i have a virus that causes my windows updates to be diabled and my windows firewall to be turned off, as well as kept off via "group policy" restrictions. it seems to be activated by browsing and either sends me a pop-up or runs a programs that messages everyone on my buddy list with a link to the site that infects you. i did download the virus myself, i know, not too bright a move:banghead: processes im almost positive did not run before the virus was downloaded and refuse to kill via cntrl-alt-del include: vekah, haqdrnc, wniapsrv, and futuhi.

i'm sorry i had thought hjt logs were only required if promped, but looking at other peoples threads it looks like theyre necessary. soory about the confusion.

Logfile of HijackThis v1.99.1
Scan saved at 4:26:06 PM, on 5/30/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\RioMSC.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wmiapsrv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Documents and Settings\Evo\Desktop\hj ths\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\vekah.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,haqdrnc.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1148660078232
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Plug-in 1.4.2_01) -
O16 - DPF: {CAFEEFAC-0014-0002-0001-ABCDEFFEDCBA} (Java Plug-in 1.4.2_01) -
O23 - Service: Rio MSC Manager (RioMSC) - Digital Networks North America, Inc. - C:\WINDOWS\system32\RioMSC.exe
O23 - Service: Microsoft WMI Performance Adapter AddOn (WMIPerAddOn) - Unknown owner - C:\WINDOWS\wmiapsrv.exe

Welcome to the forum

Download and run aimfix
http://jayloden.com/aimfix.htm
Post its report and a new hijackthis log

Why do we see no active antivirus program

I never felt the need to find a new anti-viral program after my last one was lost in a crash a few months back. I do have Window's Defender installed but its constant demand to restart my computer leads me to have it off in order to accomplish anything. Thank you for support, this bug has been driving me absolutly crazy.

AIMFix version: 1.5.64.1336
SeDebug Privilege set successfully

***ANY VIRUS FILES REMOVED WILL BE LISTED BELOW***

Now checking for Block-Checker via BlockRemove(): .5
Checking for Block-Checker files...
Block-Checker not found
ServiceExists(): Found service WMIPerAddOn
StopService(): failed on call to ControlService() for "WMIPerAddOn": The service has not been started.

Service WMIPerAddOn successfully disabled
Service WMIPerAddOn successfully deleted
Now attempting quarantine of "WMIPerAddOn" executable: C:\WINDOWS\wmiapsrv.exe

***RUN COMPLETED. ANY FILES REMOVED LISTED ABOVE***
----------------------------------------------------------

AIMFix version: 1.5.64.1336
SeDebug Privilege set successfully

***ANY VIRUS FILES REMOVED WILL BE LISTED BELOW***

Now checking for Block-Checker via BlockRemove(): .5
Checking for Block-Checker files...
Block-Checker not found

***RUN COMPLETED. ANY FILES REMOVED LISTED ABOVE***
----------------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 5:43:47 PM, on 6/4/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\RioMSC.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Evo\Desktop\hj ths\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\vekah.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,haqdrnc.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1148660078232
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Plug-in 1.4.2_01) -
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {CAFEEFAC-0014-0002-0001-ABCDEFFEDCBA} (Java Plug-in 1.4.2_01) -
O23 - Service: Rio MSC Manager (RioMSC) - Digital Networks North America, Inc. - C:\WINDOWS\system32\RioMSC.exe

Please disable SpybotSD TeaTimer for now
To disable SpybotSD TeaTimer:
Open Spybot and click on Mode and check Advanced Mode
Check yes to next window.
Click on Tools in bottom left hand corner.
Click on Resident icon and Uncheck the box next to Teatimer.
"resident tea timer"protection of all-over system settings) active"
Close SpyBot.
We will remind you to turn it on later

Download FindQool, extract the files and place the FindQool folder it root, usualy thats C:\
http://downloads.subratam.org/Lon/FindQool.zip
It must be c:\FindQool now to work
Open that folder and run Qlocate.bat, post the text that will open please.. along with another hijackthis log.

Mon 06/05/2006
Running from: C:\FindQool\FindQool
PLEASE NOTE: LEGIT FILES MIGHT BE LISTED. IF YOU ARE UNSURE OF WHAT IS LISTED LEAVE THEM ALONE.

