Techy Help AGAIN!!!! Please. This time it's Malware Bytes.




Hope you can make some sense of that:p

 

yep on the case

 

leave it with me.

 

got all afternoon

the failure at ATC stanwick means we're quiet.

 

dx

please don't hit Quote...just type we know what we said earlier..

DCA's view debtors as suckers, marks and mugs

NO DCA has ANY legal powers whatsoever on ANY debt no matter what it's Type

and they

are NOT and can NEVER  be BAILIFFS. even if a debt has been to court..

If everyone stopped blindly paying DCA's Tomorrow, their industry would collapse overnight... 


Just done another quick scan with Malware Bytes and it found 19 infected objects. All reg key and all Trojans. Deleted them and restarted. Still have the Configuring Update problem though. Also, I still can't install a new Notepad or Adobe Reader as they no longer work.

 

I think we are getting there though. Slowly but surely:p.

 

I have had viruses before, but I've managed to clear them. They seem to be getting more clever now.

 

 

If all else fails, kick them where it hurts and SOD'EM;)

 


can you hold on your self fix

else post up what you fix

no good saying 19 etc

what were they?

 

not going to waste my time deciphering a hijackthis log

only to find you have already cured the issue

 

post a new HI log please

 

i'll wait.

 

dx


New HI log, I will leave it now and await instructions.

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 13:32:37, on 03/10/2009

Platform: Windows Vista SP2 (WinNT 6.00.1906)

MSIE: Internet Explorer v8.00 (8.00.6001.18813)

Boot mode: Normal

 

Running processes:

C:\Windows\system32\taskeng.exe

C:\Windows\system32\Dwm.exe

C:\Windows\Explorer.EXE

C:\Program Files\Alwil Software\Avast4\ashDisp.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\Windows Media Player\wmpnscfg.exe

C:\Windows\system32\wbem\unsecapp.exe

C:\Program Files\Synaptics\SynTP\SynTPHelper.exe

C:\Program Files\Synaptics\SynTP\SynToshiba.exe

C:\Program Files\Betfair\Betfair Poker\Betfair Poker.exe

C:\Program Files\Mozilla Firefox 3.1 Beta 3\firefox.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = iGoogle

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = Hotmail, News, Sport, Music, Movies, Money, Cars, Shopping, Windows Live from MSN UK

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = Hotmail, News, Sport, Music, Movies, Money, Cars, Shopping, Windows Live from MSN UK

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

O2 - BHO: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll

O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll

O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O3 - Toolbar: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000

O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll

O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL

O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Programs\PartyGaming\PartyPoker\RunApp.exe (file missing)

O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Programs\PartyGaming\PartyPoker\RunApp.exe (file missing)

O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\BPGame.exe (file missing)

O9 - Extra button: Ruby Fortune Casino - A98B0756-FA1E-4C07-AF35-837C0ED4FE04 - C:\Microgaming\Casino\RubyFortune\Casinogame.exe (HKCU)

O9 - Extra button: 32Red Poker Room - {00000000-0000-0000-0000-000000000000} - C:\MicroGaming\Poker\32RedMPP\MPPoker.exe (file missing) (HKCU)

O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} (get_atlcom Class) - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

O23 - Service: CopySafe Helper Service (CSHelper) - Unknown owner - C:\Windows\system32\CSHelper.exe

O23 - Service: Google Update Service (gupdate1c9d65dedab2a10) (gupdate1c9d65dedab2a10) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe

O23 - Service: lxct_device - - C:\Windows\system32\lxctcoms.exe

O23 - Service: @%SystemRoot%\System32\TuneUpDefragService.exe,-1 (TuneUp.Defrag) - TuneUp Software - C:\Windows\System32\TuneUpDefragService.exe

O23 - Service: @%SystemRoot%\System32\TUProgSt.exe,-1 (TuneUp.ProgramStatisticsSvc) - TuneUp Software - C:\Windows\System32\TUProgSt.exe

O23 - Service: XoftSpyService - ParetoLogic Inc. - C:\Program Files\Common Files\XoftSpySE\6\xoftspyservice.exe

 

--

End of file - 5491 bytes

 

 


Here is the Malware Bytes log from earlier also dx. Hope it helps.

 

Malwarebytes' Anti-Malware 1.41

Database version: 2881

Windows 6.0.6002 Service Pack 2

 

03/10/2009 12:33:14

mbam-log-2009-10-03 (12-33-14).txt

 

Scan type: Quick Scan

Objects scanned: 96883

Time elapsed: 8 minute(s), 50 second(s)

 

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 17

Registry Values Infected: 1

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

 

Memory Processes Infected:

(No malicious items detected)

 

Memory Modules Infected:

(No malicious items detected)

 

Registry Keys Infected:

HKEY_CLASSES_ROOT\CLSID\{3831331e-0d11-4716-871d-68f3b11d23c9} (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\TypeLib\{90f3d7b3-92e7-44ba-b444-6a8e2a3bc375} (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Interface\{4921908c-7090-4d37-a6b3-fc447f08378a} (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Interface\{750fc67c-0311-4391-9864-a2efed49bd28} (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Interface\{f3fc950c-7583-4377-bad8-efbeaa33273c} (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{0944d16c-d0f4-4389-982a-a085595a9eb3} (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{3dcd2bc5-8489-48ae-891f-90c8b2f19f56} (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{52c01a76-19e2-4a50-ae8a-38ffbccf9182} (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{5954ea75-9bfa-461a-bd34-cea3a861ff19} (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{762ec429-1a5d-4ab8-844a-9a552e1241da} (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{a506ef88-9efc-4522-bfe1-a8e886a64d80} (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{a5704c37-40da-49ef-904b-97e5f5f9b1c5} (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{b87799af-2ce9-4daa-93cf-65f002035369} (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{bbc73c94-337c-43cc-b52c-31eb9fa34013} (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{c406f816-318d-4f7d-81cb-ba93ca7b70d5} (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{d502d4a3-03e6-4eae-a14e-69606ca63430} (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{ec22770d-3343-4c56-8a8d-3e560475f655} (Trojan.Agent) -> Quarantined and deleted successfully.

 

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\Windows\system32\actskin4.ocx (Trojan.Agent) -> Quarantined and deleted successfully.

 

Registry Data Items Infected:

(No malicious items detected)

 

Folders Infected:

(No malicious items detected)

 

Files Infected:

C:\Windows\System32\actskin4.ocx (Trojan.Agent) -> Quarantined and deleted successfully.

 

 


IN HIJACKTHIS

put a tick by these to remove them please:

 

O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Programs\PartyGaming\PartyPoker\RunApp.exe (file missing)

O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Programs\PartyGaming\PartyPoker\RunApp.exe (file missing)

O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\BPGame.exe (file missing)

O9 - Extra button: Ruby Fortune Casino - A98B0756-FA1E-4C07-AF35-837C0ED4FE04 - C:\Microgaming\Casino\RubyFortune\Casinogame.exe (HKCU)

O9 - Extra button: 32Red Poker Room - {00000000-0000-0000-0000-000000000000} - C:\MicroGaming\Poker\32RedMPP\MPPoker.exe (file missing) (HKCU)

 

run Ccleaner reg section after.

 

cant see anything nasty now.

 

dx

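The triage dx applied to the HijackThis log above (tick the entries whose target file no longer exists, leave the vendor-signed services alone, look twice at anything with no publisher) can be made repeatable. The Python below is an added example written for this page; it is not part of the thread and not HijackThis code. The actions it assigns are this editor's heuristics, not HijackThis output: "remove" for any registration marked "(file missing)", "verify" for O23 services whose publisher column is blank or "Unknown owner", and "review" for per-user (HKCU) O9 browser buttons that live outside Program Files and for O16 ActiveX controls pulled from a URL. The sample log is a verbatim subset of the log posted in this thread.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# HijackThis item lines look like "O9 - <body>" / "R1 - <body>"; the header,
# "Running processes:" list and "End of file" do not match and are skipped.
LINE_RE = re.compile(r"^(?P<section>[RFNO]\d+) - (?P<body>.+)$")
GUID_RE = re.compile(r"\{?[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}?")
# Columns are separated by " - ". A blank column (an O23 service with no
# publisher) appears as " - - ", which str.split(" - ") would swallow, so the
# first alternative consumes " -" only when another " -" follows it.
COLUMN_RE = re.compile(r" -(?= -)| - ")
PROGRAM_DIRS = ("c:\\program files", "c:\\progra~")


@dataclass
class HjtEntry:
    section: str        # "O9", "O23", ...
    kind: str           # "Extra button", "Service", "BHO", ...
    name: str           # label HijackThis shows for the item
    clsid: str          # GUID carried on the line, "" if none
    owner: str          # O23 publisher column, "" when blank
    path: str           # binary / DLL / URL column with flag text removed
    file_missing: bool  # line carried "(file missing)"
    hkcu: bool          # line carried "(HKCU)" (per-user registration)
    raw: str


def parse_hjt(text: str) -> List[HjtEntry]:
    entries = []
    for line in text.splitlines():
        line = line.strip()
        m = LINE_RE.match(line)
        if not m:
            continue
        section, body = m.group("section"), m.group("body")
        file_missing = "(file missing)" in body
        hkcu = body.endswith("(HKCU)")
        cols = [c.strip() for c in COLUMN_RE.split(body)]
        kind, _, name = cols[0].partition(": ")
        owner = cols[1] if section == "O23" and len(cols) >= 3 else ""
        path = cols[-1] if len(cols) > 1 else name
        path = path.replace("(file missing)", "").replace("(HKCU)", "").strip()
        guid = GUID_RE.search(body)
        entries.append(HjtEntry(section, kind, name, guid.group(0) if guid else "",
                                owner, path, file_missing, hkcu, line))
    return entries


def triage(entries: List[HjtEntry]) -> List[Tuple[str, str, str, str]]:
    """Return (section, name, action, reason) for entries worth attention.
    The rules are this example's heuristics, not HijackThis's own verdicts."""
    findings = []
    for e in entries:
        if e.file_missing:
            findings.append((e.section, e.name, "remove",
                             "registration points at a file that no longer exists"))
        elif e.section == "O23" and e.owner.lower() in ("", "unknown owner"):
            findings.append((e.section, e.name, "verify",
                             f"service binary {e.path} has no publisher; check signature/hash"))
        elif e.section == "O9" and e.hkcu and not e.path.lower().startswith(PROGRAM_DIRS):
            findings.append((e.section, e.name, "review",
                             f"per-user browser button outside Program Files: {e.path}"))
        elif e.section == "O16":
            findings.append((e.section, e.name, "review",
                             f"ActiveX control downloaded from {e.path}"))
    return findings


# Verbatim subset of the HijackThis log posted in the thread.
SAMPLE_LOG = r"""
O2 - BHO: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Programs\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Programs\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\BPGame.exe (file missing)
O9 - Extra button: Ruby Fortune Casino - A98B0756-FA1E-4C07-AF35-837C0ED4FE04 - C:\Microgaming\Casino\RubyFortune\Casinogame.exe (HKCU)
O9 - Extra button: 32Red Poker Room - {00000000-0000-0000-0000-000000000000} - C:\MicroGaming\Poker\32RedMPP\MPPoker.exe (file missing) (HKCU)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} (get_atlcom Class) - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: CopySafe Helper Service (CSHelper) - Unknown owner - C:\Windows\system32\CSHelper.exe
O23 - Service: Google Update Service (gupdate1c9d65dedab2a10) (gupdate1c9d65dedab2a10) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: lxct_device - - C:\Windows\system32\lxctcoms.exe
"""

if __name__ == "__main__":
    for section, name, action, reason in triage(parse_hjt(SAMPLE_LOG)):
        print(f"{action:7} {section:4} {name}: {reason}")
```

Run against the full log it reproduces dx's five O9 ticks (four as "remove", Ruby Fortune as "review") and additionally puts CSHelper.exe and lxctcoms.exe on a "verify" list: a service with no publisher is not evidence of infection, but on a machine that has just had a file infector it is the first place to check the binary's signature and hash before trusting it.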

Right then, maybe getting somewhere.

 

Adobe Reader = Sorted

NotePad = Sorted

WordPad = Sorted

Malware Bytes = Sorted

Avast Anti Virus = Sorted

 

There will probably be other applications affected but I will have to deal with them if and when.

 

 

The biggest Bugbear I am having is the fact that my system is still configuring 3 updates every time I shut down or re-boot. I manually installed 2 unimportant updates last night to see if that would help, but it

hasn't.

 

I can now use the User Account Control as normal also.

 

It just seems the Configuring Updates is the only problem (touch wood), but it is a pain.

 

I really appreciate everyone's help (especially dx and Locotus).;)

 

Thanks again:)

 

 


working..........

 

 

it will be a failed update; the previously downloaded file will now be corrupted by the virus as it was a running process and got infected.

 

try rebooting with the disc now and do what loco said.

 

dx


Tried that dx, typed in sfc /scannow, got this message:-

Windows resource protection could not perform the required operation.

 

Tried it again in Safe Mode, got this message:-

 

There is a system repair pending which requires reboot to complete. Restart Windows and run sfc again.

(also got this message in normal mode).

 

I have looked at windows installed updates, everything is up to date and it says every installed update was successful.

 

:confused:

 

 


I found a solution to the Vista Windows update error and have tried posting it to the thread. But twice it did not appear and since all I got was a blank page when I submitted the post, I figured something was wrong.

I am sure your readers would like to have this because it totally worked for me and was easy. Trust me, I have tried everything else short of re-installing Vista.

So here is the solution that worked:

1. Open the start menu.

2. Type “cmd” into the search and right click on “cmd.exe” and choose “Run as Administrator”

3. Type in “takeown /f C:\Windows\winsxs\pending.xml”

4. Type in “cacls C:\Windows\winsxs\pending.xml /G :F” Note: Your user name will display when you execute step three. (Don’t enter the ““)

5. Type in “del C:\Windows\winsxs\pending.xml”

6. Reboot

7. Download & install the Windows Update Agent.

32-bit Users Download it Here:

http://download.windowsupdate.com/v7/windowsupdate/redist/standalone/WindowsUpdateAgent30-x86.exe

64-bit Users Get it Here:

http://download.windowsupdate.com/v7/windowsupdate/redist/standalone/WindowsUpdateAgent30-x64.exe

8. Start Windows update

Since its been so long since I have been able to update, Windows Update had to

update first!

Credit where credit is due:

I found the solution here: http://forums.techarena.in/showthread.php?p=3050763

 

 

try that

 

dx


Sounds easy enough dx:confused:.

 

I'll get right on to it now. I'll get back to you when done (Pancake Tuesday):p

 

 



old post old link

 

have you got a pending.xml?

 

dx


I can get it to accept step 3, but only because I removed the space before .xml at the end.

 

I can't get it to accept step 4, there must be a spacing error, I will follow the link and double check.

 

 


poss

cacls C:\Windows\winsxs\pending.xml /G fredbloggs :F

 

at the C: prompt

 

type in cacls /?

 

that will give the format you should use on this command.

 

dx


I've tried all that. The problem is section 4. There is a space wrong or something. Did as you say and got a complete list of gobbledygook that I wouldn't understand in a million years.

 

Something about ACL's and SDDLS and stuff:confused:

 

 


ok i've looked

 

the line poss should read:

cacls C:\Windows\winsxs\pending.xml /G username:F

 

where username is an administrator.

 

just remember the forum software here will insert spaces to stop the code running here

dx


Right. Got the Del pending and then rebooted. Didn't notice any difference though. It still said configuring updates on shut down and reboot. I will now install from the link you gave me.:)

 

 


ok so does pending.xml still exist?

 

dx


just been going thru my last virus log book

 

this is the beasty you got BTW:

 

virut virus - Yahoo! Search Results

 

AVG do a removal tool that worked

called remvirut.exe

 

too late now

 

hope you get the updates sorted.

 

dx


ok so does pending.xml still exist?

 

dx

 

 

If I try repeating the process under Command Prompt, it won't let me. I believe that it still exists somewhere. I need to know how to get rid of the existing Windows Update Installer before I can start again with a new installation.

 

It's not the end of the world (I don't think) to have to put up with it configuring non existent updates all the time. I'm just worried that it won't install any future updates that may be important.

 

 

