
microsoft update redirects to google, windows live apps stopped working, C:\ drive isn't responding right. unknown



#1 tomster11189


Posted 22 March 2009 - 05:22 AM

I've been doing a lot of tweaking and downloading the last few days, so it could be anything. I wanted to check Microsoft Update because, for whatever reason, Live Messenger was not logging on and SkyDrive wasn't accessible on my laptop, when both work fine on my desktop. I tried to get to Microsoft Update through Google, the link in my Start menu, and even the link on the Microsoft homepage, but they all ended up on Google with the URL staying as "http://update.microsoft.com/". And it did this with both Chrome and IE7. Also, for the last couple of days, when I directly double-click on the "(C:)" drive, an error pops up about not being able to find some "RECYCLER\S-1-1-14-100023495-100021663-100017297-4700.com" file, but when I type "C:\" in the address bar, it gets there just fine. Also, when I right-click on "(C:)" I have the option to AutoPlay, and when I click "Open" it asks me what program I would like to use to open "the file C:\". I am currently running an Avast virus scan, but it's a free program so I don't think it will get me very far... Help would be greatly appreciated! Oh, and some programs I have been installing and uninstalling are Gladinet, Windows Live Messenger from "http://www.softpedia.com/get/Internet/Chat/Instant-Messaging/Windows-Live-Messenger-9.shtml" because the actual Microsoft site wasn't working (I was told it was a broken link), VLC Media Player, Avast, FreeUndelete, InfraRecorder, WAX 2.0, STOIK Video Converter, and Windows Movie Maker. I have uninstalled STOIK Video Converter, WAX 2.0, NHC ExpressBurn, Windows Live Messenger, and SuperDVD Video Editor.

-UPDATE-

I found the problem with the C:/ drive and Avast was able to fix it. It was a worm called BV:AutoRun-T. As for the other issues, I found another Trojan in my system files called "Win32:Fasec" and it seems to match my symptoms. It says it was deleted, but the problem is still there, even though when I run a thorough scan on the folder it was said to be in, there aren't any reported problems. Maybe this was a separate issue and I still have undetected malware, I don't know... but here's an update on the DDS search.



DDS (Ver_09-03-16.01) - NTFSx86
Run by Melena Fultz at 17:38:15.68 on Sun 03/22/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.703.340 [GMT -7:00]

AV: avast! antivirus 4.8.1335 [VPS 090322-0] *On-access scanning disabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\X3watch\x3watch.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Documents and Settings\Melena Fultz\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\Alwil Software\Avast4\ashSimpl.exe
C:\Documents and Settings\Melena Fultz\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Alwil Software\Avast4\ashChest.exe
C:\Documents and Settings\Melena Fultz\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uWindow Title = Microsoft Internet Explorer
uSearch Bar = hxxp://www.att.net/ie4/search/index.html
uURLSearchHooks: H - No File
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
TB: Veoh Browser Plug-in: {d0943516-5076-4020-a3b5-aefaf26ab263} - c:\program files\veoh networks\veoh\plugins\reg\VeohToolbar.dll
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
TB: {5CBE2611-C31B-401F-89BC-4CBB25E853D7} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [<NO NAME>]
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [x3watch] c:\program files\x3watch\x3watch.exe
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
DPF: {001EE746-A1F9-460E-80AD-269E088D6A01} - hxxp://moe.ic.highline.edu:2082/lib/highlinelibrary/support/plugins/ebraryRdr.cab
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://a1540.g.akamai.net/7/1540/52/20070711/qtinstall.info.apple.com/qtactivex/qtplugin.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} - hxxps://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
DPF: {CAFEEFAC-0014-0001-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/1.4/jinstall-14-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: NameServer = 85.255.112.230,85.255.112.114
TCP: {BE8FBEBF-C94D-4899-9946-34AA1EAAB1D3} = 85.255.112.230,85.255.112.114
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: {FA010552-4A27-4cb1-A1BB-3E2D697F1639} - No File
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

============= SERVICES / DRIVERS ===============

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-3-21 114768]
R1 vcdrom;Virtual CD-ROM Device Driver;c:\documents and settings\melena fultz\desktop\tools\vcd\VCdRom.sys [2001-12-19 8576]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-3-21 20560]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2009-3-21 138680]
R2 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2005-12-28 1174152]
R3 CALIAUD;Conexant AMC 3D Environmental Audio;c:\windows\system32\drivers\caliaud.sys [2004-2-17 292352]
R3 CALIHALA;CALIHALA;c:\windows\system32\drivers\calihal.sys [2004-2-17 273536]
R3 DP83815;National Semiconductor Corp. DP83815/816 NDIS 5.0 Miniport Driver;c:\windows\system32\drivers\DP83815.sys [2004-7-15 18432]
S3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2009-3-21 254040]
S3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2009-3-21 352920]
S3 WSIMD;wsimd Service;c:\windows\system32\drivers\wsimd.sys --> c:\windows\system32\drivers\wsimd.sys [?]

=============== Created Last 30 ================

2009-03-22 03:26 <DIR> --d----- c:\docume~1\melena~1\applic~1\InfraRecorder
2009-03-21 20:56 <DIR> --d----- c:\program files\InfraRecorder
2009-03-21 20:54 <DIR> --d----- c:\program files\FreeUndelete
2009-03-21 20:54 <DIR> --d----- c:\docume~1\alluse~1\applic~1\OfficeRecovery
2009-03-21 20:47 <DIR> --d----- c:\documents and settings\melena fultz\Tracing
2009-03-21 05:04 <DIR> --d----- c:\program files\Gladinet
2009-03-21 02:06 <DIR> --d----- c:\program files\VideoLAN
2009-03-18 23:12 <DIR> --d----- c:\docume~1\melena~1\applic~1\STOIK
2009-03-18 22:07 0 a------- C:\WaxCrash.dmp
2009-03-18 19:28 8 ---shr-- c:\windows\system32\A055FF397E.sys
2009-03-18 19:28 2,516 a--sh--- c:\windows\system32\KGyGaAvL.sys
2009-03-18 19:20 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Corel
2009-03-18 19:00 <DIR> --d----- c:\program files\DebugMode
2009-03-17 21:15 2,686,104 a------- c:\windows\system32\drivers\LV302V32.SYS
2009-03-17 21:14 195,096 a------- c:\windows\system32\lvci11901262.dll
2009-03-17 21:14 768,024 a------- c:\windows\system32\drivers\lvrs.sys
2009-03-10 03:19 232 a---h--- C:\sqmdata18.sqm
2009-03-10 03:19 244 a---h--- C:\sqmnoopt18.sqm
2009-02-27 00:18 <DIR> --d----- c:\program files\e-Sword
2009-02-26 23:36 1,089,593 -c------ c:\windows\system32\dllcache\ntprint.cat
2009-02-26 01:19 <DIR> --d----- c:\windows\system32\XPSViewer
2009-02-26 01:16 117,760 -------- c:\windows\system32\prntvpt.dll
2009-02-26 01:16 597,504 -c------ c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-02-26 01:16 89,088 -c------ c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-02-26 01:16 575,488 -c------ c:\windows\system32\dllcache\xpsshhdr.dll
2009-02-26 01:16 575,488 -------- c:\windows\system32\xpsshhdr.dll
2009-02-26 01:16 1,676,288 -c------ c:\windows\system32\dllcache\xpssvcs.dll
2009-02-26 01:16 1,676,288 -------- c:\windows\system32\xpssvcs.dll
2009-02-26 01:16 <DIR> --d----- C:\55137a36de68eb911cb1d1d8c1fe
2009-02-26 00:56 <DIR> --d----- c:\program files\CONEXANT

==================== Find3M ====================

2009-02-13 13:35 2,855 a------- c:\windows\pif\SETUP.PIF
2009-02-09 04:13 1,846,784 a------- c:\windows\system32\win32k.sys
2009-02-06 18:52 49,504 a------- c:\windows\system32\sirenacm.dll
2009-02-03 12:04 410,984 a------- c:\windows\system32\deploytk.dll
2008-08-27 23:17 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008082720080828\index.dat

============= FINISH: 17:39:13.47 ===============

Edited by tomster11189, 22 March 2009 - 07:41 PM.


#2 tomster11189


Posted 24 March 2009 - 07:07 AM

So the trojan ended up not letting me run Malwarebytes, or any other powerful anti-malware software, and I was stuck. But after looking around the forums I decided to try renaming the "mbam.exe" file associated with Malwarebytes to mbam123.exe and it worked! It finally opened! However, it didn't let me update the rules file, but I was able to find a download from another post of a more recent update, and it installed just fine. With some anticipation I ran Malwarebytes and finally, it managed to beat this thing. Or, I should say... these 12 things... here's the log:

Malwarebytes' Anti-Malware 1.34
Database version: 1863
Windows 5.1.2600 Service Pack 3

3/23/2009 11:16:58 PM
mbam-log-2009-03-23 (23-16-58).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 123886
Time elapsed: 50 minute(s), 15 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 8
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{6fd31ed6-7c94-4bbc-8e95-f927f4d3a949} (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{90b5a95a-afd5-4d11-b9bd-a69d53d22226} (Adware.Hotbar) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{8109fd3d-d891-4f80-8339-50a4913ace6f} (Adware.Zango) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.230,85.255.112.114 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{be8fbebf-c94d-4899-9946-34aa1eaab1d3}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.230,85.255.112.114 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.230,85.255.112.114 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{be8fbebf-c94d-4899-9946-34aa1eaab1d3}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.230,85.255.112.114 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.230,85.255.112.114 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{be8fbebf-c94d-4899-9946-34aa1eaab1d3}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.230,85.255.112.114 -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\gaopdxcounter (Trojan.Agent) -> Quarantined and deleted successfully.



So PROBLEM SOLVED after three days of staying up till five AM searching frantically for the answer to my problems! Thank you Bleeping Computer, you're a blessing for all us PC enthusiasts who just can't seem to fix their own problems...
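The DDS report in the first post and the Malwarebytes log above record the same indicator from two angles: the Tcpip NameServer values pointing at 85.255.112.230 and 85.255.112.114 (the "TCP: NameServer" lines in DDS, the "Trojan.DNSChanger" data items in Malwarebytes), plus the Security Center notification switches flipped to 1 so the missing-antivirus and missing-firewall warnings stay quiet. As an added example (not code from the thread, the poster, or BleepingComputer), here is a small Python triage script that reads report lines in those two formats and flags resolvers outside an expected set, silenced Security Center warnings, and orphaned "No File" browser add-on entries. The expected resolver and trusted networks are hypothetical assumptions; the sample report is constructed from lines in this thread.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample lines in the style of the DDS "Pseudo HJT Report" and the
# Malwarebytes "Registry Data Items Infected" sections quoted in this thread.
# The 85.255.112.x resolvers are the ones shown in the thread's own logs.
SAMPLE_REPORT = r"""
uStart Page = hxxp://www.google.com/
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
TB: Veoh Browser Plug-in: {d0943516-5076-4020-a3b5-aefaf26ab263} - c:\program files\veoh networks\veoh\plugins\reg\VeohToolbar.dll
TCP: NameServer = 85.255.112.230,85.255.112.114
TCP: {BE8FBEBF-C94D-4899-9946-34AA1EAAB1D3} = 85.255.112.230,85.255.112.114
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.230,85.255.112.114 -> Quarantined and deleted successfully.
"""

# Assumption (hypothetical values): the resolvers this machine is supposed to use.
# A home router plus any private (RFC 1918) address counts as expected; substitute your own.
EXPECTED_RESOLVERS = {"192.168.1.1"}
TRUSTED_NETWORKS = [ip_network("192.168.0.0/16"), ip_network("10.0.0.0/8"),
                    ip_network("172.16.0.0/12")]

# DDS prints the system-wide resolver list as "TCP: NameServer = a,b" and each
# adapter's list as "TCP: {interface-GUID} = a,b".
DDS_DNS_RE = re.compile(r"^TCP: (?:NameServer|\{[0-9A-Fa-f-]+\}) = (?P<servers>[0-9.,]+)\s*$")
# Malwarebytes prints removed registry data as "...\NameServer (...) -> Data: a,b -> ...".
MBAM_DNS_RE = re.compile(r"\\NameServer \([^)]*\) -> Data: (?P<servers>[0-9.,]+) ->")
# Security Center values set to 1 suppress the "no antivirus / no firewall" warnings.
DISABLE_NOTIFY_RE = re.compile(r"Security Center\\(?P<name>\w+DisableNotify) .*Bad: \(1\)")
# Browser helper objects, toolbars, etc. whose DLL is gone: leftovers worth cleaning up.
NO_FILE_RE = re.compile(r"^(?:BHO|TB|EB|SEH|uURLSearchHooks): .* - No File$")


def is_expected_resolver(server, expected=EXPECTED_RESOLVERS, trusted=TRUSTED_NETWORKS):
    """True if the address is one we configured or lives on a trusted network."""
    if server in expected:
        return True
    try:
        addr = ip_address(server)
    except ValueError:
        return False  # not an IP address at all; treat as suspect
    return any(addr in net for net in trusted)


def triage(report_text, expected=EXPECTED_RESOLVERS, trusted=TRUSTED_NETWORKS):
    """Pull DNSChanger-style indicators out of DDS or Malwarebytes report text."""
    rogue_dns = set()
    silenced = []
    orphaned = 0
    for raw in report_text.splitlines():
        line = raw.strip()
        m = DDS_DNS_RE.match(line) or MBAM_DNS_RE.search(line)
        if m:
            for server in m.group("servers").split(","):
                server = server.strip()
                if server and not is_expected_resolver(server, expected, trusted):
                    rogue_dns.add(server)
            continue
        m = DISABLE_NOTIFY_RE.search(line)
        if m:
            silenced.append(m.group("name"))
            continue
        if NO_FILE_RE.match(line):
            orphaned += 1
    return {
        "rogue_dns": sorted(rogue_dns),
        "silenced_notifications": silenced,
        "orphaned_entries": orphaned,
    }


if __name__ == "__main__":
    findings = triage(SAMPLE_REPORT)
    if findings["rogue_dns"]:
        print("Unexpected DNS resolvers configured:", ", ".join(findings["rogue_dns"]))
    for name in findings["silenced_notifications"]:
        print("Security Center warning silenced:", name)
    print("Orphaned browser add-on entries:", findings["orphaned_entries"])
```

Run it as-is against the embedded sample, or read a saved DDS or Malwarebytes log into triage(). The check compares each configured resolver against what the machine should be using rather than against a fixed list of known-bad addresses, so a changed resolver is caught even when the replacement addresses are ones no blocklist has seen yet; on the thread's own data it reports both 85.255.112.x servers, both DisableNotify switches, and the one orphaned BHO.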

#3 KoanYorel


Posted 24 March 2009 - 11:44 AM

Thanks for informing us.
Good luck.

This Topic is closed.

Should you need it reopened, please contact a Forum Moderator. Include the address of this thread in your request.

If you have a new issue, please start a New Topic.

This applies only to the original poster. Everyone else please begin a New Topic.

R,
K
The only easy day was yesterday.

...some do, some don't; some will, some won't (WR)