Known file names

MD5 Check....
C:\WINDOWS\system32\lsiys.dat
C:\WINDOWS\system32\futvhi.exe
C:\WINDOWS\system32\vekah.exe
C:\WINDOWS\system32\lcsvxqn.dll
C:\WINDOWS\system32\haqdrnc.exe

Files found with locate com.
C:\WINDOWS\SYSTEM32\HAQDRNC.EXE
C:\WINDOWS\SYSTEM32\LCSVXQN.DLL
C:\WINDOWS\SYSTEM32\LSIYS.DAT
C:\WINDOWS\SYSTEM32\FUTVHI.EXE
C:\WINDOWS\SYSTEM32\VEKAH.EXE
C:\DOCUME~1\ALLUSE~1\STARTM~1\PROGRAMS\STARTUP\XCFWN.EXE
Re-check using dir /a:-d
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
06/04/2006 05:31 PM 127,488 xcfwn.exe
...


...
Runs, Listed here as a Doublecheck for the locate com results
HKLM
"fmxngg"="C:\\WINDOWS\\system32\\futvhi.exe reg_run"
HKCU
"bjeoi"="C:\\WINDOWS\\system32\\futvhi.exe reg_run"
...

Files In Winlogon shell and userinit
Listed here as a Doublecheck for the locate com results
shell REG_SZ Explorer.exe, C:\WINDOWS\system32\vekah.exe
userinit REG_SZ C:\WINDOWS\system32\userinit.exe,haqdrnc.exe
...
SWReg utility
Written by Bobbi Flekman © 2005
Findqool edited 17/05/2006
------------------------------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 5:32:18 PM, on 6/5/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\RioMSC.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Evo\Desktop\hj ths\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\vekah.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,haqdrnc.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [fmxngg] C:\WINDOWS\system32\futvhi.exe reg_run
O4 - HKCU\..\Run: [bjeoi] C:\WINDOWS\system32\futvhi.exe reg_run
O4 - Global Startup: xcfwn.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1148660078232
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Plug-in 1.4.2_01) -
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {CAFEEFAC-0014-0002-0001-ABCDEFFEDCBA} (Java Plug-in 1.4.2_01) -
O23 - Service: Rio MSC Manager (RioMSC) - Digital Networks North America, Inc. - C:\WINDOWS\system32\RioMSC.exe

thank you kindly for your continued assistance

Disable windows defender's active protection , we can turn it on later

Delete findqool, we will use another method

Download Brute Force Uninstaller (http://www.merijn.org/files/bfu.zip) to your C:\
Unzip it to a folder of its own (C:\BFU). So BFU should be on your root. In most cases this is C:\
Download qoofix.bat (http://downloads.subratam.org/Lon/qooFix.bat) (rightclick on this link and choose save as)
Place qoofix.bat in your C:\BFU - folder. (Important!)
Doubleclick qooFix.bat, Close all browsers and explorer folders.
Choose option 1 (Qoolfix autofix) and follow the prompts.
Please be patient, it will take about five minutes.
After the PC has restarted please post another hijackthis log.

ahh thanks, that seems to have cleared all the offending files, although I'm still unsure how to reactivate the Windows firewall and security updates.

Logfile of HijackThis v1.99.1
Scan saved at 7:55:21 PM, on 6/7/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RioMSC.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Documents and Settings\Evo\Desktop\hj ths\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1148660078232
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Plug-in 1.4.2_01) -
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {CAFEEFAC-0014-0002-0001-ABCDEFFEDCBA} (Java Plug-in 1.4.2_01) -
O23 - Service: Rio MSC Manager (RioMSC) - Digital Networks North America, Inc. - C:\WINDOWS\system32\RioMSC.exe

Something wrong with windowsupdate ?

Instead of using the built in firewall I suggest a third party program, several are mentioned in this post, Also You need an antivirus program asap.

http://forums.spybot.info/showthread.php?t=279

Id love to see a log after both an av and firewall program have been installed

Thank you Lonny. :)

As it is now June 15th this topic is closed.

keytud, if you need it re-opened please send me a pm and provide a link to the thread.