pc problems

[Filip.dahlberg]

Hello everyone at Computer Hope.

I have been having some computer problems of late, i do believe it started a month ago or so with some thing called: packed.generic.200 or something like that and also some other smaller problems that i dont quite remember one might have been vundo at some point and other trojans i thought my antivirus at the time(fsecure) had taken care of it, however my license ended the other day and now ive got all kinds of problems, ive attempted to remove fsecure and have installed one of the free antiviruses which are recommended on this site (clamwin i believe its called)

ive been using Super anti spyware, malwarebytes and hijackthis previously and have had them installed on the computer along with spybot search and destroy, ccleaner also uniblues `speed up my pc` and `registry booster` all to try and keep my pc running well. However now its not going so well anymore.

Im not sure what the exact problem is i have followed the instructions provided on the post:
http://www.computerhope.com/forum/index.php/topic,46313.0.html

The only found `threat`from the scans is:Rootkit.Mailer/Gen which i have no clue what it is but its currently quarantined by super antispyware

Problems im currently experiencing: Websites not loading/no response at all(using firefox), system reboots for no apparent reason, program crashes also for no reason at unpredictable times, programs not starting...

and i have attached the three logs from: super antispyware, malwarebytes and hijackthis.

Ive also done a `dxdiag-log` if you require information about my system and can post this later if need be.

Thanks in advance for the work you do.

/Filip



[attachment deleted by admin]

[Mulreay]

I'm no expert mate but have you tried using a pay for system protect like Norton? The ones you pay for tend to sort out a few problems that others wont. Some viruses can be nearly impossible to remove but it just sounds like you need to pull the wallet out and get a proper anti-virus etc software. Someone will come back with a free programme but I find Norton top dollar. Like I say no expert but put a price on your system.

[evilfantasy]

it just sounds like you need to pull the wallet out and get a proper anti-virus etc software.

No offense but that is just not true. I use only free antivirus, firewall and other security software. User error is what gets you infected.

Download the Norton Removal Tool (SymNRT) to your Desktop.

Once downloaded please close ALL open browsers, also save any work because this may require a restart.

• Go to your desktop and double click on the removal tool and then click Setup.
  
• Once open Click Next
  
• Accept the license agreement and click Next
  
• Type in the letters/numbers that you see into the text box then click Next.
  
• Then click Next and the tool will start running.
  
• Once finished restart the PC.
• Delete Nortonremoval tool from your Desktop.

.
----------

There is still some F-Secure antivirus to remove.

To remove the rest of F-Secure go here http://support.f-secure.com/enu/corporate/downloads/removeav.shtml

----------

I suggest uninstalling ClamWin and using another free antivirus. ClamWin does not offer real-time blocking so you are open to a malware attack.

Personally I use and recommend Avast. It's free and very good.

Remember to only install one antivirus!
 
1) Avast! Home Free Edition
2) AVG Free Edition
3) Avira AntiVir Personal

----------

After all of that please post the two logs from DDS.

Download from DDS by sUBs and save it to your Desktop. Alternate DDS download link

Vista users right click on dds and select Run as administrator (you will receive a UAC prompt, please allow it)

* XP users Double click on dds to run it.
* If your antivirus or forewall try to block DDS then please allow it to run.
* When finished DDS will open two (2) logs:

1) DDS.txt
2) Attach.txt

* Save both logs to your desktop.
* Please include the entire contents of both logs in your next reply.

Note: DDS will instruct you to post the Attach.txt log as an attachment.
Please just post it as you would any other log by copy and pasting it into the reply.

[Mulreay]

I stand corrected but I find Norton really good. You know more than me hence me telling him I'm no expert.

[Filip.dahlberg]

okey i have followed your advice and gotten `avast Antivirus` have not yet run a complete scan will do so while at work today.

i have followed the instructions for removing fsecure and norton, tho i have performed those steps previously...so dont know why it wont remove it completely..anyway hope it is now removed.

Here is the dds log for the time being.


Thanks

/Filip

[attachment deleted by admin]

[evilfantasy]

Go to Add or Remove Programs and uninstall:

• Java(TM) 6 Update 2
• MyIdentityDefender Toolbar (CyberDefender Corporation) <- This is a rouge product
  
• Spybot - Search & Destroy 1.5.2.20
• Uniblue RegistryBooster 2009 <- Unless paid for
  
• Uniblue SpeedUpMyPC 2009 <- Unless paid for

.
----------

Delete your copy of ComboFix and download the new version.

Download ComboFix© by sUBs from one of the below links. Be sure top save it to the Desktop.

Link #1
Link #2

**Note:  It is important that it is saved directly to your Desktop

DO NOT run it yet!

