Need assistance, computer trouble after my AV stopped virus

[rditto48801]

Another update (via my friend's laptop still).
The moment things were restored on my PC, my anti-virus went bonkers yet again, and I again cannot connect to internet. Luckily, it did not interupt existing downloads, and Malwarebyte's Anti-Malware updated fully (it was downloading an update when things went odd again). I got a full scan with it going, it found 1 infection so far.

Frontier Security Suite -> Advanced Protection quarintined the following files.
P17DEF.EXE
CONHOST.EXE
EEX.EXE (same one from before).

Time to search for extra clues as to what I am dealing with.

[rditto48801]

A brief update.
P17DEF was running directly in the Windows folder. There are reports of a virus hiding as that file name.
CONHOST was runnng from Documents and Settings\(username)\Application Data\Microsoft (not WIndows\system32). I have turned up reports that if it is not in Windows\system32, it is a virus, and one person reported finding the virus version in the same directory.
EEX.EXE was in the same place as before, Documents and Settings\(username)\Local Settings\Application Data. I still cannot find any mention of it outside of the MYDOOM worm.

[Blín D'ñero]

BitDefender has some virus removal tools too.

Free Virus Removal Tools
PC infected with a specific virus? Get rid of it now, for free! Simply browse through our database of known viruses below and hit the download button to start the virus removal process!

HERE. bitdefender.com/
But not the ones you name there.

Yes i read the same:
Conhost.exe = Console Window Host.
It’s a completely legitimate executable—as long as it’s running from the system32 folder, and is signed by Microsoft. Source: http://www.howtogeek.com/howto/4996/wha ... t-running/
Conhost in the system32 folder is OK, but if you find it anywhere else it is not OK.

This is your Frontier Security suite, right? https://www.ncnetwork.net/Residential/S ... ySuite.htm Does it seem to be able to kill the viruses?

[rditto48801]

BitDefender has some virus removal tools too.

Free Virus Removal Tools
PC infected with a specific virus? Get rid of it now, for free! Simply browse through our database of known viruses below and hit the download button to start the virus removal process!

HERE. bitdefender.com/
But not the ones you name there.

Yes i read the same:
Conhost.exe = Console Window Host.
It’s a completely legitimate executable—as long as it’s running from the system32 folder, and is signed by Microsoft. Source: http://www.howtogeek.com/howto/4996/wha ... t-running/
Conhost in the system32 folder is OK, but if you find it anywhere else it is not OK.

That is one of the links I found myself.

This is your Frontier Security suite, right? https://www.ncnetwork.net/Residential/S ... ySuite.htm Does it seem to be able to kill the viruses?

Yes, that is it.

The present virus find has stuff that is different from the last one, aside from the eex.exe. I did get a warning that the definition files for my Frontier Security Suite might be out of date, a warning which appeared after I applied the fix.reg file and rebooted, right after it stopped the second batch of problems. It did appear to have fixed the first viruses, and the eex.exe file was quarintined and deleted, although the second instance was found in the same place as the first instance.

At present, Malwarebyte's Anti-Malware is sitting at 2 infected objects found, with almost 2 hours of scanning. Not sure how much more it has to scan.

[rditto48801]

I left my PC running overnight while it scanned. I am so glad the anti-malware program was able to update before my computer again had other stuff 'loose' the ability to detect the internet connection.

Code: Select all

Malwarebytes' Anti-Malware 1.51.0.1200
http://www.malwarebytes.org

Database version: 6705

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

6/4/2011 7:04:05 AM
mbam-log-2011-06-04 (07-04-04).txt

Scan type: Full scan (C:\|E:\|)
Objects scanned: 1133894
Time elapsed: 6 hour(s), 40 minute(s), 37 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 2
Registry Data Items Infected: 6
Folders Infected: 0
Files Infected: 6

