Solved
Hijacked and can't update Defender,no auto Windows update, no manual WIn update, abcdepage.com

Posted on 2008-11-12
1,137 Views
Last Modified: 2013-12-09
Hi folks... I need help. I'm new here. I've been working on a friend's computer. If I don't include the HijackThis log in this message, I will in the next. He had Avast and Defender running (as I am told). He kept getting popups, or actually redirections opening up a browser window to random URLs. It seems the URL is something like abcdepage.com.

I found that MS Updates would not work; Automatic Updates was disabled and I couldn't enable it (it gave an error). Ditto the Defender update.

I updated Avast and ran it as a scheduled boot-time scan. It found numerous viruses and I had them moved to the chest. The ones that I made note of were Fabot, SmithFraud, Virtumonde and Fasec. Maybe I wrote this last one down wrong, since I couldn't find anything on Google. However, it said kdusk.exe was infected and was in the /system32 directory. This one reappeared in a subsequent scan.

I then ran Spybot, removed a number of spyware items, and then did the same in Safe Mode. I then ran SUPERAntiSpyware, and I think it found Vundo and claimed to have removed it.

I still had the same problems: the MS Automatic Updates wouldn't turn on, and I got an error (and followed the instructions to fix the error, which didn't work) when I manually went to the MS Windows Update site. Same thing again with Defender; I even deleted Defender and reinstalled it. It would not update... and gave an error.

I don't know how important this is, but it also hangs when shutting down with the file sprtcmd.exe (I really thought I disabled this at one point in msconfig startup).

I decided to install Firefox. This really puzzled me, as it gets hijacked too, like IE.

Some things won't stay set in IE, such as allow or don't allow all cookies. It seems to set back to allow all.

Also, it seems the desktop refreshes a lot... sometimes when I run Avast, it runs through its memory check and then, instead of running, I have to click on it again. I think Avast and Defender both have to be run twice before the main screen comes up.

Any help would be much appreciated. Also, if you could give me as much in advance as you can, it would be most helpful, since my friend lives about an hour away and expects that if I can't get it fixed in a couple of hours, we just reinstall Windows. I would like to make some headway on the next visit so we don't go down that path of reinstalling Windows (and ALL the numerous things of "gee... you mean we have to reinstall that too?" and "where is my such-and-such game?").

Thanks for looking... here is the HijackThis file:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:50:31 PM, on 11/11/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal
 
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\vVX3000.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Siemens\SpeedStream Wireless USB\SSUSBCfg.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
 
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=4080126
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=4080126
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [Tracker] C:\Program Files\MySoftware\MyInvoices\tracker.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [LifeCam] "C:\Program Files\Microsoft LifeCam\LifeExp.exe"
O4 - HKLM\..\Run: [VX3000] C:\WINDOWS\vVX3000.exe
O4 - HKLM\..\Run: [94de8ade] rundll32.exe "C:\WINDOWS\system32\wduvmpsr.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Siemens SpeedStream Wireless USB.lnk = C:\Program Files\Siemens\SpeedStream Wireless USB\SSUSBCfg.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{1CF7F17D-B228-4CCB-B0ED-509891BC5A72}: NameServer = 208.67.220.220,208.67.222.222 
O17 - HKLM\System\CCS\Services\Tcpip\..\{55E53D4A-B002-4E62-9F2A-35307E927156}: NameServer = 208.67.220.220,208.67.222.222 
O17 - HKLM\System\CS1\Services\Tcpip\..\{1CF7F17D-B228-4CCB-B0ED-509891BC5A72}: NameServer = 208.67.220.220,208.67.222.222 
O17 - HKLM\System\CS2\Services\Tcpip\..\{1CF7F17D-B228-4CCB-B0ED-509891BC5A72}: NameServer = 208.67.220.220,208.67.222.222 
O20 - AppInit_DLLs: znrssf.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
 
--
End of file - 7830 bytes

Question by:AnselAdams
10 Comments
 
LVL 59

Accepted Solution

by:
LeeTutor earned 1200 total points
ID: 22941641
I analyzed the HijackThis log at the following site, and no errors were found:

http://www.hijackthis.de/index.php?langselect=english

One of the best free products for getting rid of malware is this:

http://www.malwarebytes.org/mbam.php
 

Author Comment

by:AnselAdams
ID: 22941853
Thanks for the links. I don't know what it could be. Maybe it's some of the add-ons. I hate to think that I will have to reinstall Windows to make this browser behave right. I would really like to know what is causing it. Of course he keeps asking me why he got the viruses when he had Avast and Defender running.
 
LVL 59

Assisted Solution

by:LeeTutor
LeeTutor earned 1200 total points
ID: 22941900
As you say:  It could be an add-on that is messing things up.  Have you tried it with Internet Explorer (No Add-ons), which you will find on your Start Menu under All Programs -> Accessories -> System Tools.  If this works, then you can troubleshoot your normal IE connections by selecting Tools menu -> Manage Add-ons -> Enable or disable Add-ons.
 
LVL 50

Assisted Solution

by:jcimarron
jcimarron earned 300 total points
ID: 22941929
AnselAdams--With respect to LeeTutor, the following look suspicious to me:
O4 - HKLM\..\Run: [94de8ade] rundll32.exe "C:\WINDOWS\system32\wduvmpsr.dll",b
O20 - AppInit_DLLs: znrssf.dll
I cannot find information on them. Unless others feel otherwise, I would have HJT fix them.
If that does not fix the problems, by all means run Malwarebytes.
Specific to the problems with being hijacked, in IE click Tools|Internet Explorer|General tab. What do you see in the Home Page line? Unless that is yahoo.com, change it to a webpage you prefer. Close IE. What happens the next time you open IE? If still a problem, I think I would delete the two R0 entries that HijackThis has found. Then go through the procedure to set the Home Page again.
And if all that does not fix things, I think you should consider a Repair Install of Windows--assuming your friend has the Windows CD. There are still so many problems.
http://www.michaelstevenstech.com/XPrepairinstall.htm
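The two entries jcimarron picks out of the posted log are the textbook Vundo/Virtumonde footprint: a Run key whose name is a random hex string, a rundll32 command loading a DLL with a random letters-only name from system32, and an AppInit_DLLs value (a DLL listed there is loaded into every process that maps user32.dll, which is how a hijacker reaches both IE and Firefox). The script below is an added example, not code from the original thread or from HijackThis. It walks a HijackThis-format log and flags exactly those patterns plus the O17 NameServer lines, so a reviewer does not have to eyeball 120 lines. The sample input is constructed from the relevant lines of the log posted in the question; the vowel-ratio test for "random-looking" names and the hex-name rule are heuristics of this example (they will produce some false positives, so every hit still needs a manual check: web search, file signature, file date). The 208.67.220.220 / 208.67.222.222 resolvers in this particular log are OpenDNS, so the O17 lines are reported for review rather than flagged.

```python
import re

# Constructed sample: relevant lines copied from the HijackThis log in the question.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [VX3000] C:\WINDOWS\vVX3000.exe
O4 - HKLM\..\Run: [94de8ade] rundll32.exe "C:\WINDOWS\system32\wduvmpsr.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{1CF7F17D-B228-4CCB-B0ED-509891BC5A72}: NameServer = 208.67.220.220,208.67.222.222
O20 - AppInit_DLLs: znrssf.dll
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""

# O4 autostart entry: hive, key name in [brackets], command line.
RUN_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# Key names like 94de8ade: only hex digits, no readable product name.
HEX_NAME_RE = re.compile(r"^[0-9a-fA-F]{6,}$")
# rundll32 loading a DLL, quoted or not; stops at the ",entrypoint" suffix.
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<path>[^",]+?\.dll)"?', re.IGNORECASE)
APPINIT_RE = re.compile(r"^O20 - AppInit_DLLs: (?P<dlls>.+)$")
DNS_RE = re.compile(r"^O17 - .*NameServer = (?P<servers>.+)$")

VOWELS = set("aeiouy")


def dll_stem(path: str) -> str:
    """'C:\\WINDOWS\\system32\\wduvmpsr.dll' -> 'wduvmpsr'."""
    base = path.replace("/", "\\").rsplit("\\", 1)[-1]
    return base.rsplit(".", 1)[0]


def looks_random(stem: str) -> bool:
    """Heuristic (assumption of this example): an all-letter name of 6+ chars
    with fewer than 25% vowels (wduvmpsr, znrssf) resembles a generated name.
    Legitimate names can trip this too, so hits are leads, not verdicts."""
    s = stem.lower()
    if not s.isalpha() or len(s) < 6:
        return False
    return sum(ch in VOWELS for ch in s) / len(s) < 0.25


def triage(log_text: str) -> list:
    """Return one finding per suspicious line: {'level', 'reasons', 'line'}."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        reasons, level = [], None

        run = RUN_RE.match(line)
        if run:
            if HEX_NAME_RE.match(run["name"]):
                reasons.append("Run key with a random hex name")
            dll = RUNDLL_RE.search(run["cmd"])
            if dll and looks_random(dll_stem(dll["path"])):
                reasons.append("rundll32 loading a random-named DLL: " + dll["path"])
            if reasons:
                level = "high"

        appinit = APPINIT_RE.match(line)
        if appinit:
            dlls = [d for d in re.split(r"[ ,;]+", appinit["dlls"]) if d]
            reasons.append("AppInit_DLLs set (%s): loaded into every process that maps user32.dll"
                           % ", ".join(dlls))
            level = "high"

        dns = DNS_RE.match(line)
        if dns:
            reasons.append("static DNS servers %s: confirm they are ones you or the ISP chose"
                           % dns["servers"].strip())
            level = "info"

        if reasons:
            findings.append({"level": level, "reasons": reasons, "line": line})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print("[%s] %s" % (f["level"].upper(), f["line"]))
        for r in f["reasons"]:
            print("        - " + r)
```

Run against the full log, the only HIGH findings are the two lines jcimarron named; everything the legitimate software (Avast, ATI, Roxio, Dell Support Center) registers passes because it has a readable key name and is not loaded through rundll32. Note that an automated "no errors found" from a signature-based log analyzer is exactly what random-named droppers are built to get, which is why the pattern check is worth keeping beside the lookup.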
 

Author Comment

by:AnselAdams
ID: 22941959
Good point, LeeTutor! I will try that. I don't know what may be in the API, but I had the same problem with Firefox, so I was thinking it was OS related.

One thing that I am wondering is that I think I've seen this abcdepage.com before on another computer.... it takes the form of http://abcdepage.com/a-bunch-of-stuff-here/andsuch
 

Author Comment

by:AnselAdams
ID: 22942055
Thanks, jcimarron!

The redirect doesn't happen when the browser is first loaded... it happens usually after you go to Google, do a search, and then the browser opens without some of the bars at the top... and the tabs are gone.

I know that is a red flag, but I concentrated on trying to get MS updates to work and it would consistently fail... where the popups seemed very random. I also fiddled with Defender getting updates, which always failed.
 

Author Comment

by:AnselAdams
ID: 22942094
I've been up all night installing a network in a commercial building, so after my 8 or 10 hours of sleep, I will check back.

Thank you guys for all your help. Once I get some sleep I'll have some questions about access points; I'll ask in another thread/topic.
 
LVL 59

Assisted Solution

by:LeeTutor
LeeTutor earned 1200 total points
ID: 22942180
For the windows update problem, a few pages to look at:

http://www.pctipsbox.com/cannot-update-windows-using-windowsupdate/

http://forums.techguy.org/malware-removal-hijackthis-logs/515831-solved-cannot-update-windows.html

A similar, still currently open E-E question. Particularly look at Phototropic's advice:

http://www.experts-exchange.com/Virus_and_Spyware/Anti-Virus/Desktop_Anti-Virus/Q_23896683.html
Cannot update Windows, Virus or Spyware Protection after removing AntiVirus 2009
 
LVL 50

Assisted Solution

by:jcimarron
jcimarron earned 300 total points
ID: 22944083
AnselAdams--I know you are hoping not to have to reinstall Windows. Remember that the Repair Install should not affect personal data, though you could back that up just in case.
BTW--sprtcmd.exe is part of the Dell Support software. If it is not being used, you can uninstall it from Add/Remove.
 

Author Closing Comment

by:AnselAdams
ID: 31516013
I had my friend install and run Malwarebytes. It found around 20 objects. His computer will now not boot, but I wasn't there to see what he did. I will go over tonight and reinstall or fix Windows. Thanks for all the help. I will put Malwarebytes in my bag of tricks, as it seemed to find more problems even in the fast mode than the others.