Note: the below instructions were created specifically for this user. If you are not this user, DO NOT follow these directions as they could damage the workings of your system

Delete these files/folders, as follows:

1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
It must be Notepad, not Wordpad.
2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C

Code: [Select]

Driver::
.norton2009Reset
BackWeb Plug-in - 7681197
EraserSvc10824
5218c864
eqe700b
fskc481
hai6df3
mfra96c
gdtbadb

Folder::
c:\documents and settings\all users\application data\norton
c:\program\f-secure
c:\program\norton antivirus
c:\program\CyberDefender
c:\program\EMCO Malware Destroyer

File::
c:\windows\system32\drivers\knmc401.sys
c:\windows\system32\drivers\ggg621f.sys
c:\windows\system32\drivers\dgk7b04.sys
c:\windows\system32\drivers\gbb9fe8.sys
c:\windows\system32\drivers\bfma825.sys
c:\windows\system32\drivers\eeef475.sys
c:\windows\system32\drivers\ggg84b1.sys

DDS::
uSearch Bar = hxxp://safesearch.cyberdefender.com/smallsearch.html
uURLSearchHooks: H - No File
uURLSearchHooks: MyIdentityDefender: {a26503fe-b3b8-4910-a9dc-9cbd25c6b8d6} - c:\documents and settings\filip\lokala inställningar\application data\cyberdefender\cdmyidd.dll
BHO: MyIdentityDefender: {a26503fe-b3b8-4910-a9dc-9cbd25c6b8d6} - c:\documents and settings\filip\lokala inställningar\application data\cyberdefender\cdmyidd.dll
TB: MyIdentityDefender: {a26503fe-b3b8-4910-a9dc-9cbd25c6b8d6} - c:\documents and settings\filip\lokala inställningar\application data\cyberdefender\cdmyidd.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [HijackThis startup scan] c:\program\trend micro\hijackthis\HijackThis.exe /startupscan
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program\messenger\msmsgs.exe

3. Go to the Notepad window and click Edit > Paste
4. Then click File > Save
5. Name the file CFScript.txt - Save the file to your Desktop
6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!



ComboFix will begin to execute, just follow the prompts.
After reboot (in case it asks to reboot), it will produce a log for you.
Post that log (Combofix.txt) in your next reply.

Note: Do not mouseclick ComboFix's window while it is running. That may cause your system to freeze

[Filip.dahlberg]

just a note while im following the instructions:
i got that when i was getting avast from the link provided by u previously by clicking the download button on that page it linked on to that: which i removed, but not all it seems
MyIdentityDefender Toolbar (CyberDefender Corporation) <- This is a rouge product

oh well on with the work will get back to u asap

[evilfantasy]

The malware probably redirected you to the bad web site.

[Filip.dahlberg]

ye thats probably it, its been doing that some lately :/

uniblue softwares are payed for

okay the instructions have been followed and i have attached the log,

btw one small problem im also having is that i get a `logitech error message x2 everytime i restart the computer, does that have to do with the problems that seem to be effecting my computer?

thanks

[attachment deleted by admin]

[evilfantasy]

You may have to reinstall your Logitec software after we are finished.

Suspicious files to scan

Please go to VirSCAN.org FREE on-line scan service
(If more than one file needs scanned they must be done separately and logs posted for each one)

1. Copy and paste the following file path into the Suspicious files to scan box on the top of the page.

Code: [Select]

c:\windows\system32\drivers\5218c864.sys2. At the upload site, click once inside the window next to Browse.
3. Press Ctrl+V on the keyboard (both at the same time) to paste the file path into the window.
4. Click on the Upload button.
This will perform a scan across multiple different virus scanning engines.
Your file will possibly be entered into a queue which normally takes less than a minute to clear.
[color="Red"]Important:[/color] Wait for all of the scanning engines to complete.
5. Once the Scan is completed scroll down and click on the Copy to Clipboard button. This will copy the link of the report into the Clipboard.
6. Paste the contents of the Clipboard in your next reply.

[Filip.dahlberg]

i get: ERROR: Can't find upload file!

when i go to the site, click in the window, paste c:\windows\system32\drivers\5218c864.sys `open it` and then click uppload.

am i doing something wrong?

[evilfantasy]

Try this.

Go to My Computer->Tools->Folder Options->View tab:

• Under the Hidden files and folders heading:
• Select Show hidden files and folders.
  
• Uncheck Hide protected operating system files (recommended) option.
  
• Also, make sure there is no checkmark beside Hide file extensions for known file types.
  
• Click OK

.
Now try uploading it again.

[Filip.dahlberg]

didnt work says the same thing.

[evilfantasy]

Download the OTMoveIt3 by OldTimer

Note: If you are running on Vista, right-click on OTMoveIt3.exe and choose Run As Administrator.

* Save it to your Desktop.
* Double-click OTMoveIt3.exe to run it.
* Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy)

Code: [Select]

:Processes
explorer.exe

:services
jim2235

:files
c:\windows\system32\drivers\5218c864.sys

:Commands
[purity]
[emptytemp]
[start explorer]
[Reboot]

* Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
* Click the red Moveit! button.
* Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
Close OTMoveIt3

Note: If a file or folder cannot be moved immediately you may be asked to reboot your computer in order to finish the move process. If asked to reboot, choose Yes.

[Filip.dahlberg]

*censored*!! it made a log, i closed it by mistake and now i cant find it any ideas where its saved?

[evilfantasy]

It should be in C:\OTMoveIt3

There will be a text file with a bunch of numbers. Probably including todays date.

[Filip.dahlberg]

thanks ye there they are, there were 2, one i think done before reboot the second after, i have added both of them

[attachment deleted by admin]

[evilfantasy]

OK that looks good.

We will do some cleanup and then do an actual antivirus scan to make sure nothing else is hiding.

• Click START then RUN
  
• Now type Combofix /u in the runbox
  
• Make sure there's a space between Combofix and /u
• Then hit Enter.

