Windows Update "blocked": infection?


6 replies to this topic

#1 Chicchio

Posted 06 September 2013 - 04:50 AM

Hi to all !

 

I have 2 PCs, both running Windows XP Pro SP3, with all updates up to July, and Symantec Endpoint Protection.

 

A few days ago, I noticed that my PC was very slow; in Task Manager, I found an svchost running at 100% CPU. I found that this was due to Windows Automatic Updates; I turned it off and all was OK. I tried to run Windows Update from the Microsoft site, but the green "looking for updates" bar went on and on, and finally I closed IE. I tried with the other PC, and the behavior was exactly the same. I tried many fixes from Microsoft, but with no result.

 

This is the only sign that I have on my PCs. I surf the web with Firefox or Chrome OK: no pop-ups, no visible redirections.

Symantec Endpoint Protection doesn't find anything, and it runs updates fine.

I have Malwarebytes Anti-Malware Free; it downloaded updates and ran OK, and it finds nothing.

I ran Microsoft Safety Scanner: nothing found; Microsoft Defender Offline (boot from CD): nothing found; Avira Rescue (boot from CD): nothing found; TDSS Killer: nothing found; Symantec and F-Secure tools for Conficker (someone told me I could have that virus): nothing found.

 

Now, I remember that some weeks ago I had an alert about GoogleUpdate.exe trying to connect to the Internet; since I have a portable Chrome, I was suspicious and denied it, then I went into the folder of googleupdate.exe and deleted it without any problem. I know the strange rules for updating Chrome, so I thought this could be compatible with my portable Chrome, and forgot all about it.

 

But now, I have read some topics about the ZeroAccess rootkit and its use of GoogleUpdate.exe (in a McAfee Threat Advisory).

 

I am very worried, so I am asking for help to understand whether I could be infected or not. In my house there are also 2 PCs running Windows 7 (Starter and Home Premium), and they are both OK; they run Windows Update normally.

 

Thanks for any advice, and forgive my English.

 

Enrico


Edited by Chicchio, 06 September 2013 - 04:53 AM.



 


#2 TwinHeadedEagle (Security Colleague)

Posted 06 September 2013 - 07:03 AM

You can easily check whether you are infected with ZeroAccess in this way:

 

Go to Program Files --> Google --> Desktop --> Install --> {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}

 

Inside this folder is one with no name, then another with no name, and finally a folder named ". . .". If you get a "Location is not available" message when you try to open that folder, then you are 99% infected with ZeroAccess.
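The check described in this post, written out as a script so it can be run rather than clicked through. This is an added example, not a tool from the thread or from any vendor. It walks the Google Desktop Install folder named above, flags directory names made only of whitespace (a "folder with no name") or only of dots and spaces (". . ."), and tries to list each one; on Windows it uses the extended-length path prefix so that trailing dots are not silently stripped by path normalisation, which is what makes such a folder report "Location is not available" in Explorer. Assumptions, also marked in the code: the default root is the path from the post, the GUID in the constructed sample tree is made up, and the verdict rule is the post's own (a dots-only folder, especially one that cannot be opened, is the sign).

```python
"""Look for the folder layout described in the post: under the Google Desktop
Install folder, a {GUID} folder containing a nameless folder, another nameless
folder, and finally one named ". . ." that Explorer refuses to open.

Added example, not a tool from the thread. Assumptions: the default root is the
path named in the post; a "folder with no name" is modelled as a directory name
made only of whitespace; the ". . ." folder as a name made only of dots and
spaces. Run with no arguments to scan the default root (if present) or a
constructed sample tree; pass a path to scan something else.
"""
import os
import sys
import tempfile

# Path named in the post; adjust the drive letter if Program Files lives elsewhere.
DEFAULT_ROOT = r"C:\Program Files\Google\Desktop\Install"


def classify_name(name):
    """Return 'unnamed', 'dots' or None for a directory entry name."""
    if name.strip() == "":
        return "unnamed"  # only whitespace: shows as a nameless folder in Explorer
    if "." in name and set(name) <= {".", " "}:
        return "dots"     # e.g. ". . .": Win32 path rules strip trailing dots/spaces
    return None


def listable(path):
    """Try to list a directory. On Windows the \\\\?\\ prefix is added so that
    trailing dots and spaces survive path normalisation. Returns (ok, error)."""
    probe = path
    if os.name == "nt" and not path.startswith("\\\\?\\"):
        probe = "\\\\?\\" + os.path.abspath(path)
    try:
        os.listdir(probe)
        return True, ""
    except OSError as exc:
        return False, str(exc)


def scan(root, max_depth=6):
    """Walk `root` and return findings as (path, kind, listable, error) tuples."""
    findings = []
    root = os.path.abspath(root)
    base_depth = root.rstrip(os.sep).count(os.sep)
    for dirpath, dirnames, _files in os.walk(root):
        if dirpath.count(os.sep) - base_depth >= max_depth:
            dirnames[:] = []  # do not descend further
            continue
        for name in list(dirnames):
            kind = classify_name(name)
            if kind is None:
                continue
            full = os.path.join(dirpath, name)
            ok, err = listable(full)
            findings.append((full, kind, ok, err))
    return findings


def assess(root):
    """Apply the post's rule: a dots-only folder, especially one that cannot be
    listed ("Location is not available"), is the tell-tale sign."""
    findings = scan(root)
    dots = [f for f in findings if f[1] == "dots"]
    return {
        "findings": findings,
        "suspicious": bool(dots),
        "unlistable_dots": [f[0] for f in dots if not f[2]],
    }


def build_sample_tree(base=None):
    """Construct the layout from the post (test data; the GUID is made up).
    Returns (root, innermost_folder)."""
    if base is None:
        base = tempfile.mkdtemp(prefix="layout-sample-")
    leaf = os.path.join(base, "{00000000-0000-0000-0000-000000000000}", " ", "  ", ". . .")
    os.makedirs(leaf, exist_ok=True)
    return base, leaf


if __name__ == "__main__":
    if len(sys.argv) > 1:
        target = sys.argv[1]
    elif os.path.isdir(DEFAULT_ROOT):
        target = DEFAULT_ROOT
    else:
        target, _ = build_sample_tree()
        print("default root not present; scanning constructed sample tree", target)
    result = assess(target)
    for path, kind, ok, err in result["findings"]:
        print("%-8s %-12s %s %s" % (kind, "listable" if ok else "NOT LISTABLE", path, err))
    print("suspicious:", result["suspicious"])
```

On a Windows XP box the script would be run with Python 2.7 against the default root; on any other system it falls back to the constructed tree so the logic can be exercised. A clean machine produces no findings at all, which is the result Chicchio reports in the next post.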



#3 Chicchio (Topic Starter)

Posted 06 September 2013 - 12:09 PM

TwinHeadedEagle,

thanks for the answer. No, I don't have the folders that you describe.

So may I assume that the problem is only about Windows Update?



#4 TwinHeadedEagle (Security Colleague)

Posted 06 September 2013 - 02:06 PM

Good, but let's run another scan, just to be sure...

 

 

 

Download Malwarebytes' Anti-Malware (aka MBAM): https://www.bleepingcomputer.com/download/malwarebytes-anti-malware/ to your desktop.
 
* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform quick scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad.
* Post the log back here.
 
Be sure to restart the computer.
 
The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt


#5 Chicchio (Topic Starter)

Posted 07 September 2013 - 06:54 AM

Here is the MBAM log. I had it installed already, so this is not the latest version; it is in Italian, but I am sure that you will understand it anyway!

I ran a quick scan.

 

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Versione database: 913090702

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

07/09/2013 13.51.11
mbam-log-2013-09-07 (13-51-10).txt

Tipo di scansione: Scansione veloce
Elementi esaminati: 334969
Tempo trascorso: 12 minuti, 8 secondi

Processi infetti in memoria: 0
Moduli di memoria infetti: 0
Chiavi di registro infette: 0
Valori di registro infetti: 0
Voci infette nei dati di registro: 2
Cartelle infette: 0
File infetti: 0

Processi infetti in memoria:
(Non sono stati rilevati elementi nocivi)

Moduli di memoria infetti:
(Non sono stati rilevati elementi nocivi)

Chiavi di registro infette:
(Non sono stati rilevati elementi nocivi)

Valori di registro infetti:
(Non sono stati rilevati elementi nocivi)

Voci infette nei dati di registro:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

Cartelle infette:
(Non sono stati rilevati elementi nocivi)

File infetti:
(Non sono stati rilevati elementi nocivi)
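A small parser for the log format above, added here as an example (it is not a Malwarebytes tool or code from the thread). It keys on the detection lines, "item (Signature) -> action", which are the same in every UI language, so the Italian section headers are irrelevant to it. Run over the registry-data part of the thread's log it reports two PUM.Disabled.SecurityCenter entries (Security Center's AntiVirusDisableNotify and UpdatesDisableNotify values set to 1 where 0 is expected) and flags both as unresolved, because the recorded action is "No action taken." rather than a fix. The embedded sample is the thread's two registry lines plus one constructed file line, marked as such, so that a second action type is exercised.

```python
"""Parse a Malwarebytes' Anti-Malware 1.x text log and summarise what was found
and what was done about it. Added example, not a Malwarebytes or thread tool.
The sample is the registry part of the thread's log plus one CONSTRUCTED file
line (not from the thread) to show a second action type.
"""
import re
from collections import Counter

SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Versione database: 913090702

Windows 5.1.2600 Service Pack 3

Voci infette nei dati di registro:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

File infetti:
C:\CONSTRUCTED\sample\example.exe (Trojan.Example.Constructed) -> Quarantined and deleted successfully.
"""

# "item (Signature.Name) -> remainder"; the remainder is either a plain action or,
# for registry data entries, "Bad: (x) Good: (y) -> action".
DETECTION_RE = re.compile(r"^(?P<item>.+?) \((?P<sig>[^()]+)\) -> (?P<rest>.+)$")
BADGOOD_RE = re.compile(r"^Bad: \((?P<bad>[^)]*)\) Good: \((?P<good>[^)]*)\) -> (?P<action>.+)$")
VERSION_RE = re.compile(r"^Malwarebytes' Anti-Malware (\S+)$")


def parse_log(text):
    """Return program version, database version and the list of detections."""
    info = {"version": None, "database": None, "detections": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = VERSION_RE.match(line)
        if m:
            info["version"] = m.group(1)
            continue
        # "Versione database: N" / "Database version: N": take the trailing number.
        if "database" in line.lower() and info["database"] is None:
            m = re.search(r"(\d+)\s*$", line)
            if m:
                info["database"] = m.group(1)
            continue
        m = DETECTION_RE.match(line)
        if not m:
            continue
        det = {"item": m.group("item"), "sig": m.group("sig"),
               "family": m.group("sig").split(".")[0],  # PUM, Trojan, ...
               "bad": None, "good": None, "action": m.group("rest")}
        bg = BADGOOD_RE.match(m.group("rest"))
        if bg:
            det.update(bad=bg.group("bad"), good=bg.group("good"), action=bg.group("action"))
        info["detections"].append(det)
    return info


def unresolved(info):
    """Detections whose recorded action is 'No action taken' (nothing was fixed)."""
    return [d for d in info["detections"] if d["action"].startswith("No action taken")]


def summarize(info):
    by_family = Counter(d["family"] for d in info["detections"])
    by_action = Counter(d["action"] for d in info["detections"])
    return {"families": dict(by_family), "actions": dict(by_action),
            "unresolved": len(unresolved(info))}


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    print("MBAM", parsed["version"], "database", parsed["database"])
    for d in parsed["detections"]:
        extra = "" if d["bad"] is None else " (value %s, expected %s)" % (d["bad"], d["good"])
        print("%-30s %s%s -> %s" % (d["sig"], d["item"], extra, d["action"]))
    print(summarize(parsed))
```

The useful output for a helper reading such a log is the unresolved count: entries left at "No action taken." were only reported, not changed, so the two Security Center notification values were still set to 1 when this log was written.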
 



#6 TwinHeadedEagle (Security Colleague)

Posted 07 September 2013 - 10:30 AM

No, ZeroAccess isn't present...



#7 Chicchio (Topic Starter)

Posted 07 September 2013 - 11:36 AM

Thanks for the help.

 

I have another little question: I tried to download the latest version of MBAM, but it sent me to another site, this one:

http://download.html.it/software/malwarebytes-anti-malware-free/

Is it OK? Can I download it safely?

And finally, looking at the software that runs at startup, I found this:

EPSON Stylus SX200 Series = C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIEFE.EXE /FU "C:\DOCUME~1\io\IMPOST~1\Temp\E_S14.tmp" /EF "HKCU"

Is this safe? I have an Epson printer, and I know that E_FATIEFE.EXE is the program that shows the printer icon in the tray, but I don't understand the switches.

 

Thanks,

 

Enrico


Edited by Chicchio, 07 September 2013 - 11:40 AM.




