Computer Security & Viruses/no windows update, possible malware
Expert: Brian Benosky - 2/15/2009
QUESTION: Recently my Windows XP SP3 pc has apparently become affected by virus(es), and the only unusual behavior I am now experiencing is the inability to acquire updates from Windows Update, either automatically or manually via the Windows Update site. My active anti-virus security program during these encounters with the viruses was Trend Micro PC-cillin Internet Security, which I had always kept regularly updated with all its most recent updates. In addition, prior to this unusual behavior, and currently as well, I have always kept Windows Update set to automatic update on my pc, and have always routinely downloaded/installed all the important Windows updates from Windows Update in that manner.
Now I am noticing that whenever I go online with that pc, the yellow Windows Update shield icon soon appears down in the taskbar. When I run the mouse pointer over the icon, the small info text appears stating "Downloading updates 0%." However, regardless of how long I might wait, there is no increase beyond the 0%, and no updating occurs. If I go to the Microsoft Windows Update site and have it check my pc for needed updates, the result is now just the following info from the update site which I have quoted below to post here for description:
"To use Microsoft Update, you must first install the latest version of some Windows components. This will allow your computer to work with these new features on the site:
More updates: Get updates for Windows and for popular Microsoft programs such as Microsoft Office in one place.
Faster updates: The latest Windows Installer (MSI) improves the way updates are installed, delivering updates in the smallest possible packages in the shortest amount of time.
Easier navigation: Now you can find updates by priority or by product while helpful links and important messages help ensure you are installing all high-priority updates for your computer.
download and install now."
At the box where there is an option to select a button for either the Express or Custom method, either button pressed results in the following stated message "Software Upgrade for some Windows Components required," with details indicating that would be the Windows Genuine Advantage Validation Tool KB892130.
Below the above text is then an "Install Updates" button, and when pushed a box appears that says "Installing updates" and "updates are being downloaded and installed" and a downloading bar appears but then never begins downloading but just sits there stalled and never begins progressing at all.
For one thing, I'm fairly certain in the first place that I have already downloaded and installed the "validation tool" mentioned above in the past, but I am not really sure whether I actually require some new updated version of it or whether Windows Update doesn't really detect what specific updates I currently have or need on my pc at all. Regardless, obviously Windows Update will not function and the results are now always just as described.
The virus log within the Trend Micro program contains the following item, TROJ-KRYPTIC.GS, in its "Quarantined" virus section of the log, logged on February 7, which is the date the program detected it. It was not until Feb 11 or 12 that the Windows Update yellow shield icon in the taskbar began appearing when the pc was online, stating the "downloading updates 0%" info.
Also, when online yesterday Feb 14 the Trend Micro program detected and then quarantined the following two additional virus(es), as shown in its log for that date: TROJ_DROPPER.HBO, TROJ_FAKEALER.UN, and TROJ_FAKEALER.RV.
As I mentioned, the only apparent unusual behavior so far since the pc has first encountered these viruses is the inability to acquire Windows updates. Full scanning at this time with the Trend Micro program detects no infections and finishes with no problems detected. For further investigation I downloaded and ran the Malwarebytes anti-malware program and it then detected/quarantined the following (copied from its log):
Malwarebytes' Anti-Malware 1.34
Database version: 1763
Windows 5.1.2600 Service Pack 3
2/14/2009 8:04:14 PM
mbam-log-2009-02-14 (20-04-14).txt
Scan type: Quick Scan
Objects scanned: 65455
Time elapsed: 4 minute(s), 21 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 6
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 2
Files Infected: 1
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CLASSES_ROOT\xml.xml (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\xml.xml.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{2b96d5cc-c5b5-49a5-a69d-cc0a30f9028c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{500bca15-57a7-4eaf-8143-8c619470b13d} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Cognac (Rogue.) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\CrucialSoft Ltd (Rogue.MSantispyware2009) -> Quarantined and deleted successfully.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
C:\Documents and Settings\All Users.WINDOWS\Application Data\CrucialSoft Ltd (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users.WINDOWS\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009 (Rogue.Multiple) -> Quarantined and deleted successfully.
Files Infected:
C:\Program Files\setup.exe (Rogue.Installer) -> Quarantined and deleted successfully.
The issue continues as I explained, involving the inability to obtain the Windows updates through either the automatic or the manual method, with the yellow Windows Update icon appearing in the taskbar and sitting at 0% progress. Further scanning with either the Trend Micro or the Malwarebytes program comes up clean at this time. The current HijackThis log (while the machine is online but the Windows Update icon is not showing in the taskbar) is as follows:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:08:54 PM, on 2/15/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\WINDOWS\System32\alg.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Steve\Desktop\hijakthis\HiJackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.att.net/ie4/search/index.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.att.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R3 - URLSearchHook: &Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1629.0\en-us\msntb.dll
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -scheduler
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL= http://www.att.net
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/softwareupdate/su/ocx/15031/CTSUEng.cab
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - http://ipgweb.cce.hp.com/rdqaio2/downloads/sysinfo.cab
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://www.lynden.com/aml/sars/mgaxctrl.cab?Version=6,5,5,15
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_si
O16 - DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} (NVIDIA Smart Scan) - http://www.nvidia.com/content/DriverDownload/nforce/NvidiaSmartScan.cab
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - http://ipgweb.cce.hp.com/rdqaio/downloads/msxml4.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/softwareupdate/su/ocx/15035/CTPID.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{68782A14-677A-4EA7-8BC3-72D1C8A32C37}: NameServer = 209.112.128.2 204.17.139.2
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: Symantec RemoteAssist - Symantec, Inc. - C:\Program Files\Common Files\Symantec Shared\Support Controls\ssrc.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
--
End of file - 6102 bytes
Any assistance to help resolve this issue would be greatly appreciated.
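The Malwarebytes log quoted above has a regular shape (per-section counts, then one line per detection with its location, family and action), which makes it easy to triage mechanically. The parser below is an added example and not part of the original post or of Malwarebytes; its sample input is the log from the post, shortened to the count lines and detections and with the forum's line wraps removed. It reconciles the declared counts against the listed items (a mismatch means a truncated or edited log) and pulls out the entries that belong to fake anti-virus families.

```python
import re
from collections import Counter

# Constructed sample: the Malwarebytes' Anti-Malware 1.34 log quoted in the post,
# shortened to its count lines and detections, with the forum's line wraps removed.
SAMPLE_LOG = r"""
Registry Keys Infected: 6
Registry Values Infected: 0
Folders Infected: 2
Files Infected: 1

Registry Keys Infected:
HKEY_CLASSES_ROOT\xml.xml (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\xml.xml.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{2b96d5cc-c5b5-49a5-a69d-cc0a30f9028c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{500bca15-57a7-4eaf-8143-8c619470b13d} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Cognac (Rogue.) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\CrucialSoft Ltd (Rogue.MSantispyware2009) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Folders Infected:
C:\Documents and Settings\All Users.WINDOWS\Application Data\CrucialSoft Ltd (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users.WINDOWS\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009 (Rogue.Multiple) -> Quarantined and deleted successfully.

Files Infected:
C:\Program Files\setup.exe (Rogue.Installer) -> Quarantined and deleted successfully.
"""

SUMMARY_RE = re.compile(r"^(?P<section>[\w ]+ Infected): (?P<count>\d+)$")   # "Files Infected: 1"
HEADER_RE = re.compile(r"^(?P<section>[\w ]+ Infected):$")                    # "Files Infected:"
ITEM_RE = re.compile(r"^(?P<location>.+?) \((?P<family>[^()]*)\) -> (?P<action>.+)$")

def parse_mbam_log(text):
    """Return ({section: declared count}, [items]); each item has section, location, family, action."""
    summary, items, section = {}, [], None
    for line in (l.strip() for l in text.splitlines()):
        if m := SUMMARY_RE.match(line):
            summary[m["section"]] = int(m["count"])
        elif m := HEADER_RE.match(line):
            section = m["section"]
        elif (m := ITEM_RE.match(line)) and section:   # "(No malicious items detected)" never matches
            items.append({"section": section, **m.groupdict()})
    return summary, items

def reconcile(summary, items):
    """Sections whose declared count differs from the items actually listed, as (declared, listed)."""
    listed = Counter(i["section"] for i in items)
    return {s: (n, listed[s]) for s, n in summary.items() if n != listed[s]}

def rogue_indicators(items):
    """Locations tied to fake anti-virus families (Rogue.* and Trojan.FakeAlert), the class in this scan."""
    return [i["location"] for i in items
            if i["family"].startswith("Rogue.") or i["family"] == "Trojan.FakeAlert"]
```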
ANSWER: Hi Steve
Please download ComboFix from this link:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
Save it to your desktop.
Double-click on the ComboFix icon found on your desktop. Please note that once you start ComboFix you should not click anywhere on the ComboFix window, as it can cause the program to stall. You should now press the number 1 key and then press the Enter key to continue. ComboFix will now start scanning your computer for known infections. This procedure can take some time, so please be patient. If you see your Windows desktop disappear, do not worry. This is normal, and ComboFix will restore your desktop before it is finished. ComboFix may also restart your computer. Do not intervene. Eventually you will see a new screen that states that the program is almost finished and tells you that the program's log file, or report, will be located at C:\ComboFix.txt. It will then display the log file automatically for you. Post me that log in a follow-up.
Before posting, run the Windows Update to see if it works.
Brian
---------- FOLLOW-UP ----------
QUESTION: Hi Brian,
When I attempted to go to the site you mentioned to download ComboFix, I got a big page popping up on my screen that said Trend Micro blocked that site, that it was classified as an undesirable website and its credibility was dangerous. Obviously I did not continue, and I closed out trying to go to the site. Please advise. Thank you.
ANSWER: Hi Steve
It seems Trend does not like competition. Make sure your browser is not being redirected...click directly on that link and the download should begin automatically. I assure you that ComboFix is a safe tool for malware removal. You can read about it below, where there are other sites listed to download the program from:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Brian
---------- FOLLOW-UP ----------
QUESTION: Hi Brian,
The bleepingcomputer link you initially provided to download ComboFix I manually entered into the address bar of the affected computer, as I am online on another pc instead of the affected one while doing this correspondence with you about the issue. I can go to the second bleepingcomputer page you mention (how-to-use-combofix) on the affected pc and try to access the download from the other sites listed there, and hopefully my Trend Micro program will not block those sites too. I do not doubt your assurance that ComboFix is a safe tool to use. However, before I make a further attempt to download and run the program, would you care to comment first on the info about ComboFix I came across at this site, please:
http://www.scribd.com/doc/11258626/Combofix-is-It-Safe-Dont-Download-Combofix-Un
thanks again
ANSWER: Hi Steve
I'd be happy to comment on the article you mention. It was written as an ad-link for Spyware Doctor, a spyware remover. The owner of the website mentioned at the end of the "article":
http://www.thebestspywareremovers.com/
is paid by PCTools, maker of Spyware Doctor, for every link to download clicked from his site. Any site which claims to have "the best spyware removers", yet only lists one, cannot be trusted. Note also the other posts that this person made:
http://www.scribd.com/Antispyware%20Guide
They all link to a third party advertisement for Spyware Doctor.
I do not recommend ComboFix for every malware removal process, but judging by the infection you had and the symptoms, I believe that ComboFix is a good way to go. Read through the bleepingcomputer.com instructions, and no harm will come. If you still feel like you do not wish to run it, I understand and certainly won't ridicule you.
You may attempt to fix Windows Genuine Advantage (which Microsoft updates every few months) directly by following these instructions:
1. Download psexec.exe from:
http://www.sysinternals.com/Utilities/PsExec.html and put the file in root directory (C:\)
2. Download the WGA update executable from:
http://www.download.windowsupdate.com/msdownload/update/v3-19990518/cabpool/wind and install into C:\temp.
3. Rename the file in C:\temp to WGA.exe (not necessary, but a way shorter name than windowsxp-kb892130-enu-x86_7e1189ce89fb0c693cad6432a4c2f982dcea49a0.exe).
4. Open a command line by clicking Start->Run->then type cmd and hit OK.
5. At the DOS command prompt type (or copy and paste):
psexec -i -s c:\temp\WGA.exe
Hit Enter
6. Exit cmd.
If you run ComboFix, you may still need to use the method above to reset WGA and get your updates, so either way, let me know how you make out.
Brian
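Step 3 of the procedure above renames the package to WGA.exe, which throws away the one integrity check the download carries: the 40 hex characters after the underscore in a Windows Update package filename are the file's SHA-1. The check below is an added example, not part of the answer or of any Microsoft tooling; it extracts that digest from the name and compares it with the hash of the downloaded bytes so the file can be verified before it is renamed and run as SYSTEM.

```python
import hashlib
import re

# Windows Update packages (such as the KB892130 file named in step 3) end in
# "_<40 hex chars>.exe", the SHA-1 of the package itself.
NAME_HASH_RE = re.compile(r"_(?P<sha1>[0-9a-fA-F]{40})\.exe$")

def embedded_sha1(filename):
    """Lowercase SHA-1 carried in the package filename, or None if the name has none (e.g. WGA.exe)."""
    m = NAME_HASH_RE.search(filename)
    return m["sha1"].lower() if m else None

def verify_package(filename, data):
    """True only when the bytes hash to the digest the filename promises.

    A filename without a digest is refused rather than trusted, which is why
    this check has to run before the rename in step 3, not after it."""
    expected = embedded_sha1(filename)
    if expected is None:
        return False
    return hashlib.sha1(data).hexdigest() == expected

def verify_package_file(path):
    """Convenience wrapper for a downloaded package on disk (Windows or POSIX path)."""
    name = re.split(r"[\\/]", path)[-1]
    with open(path, "rb") as fh:
        return verify_package(name, fh.read())

if __name__ == "__main__":
    import sys
    for p in sys.argv[1:]:
        print(p, "OK" if verify_package_file(p) else "MISMATCH or no digest in name")
```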