.
.
The above procedure will:

• Delete: ComboFix and its associated files and folders.
• Reset the clock settings.
• Hide file extensions, if required.
• Hide System/Hidden files, if required.
• Set a new, clean Restore Point.

.
----------

1. Double click OTMoveIt3.exe to launch it.
Vista users right click and choose Run As Administrator
2. Click on the CleanUp! button.
3. OTMoveIt2 will download a list from the Internet, if your firewall or other defensive programs alerts you, allow it access.
4. Click YES at the next prompt (list downloaded, Do you want to begin cleanup process?)
5. Once complete exit out of OTMoveIt3

----------

Use the ESET Online Antivirus Scanner

This scanner requires Internet Explorer

1. Check the box next to YES, I accept the Terms of Use.
2. Click Start
3. When asked, allow the activex control to install
4. Click Start
5. Make sure that the option Remove found threats and the option Scan unwanted applications is check marked.
6. Click Scan
7. Wait for the scan to finish
8. Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
9. Add the C:\Program Files\EsetOnlineScanner\log.txt log into your next reply.

[Filip.dahlberg]

scan complete, nothing found...

[attachment deleted by admin]

[evilfantasy]

Looks like we got all of the malware.

Use the Secunia Software Inspector to check for out of date software.

• Click Start Now
  
• Check the box next to Enable thorough system inspection.
  
• Click Start
  
• Allow the scan to finish and scroll down to see if any updates are needed.
• Update anything listed.

.
----------

Go to Microsoft Windows Update and get all critical updates.

----------

I suggest using WOT - Web of Trust. WOT is a free Internet security addon for your browser. It will keep you safe from online scams, identity theft, spyware, spam, viruses and unreliable shopping sites. WOT warns you before you interact with a risky website. It's easy and it's free.

SpywareBlaster - Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.
* Using SpywareBlaster to protect your computer from Spyware and Malware
* If you don't know what ActiveX controls are, see here

Check out Keeping Yourself Safe On The Web for tips and free tools to help keep you safe in the future.

Also see Slow Computer? It May Not Be Malware for free cleaning/maintenance tools to help keep your computer running smooth.

[Filip.dahlberg]

when running the  secunia scan i get 3 items: Adobe Reader 7.x, Adobe Flash Player 9.x and     Mozilla Firefox 2.0.x

i download the update, and use the update which works fine for adobe flash and mozila, however the adobe reader complains that the software doesnt exist, and the update of the mozila and flash dont seem to work either. After running the updates and installing them and rebooting i do the scan again and the same 3 `insecure` softwares are still there.  Also in  `about` under help in mozila it says i have the 3.0.8 version..


edit: hmm also when trying to update windows, i get problems...it just wont let me :S

also when installing WOT to firefox..i doesnt stay after i restart firefox and im getting firefox crashes again..they had stopped while we were doing the checks and things..

[evilfantasy]

Do this to remove all unstable older versions of Flash.

Download the Flash Player Uninstaller and save it to your desktop.

Run the uninstaller program and then reboot your computer to complete the uninstall.

Download and install the latest version of Flash Player

----------

Download the Firefox installer to your desktop. Don't run it yet.

Uninstall Firefox and then go to C:\Program Files\Mozilla Firefox and delete the Mozilla Firefox folder.

Now install a new the version of Firefox.

----------

Download Dial-a-Fix by djlizard, save it to the desktop then extract it to it's own folder.

• Open the folder and run Dial-a-fix.exe
• 2 windows will open. Close the one in the background labeled Restrictive Policies
• Check the box in section 1, Empty temp folders.
  
• Check the box in section 2, Fix Windows Installer.
  
• Check the box in section 3, Fix Windows Update.
  
• Check the box in section 4, labeled SSL/HTTPS/Cryptography. The 4 boxes under it should be pre-checked
  
• Check all boxes in section 5, labeled Registration Center.
  
• Click Go
  
• OK any error messages if received, but write them down and post them here.
• Restart the computer when done.

.
Now try the Windows Updates.

[Filip.dahlberg]

received the following errors:

Error-2137024891 was encountered while trying to unregister C:/WINDOWS/system32/wuaueng,dll.

An error occurred durign registration of the file C:/WINDOWS/system32/wuaueng.dll(version7.2.6001.788) `the next dialog will contain an error code and possible suggestions

Error 0x80070005: `access denied`. it is suggested that you run `repair permissions` which is found in the toos dialog. windows XP home users will need secedit.exe to peform the repair


(didnt write down all text as it couldnt be copy pasted but wrote down what seemed neccessary)

gonna reboot and then try windows update

edit: tried windows update didnt work.

also the secunia scan only gives me:    Adobe Reader 7.x as an insecure software

[evilfantasy]

In the Secunia results under the Adobe Reader results there should be a file path that indicates which file is being flagged as out of date or insecure. You can manually delete the file and it should stop saying that Adobe is insecure.

Open Dial-a-fix and click the hammer icon.
Select Repair Permissions and click Go

If at any time you are prompted for the XP CD, insert it
Make note of any error messages and post them here
Reboot when complete and let me know if there's any change with Windows Updates.

[Filip.dahlberg]

arr, xp-cd is gonna be a problem atm, i recently moved and the cd is in a box some where..will have to look for it. is it possible without it?

