Thread: unable to update Vista or AVG & misdirected when searching

  1. #31
    Member
    Join Date
    Aug 2009
    Location
    London, UK
    Posts
    35

    Hi Ken

    Here's the Rooter log:

    Rooter_2
    Rooter.exe (v1.0.2) by Eric_71
    .
    seDebugprivilege granted successfully ...
    .
    windows vista. (6.0.6000)
    [32_bits] - x86 Family 6 Model 15 stepping 10, GenUineIntel
    .
    [wscsvc] (security center) RUNNING (state:4)
    [MpSSVC] RUNNING (state:4)
    windows Firewall -> Enabled
    windows Defender -> Enabled
    User Account control (UAC) -> Enabled
    .
    Internet Explorer 7.0.6000.16830
    .
    C:\ [Fixed-NTFS] ( Total:80 Go - Free:43 Go )
    D:\ [Fixed-NTFS] .. ( Total:63 Go - Free:27 Go )
    F:\ [CD_Rom]
    .
    scan: 03:23.47
    path : D:\userS\Kie\Desktop\Rooter.exe
    User: Kie ( Administrator -> YES)
    .
    ----------------------\\ Processes
    .
    Locked [system Process] (0)
    Locked system (4)
    _____ \systemRoot\system32\smss.exe (464)
    _____ c:\windows\system32\csrss.exe (600)
    _____ c:\windows\system32\wininit.exe (648)
    _____ c:\windows\system32\csrss.exe (660)
    _____ c:\windows\system32\services.exe (692)
    _____ c:\windows\system32\lsass.exe (704)
    _____ c:\windows\system32\lsm.exe (712)
    _____ c:\windows\system32\winlogon.exe (780)
    _____ c:\windoWs\system32\svchost.exe (932)
    _____ c:\windows\Microsoft.Net\Framework\v3.0\wPF\presentationFontCache.exe (972)
    _____ c:\windows\system32\svchost.exe (1016)
    _____ c:\windows\system32\svchost.exe (1048)
    _____ c:\windows\system32\Ati2evxx.exe (1152)
    _____ c:\windows\system32\svchost.exe (1164)
    _____ c:\windows\system32\svchost.exe (1204)
    _____ c:\windows\system32\svchost.exe (1220)
    Locked audiodg.exe (1336)
    _____ c:\windows\system32\sLsvc.exe (1376)
    _____ c:\windows\system32\svchost.exe (1468)
    _____ c:\windows\system32\svchost.exe (1592)
    _____ c:\windows\system32\Ati2evxx.exe (1700)
    _____ c:\windows\system32\spoolsv.exe (1836)
    _____ c:\windows\system32\svchost.exe (1860)
    _____ C:\windows\system32\Dwm.exe (388)
    _____ c:\windows\system32\taskeng.exe (592)
    _____ c:\windows\Explorer.EXE (1000)
    _____ c:\program Files\common Files\Acronis\schedule2\schedu12.exe (2044)
    _____ c:\windows\system32\svchost,exe (1212)
    _____ c:\program Files\TOSHIBA\ConfigFree\cFsvcs,exe (384)
    _____ c:\program Files\olympus\DeviceDetector\DM1service.exe (904)
    _____ c:\windows\system32\svchost.exe (1036)
    _____ c:\program Files\Intel\Intel Matrix storage Manager\IAANTMon.exe (392)
    _____ c:\windows\system32\svchost.exe (1412)
    _____ c:\windows\system32\svchost.exe (2028)
    _____ c:\windows\system32\svchost.exe (2056)
    _____ c:\program Files\TOSHIBA\TOSHIBA DVD PLAYER\TNaviSrv.exe (2084)
    _____ c:\windows\system32\ToDDSrv.exe (2104)
    _____ c:\program Fi 1 es\ TOSHIBA \power Saver\ TosCoSrv. exe (2172)
    _____ c:\program Files\Toshiba\Bluetooth Toshiba stack\TosBtSrv.exe (2212)
    _____ C;\windows\system32\uAservice7.exe (2284)
    _____ c:\windows\system32\svchost.exe (2300)
    _____ c:\windows\system32\Searchlndexer.exe (2332)
    _____ c:\program Files\windows Defender\MsAscui.exe (3508)
    _____ c:\program Files\TosHIBA\Toshiba online Product Information\TOPI.exe (3556)
    _____ c:\windows\RtHDVCpl.exe (3564)
    _____ c:\program Files\TOSHIBA\power Saver\TPWrMain.exe (3572)
    _____ c:\program Files\TosHIBA\Smoothview\smoothview.exe (3592)
    _____ c:\program Files\TOSHIBA\Flashcards\TcrdMain.exe (3600)
    _____ c:\program Files\ToSHIBA\configFree\NDSTray.exe (3608)
    _____ c:\program Files\Intel\I.ntel Matrix Storage Manager\IMnotif.exe (3624)
    _____ c:\program Files\common Files\Acronis\schedule2\schedhlp.exe (3640)
    _____ c:\program Files\QuickTime\qttask.exe (3648)
    _____ D:\program Files\iTunes\iTunesHelper.exe (3656)
    _____ c:\program Files\epson\creativity Suite\Event Manager\EEventManager.exe (3664)
    _____ c:\program Files\HP\HP software update\hpwuschd2.exe (3672)
    _____ c:\program Files\HP\Digital Imaging\bin\HpqsRmon.exe (3680)
    _____ c:\program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (3700)
    _____ c:\program Files\ipod\bin\iPodService.exe (2276)
    _____ c:\program Files\ToSHIBA\ConfigFree\CFswMgr.exe (2916)
    _____ c:\windows\system32\taskeng.exe (3488)
    Locked dllhost.exe (3184)
    D:\users\Kie\Desktop\Rooter.exe (1272)
    .
    ----------------------\\ Device\Harddisk0\
    .
    \Device\Harddisk0 [sectors: 63 x 512 Bytes]
    \Device\Harddisk0\partition1 (Start_offset:1048576 | Length:1572864000)
    \Device\Harddisk0\part;tion2 --[ MBR ]-- (Start_offset:1573912576 | Length:86894444544)
    \Device\Harddisk0\partition3 (Start_Offset:88468357120 | Length:68157440000)
    \Device\Harddisk0\partition4 (Start_Offset:237850421760 | Length:12206315520)
    .
    ----------------------\\ Scheduled Tasks
    .
    c:\Windows\Tasks\Applesoftwareupdate.job
    c:\windows\Tasks\Google software updater.job
    c:\windows\Tasks\SA.DAT
    c:\windows\Tasks\sCHEDLGU.TXT
    c:\windows\Tasks\user_Feed_synchronization-{364B15A7-9ABD-47BF-BD4E-c8850BA667FD }. job
    .
    ----------------------\\ Registry
    .
    ----------------------\\ Files & Folders
    .
    ----------------------\\ Scan completed at 03:23.48
    .
    C:\Rooter$\Rooter_2.txt - (15/08/2009 I 03:23.48)


