Hijacked and can't update Defender, no auto Windows update, no manual Win update,

Posted on 2008-11-12
Last Modified: 2013-12-09
Hi Folks... I need help. I'm new here. I've been working on a friend's computer. If I don't include the hijackthis on this message, I will on the next. He had Avast and Defender running (as I am told). He kept getting popups or actually redirections opening up a browser window to random URLs. It seems the url is something like

I found that MS Updates would not work and the automatic update was disabled and I couldn't enable it (gave an error). Ditto Defender update.

I updated and ran Avast in the scheduled boot-time scan. It found numerous viruses and I had them moved to the chest. The ones that I made note of were Fabot, SmithFraud, Virtumonde and Fasec. Maybe this last one I wrote down wrong since I couldn't find anything on Google. However, it said kdusk.exe was infected and was in the /system32 directory. This one reappeared in a subsequent scan.

I then ran Spybot, removed a number of spyware and then did the same in safe mode. I then ran SuperAntiSpyware, and I think it found Vundo and claimed to have removed it.

I still had the same problems as far as the MS auto update wouldn't turn on; I got an error (and followed instructions to fix the error, which didn't work) when I manually went to the MS Windows update site. Same thing again with Defender, and I even deleted Defender and reinstalled. It would not update... and gave an error.

I don't know how important this is but it also hangs when shutting down with the file sprtcmd.exe (I really thought I disabled this at one point in msconfig startup).

I decided to install Firefox. This really puzzled me as it gets hijacked too, like IE.

Some things won't stay set in IE, such as allow or don't allow all cookies. Seems to set back to allow all.

Also, it seems the desktop refreshes a lot... sometimes when I run Avast, it runs through its memory check and then instead of running I have to click on it again. I think Avast and Defender both have to run twice before the main screen comes up.

Any help would be much appreciated. Also if you could give me as much in advance as you can, it would be most helpful since my friend lives about an hour away and expects if I can't get it fixed in a couple of hours, then just reinstall Windows. I would like to make some headway in the next visit so we don't go down that path of reinstalling Windows (and ALL the numerous things of, gee... you mean we have to reinstall that too and the, where is my such and such game?).

Thanks for looking... here is the hijack file:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 10:50:31 PM, on 11/11/2008

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16735)

Boot mode: Normal

Running processes:








C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\Program Files\Alwil Software\Avast4\ashServ.exe




C:\Program Files\Microsoft LifeCam\MSCamS32.exe


C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE

C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe

C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe

C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe

C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe


C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe

C:\Program Files\Dell Support Center\bin\sprtcmd.exe

C:\Program Files\Dell Support Center\bin\sprtsvc.exe





C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

C:\Program Files\Digital Line Detect\DLG.exe

C:\Program Files\Siemens\SpeedStream Wireless USB\SSUSBCfg.exe

C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

C:\Program Files\Alwil Software\Avast4\ashWebSv.exe


C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe

C:\Program Files\ATI Technologies\ATI.ACE\cli.exe


C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =

R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL =

O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"


O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup

O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"

O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe"

O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"

O4 - HKLM\..\Run: [Tracker] C:\Program Files\MySoftware\MyInvoices\tracker.exe

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter

O4 - HKLM\..\Run: [LifeCam] "C:\Program Files\Microsoft LifeCam\LifeExp.exe"

O4 - HKLM\..\Run: [VX3000] C:\WINDOWS\vVX3000.exe

O4 - HKLM\..\Run: [94de8ade] rundll32.exe "C:\WINDOWS\system32\wduvmpsr.dll",b

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter

O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')

O4 - Global Startup: Digital Line Detect.lnk = ?

O4 - Global Startup: Siemens SpeedStream Wireless USB.lnk = C:\Program Files\Siemens\SpeedStream Wireless USB\SSUSBCfg.exe

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra button: - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O17 - HKLM\System\CCS\Services\Tcpip\..\{1CF7F17D-B228-4CCB-B0ED-509891BC5A72}: NameServer =, 

O17 - HKLM\System\CCS\Services\Tcpip\..\{55E53D4A-B002-4E62-9F2A-35307E927156}: NameServer =, 

O17 - HKLM\System\CS1\Services\Tcpip\..\{1CF7F17D-B228-4CCB-B0ED-509891BC5A72}: NameServer =, 

O17 - HKLM\System\CS2\Services\Tcpip\..\{1CF7F17D-B228-4CCB-B0ED-509891BC5A72}: NameServer =, 

O20 - AppInit_DLLs: znrssf.dll

O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe

O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe

O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe

O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe


End of file - 7830 bytes


Question by:AnselAdams
    LVL 59

    Accepted Solution

    I analyzed the HijackThis log at the following site, and no errors were found:

    One of the best free products for getting rid of malware is this:

    Author Comment

    Thanks for the links. I don't know what it could be. Maybe it's some of the addons. I hate to think that I will have to reinstall WIN to make this browser behave right. I would really like to know what is causing it. Of course he keeps asking me why he got the viruses when he had Avast and Defender running.
    LVL 59

    Assisted Solution

    As you say: It could be an add-on that is messing things up. Have you tried it with Internet Explorer (No Add-ons), which you will find on your Start Menu under All Programs -> Accessories -> System Tools? If this works, then you can troubleshoot your normal IE connections by selecting Tools menu -> Manage Add-ons -> Enable or disable Add-ons.
    LVL 50

    Assisted Solution

    AnselAdams--With respect to Lee Tutor, the following look suspicious to me:
    O4 - HKLM\..\Run: [94de8ade] rundll32.exe "C:\WINDOWS\system32\wduvmpsr.dll",b
    O20 - AppInit_DLLs: znrssf.dll
    I cannot find information on them.  Unless others feel otherwise, I would have HJT fix them.
    If that does not fix the problems,  by all means run Malwarebytes.
    Specific to the problems with being hijacked, in IE click Tools|Internet Explorer|General tab.  What do you see in the Home Page line?  Unless that is, change it to a webpage you prefer.  Close IE.  What happens the next time you open IE?  If still a problem, I think I would delete the two R0 entries that HiJackThis has found.  Then go through the procedure to set Home Page again.
    And if all that does not fix things I think you should consider a Repair Install of Windows--assuming your friend has the Windows CD.  There are still so many problems.
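
A small triage script for the two kinds of entry singled out in the comment above: an O4 Run value that starts a DLL through rundll32, and a non-empty O20 AppInit_DLLs value. This is an added example, not part of the original thread or of HijackThis; the log lines are copied from the question, and the heuristics and the function name `triage` are assumptions that only mark entries for manual review.

```python
import re

# Subset of the HijackThis log posted in the question above.
SAMPLE_LOG = r'''
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [VX3000] C:\WINDOWS\vVX3000.exe
O4 - HKLM\..\Run: [94de8ade] rundll32.exe "C:\WINDOWS\system32\wduvmpsr.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - AppInit_DLLs: znrssf.dll
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
'''

# O4 = autostart entries; O20 = AppInit_DLLs (HijackThis section codes).
RUN_RE = re.compile(r'^O4 - (?P<hive>\S+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$')
APPINIT_RE = re.compile(r'^O20 - AppInit_DLLs:\s*(?P<dlls>.*)$')
RUNDLL_RE = re.compile(r'^"?(?:\S*\\)?rundll32(?:\.exe)?"?\s+"?(?P<dll>[^",]+)"?,', re.I)
HEX_NAME_RE = re.compile(r'^[0-9a-f]{8}$', re.I)  # assumed heuristic: generated-looking name


def triage(log_text):
    """Return (section, target, reasons) tuples for entries worth a manual look."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        run = RUN_RE.match(line)
        if run:
            reasons = []
            dll = RUNDLL_RE.match(run['cmd'])
            if dll:
                reasons.append('autostart loads a DLL through rundll32')
            if HEX_NAME_RE.match(run['name']):
                reasons.append('value name is 8 hex characters')
            if reasons:
                findings.append(('O4', dll['dll'] if dll else run['cmd'], reasons))
            continue
        appinit = APPINIT_RE.match(line)
        if appinit:
            # Every DLL listed here is loaded into each process that loads user32.dll.
            for name in re.split(r'[,\s]+', appinit['dlls'].strip()):
                if name:
                    findings.append(('O20', name, ['listed in AppInit_DLLs']))
    return findings


if __name__ == '__main__':
    for section, target, reasons in triage(SAMPLE_LOG):
        print(section, target, '; '.join(reasons))
```

A flagged entry is a prompt to check the file's publisher, timestamps and hash before removing anything; legitimate software also uses rundll32 autostarts.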

    Author Comment

    Good point LeeTutor! I will try that. I don't know what may be in the API, but I had the same problem with Firefox, so I was thinking it was OS related.

    One thing that I am wondering is that I think I've seen this before on another computer.... it takes the form of

    Author Comment

    Thanks jcimarron!

    The redirect doesn't happen when the browser is first loaded... it happens usually after you go to google, do a search, and then the browser opens without some of the bars at the top... and the tabs are gone.

    I know that is a red flag but I concentrated on trying to get MS updates to work and it would consistently fail... where the popups seemed very random. Also fiddled with Defender getting updates, which always failed.

    Author Comment

    I've been up all night installing a network in a commercial building so after my 8 or 10 hrs sleep, I will check back.

    Thanks, you guys, for all your help. Once I get some sleep I'll have some questions about access points; I'll ask in another thread/topic.
    LVL 59

    Assisted Solution

    For the windows update problem, a few pages to look at:

    A still currently open E-E similar question.  Particularly look at  Phototropic's advice:
    Cannot update Windows, Virus or Spyware Protection after removing AntiVirus 2009
    LVL 50

    Assisted Solution

    AnselAdams--I know you are hoping not to have to reinstall Windows. Remember that the Repair Install should not affect personal data, though you could back that up just in case.
    BTW--sprtcmd.exe is part of the Dell Support software.  If it is not being used, you can uninstall from Add/Remove.

    Author Closing Comment

    I had my friend install Malwarebytes and run it. It found around 20 objects. His computer will now not boot, but I wasn't there to see what he did. I will go over tonight and reinstall or fix win. Thanks for all the help. I will put Malwarebytes in my bag of tricks as it seemed to find more problems even in the fast mode than the others.