[evilfantasy]

It may not ask for the CD.

[Filip.dahlberg]

ok it didnt ask for the cd, it didnt give any error codes, tho avast `denied`a bunch of things to fast for me to catch and write down..

windows update does the same thing gives me the Felnummer: 0x80070002 error code.

[evilfantasy]

Try the suggestions here please. http://support.microsoft.com/kb/910336

Any error codes you can get will help. Also locating the Windows XP CD is a good idea if it's possible.

[Filip.dahlberg]

ive been attempting the sugestions there and it fails from the start, the Automatic update service is allready stopped and it wont start because it claims the file is missing and so the rest doesnt work either..

[evilfantasy]

* Download the following tool: RootRepeal - Rootkit Detector
* Direct download link is here: RootRepeal.rar
* If you don't already have a program to open a .RAR compressed file you can download 7-Zip which is a free compression tool.
* Extract the program file to a new folder such as C:RootRepeal
* Run the program RootRepeal.exe and go to the REPORT tab and click on the Scan button
* Select ALL of the checkboxes and then click OK and it will start scanning your system.
* If you have multiple drives you only need to check the C: drive or the one Windows is installed on.
* When done, click on Save Report
* Save it to the same location where you ran it from, such as C:RootRepeal
* Save it as your_name_rootrepeal.txt - where your_name is your forum name
* This makes it more easy to track who the log belongs to.
* Then open that log and select all and copy/paste it back on your next reply please.
* Close RootRepeal.

[Filip.dahlberg]

i have let that run over night..but it doesnt seem to have worked, it has been stuck at `initializing please wait` at the same spot all the time...

[evilfantasy]

That's odd.

Download Rooter.exe to your desktop

* Double click Rooter.exe to start the tool.
* A DOS window will appear and show the scan progress.
* Once complete a notepad file containing the report will open.
* Copy & paste the results in your next reply.
* Close notepad and Rooter will close.

A log will also save at %systemdrive%\Rooter.txt (Where %systemdrive% is usually C: or the drive that you have Windows installed).

[Filip.dahlberg]

that worked:

Microsoft Windows XP Home Edition (5.1.2600) Service Pack 3

A:\ [Removable] (Total:0 Mo/Free:0 Mo)
C:\ [Fixed] - NTFS - (Total:35291 Mo/Free:490 Mo)
D:\ [CD-Rom] (Total:0 Mo/Free:0 Mo)
E:\ [CD-Rom] (Total:0 Mo/Free:0 Mo)
F:\ [Fixed] - NTFS - (Total:190771 Mo/Free:840 Mo)
G:\ [CD-Rom] (Total:0 Mo/Free:0 Mo)
H:\ [Fixed] - NTFS - (Total:476938 Mo/Free:3375 Mo)

2009-04-09|15:27

----------------------\\  Processes..

--Locked-- [System Process]
---------- System
---------- \SystemRoot\System32\smss.exe
---------- \??\C:\WINDOWS\system32\csrss.exe
---------- \??\C:\WINDOWS\system32\winlogon.exe
---------- C:\WINDOWS\system32\services.exe
---------- C:\WINDOWS\system32\lsass.exe
---------- C:\WINDOWS\system32\svchost.exe
---------- C:\WINDOWS\system32\svchost.exe
---------- C:\WINDOWS\System32\svchost.exe
---------- C:\WINDOWS\System32\svchost.exe
---------- C:\WINDOWS\system32\svchost.exe
---------- C:\Program\Alwil Software\Avast4\aswUpdSv.exe
---------- C:\Program\Alwil Software\Avast4\ashServ.exe
---------- C:\WINDOWS\Explorer.EXE
---------- C:\Program\ASUS\Ai Booster\OverClk.exe
---------- C:\Program\Analog Devices\Core\smax4pnp.exe
---------- C:\Program\Logitech\GamePanel Software\LCD Manager\LCDMon.exe
---------- C:\Program\ASUS\Ai Nap\AiNap.exe
---------- C:\WINDOWS\system32\RUNDLL32.EXE
---------- C:\Program\ALWILS~1\Avast4\ashDisp.exe
---------- C:\Program\Java\jre6\bin\jusched.exe
---------- C:\WINDOWS\system32\ctfmon.exe
---------- C:\Program\Windows Live\Messenger\msnmsgr.exe
---------- C:\WINDOWS\system32\spoolsv.exe
---------- C:\Program\Logitech\GamePanel Software\LCD Manager\Applets\LCDCountdown.exe
---------- C:\Program\Logitech\GamePanel Software\LCD Manager\Applets\LCDClock.exe
---------- C:\Program\Logitech\GamePanel Software\LCD Manager\Applets\LCDPop3.exe
---------- C:\Program\Logitech\GamePanel Software\LCD Manager\Applets\LCDMedia.exe
---------- C:\Program\Java\jre6\bin\jqs.exe
---------- C:\WINDOWS\system32\nvsvc32.exe
---------- C:\WINDOWS\system32\PnkBstrA.exe
---------- C:\WINDOWS\System32\svchost.exe
---------- C:\WINDOWS\system32\UAService7.exe
---------- C:\Program\Alwil Software\Avast4\ashMaiSv.exe
---------- C:\Program\Alwil Software\Avast4\ashWebSv.exe
---------- C:\WINDOWS\System32\alg.exe
---------- C:\Program\Windows Live\Contacts\wlcomm.exe
---------- C:\Program\Mozilla Firefox\firefox.exe
---------- C:\WINDOWS\system32\cmd.exe
---------- C:\Rooter$\RK.exe

----------------------\\  Search..