    Thanks again for your help,

    Rosie

  2. #32
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208

    Hello Rosie,

    Rooter did not find anything bad.

    Outside of no internet, how is your system running now??
    Last edited by ken545; 2009-08-15 at 06:01.
    Microsoft MVP Consumer Security 2007-2008-2009-2010-2011-2012-2013-2014

    ERROR MESSAGE 386
    No KeyBoard Detected
    Press F1 To Continue

    Just a reminder that threads will be closed if no reply in 3 days.

  3. #33
    Member
    Join Date
    Aug 2009
    Location
    London, UK
    Posts
    35

    Apart from the Internet, it seems to be fine, Ken.

    Rosie

  4. #34
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208

    Rosie,

    I am going to leave this thread open for you for a week or so in case you need to post back. What I would like you to do is post on this Windows forum, it's our sister site, tell them you have no internet, that you posted here and we removed Vundo, a Rogue Antimalware Program and a Rootkit and that now you cannot access the internet. They can help you get back online. We just do malware removal in this forum. You can also link them to this thread so they can see what we have done.

    http://forums.spybot.info/showthread.php?t=50685



    Post here, let me know if they helped you
    http://forums.whatthetech.com/Browse...mail_f123.html

    Good Luck,

    Ken

  5. #35
    Member
    Join Date
    Aug 2009
    Location
    London, UK
    Posts
    35

    I'm very grateful for all your help, Ken. Thank you!

    I'll do as you advise re: posting on the other site and let you know the outcome.

    What security protection would you advise my nephew to have on his now clean laptop to stop re-infection? Programs which update automatically might be advisable, perhaps.

    Rosie

  6. #36
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208

    Looks like you have Symantec Anti Virus installed, just keep it updated and run a scan at least once a week.

    Malwarebytes <-- This is the free version and yours to keep, open a few times a month, check for updates and run the Quick Scan removing what it finds.

    Windows Defender <-- You also have this installed, you can find it to run on Start > All Programs > Windows Defender.

    Keep in mind if you install some of these programs. Only ONE Anti Virus and only ONE Firewall is recommended, more is overkill and can cause you problems. You can install all the Spyware programs I have listed without any problems. If you install Spyware Blaster and Spyware Guard, they will conflict with the TeaTimer in Spybot, you can still install Spybot Search and Destroy but do not enable the TeaTimer.

    Here are some free programs to install, all free and highly regarded by the fine people in the Malware Removal Community
    • Spybot Search and Destroy 1.6
      Check for Updates/Immunize and run a Full System Scan on a regular basis. If you install Spyware Blaster (Recommended) then do not enable the TeaTimer in Spybot Search and Destroy.
    • Spyware Blaster
      It will prevent most spyware from ever being installed. No scan to run, just update about once a week and enable all protection.
    • Spyware Guard
      It offers realtime protection from spyware installation attempts, again, no scan to run, just install it and let it do its thing.
    • IE-Spyad
      IE-Spyad places over 6000 web sites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (cookies etc) from the sites listed, although you will still be able to connect to the sites.
    • Firefox 3
      It has more features and is a lot more secure than IE. It is a very easy and painless download and install, it will in no way interfere with IE, you can use them both.



    Rosie, when you post in the other forum, post the link back here in this thread so I can follow along.

    Ken

  7. #37
    Member
    Join Date
    Aug 2009
    Location
    London, UK
    Posts
    35

    Thanks for the advice, Ken. Once I can get him on-line again I'll download your suggestions.

    The Symantec, like the F-Secure, were time-limited programs that came with his laptop. He usually uses AVG which I have reinstalled and updated via CD from my laptop.

    How do I get rid of the remnants of these old programs, I wonder? Will they interfere with AVG?

    Rosie

  8. #38
    Member
    Join Date
    Aug 2009
    Location
    London, UK
    Posts
    35

    Hi Ken

    Here's the link to the other forum (I think!):
    http://forums.whatthetech.com/LAN_co...s_t106157.html

    Rosie

  9. #39
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208

    Rosie,

    I am linked to WTT so I can follow along.

    Post a new HJT log and let me see what's installed.

    Let me ask you a couple of questions also.

    1. Do you have DSL or Cable Internet?
    2. Do you use a Router?

  10. #40
    Member
    Join Date
    Aug 2009
    Location
    London, UK
    Posts
    35

    Hello Ken

    I use a cable modem. I do not have a router.

    I'll post a new HJT log later tonight or tomorrow.

    Thanks for your help,

    Rosie