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CLASSES_ROOT\.exe\shell\open\command\(default) (Hijack.ExeFile) -> Value: (default) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer (PUM.Bad.Proxy) -> Value: ProxyServer -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\Owner\Local Settings\Application Data\eex.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe") Good: (firefox.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\Owner\Local Settings\Application Data\eex.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode) Good: (firefox.exe -safe-mode) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\Owner\Local Settings\Application Data\eex.exe" -a "C:\Program Files\Internet Explorer\iexplore.exe") Good: (iexplore.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\my backup stuff\my download files\startopia\ddsconvgui\ddsconvgui.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
c:\documents and settings\Owner\application data\Sun\Java\deployment\cache\6.0\55\5c6d73b7-1e1ea7d4 (Backdoor.Cycbot.Gen) -> Quarantined and deleted successfully.
c:\RECYCLER\s-1-5-21-1275210071-2111687655-725345543-1003\Dc34.exe (Backdoor.Cycbot.Gen) -> Quarantined and deleted successfully.
c:\system volume information\_restore{9cf680c0-4e84-4b27-b9b9-7d968691c9a6}\RP737\A0124886.exe (Backdoor.Cycbot.Gen) -> Quarantined and deleted successfully.
c:\system volume information\_restore{9cf680c0-4e84-4b27-b9b9-7d968691c9a6}\RP704\A0121429.exe (RiskWare.Tool.CK) -> Quarantined and deleted successfully.
e:\system volume information\_restore{7f31efc5-e91d-48ff-84ca-7eab72e07df4}\RP183\A0034944.exe (Malware.Gen) -> Quarantined and deleted successfully.

I do need to reboot to fully remove some stuff, but my anti-virus is presently scanning (today happens to be the day it does its weekly scan), it found one thing so far.
There are also some 19 items sitting in quarintine for the anti-malware program. It list all threats found and removed, and includes a number of things (5?) found from when my PC got taken out hard two months ago (virus related to scareware/fake anti-virus that cannot be shutdown). The PC shop installed the anti-malware program then, and it apparently just saved me from having to take my PC to the shop again.
It's interesting that I get my anti-virus working again just to get hit by more stuff than I did last time.

After reboot, my PC should hopefully be running fine.

[Blín D'ñero]

Keep up the fight, you're going strongly!

Make sure to make a most recent backup of your most important data, just incase you ever need to format and reinstall Windows!

[rditto48801]

Keep up the fight, you're going strongly!

Make sure to make a most recent backup of your most important data, just incase you ever need to format and reinstall Windows!

I got my present PC back online now.
Still got some errors.
Had to edit Firefox, it somehow got set to use some sort of proxy, which I managed to fix after IE started up normally and confirmed my PC is at least somewhat detecting the internet, and now so is Firefox after setting it to not use a proxy.

The last time I had to take my computer into the shop for repairs (in April) I bought an 8GB USB memory stick to backup some of my stuff on occasion, which was barely fitting part of on a 2GB I had before.

Spybot reported and fixed to registry things apparently disabling the security feature's ability to notify me of the status of my anti-virus and windows update.

Windows Security Center is reporting Automatic Updates is off. It will not turn back on. I get an error of "The website has encountered a problem and cannot display the page you are trying to view." when trying to use Windows Update via IE.
While typing this post, I realized there was a 'get now' sort of thing for Windows Update, I guess that virus/malware actually took out Windows Update somehow, which might explain why it is not working. Trying to get updated/downloaded gave me the same error above.

Windows Security Center was reporting my Anti-Virus is out of date, and was not detecting the internet at first. Oddly enough, after figuring out the proxy oddity with Firefox, my anti-virus seems to be able to detect internet now. It is updated now (no program update, but new definition files downloaded) and it is showing normal now.

The last update for Malwarebyte's Anti-Malware seems to have not registered, as it updated again. I noticed it was showing 5/28/2011 as the date of the last update. Now it is showing 6/4/2011 for the latest database info.

My security suite is not going crazy, no odd internet activity, nothing unusual noticed under Task Manager -> Processes.

So, at present, the main issue seems to be getting Windows Update working again.

[rditto48801]

Quick Update.

Found this.
http://forums.techarena.in/windows-update/355844.htm
Windows Update apparently working again, Windows Security Center now showing it is active.
However, when trying to do updates, IE goes a little 'odd'.
I end up with a blank page with just a small button for 'review and install updates'.
Trying express install just gives me a greyed out 'install updates' button.

[rditto48801]

Another update.
After doing some searching (mainly Yahoo search) I managed to get the Windows Update problem possibly fixed. It is properly downloading updates now. Due to the date on one of the updates, I wonder if either a file was taken out and needed to be replaced/re-updated, or if something may have been lurking on my system for some time and keeping automatic updates out of commission without warning for some time.

[rditto48801]

Another update, again.
Windows Update has gotten everything updated, also downloaded an up to date version of Java since it was one of the things affected by one of the viruses.
Then I rebooted my computer.

My computer is showing no signs of trouble at the moment, and seems to be working fine now.
I have apparently avoided the need to take it into a computer shop for professional work.

Thanks for the assist with confirming info for the exe association problem, and for 'keep up the fight' part.