----------------------\\  ROOTKIT !!



1 - "C:\Rooter$\Rooter_1.txt" - 2009-04-09|15:27

----------------------\\  Scan completed at 15:27

[evilfantasy]

OK lets try something please.


* Download and run the following file to repair file and registry permissions: fixacl.exe

Download FixPolicies.exe by Bill Castner

Double-click FixPolicies.exe.
Click the Install button on the bottom toolbar of the box that will open.
The program will create a new Folder called FixPolicies.
Double-click to Open the new Folder, and then double-click the file within: Fix_Policies.cmd
A black box will briefly appear and then close.
Restart the computer so the changes can take effect.

* Note: Some malware will block the running of this tool. So if you cannot run Fixpolicies, then, rename the exe file to something like fixtool.exe and then run it.

----------

You may want to print this out for reference or copy it into a Notepad file then save it to your Desktop. Internet Explorer needs to be closed.

1. Close all instances of Internet Explorer.

2. Click Start > Run then type REGSVR32 ATL.DLL in the open box and click OK

Note: There is a space between REGSVR32 and ATL.DLL

3. Do the same with each of the below. (one at a time, note the space after REGSERV32)

• REGSVR32 MSXML3.DLL
• REGSVR32 WUAPI.DLL
• REGSVR32 WUAUENG.DLL
• REGSVR32 WUAUENG1.DLL
• REGSVR32 WUPS2.DLL
• REGSVR32 WUCLTUI.DLL
• REGSVR32 WUPS.DLL
• REGSVR32 WUWEB.DLL
• REGSVR32 QMGR.DLL
• REGSVR32 QMGRPRXY.DLL
• REGSVR32 JSCRIPT.DLL

.
Restart the computer when complete.

Try running Windows Updates again.

Let me know...

[Filip.dahlberg]

that had an interesting effect, it partly worked, when entering the windows update site through control panel i can now perform the search for updates without a problem(this was not possible before)  and so i can see which updates that are missing; which are the following:(7 updates needed)

 
Windows-verktyget Borttagning av skadlig programvara - mars 2009 (KB890830)
Hämtningsstorlek: 11.2 MB , mindre än 1 minut
 
Säkerhetsuppdatering för Windows XP (KB958690)
Typisk hämtningsstorlek: 613 kB , mindre än 1 minut

Uppdatering för Windows XP (KB959772)
Hämtningsstorlek: 5.5 MB , mindre än 1 minut
 
Säkerhetsuppdatering för Windows XP (KB960225)
Typisk hämtningsstorlek: 259 kB , mindre än 1 minut
 
Uppdateringspaket för Microsoft .NET Framework 3.5 Service Pack 1 och .NET Framework 3.5 (KB951847) x86
Hämtningsstorlek: 284.1 MB , 15 minuter
 
Säkerhetsuppdatering för Internet Explorer 6 för Windows XP (960714)
Hämtningsstorlek: 1.8 MB , mindre än 1 minut

Kumulativ säkerhetsuppdatering för Internet Explorer 6 för Windows XP (KB958215)


however when attempting to install/download it fails. i can also access my update history which seems to have been failing for sometime. some 21 failures.

edit: i get the following error code Felkod: 0x80246008 for each one

[evilfantasy]

edit: i get the following error code Felkod: 0x80246008 for each one

Yes that's helpful and what I was looking for, only not in a good way. This is a new problem that to this point has not been sorted out yet.

Please try this.

Go into your user account setting in Control Panel and create a new user account. Log onto the new account and try to run the updates again.

[Filip.dahlberg]

i created a second admin account, logged into it(i am logged into it atm) and went into control panel and pressed windows update. However with no result..it doesnt load the page

[evilfantasy]

This article is a bit more involved than the last one but at this point is what needs to be attempted from the old account, not the new one. http://support.microsoft.com/kb/910337

[Filip.dahlberg]

i try starting the `bits` through services manually but i receive the error message nr 2: `could not find the file` and reading through the document from microsoft i cant seem to find what to do

[evilfantasy]

I expected as much.

Download  & extract this file to it's own folder - Registry Search

Launch Registry Search
In the search box, enter:

fystemroot

Then click OK

Notepad will open with some text in it (the file will also be saved in the program's folder as well).

