Cryptic.CYK"
;"C:\WINDOWS\explorer.exe (348):\memory_001b0000";"Trojan horse Cryptic.CYY"


When I ran ESET I forgot to check the "Do Not Remove Threats" option, report is below,

C:\RECYCLER\S-1-5-21-1956209817-997281547-1955270451-1008\Dc381\plugin-yzbujwblcmdoind.pdf PDF/Exploit.Pidief.PDS.Gen trojan cleaned by deleting - quarantined

I then tried to run VirusTotal on the 2 files you listed, but they were no longer in the folder? Not sure if the scan removed them?

Still cannot turn on the Automatic Windows Update option?

Thanks

#6 isntdatwild

isntdatwild
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:06:12 AM

Posted 27 July 2011 - 10:34 PM

Here is the total report from AVG, what I posted above was incomplete:

"Scan ""Whole computer scan"" completed."
"Infections";"4";"2";"2"
"Folders selected for scanning:";"Whole computer scan"
"Scan started:";"Wednesday, July 27, 2011, 10:14:34 PM"
"Scan finished:";"Wednesday, July 27, 2011, 11:29:50 PM (1 hour(s) 15 minute(s) 15 second(s))"
"Total object scanned:";"1244133"
"User who launched the scan:";"Admin"

"Infections"
"";"File";"Infection";"Result"
"";"C:\WINDOWS\system32\services.exe (588)";"Trojan horse Cryptic.CYK";"Deleted"
"";"C:\WINDOWS\explorer.exe (348)";"Trojan horse Cryptic.CYK";"Deleted"
"";"C:\WINDOWS\system32\services.exe (588):\memory_001b0000";"Trojan horse Cryptic.CYK";"Infected"
"";"C:\WINDOWS\explorer.exe (348):\memory_001b0000";"Trojan horse Cryptic.CYK";"Infected"

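The ESET lines in post #3 and the AVG report in post #6 use two different layouts: ESET prints the path and the detection name with nothing but a space between them, while AVG exports a semicolon-separated, double-quoted file whose "File" column carries a process id and a `:\memory_...` suffix when the hit was inside a running process rather than in a file on disk. The parser below is an added example for reading both into one record type and separating file hits from in-memory hits; it is not a BleepingComputer, ESET or AVG tool, the sample inputs are the lines from the posts above, and the record layout, category names and the assumption about ESET's "Platform/Family" naming style are this example's own.

```python
"""Normalise ESET Online Scanner and AVG report lines into one record type.
Added example for this thread, not a BleepingComputer, ESET or AVG tool."""
import csv
import io
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Detection:
    scanner: str                         # "eset" or "avg"
    path: str                            # file on disk, or image of a running process
    name: str                            # detection name exactly as the scanner printed it
    result: str                          # scanner action ("", "Infected", "Deleted", ...)
    pid: Optional[int] = None            # process id when the hit was a running process
    memory_region: Optional[str] = None  # AVG's "memory_<hex>" suffix, if any

    @property
    def in_memory(self) -> bool:
        """True when the scanner flagged code inside a process rather than a file."""
        return self.memory_region is not None

    @property
    def category(self) -> str:
        """Coarse triage bucket derived from the vendors' naming conventions."""
        n = self.name.lower()
        if "exploit" in n:
            return "exploit document"
        if "trojan" in n:
            return "trojan"
        if n.endswith("application"):
            return "potentially unwanted application"
        return "other"


# ESET prints "<path> <detection>" with no delimiter.  A Windows path cannot contain
# "/", while ESET names carry a "Platform/Family" token, optionally after
# "probably a variant of" / "a variant of" (assumption about ESET's naming style),
# so split at the first whitespace that precedes such a token.
_ESET_SPLIT = re.compile(r"\s+(?=(?:probably a variant of |a variant of )?\S+/\S+)")

# AVG's "File" column: "<path>", then optionally " (<pid>)" and ":\memory_<hex>".
_AVG_LOCATION = re.compile(
    r"^(?P<path>.+?)(?: \((?P<pid>\d+)\))?(?::\\(?P<mem>memory_[0-9A-Fa-f]+))?$")


def parse_eset(text: str) -> List[Detection]:
    found = []
    for line in text.splitlines():
        parts = _ESET_SPLIT.split(line.strip(), maxsplit=1)
        if len(parts) == 2:              # anything else is a header or summary line
            found.append(Detection("eset", parts[0], parts[1], ""))
    return found


def parse_avg(text: str) -> List[Detection]:
    found = []
    # skipinitialspace also tolerates the '; "' spacing of the hand-trimmed paste in post #5
    rows = csv.reader(io.StringIO(text), delimiter=";", quotechar='"', skipinitialspace=True)
    for row in rows:
        if len(row) < 3 or not re.match(r"^[A-Za-z]:\\", row[1]):
            continue                     # summary rows and the File/Infection/Result header
        m = _AVG_LOCATION.match(row[1])
        found.append(Detection("avg", m.group("path"), row[2], row[3] if len(row) > 3 else "",
                               pid=int(m.group("pid")) if m.group("pid") else None,
                               memory_region=m.group("mem")))
    return found


def summarize(detections: List[Detection]) -> Dict[str, object]:
    """Counts per category plus the (image, pid) pairs that carried in-memory hits."""
    counts: Dict[str, int] = {}
    for d in detections:
        counts[d.category] = counts.get(d.category, 0) + 1
    injected = sorted({(d.path.rsplit("\\", 1)[-1], d.pid) for d in detections if d.in_memory})
    return {"counts": counts, "in_memory": injected}


# Sample inputs: the findings pasted in posts #3 and #6 of this thread.
ESET_SAMPLE = r"""
C:\Documents and Settings\Admin\Local Settings\Application Data\{459AD0EE-85C8-4E85-9E4D-E23223B49DFC}\chrome\content\overlay.xul probably a variant of Win32/Agent.NVQFFQI trojan
C:\Documents and Settings\Rob\Local Settings\Application Data\{E305727D-8247-48EF-BC74-0B2CB17B86F3}\chrome\content\overlay.xul probably a variant of Win32/Agent.NVQFFQI trojan
C:\Documents and Settings\Rob\My Documents\(2) Temp_Software\Cute PDF\Copy of CuteWriter.zip Win32/OpenCandy application
C:\Documents and Settings\Rob\My Documents\(2) Temp_Software\Cute PDF\CuteWriter.exe Win32/OpenCandy application
C:\RECYCLER\S-1-5-21-1956209817-997281547-1955270451-1008\Dc381\plugin-yzbujwblcmdoind.pdf PDF/Exploit.Pidief.PDS.Gen trojan
"""
AVG_SAMPLE = r"""
"Scan ""Whole computer scan"" completed."
"Infections";"4";"2";"2"
"";"File";"Infection";"Result"
"";"C:\WINDOWS\system32\services.exe (588)";"Trojan horse Cryptic.CYK";"Deleted"
"";"C:\WINDOWS\explorer.exe (348)";"Trojan horse Cryptic.CYK";"Deleted"
"";"C:\WINDOWS\system32\services.exe (588):\memory_001b0000";"Trojan horse Cryptic.CYK";"Infected"
"";"C:\WINDOWS\explorer.exe (348):\memory_001b0000";"Trojan horse Cryptic.CYK";"Infected"
"""

if __name__ == "__main__":
    for d in parse_eset(ESET_SAMPLE) + parse_avg(AVG_SAMPLE):
        where = f"{d.path} (pid {d.pid}, {d.memory_region})" if d.in_memory else d.path
        print(f"[{d.scanner}] {d.category:<32} {d.result or '-':<9} {where}")
    print(summarize(parse_eset(ESET_SAMPLE) + parse_avg(AVG_SAMPLE)))
```

The split between file and in-memory records matters for the triage here: an in-memory hit against `services.exe` or `explorer.exe` points at code injected into a legitimate Windows process, which a file-level delete does not remove and which usually comes back at the next boot from wherever the injector is stored, so those two entries are the ones a responder follows up rather than the already-quarantined PDF.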
#7 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,933 posts
  • ONLINE
  • Gender:Female
  • Location:Romania
  • Local time:01:12 PM

Posted 28 July 2011 - 04:02 PM

Hello, since Clairvoyant is not available at the moment, I will take over this topic. :)

Instead of browsing to these files to upload them to virustotal, can you copy/paste the file path in the Open box and see if you can upload them like that?

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#8 isntdatwild

isntdatwild
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:06:12 AM

Posted 29 July 2011 - 02:23 PM

The file is not there to upload

#9 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,933 posts
  • ONLINE
  • Gender:Female
  • Location:Romania
  • Local time:01:12 PM

Posted 29 July 2011 - 04:16 PM

At virustotal, in the Open box, did you type, for example: c:\windows\explorer.exe, and then click Send File (do not use the Browse button)?

regards, Elise




