Author Topic: I CANT UPDATE AVAST HOME EDITION! CONFICKER??? PLEASE HELP  (Read 25270 times)


ASAR25

  • Guest
Re: I CANT UPDATE AVAST HOME EDITION! CONFICKER??? PLEASE HELP
« Reply #30 on: April 02, 2009, 10:57:43 PM »
Today I downloaded this: http://www.bdtools.net/
the BitDefender removal tool for Conficker, hoping it will remove it. But Mozilla instantly crashed on that page, so I opened it again, downloaded it and ran a scan, and in the middle of the progress bar on the scanner the program just reports: no problem found. Hm, strange behaviour.
 :(

micky77

  • Guest
Re: I CANT UPDATE AVAST HOME EDITION! CONFICKER??? PLEASE HELP
« Reply #31 on: April 03, 2009, 07:05:21 AM »
To fix O1 - Hosts: 66.98.148.65 auto.search.msn.es, open HJT, choose scan only, put a tick in the box next to that entry, then choose fix selected. Although I think there may be another underlying problem elsewhere.

ASAR25

  • Guest
Re: I CANT UPDATE AVAST HOME EDITION! CONFICKER??? PLEASE HELP
« Reply #32 on: April 04, 2009, 10:43:41 PM »
This is the new HijackThis log I made today.
I selected all the scanners and files that you suggested to me and fixed them all from the old HJT log.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:37:31, on 4.4.2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.hr/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: RoboForm - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [ccleaner] "C:\Program Files\CCleaner\CCleaner.exe" /AUTO
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Ispuni obrasce - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: Prilagodi izbornik - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: RF Alatna traka - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Spremi obrasce - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: Ispuni obrasce - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Ispuni obrasce - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Spremi - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Spremi obrasce - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RF Alatna traka - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1238439717937
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Google Update Service (gupdate1c987047ad7ad86) (gupdate1c987047ad7ad86) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe

--
End of file - 7262 bytes


I installed SUPERAntiSpyware Professional and... guess what... can't update. :(
The message I was getting was:

generic host process for win32 services has encountered a problem and needs to close we are sorry ....

and in the technical description these locations were shown:

c:/DOCUME~1/sasa/LOCALS~1/TEMP/WER fbfc.dir00/cvchost.exe.mdmp
and
c:/DOCUME~1/sasa/LOCALS~1/TEMP/WER fbfc.dir00/appcompat.txt

But I did a complete scan with SUPERAntiSpyware and it found 2 viruses. Here is the log:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 04/04/2009 at 10:26 PM

Application Version : 4.26.1000

Core Rules Database Version : 3816
Trace Rules Database Version: 1770

Scan type       : Complete Scan
Total Scan Time : 00:14:28

Memory items scanned      : 380
Memory threats detected   : 0
Registry items scanned    : 4691
Registry threats detected : 1
File items scanned        : 12518
File threats detected     : 1

Trojan.DNSChanger-Codec
   HKU\S-1-5-21-1757981266-963894560-725345543-1003\Software\WinSpyControlDownloader

Trojan.SVCHost/Fake
   C:\DOCUMENTS AND SETTINGS\SASA\APPLICATION DATA\THINSTALL\CSDATA\1000000600002I\SVCHOST.EXE



ASAR25

  • Guest
Re: I CANT UPDATE AVAST HOME EDITION! CONFICKER??? PLEASE HELP
« Reply #33 on: April 04, 2009, 10:44:36 PM »
Now I'll remove Java and install the new one.

CharleyO

  • Guest
Re: I CANT UPDATE AVAST HOME EDITION! CONFICKER??? PLEASE HELP
« Reply #34 on: April 05, 2009, 07:03:08 AM »
***

Your latest HJT log looks good ... nothing to report except the absence of a firewall and I suppose you are using Windows firewall.


***

micky77

  • Guest
Re: I CANT UPDATE AVAST HOME EDITION! CONFICKER??? PLEASE HELP
« Reply #35 on: April 05, 2009, 10:43:29 AM »
That's excellent, SAS has found the pigs that are stopping you updating your programs.

 You can update SAS manually ( use another pc ) http://www.superantispyware.com/definitions.html

I take it you removed both threats. Try another scan; if they return, reboot in safe mode ( F8 key ) and scan :D
« Last Edit: April 05, 2009, 11:17:24 AM by micky77 »

ASAR25

  • Guest
Re: I CANT UPDATE AVAST HOME EDITION! CONFICKER??? PLEASE HELP
« Reply #36 on: April 05, 2009, 08:43:04 PM »
I installed http://www.freedrweb.com

Dr. Web found:
ZAN2EA.exe.bac_a01120\data005;C:\Documents and Settings\Sasa\.housecall6.6\Quarantine\ZAN2EA.exe.bac_a01120;Trojan.Popclick.44;;
ZAN2EA.exe.bac_a01120;C:\Documents and Settings\Sasa\.housecall6.6\Quarantine;Archive contains infected objects;Moved.;
ZAN2EA.exe.bac_a02428\data005;C:\Documents and Settings\Sasa\.housecall6.6\Quarantine\ZAN2EA.exe.bac_a02428;Trojan.Popclick.44;;
ZAN2EA.exe.bac_a02428;C:\Documents and Settings\Sasa\.housecall6.6\Quarantine;Archive contains infected objects;Moved.;
bd_rem_tool_console.exe;C:\Documents and Settings\Sasa\Desktop\New Folder;Probably MULDROP.Trojan;Moved.;

Some problems were automatically moved to quarantine and some were moved... where (don't know).

I did not understand how I can update SUPERAntiSpyware manually with another computer.

micky77

  • Guest
Re: I CANT UPDATE AVAST HOME EDITION! CONFICKER??? PLEASE HELP
« Reply #37 on: April 05, 2009, 09:57:09 PM »
All those files named ZAN2EA.exe.bac appear to be from what Trend Micro's HouseCall online scanner found ::) Did HouseCall find anything? Or maybe it's something to do with the scanner.
http://forum.avast.com/index.php?topic=43784.msg366285#msg366285
The last 'threat' found by Drweb is the tool you used
http://forum.avast.com/index.php?topic=43784.msg367582#msg367582 from bit defender

So all in all it looks like everything Drweb found was no harm at all.

To update SAS manually, download the definitions from another PC and transfer them to the infected one via CD, make sure SAS is not running and double click on the update file. This is only necessary if you cannot update automatically.
So after SAS found those two threats, are you still not able to update programs?
« Last Edit: April 05, 2009, 10:40:57 PM by micky77 »

ASAR25

  • Guest
Re: I CANT UPDATE AVAST HOME EDITION! CONFICKER??? PLEASE HELP
« Reply #38 on: April 05, 2009, 11:24:39 PM »
OK, I will update SAS manually tomorrow when I'll be on the other PC.

Yes, it seems that that's it. Those files were from the BitDefender tool. And yes, Trend Micro found 3 or four problems, but since they were not stated as big problems or viruses, I did not post that on the forum. It was one of the first scans, and sometimes Trend Micro found even those potential problems, so it did not seem like something important. Sorry.

All problems are still here.

I updated Java also, removed Skype and MSN programs and half of the PC, but Mozilla still crashes from time to time and I can't update avast, SAS and MBAM.
Also, when I go to the update page for Windows the page freezes?! I don't have original Windows so I don't know if it's the virus that is preventing me from updating or Microsoft.

Besides updating SAS and running a scan in safe mode, is there anything more I can do? Maybe a Trend Micro scan again, or Kaspersky?
thanks

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: I CANT UPDATE AVAST HOME EDITION! CONFICKER??? PLEASE HELP
« Reply #39 on: April 05, 2009, 11:48:01 PM »
Read the instructions, download and burn (maybe from another computer), and finally use one of these rescue CDs:
1. Avira
2. Kaspersky
3. BitDefender
4. F-Secure
5. Dr. Web
The best things in life are free.

micky77

  • Guest
Re: I CANT UPDATE AVAST HOME EDITION! CONFICKER??? PLEASE HELP
« Reply #40 on: April 06, 2009, 05:28:22 PM »

Well, I am not too familiar with the hosts file, but I've been experimenting a little with a program called hostsxpert. It allows all sorts of modifications to the hosts file. Something I think malware has already done to you.
Before you consider that program, can you look at your hosts file? Carefully navigate to C/windows/system32/drivers/etc ( etc is a folder ); after opening etc you should see the hosts file.
Right click on the hosts file and choose open. When you are asked what program to use, choose Notepad.

The contents will appear in Notepad. Right click, choose 'select all', which will highlight everything in blue, then right click and select 'copy'.
Come back here and open a thread, right click and choose paste.
Mine looks like this:

# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host

127.0.0.1       localhost

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: I CANT UPDATE AVAST HOME EDITION! CONFICKER??? PLEASE HELP
« Reply #41 on: April 06, 2009, 05:32:35 PM »
Your hosts file is clean and ok.
The problem could be in some drivers in the Windows folder that prevent avast from updating, so I've suggested the CD scanning.
You can also try a full on-line scan of the computer:
BitDefender
ESET NOD32
F-Secure

For detection-only, not cleaning:
Kaspersky
Trendmicro housecall

micky77

  • Guest
Re: I CANT UPDATE AVAST HOME EDITION! CONFICKER??? PLEASE HELP
« Reply #42 on: April 06, 2009, 05:44:28 PM »
Your hosts file is clean and ok.

That's my file, Tech, not the OP's.
« Last Edit: April 06, 2009, 05:50:18 PM by micky77 »

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: I CANT UPDATE AVAST HOME EDITION! CONFICKER??? PLEASE HELP
« Reply #43 on: April 06, 2009, 07:36:23 PM »

micky77

  • Guest
Re: I CANT UPDATE AVAST HOME EDITION! CONFICKER??? PLEASE HELP
« Reply #44 on: April 06, 2009, 08:40:36 PM »
That's my file, Tech, not the OP's.
:-[ :-[

Tech, maybe I misunderstood you. Seeing as ASAR25 has already removed zlob with MBAM, a dodgy HJT entry O1 - Hosts: 66.98.148.65 auto.search.msn.es, SAS found Trojan.DNSChanger-Codec and Trojan.SVCHost/Fake, not to mention what Housecall removed. Also he cannot update Windows, SAS, MBAM. I thought it possible that maybe he's already removed the threat, but his hosts file has been changed and was manually blocking sites. No offence intended to you :)
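
Added example, not part of any post above: a small Python audit of hosts-file text, covering the manual check micky77 describes in Reply #40 and the hypothesis in Reply #44 that a changed hosts file is blocking update sites. The watch list is an assumption built from domains that appear in this thread, and the last two lines of the sample input are constructed.

```python
import ipaddress

# Assumption: watch list taken from vendor/update domains named in this thread.
WATCHED = ("avast.com", "superantispyware.com", "update.microsoft.com")

def parse_hosts(text):
    """Yield (line_no, ip, hostname) for each mapping in hosts-file text."""
    for no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()   # drop comments, then tokenize
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                            # not an address: ignore line
        for name in fields[1:]:                 # one line may carry aliases
            yield no, ip, name.lower().rstrip(".")

def audit_hosts(text):
    """Return (line_no, kind, ip, hostname) for every non-default entry."""
    findings = []
    for no, ip, name in parse_hosts(text):
        sinkhole = ip.is_loopback or ip.is_unspecified
        if name == "localhost" and ip.is_loopback:
            continue                            # the stock entry
        watched = any(name == d or name.endswith("." + d) for d in WATCHED)
        if watched:
            kind = "update-host-blocked" if sinkhole else "update-host-redirected"
        else:
            kind = "sinkholed" if sinkhole else "redirect"
        findings.append((no, kind, str(ip), name))
    return findings

# Sample input: line 3 is the O1 entry quoted in this thread; lines 4-5 are
# constructed to show what a hosts file that blocks updates would look like.
SAMPLE = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
66.98.148.65    auto.search.msn.es
127.0.0.1       www.avast.com
0.0.0.0         update.microsoft.com
"""

if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE):
        print("line %d: %-22s %s -> %s" % finding)
```

A "sinkholed" finding for a host outside the watch list is often a deliberate ad or malware blocklist entry, so it calls for review rather than automatic removal.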