Post this text in your next reply

[Filip.dahlberg]

here it is, just a comment: *censored* there are a lot of these little small tools to use and get logs xD

Windows Registry Editor Version 5.00

; Registry Search 2.0 by Bobbi Flekman © 2005
; Version: 2.0.6.0

; Results at 2009-04-09 20:08:02 for strings:
;  'fystemroot'
; Strings excluded from search:
;  (None)
; Search in:
; Registry Keys  Registry Values  Registry Data 
; HKEY_LOCAL_MACHINE  HKEY_USERS 
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\BITS]
; Contents of value:
;   %fystemRoot%\System32\svchost.exe -k netsvcs
"ImagePath"=hex(2):25,00,66,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
  74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\
  00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\
  6b,00,20,00,6e,00,65,00,74,00,73,00,76,00,63,00,73,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\wuauserv]
; Contents of value:
;   %fystemroot%\system32\svchost.exe -k netsvcs
"ImagePath"=hex(2):25,00,66,00,79,00,73,00,74,00,65,00,6d,00,72,00,6f,00,6f,00,\
  74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\
  00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\
  6b,00,20,00,6e,00,65,00,74,00,73,00,76,00,63,00,73,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\BITS]
; Contents of value:
;   %fystemRoot%\System32\svchost.exe -k netsvcs
"ImagePath"=hex(2):25,00,66,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
  74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\
  00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\
  6b,00,20,00,6e,00,65,00,74,00,73,00,76,00,63,00,73,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\BITS]
; Contents of value:
;   %fystemRoot%\System32\svchost.exe -k netsvcs
"ImagePath"=hex(2):25,00,66,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
  74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\
  00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\
  6b,00,20,00,6e,00,65,00,74,00,73,00,76,00,63,00,73,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS]
; Contents of value:
;   %fystemRoot%\System32\svchost.exe -k netsvcs
"ImagePath"=hex(2):25,00,66,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
  74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\
  00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\
  6b,00,20,00,6e,00,65,00,74,00,73,00,76,00,63,00,73,00,00,00

; End Of The Log...

[evilfantasy]

*censored* there are a lot of these little small tools to use and get logs xD

We wouldn't be able to do this without some brilliant malware fighters out there

OK are you familiar with editing the registry?

[Filip.dahlberg]

resonably familiar with regedit, not an expert tho

[evilfantasy]

OK I will outline the problem here.

Under each key there is a line that looks like this.

%fystemRoot%\System32\svchost.exe -k netsvcs

I highlighted in red the f and that is the problem. You need to change each f to an s to repair this. So it should read systemROOT and not fystemROOT.

[evilfantasy]

P.S. I'm off to the dentist and will return later.

[Filip.dahlberg]

and the log we created a few moments ago are the items i need to find and change?

[evilfantasy]

Yes, under each key you need to change the fystemROOT to read systemROOT.

[Filip.dahlberg]

okey will do that, then perform another scan with the regsearch 

edit: em i have tried the first two entries, but i get an error message when trying to change the `f` to an `s` and it wont change it. it says an error occurred when the new value was going to be written

edit: tried all..none work

[evilfantasy]

I haven't forgotten you. I'm looking into some possible solutions to this.

It's a know problem but so far there is no clear solution.

[Filip.dahlberg]

no worries, didnt think u had forgotten me. *crosses fingers* that u find a solution because it really is annoying. havent had any crashes of firefox lately, tho some programs crash. Also it feels very insecure to be using the computer when its not updated..

[evilfantasy]

Hopefully I will hear something soon.

For now using Firefox go here http://windizupdate.com/ and see if you can install the updates that way.

[evilfantasy]

OK found a new solution to investigate.

Download GMER and save it your desktop.

* Extract it to your desktop and double-click GMER.exe
* Click the rootkit tab and then scan.
* Don't check the Show All box while scanning in progress!
* When scanning is finished click Copy.
* This copies the log to clipboard
* Post the log in your reply.

[Filip.dahlberg]

tried that firefox thing, didnt work got the following error:

Firefox could not install the file at

http://windizupdate.com/files/windizupdate.xpi

because: Install script not found
-204
running the other scan as we speak

edit: here is the scan attached

[attachment deleted by admin]

[evilfantasy]

Download and run this tool to try and regain the ability to edit the registry. http://www.dougknox.com/security/scripts_desc/regtools.htm

Now try to edit the fystemROOT keys again.

Here is a brief description on how to do it. Obviously you will need to follow each registry key that was listed in the previous post. http://www.computerhope.com/forum/index.php/topic,80867.msg534151.html#msg534151

Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS

In the right Window pane look for Imagepath.

In the data column it should have the %fystemRoot%\system32\svchost.exe -k netsvcs

Doubleclick on Imagepath and change it to %SystemRoot%\system32\svchost.exe -k netsvcs.

[Filip.dahlberg]

em what do i download? there is no file to download it simply gives me a list of code, and the regedit instruction is exactly what i was doing

[evilfantasy]

Read the instructions on this page -> http://www.dougknox.com/security/scripts_desc/regtools.htm

You might also try changing the keys and running the .vbs file in Safe Mode for a better chance at it working.

[Filip.dahlberg]

regtools.vbs - Disable/Enable Registry Editing tools in Windows
© Doug Knox - rev 01/10/2000
This code may be freely distributed/modified.

Usage: Download regtools.vbs Save the file to the folder of your choice. Double click the VBS file. The VB Script file will check for the appropriate value and if not found will create it. If the value was found, it will be toggled to its opposite state and you will be informed that you need to log off/back on or restart your computer. One note. This change is made in HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System. Disabling the tools takes effect immediately. Enabling requires a restart.  This script can be viewed in Notepad or any text editor, as to the specific Registry key and value that are updated. Your antivirus software may report this script as potentially malicious, or a possible virus. This is because the script writes to the System Registry.

