#21
AVG won't connect to the internet... I use DSL, and the settings for the updater appear to work only with dialup?
I tried rebooting and scanning again... and the worms showed up on AdAware again. I've enclosed the following HJT log, but it doesn't appear (to me) to reveal anything. After this, when I tried running taskmgr.exe in Run, it again told me that the program is already running. I will download PrcViewer now, but I think it may solve the problem if I can just figure out how to update AVG.
#22
Ran PrcView, and here are the 'suspicious' processes running. (Suspicious = unfamiliar.)
cisvc, claiming to be a MS Corp. "content index service"
cidaemon, claiming to be a MS Corp. "Indexing Service filter daemon"
6 svchosts running; shouldn't there only be 3 or 4?
Windows and Symantec updates are both running... this seems odd to me.
That's all for now, thanks for recommending the program!
#23
The worm is in a process called winupdates...
I'm able to use taskmgr after I've killed it in Processes, but it reopens itself and I am again unable to open TM... any thoughts?
Last edited by Izopyn; 06-23-2005 at 10:30 PM.
#24
You should not be running two anti-virus programs. I'd favour AVG.
Turn System Restore off. Restart in Safe Mode. Run HJT and check the following in the box to their left:
O4 - HKLM\..\Run: [winupdates] C:\Program Files\winupdates\winupdates.exe /auto
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [sasktelinstall] D:\install\Xtras\OE_Patch.exe
O4 - HKLM\..\Run: [myNetWatchman] C:\Program Files\myNetWatchman\NWClient.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?link...67&clcid=0x409
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by13fd.bay13.hotmail.msn.com/...s/MsnPUpld.cab
O23 - Service: NTBOOTMGR (NTBOOT) - Unknown owner - C:\WINDOWS\SYSTEM\DRIVER\ntuser.exe
Delete (all files and folders):
C:\Program Files\winupdates
C:\WINDOWS\SYSTEM\DRIVER\ntuser.exe
Run Crap Cleaner & post new log. Turn on System Restore if all is clean.
#25
If I might recommend another program to try, it's called "autoruns" and you can get it from sysinternals: http://www.sysinternals.com/Utilities/Autoruns.html
Check in each tab for your suspicious entries (in Safe Mode) and remove them there. Or post here first. You can save a log by using the save button; it's not laid out very well, but post that here if you like. You can also check startups for each user account up in the menu.
Note that this program almost literally checks EVERY conceivable startup location. Places in the registry you would never know contain a startup. Far more places than adware progs and HijackThis check. So it's a good prog to run.
Speaking of user accounts, make sure you run your virus scanner, adware scanners, and HJT in EACH user account, in Safe Mode, as each account can have its own spyware and startups.
As for your AVG, you might read around this page: http://www.grisoft.com/doc/42/lng/us/tpl/tpl01 I think you may have a proxy set, or some other connection. Maybe you can change it by this info. Or maybe that will lead you somewhere. They also have instructions to manually update.
cheers
#26
Cannot delete ntuser, access is denied... any way around it?
#27
You need to stop the service first. If you can now use taskmgr you can stop it there. If not, in the 'Run' box type services.msc. Stop the service and set it to Disabled. You should then be able to delete it with HJT.
#28
Ok, ntuser is taken care of. Thanks.
Now, I've just realized that I can't run regedit... is this likely connected? Error message:
C:\WINDOWS\system32\regedit.com
C:\WINDOWS\SYSTEM32\AUTOEXEC.NET. The system file is not suitable for running MS-DOS and Microsoft Windows applications. Choose 'Close' to terminate the application.
Last edited by Izopyn; 06-24-2005 at 10:54 PM.
#29
Yes, this is connected.
Regedit.com is not a valid Windows application. If you click Start, Run and type regedit.exe, it should work. The reason you get the error message when you just type regedit is that Windows looks for the first instance of regedit, in this case regedit.com. If you can get the regedit programme to work, once you have finished, post a fresh HJT log.
Regards Howard
#30
Tried it, no dice.
Exact same error message from trying to run regedit.exe. Also tried going into system32 and running regedit.exe directly from the folder, but received the same error message again.
#31
I was just looking at your last HJT log, and noticed a few entries that need fixing.
O4 - HKLM\..\Run: [winupdates] C:\Program Files\winupdates\winupdates.exe /auto
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by13fd.bay13.hotmail.msn.com/resources/MsnPUpld.cab
O23 - Service: NTBOOTMGR (NTBOOT) - Unknown owner - C:\WINDOWS\SYSTEM\DRIVER\ntuser.exe (file missing)
Try fixing those and see if that helps.
Regards Howard
#32
Ok, I fixed those three entries... but still no regedit.
Though, taskmgr has been working fine since I deleted winupdates.exe. I've now noticed a suspicious process simply called System on taskmgr. Also, regedit.exe would not work in Safe Mode either.
#33
Please post a fresh HJT log.
The process you refer to is valid if it's under the image name and user name, both of which should be called System. I have it on my computer and it uses approx 240k.
Regards Howard
#34
It's just that I don't recognize it... and I have a pretty good memory. It uses 44k, and I'd bet $10 that it wasn't on there before my problems began. So I'm about 60% sure that it's fishy.
I tried downloading RegistryFix, and noticed that every time it fixed something, regedit started to flip out and hit me with a bunch of error windows. RF detected 460 problems with the registry. I've enclosed a new HJT log; after the scan I removed the Windows Genuine-thingy and the MSN photo upload, and I tried 3 times to remove the NTBootmgr one, but no dice on that.
#35
You still have the winupdates.exe infection:
O4 - HKLM\..\Run: [winupdates] C:\Program Files\winupdates\winupdates.exe /auto
Go to http://www.mountainwave.com/avcenter/venc/data/pf/w32.hllw.gaobot.bc.html for removal instructions. Once you've got rid of that, post another HJT log.
Regards Howard
#36
I see you guys have been busy!
My post is only about WINUPDATES; the rest are unnecessary cosmetics that waste CPU time.
Boot in Safe Mode. Make sure you can see ALL hidden and system files! Switch System Restore OFF.
Press Ctrl/Alt/Del simultaneously, select Task Manager/Processes, select the process (if there) and click "End Process" for:
winupdates.exe
UpdReg.EXE
realsched.exe
jusched.exe
qttask.exe
diagent.exe
Next, UNinstall (not delete yet) anything to do with: C:\Program Files\winupdates\winupdates.exe
Check Control Panel/Add-Remove Programs, or if there is an uninstall in the Programs list.
Next, run a HJT scan and place a tick-mark in the little square before (if still there):
...........................................................................
O4 - HKLM\..\Run: [winupdates] C:\Program Files\winupdates\winupdates.exe /auto
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?link...67&clcid=0x409
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by13fd.bay13.hotmail.msn.com/...s/MsnPUpld.cab
O23 - Service: NTBOOTMGR (NTBOOT) - Unknown owner - C:\WINDOWS\SYSTEM\DRIVER\ntuser.exe (file missing)
...........................................................................
Now click on the Fix Checked button in HJT.
When done, from between the dotted lines, delete the two highlighted bold directories with everything in them, including the directory itself (if you can find them).
Delete all entries from your Prefetch area (I am not familiar with XP, so don't know exactly how).
Delete all files and directories from: C:\Documents and Settings\[username]\Local Settings\Temp
Repeat this for ALL [usernames].
Boot normal. When all OK, switch System Restore back on.
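As an added illustration, not code posted by anyone in this thread, the Python below parses HijackThis O4 (Run key) and O23 (service) lines of the kind quoted in this reply and the earlier ones, and flags exactly what the replies single out: the winupdates startup entry, and a service with an unknown owner whose binary is missing. The sample log is constructed from lines quoted in the thread, and the BAD_STARTUP_NAMES indicator list is an assumption.

```python
import re

SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [winupdates] C:\Program Files\winupdates\winupdates.exe /auto
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O23 - Service: NTBOOTMGR (NTBOOT) - Unknown owner - C:\WINDOWS\SYSTEM\DRIVER\ntuser.exe (file missing)
""".strip()  # constructed sample: HJT lines quoted in this thread

O4_RE = re.compile(r"^O4 - (?P<key>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<display>.+?) \((?P<short>[^)]*)\) - (?P<owner>.+?) - (?P<path>.+)$")
EXE_RE = re.compile(r'^"?(?P<exe>.+?\.exe)"?\s*(?P<args>.*)$', re.IGNORECASE)
# Assumed indicator list: the startup name the thread identifies as the worm.
BAD_STARTUP_NAMES = {"winupdates"}

def parse_line(line):
    """Parse an O4 (Run key) or O23 (service) line; other HJT types return None."""
    m = O4_RE.match(line)
    if m:
        exe = EXE_RE.match(m["cmd"])  # strip quotes and arguments from the command
        return {"kind": "O4", "key": m["key"], "name": m["name"],
                "exe": exe["exe"] if exe else m["cmd"]}
    m = O23_RE.match(line)
    if m:
        path = m["path"]
        return {"kind": "O23", "name": m["display"], "owner": m["owner"],
                "exe": path.replace("(file missing)", "").strip(),
                "missing": path.endswith("(file missing)")}
    return None

def reasons_for(entry):
    """Defender heuristics taken from the thread's advice; empty list means nothing to flag."""
    reasons = []
    if entry["kind"] == "O4" and entry["name"].lower() in BAD_STARTUP_NAMES:
        reasons.append("startup name matches the infection named in the thread")
    if entry["kind"] == "O23" and entry["owner"] == "Unknown owner":
        reasons.append("service has no known owner")
    if entry.get("missing"):
        reasons.append("service binary is missing (orphaned registration)")
    return reasons

def triage(log_text):
    """Return [(entry, reasons)] for every parsed line that trips a heuristic."""
    parsed = [parse_line(raw.strip()) for raw in log_text.splitlines()]
    return [(e, reasons_for(e)) for e in parsed if e and reasons_for(e)]

if __name__ == "__main__":
    for entry, why in triage(SAMPLE_LOG):
        print(entry["kind"], entry["name"], entry["exe"], "->", "; ".join(why))
```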
#37
You get into the Prefetch folder by opening My Computer and clicking on your C drive, then the Windows folder, then the Prefetch folder.
Regards Howard
#38
If you still get an error about autoexec.nt, that is not going to fix itself. Again, this "problem" is an "effect", not a "cause". But you can fix the autoexec.nt, and also likely config.nt, by actually creating these files in your system32 folder.
Create a new file called "autoexec.nt" in the system32 folder. Put this in it and save it:
@echo off
lh %SystemRoot%\system32\mscdexnt.exe
lh %SystemRoot%\system32\redir
lh %SystemRoot%\system32\dosx
Once that is done, create another file and call it "config.nt" and put this in it:
dos=high, umb
device=%SystemRoot%\system32\himem.sys
files=40
Then save. If these files already exist, just check them to make sure they only say something to this effect. Also note that it is your virus problem that is likely killing these *.NT files, so you may have to create them again if you restart.
Once those files are created, try your regedit again. You shouldn't have to do anything except click Start-Run and type "regedit" and go.
Also guys, it doesn't matter AT ALL if regedit has an EXE extension or a COM extension, as long as it's the real, non-infected file. I know this because I get PCs sometimes with EXE file associations messed up. I just rename regedit.exe to regedit.com and it opens fine so I can fix the EXE association. Then rename it back again.
Izopyn, please just stay in Safe Mode with Networking (assuming XP). If you restart before it's clean, you WILL be reinfected upon startup until those startups, AND files, are gone for good.
Please run the autoruns program and tell us what is in the various tabs. I suspect you have a WininitDLLs or Notify entry that is reinfecting you with winupdates. Possibly a service as well, which autoruns also lists. We may have to employ more tools than just HJT, as the virus obviously puts itself back in immediately after killing the entries.
One thing I will say is that the virus, or whatever it is, is likely attached to explorer itself. To check that theory, while in Safe Mode, open up Task Manager (ctrl-alt-del) and CLOSE "explorer" and anything that says "explorer" in the name. This will make your icons and start bar and all disappear. Now, with Task Manager still open, close your "bad" processes. Right-click the name and select "End Process Tree".
Once your bad entries are gone, and they are NOT spawning back in, click "File-New Task" and browse to your HijackThis program and open it. Do a scan and remove all the sticky ones again. Scan again and make sure they stay gone. Then do New Task again and run the "autoruns" program I told you about. Remove the bad service or whatever is causing this, possibly in the "Notify" registry key.
Once those startups are removed, and STAY removed, click New Task again and run "explorer". This will bring back your icons and start bar. Continue to watch the Task Manager and make sure your bad processes don't come back. Watch HJT and make sure those don't come back.
Next, search for any noted "bad" files and delete the files. Go into your System32 folder. Click View-Details, then click to sort by date. Look for any files that were created TODAY, as in, the day you are looking. If they look funky, delete them. There really shouldn't be any brand new files in this folder (except autoexec.nt and config.nt that you made earlier).
Now that the startups are gone, the HJT entries are gone, and the files are gone, you may want to run a better registry cleaner. I suggest downloading RegSupreme 1.3 from http://www.macecraft.com/downloads/ Install that and open it. Click OK to optimize the registry. Then do a Normal scan. Clean all it finds. The purpose of this scan is that, if the files on your hard drive are deleted, ANY entries in the registry that still point to them will be found and removed because the file is missing. Doing a registry scan like this will remove entries of missing files. That's the most important. If you like, once it finishes scanning, look through the "Problem" column for anything that says such and such file is missing. Look at those file names; you may see your bad files in there. So clean all it finds. Once you've run all this stuff, check them all AGAIN to make sure it's still gone.
If the bad process starts up again, you may have to start over. It is important to do everything in the right order. The processes MUST be closed before removing startups or the entries will be put back in. You MUST delete files before cleaning the registry or the entries in the registry will still be there. Etc...
I hope this isn't information overload, but this is going in circles: you remove it, it comes right back. Time for some higher-caliber guns. Hope you can get rid of it!
#39
Alright, I have this same exact virus from LimeWire. I posted a thread about this earlier today. I was given a way to open up my task manager; let's see if it works for you.
Boot in Safe Mode, click Start/Run and type services.msc and click OK. Look for the service: dlbtcoms.exe Double-click it, click Stop if it's running, and change the Startup type to Disabled. This allowed mine to work, but this same virus is based off of the W32.PicrateA@mm virus.
#40
hmmm... okay, I'd already deleted winupdates before you posted, RBS (unrelated: I share your love, I'm getting the harp tattooed on my chest this July), but it isn't showing up on HJT anymore, so huzzah.
Also got rid of everything except the NTBOOTMGR because HJT just doesn't seem to be able to delete that mother. I found that I was able to open regedit.exe by opening it from the WINDOWS folder, and in there I manually deleted all the crap that looked out of place (Viewpoint, MediaAccess, etc.). I did all this yesterday; I'll probably wait until tomorrow to get back at 'er as all this teching has seriously exhausted the generally unused left side of my brain. Can't wait for my mandatory computer science classes next semester! Thanks for all your help, everyone, it's inspiring to see that for all the douchebags out there that use their tech-power to cause grief for others, there are also those that use it for good. I'll update tomorrow, toodles!