I am getting repeated warnings about a virus of this family type in the Windows Update download from Microsoft. I never get an option to clean or isolate the problem, just an “abort connection” option which doesn’t seem to abort anything… and the warning again in 30 seconds or so.
Are you sure that you’re going to a legitimate Windows Update site?
If so, you can disable WebShield provider for a while and see if you can finish the update…
Can you post the results?
Hi Dewbacca,
The warning you got is from the new avast WebShield, which only became available in 4.6.
The WebShield stops the infection (by letting you press abort) well before it even gets near your system, so if you got this warning, you are not infected.
I have just tried Windows Update and it seems fine. Also, this sounds like malware; I suggest you run through the steps/instructions at the link below to make sure your system is clean, and afterwards post a HijackThis log (accessible from the link below as well) here so we can confirm your system is clean.
http://members.home.nl/edeijl/ache/cleaning.htm
If so, you can disable WebShield provider for a while and see if you can finish the update... Can you post the results?
Surely this would just allow the user to be infected, therefore defeating the objective of the WebShield?
And the Windows Update server is working fine for me; I do however believe she has been hijacked (most likely his/her hosts file) to a fake Windows Update site.
–lee
Ok, you’re right in some way.
I was just trying to allow the user to update Windows…
If the Standard Shield is set to High sensitivity (which is the default), the user should not fear disabling WebShield 8)
Ok, the download is complete and installed, so you are correct, sir, that the problem is not Windows Update or its site.
I have run Ad-Aware SE and removed a fair number of objects, including a few browser hijack attempts, but I am still getting the virus alert from Avast.
“h:t:t:p://au.download.windowsupdate.com/msdownload/update/v5/psf/windowsxp-kb887742-x86-enu_726044e097a719719d048eb87bd9cc199e6d0116.psf” is what the warning is calling the “File” affected.
Here is my HijackThis log:
Logfile of HijackThis v1.99.1
Scan saved at 8:50:37 PM, on 3/16/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\S3apphk.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\LXSUPMON.EXE
C:\Program Files\BellSouth\Connection Tool\IPClient.exe
C:\Program Files\BellSouth\Connection Tool\IPMon32.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\FASTDE~1\FAST2.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\BellSouth Accelerator Technology\propelac.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\Roxane\LOCALS~1\Temp\Rar$EX0c.c10\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.bellsouth.net/brw_minisearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://home.bellsouth.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/ymsgr/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://home.bellsouth.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Bellsouth® Internet Service
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080
R3 - Default URLSearchHook is missing
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
O2 - BHO: (no name) - {82315A18-6CFB-44a7-BDFD-90E36537C252} - (no file)
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
O4 - HKLM..\Run: [S3apphk] S3apphk.exe
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [LXSUPMON] C:\WINDOWS\system32\LXSUPMON.EXE RUN
O4 - HKLM..\Run: [IPInSightLAN 01] “C:\Program Files\BellSouth\Connection Tool\IPClient.exe” -l
O4 - HKLM..\Run: [IPInSightMonitor 01] “C:\Program Files\BellSouth\Connection Tool\IPMon32.exe”
O4 - HKLM..\Run: [Propel Accelerator] “C:\Program Files\BellSouth Accelerator Technology\trayctl.exe” /STARTUPLAUNCH
O4 - HKLM..\Run: [QuickTime Task] “C:\Program Files\QuickTime\qttask.exe” -atboottime
O4 - HKLM..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU..\Run: [seticlient] C:\Program Files\SETI@home\SETI@home.exe -min
O4 - HKCU..\Run: [FAST Defrag] C:\PROGRA~1\FASTDE~1\FAST2.EXE -tray
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Refresh Pa&ge with Full Quality - C:\Program Files\BellSouth Accelerator Technology\pac-page.html
O8 - Extra context menu item: Refresh Pi&cture with Full Quality - C:\Program Files\BellSouth Accelerator Technology\pac-image.html
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra ‘Tools’ menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://home.bellsouth.net
O16 - DPF: Yahoo! Bingo - http://download.games.yahoo.com/games/clients/y/xt0_x.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {99802379-7362-40E2-9D28-8A3B9AF880B7} - http://hotsearchbar.com/toolbar2/winhot32.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip..{B1E02E19-01EF-4123-AF03-054BC22212EF}: NameServer = 205.152.37.254 205.152.132.235
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
Ohhh, and Dewbacca is a he, and this is from his (my) wife’s computer… AND I AM NOT A LLAMA. hahaha
Ok, running Spybot S&D turned up an error, the first time it has ever failed for me.
Error during check!: Xuron55.Installdollars (Datei C:\WINDOWS\win.ini kann nicht geöffnet werden. The process cannot access the file because it is being used by another process) ()
ClearSearch.Net: Interface (Registry key, nothing done)
HKEY_CLASSES_ROOT\Interface{0F2A4ADC-DABF-4980-8DB4-19F67D7B1F95}
eAcceleration: Program group (Directory, nothing done)
C:\Documents and Settings\Roxane\Start Menu\Programs\filesubmit\
IE Plugin: Picture (File, nothing done)
C:\WINDOWS\logo.ico
Going to try to fix what I can here and reboot.
Hi Dewbacca,
THESE ITEMS ARE EITHER HARMFULL OR A SECURITY RISK
WE STRONGLY RECOMMEND TO FIX THEM :
r1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.bellsouth.net/brw_minisearch
r1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://home.bellsouth.net
r1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://home.bellsouth.net/
r3 - default urlsearchhook is missing
o2 - bho: (no name) - {82315a18-6cfb-44a7-bdfd-90e36537c252} - (no file)
o4 - HKLM..\Run: [IPInSightLAN 01] “C:\Program Files\BellSouth\Connection Tool\IPClient.exe” -l
o16 - dpf: yahoo! bingo - http://download.games.yahoo.com/games/clients/y/xt0_x.cab
o16 - dpf: {00b71cfb-6864-4346-a978-c0a14556272c} (checkers class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
o16 - dpf: {0e5f0222-96b9-11d3-8997-00104bd12d94} (pcpitstop utility) - http://pcpitstop.com/pcpitstop/pcpitstop.cab
o16 - dpf: {99802379-7362-40e2-9d28-8a3b9af880b7} - http://hotsearchbar.com/toolbar2/winhot32.cab
o16 - dpf: {a17e30c4-a9ba-11d4-8673-60db54c10000} (yahooymailto class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
o16 - dpf: {b38870e4-7ecb-40da-8c6a-595f0a5519ff} (msnmessengersetupdownloadcontrol class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
HARMFULL ITEMS IN THE DOCUMENTS AND SETTINGS FOLDER(S) :
Nothing found.
THE FOLLOWING ITEMS ARE NOT NEEDED TO LOAD
AT BOOTTIME FOR THE SYSTEM TO WORK PROPERLY :
o4 - global startup: microsoft office.lnk = c:\program files\microsoft office\office\osa9.exe
o4 - HKLM..\Run: [LXSUPMON] C:\WINDOWS\system32\LXSUPMON.EXE RUN
This is not Windows Update:
"h:t:t:p://au.download.windowsupdate.com/msdownload/update/v5/psf/windowsxp-kb887742-x86-enu_726044e097a719719d048eb87bd9cc199e6d0116.psf" is what the warning is calling the "File" affected.
This is: http://windowsupdate.microsoft.com (does it go to the fake update site you gave above when you click on the Windows Update icon?)
Anyway, now reboot your system, then re-run Spybot and Ad-Aware SE.
Also, I suggest you download, install, update and run SpywareBlaster: http://www.wilderssecurity.net/spywareblaster.html (keep it up to date); it will help prevent spyware.
Also, I see no active firewall. If you don’t have a hardware firewall (usually in a router), I suggest you get a free software firewall called ZoneAlarm: http://download.zonelabs.com/bin/free/1012_zl/zlsSetup_55_062_011.exe
After that I suggest a Boot-Time scan with avast set to scan within archives (open the avast scanner > Menu (top left hand corner) > Boot-Time scan).
Then your system should be clean/fine; if not, post back with a new HijackThis log and let us know.
–lee
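As an added illustration (not code from this thread, from HijackThis or from avast), here is a small Python triage pass over lines in the HijackThis log format that flags the kinds of entries lee singled out: a browser proxy pointing at localhost, the missing URLSearchHook, a BHO whose DLL is gone, ActiveX (O16) downloads from hosts outside an allowlist, and services whose file is missing. The sample lines are modelled on the log above and the allowlist of DPF hosts is constructed for the example.

```python
import re

# Constructed sample in HijackThis v1.99 format, modelled on the log in the thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080
R3 - Default URLSearchHook is missing
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
O2 - BHO: (no name) - {82315A18-6CFB-44a7-BDFD-90E36537C252} - (no file)
O16 - DPF: {99802379-7362-40E2-9D28-8A3B9AF880B7} - http://hotsearchbar.com/toolbar2/winhot32.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
"""

# Constructed allowlist: hosts from which an O16 ActiveX download is expected.
# Anything else is flagged for a human to review, not deleted automatically.
TRUSTED_DPF_HOSTS = {"messenger.msn.com", "messenger.zone.msn.com"}


def triage_line(line):
    """Return (section, reason) if the line looks suspicious, else None."""
    section, _, rest = line.partition(" - ")
    if section == "R1" and "ProxyServer" in rest:
        # A proxy at localhost routes all browser traffic through a local program;
        # accelerators do this legitimately, hijackers do it too, so surface it.
        return (section, "browser proxy set: " + rest.split("=", 1)[1].strip())
    if section == "R3" and "missing" in rest:
        return (section, "default URLSearchHook missing")
    if section == "O2" and rest.endswith("(no file)"):
        # A BHO CLSID registered with no DLL on disk is leftover from a removal
        # or a broken install; either way it should not stay registered.
        return (section, "BHO registered but DLL absent: " + rest.split(" - ")[1])
    if section == "O16":
        host = re.search(r"https?://([^/]+)/", rest)
        if host and host.group(1).lower() not in TRUSTED_DPF_HOSTS:
            return (section, "ActiveX from untrusted host: " + host.group(1))
    if section == "O23" and rest.endswith("(file missing)"):
        return (section, "service path broken: " + rest.split(" - ")[0])
    return None


def triage(log_text):
    """Run triage_line over every line of a log and collect the findings."""
    findings = []
    for line in log_text.strip().splitlines():
        hit = triage_line(line)
        if hit:
            findings.append(hit)
    return findings


if __name__ == "__main__":
    for section, reason in triage(SAMPLE_LOG):
        print(section, reason)
```

The allowlist approach deliberately errs toward flagging: an O16 entry from an unlisted host is a review item, exactly as lee treated the Yahoo and PCPitstop controls.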