This page last updated 11/25/2005 21:17
All material © Doug Knox

i cant `download regtools.vbs clicking the link at the top gives me a page of code, clicking the `download button` gives me a page of code:

'Enable/Disable Registry Editing tools
'© Doug Knox - rev 12/06/99

Option Explicit

'Declare variables
Dim WSHShell, n, MyBox, p, t, mustboot, errnum, vers
Dim enab, disab, jobfunc, itemtype

Set WSHShell = WScript.CreateObject("WScript.Shell")
p = "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\"
p = p & "DisableRegistryTools"
itemtype = "REG_DWORD"
mustboot = "Log off and back on, or restart your pc to" & vbCR & "effect the changes"
enab = "ENABLED"
disab = "DISABLED"
jobfunc = "Registry Editing Tools are now "

'This section tries to read the registry key value. If not present an
'error is generated.  Normal error return should be 0 if value is
'present
t = "Confirmation"
Err.Clear
On Error Resume Next
n = WSHShell.RegRead (p)
On Error Goto 0
errnum = Err.Number

if errnum <> 0 then
'Create the registry key value for DisableRegistryTools with value 0
   WSHShell.RegWrite p, 0, itemtype
End If

'If the key is present, or was created, it is toggled
'Confirmations can be disabled by commenting out
'the two MyBox lines below

If n = 0 Then
   n = 1
WSHShell.RegWrite p, n, itemtype
Mybox = MsgBox(jobfunc & disab & vbCR & mustboot, 4096, t)
ElseIf n = 1 then
   n = 0
WSHShell.RegWrite p, n, itemtype
Mybox = MsgBox(jobfunc & enab & vbCR & mustboot, 4096, t)
End If

that i get from both links on that page, am i doing something wrong? am i meant to copy that code into a file or something?

[evilfantasy]

Ahh, I see what you mean now. You need to use IE to download .vbs files.

[Filip.dahlberg]

okey download of the tool worked better in IE , however it didnt help still cant edit the `f` to an `s` gives the same error message as described earlier. Even tried it in safemode

ps. dentist went well ?

[evilfantasy]

Yea the dentist was OK. I had a tooth pulled and then developed dry socket so this week has been a painful one...

I'm done for tonight. Tomorrow I will have to get into the registry on another computer and look at those keys and try to come up with something. Others are working on this also so maybe an automated fix will be available soon. Everyone else has been able to edit the keys so this is a real head twister as to why you can't.

[Filip.dahlberg]

okey thanx, sounds painful that with the teeth :S, well ok im heading to bed to. so hopefully we can solve this soon thanks

[evilfantasy]

Just to b esure, this is what you are seeing when you try to edit those keys?

Click the images to enlarge.



[attachment deleted by admin]

[Filip.dahlberg]

exactly that yes, however the `s` is a nasty little ´f` :S

[evilfantasy]

Go tto the first key Bits and post the contents of it here.

Go to [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\BITS]

Right click on Bits and choose Export and choose to save it to your desktop.

Right click on it and choose Open with > Notepad and copy/paste all of the text back here.

[Filip.dahlberg]

here it is:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\BITS]
"Type"=dword:00000020
"Start"=dword:00000002
"ErrorControl"=dword:00000001
"ImagePath"=hex(2):25,00,66,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
  74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\
  00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\
  6b,00,20,00,6e,00,65,00,74,00,73,00,76,00,63,00,73,00,00,00
"DisplayName"="Background Intelligent Transfer Service"
"DependOnService"=hex(7):52,00,70,00,63,00,73,00,73,00,00,00,00,00
"DependOnGroup"=hex(7):00,00
"ObjectName"="LocalSystem"
"Description"="Överför filer i bakgrunden genom att använda ledig nätverksbandbredd. Om tjänsten stoppas kommer funktioner såsom Windows Update och MSN Explorer inte att automatiskt hämta program eller annan information. Om den här tjänsten inaktiveras kommer inga tjänster som uttryckligen beror på denna att kunna överföra filer om de inte har någon annan funktionalitet för att överföra filer direkt genom Internet Explorer om BITS har inaktiverats."
"FailureActions"=hex:00,00,00,00,00,00,00,00,00,00,00,00,03,00,00,00,68,e3,0c,\
  00,01,00,00,00,60,ea,00,00,01,00,00,00,60,ea,00,00,01,00,00,00,60,ea,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\BITS\Parameters]
"ServiceDll"=hex(2):25,00,73,00,79,00,73,00,74,00,65,00,6d,00,72,00,6f,00,6f,\
  00,74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
  71,00,6d,00,67,00,72,00,2e,00,64,00,6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\BITS\Security]
"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,\
  00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
  00,00,02,00,60,00,04,00,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,\
  05,12,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,\
  20,02,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,0b,00,00,00,00,\
  00,18,00,fd,01,02,00,01,02,00,00,00,00,00,05,20,00,00,00,23,02,00,00,01,01,\
  00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00

btw, im swedish and im running a swedish windows xp. if u need any of the swedish translated just ask.

[evilfantasy]

Well I had an idea but that won't work.

How about logging in in Safe Mode under the Administrator account and trying to edit the key?

[Filip.dahlberg]

tried that

okey download of the tool worked better in IE , however it didnt help still cant edit the `f` to an `s` gives the same error message as described earlier. Even tried it in safemode

ps. dentist went well ?

[evilfantasy]

OK I'm back to waiting on a reply from someone else. I'm hoping that the people smarter than me figure something out for this because it is happening to a lot of computers.

[evilfantasy]

OK a fix has been released.

Use the following tool: http://users.telenet.be/marcvn/tools/WUS_Fix.exe

Just download and run it.

Let me know...

[Filip.dahlberg]

haha was writing the following:

^^ okey, really seems to be a big problem then...lucky me :S.  well hopefully we find a solution in the end. at the moment the computer seems to be running at least; reasonably. insecure but more stable than before. So i guess you will get back to me if you find something?

seems we make another attempt then.

Edit:
okey ran the fix, opened a cmd window fast, couldnt read it. then it closed. i opened regedit and attempted to change a value, didnt work. restarted the pc. and attempted again. nothing seems to have been changed. maybe try it in safe mode?

question: Is this a single problem caused by a virus/malware/trojan or something? and if so is it possible that it can be infecting other parts of the computer as we speak? if so is it possible to detect this? avast hasnt picked up anything on scans so far.

[evilfantasy]

I'm not sure what is going on. You are the only one that these fixes have not worked for.

Try running the fix on the new account you created.

[Filip.dahlberg]

tried it in the new account and in safemode, neither worked... the error i get is that it fails to write the new value. it then changes the value on screen like in the window, but if i restart regedit then the `f` is back

how do i know that the fix has done anything?

[evilfantasy]

What it does is repair the permissions problem and should automatically fix the f to s so I'm puzzled as to why it isn't working on your computer.

Let's run another scanner. This will take a while to finish but should find anything that might be hiding.

Download DrWeb CureIt & save it to your desktop. Scan with DrWeb-CureIt as follows:

• Double-click on drweb-cureit.exe and then click Start
  
• An information notice will appear, click OK.
  
• This starts a short scan that will scan the files currently running in memory.
• If you get a prompt to buy the full version just exit out of the window. The scanner will still work without buying the full version
  
• If or when something is found, click the Yes button when it asks you if you want to cure it.

• Once the short scan has finished, Click Settings > Change Settings
  
• Under the Scanning tab UNcheck Heuristic analysis and click OK
  
• Back at the main window, select the Complete scan button and then click the Green Arrow Start Scanning button on the right and the scan will start.
  
• Click Yes to all if it asks if you want to cure/move any file(s).
  
• When the scan is done.
• In the Dr.Web CureIt menu on top left, click File and choose Save report list.
  
• Save the DrWeb.csv report to your Desktop.
  
• Exit Dr.Web Cureit.
• Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.

* After reboot, Right-click the Dr.Web log on the desktop and choose Open With > Notepad
* Copy and paste that log in the next reply

[Filip.dahlberg]

okay, done. That was a long wait for a very short log

RegUBP2b-Filip.reg;C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2;Trojan.StartPage.1505;Deleted.;

[evilfantasy]

That wasn't anything new.

I'm running out of ideas again. You can try this.

Avira AntiVir Rescue System

* Download the Avira AntiVir Rescue System
* Place a blank CD in your burner and double-click on the downloaded file.
* The program will automatically burn the CD for you.
* Place the burned CD into the affected computer and start the computer with the CD in the CD tray.
* On the bottom left side of the screen there are 2 flags.  Using your mouse click on the British flag to use English.
* Click on the Configuration button.

- Select Scan all files
- Select Try to repair infected files and Rename files, if they cannot be removed
- Select Scan for dialers
- Select Scan for joke programs (Jokes)
- Select Scan for games
- Select Scan for spyware (SPR)

* Click on Virus scanner
* Click on Start scanner at the bottom of the screen

Currently the program does not support saving a log. Please write down the list of items for Records, Suspect files, and Warnings then post them back here.

[Filip.dahlberg]

will have to get back to you on that one, as ill have to go to the store and buy a cd and im going to my grandmother for the rest of the weekend..so ill have to try this on monday. Hope u have some more ideas till then, will also look for my windows CD more when i get back.

[Filip.dahlberg]

right, its wierd..but its true, i logged on to my computer again today and all seems fixed/perfect windows update kicked in by itself and have had no problems for the past 2 days..so ye thanks Evilfantasy for the help! much appreciated.

[boris the spider]

Hi, Excuse me butting in on this topic but I have exactly the same problem and have been following the steps above to see if I can find a resolution. I'm at the point where I'm running a Dr Web scan. The express scan showed no faults and the full scan is running as I type. - To while away the time while waiting for the scan results, I went back into regedit to try to change the "f" to an "S" again. While rumaging around I found that you need to change Permissions in the Edit menu before it will let you change the image path description. Not too sure how I did it unfortunately but I had a list of names in the group/user name list and two grayed out ticked boxes showing level of permission. - I did something that changed it to one name i.e. Base/ADministrator, ticked the boxes for access and then it let me make the change.

The bad news however is that it only let me do this in "BITS" and denied the change to Permissions in "Wauserv". I don't want to continue messing with these Permissions as I don't really know what I'm doing. - The answer to "unable to edit registry" that Filip was experiencing seems to be here. Boris.

[worrywart2009]

i have had a problem installing  the  Microsoft.NET 3.5 service pack 1 and  NET Framework Family Update. it trys to install and fails to . the error code that comes up is 800B0100. i have been told that mozilla foxfire may be stoping it from installing, i also have internet explorer as well as mozilla firefox.