
Windows Update redirects to Google/Can't update Windows


  • This topic is locked
2 replies to this topic

#1 jsetzler

jsetzler

  • Members
  • 1 posts
  • OFFLINE
  • Local time:08:34 PM

Posted 05 May 2009 - 11:51 PM

I have had what I thought was a simple virus for a few days. It didn't seem that threatening, so I didn't do much at first, as it was finals time. Now that finals are over, I got fed up today by my Norton Corporate saying over and over again that I had the same infection that it cleaned 30 seconds earlier. I am running Windows Media Center Edition, SP2 (can't update).

I reformatted my machine, only to find that I could not update Windows. Windows Update redirects me to Google (with a grey "English" underneath it). Thinking that I had done something wrong, I reformatted again immediately after the first time. Sadly, it happened again.

I have spent the last 10 hours scouring Google, reading lots of forum posts here and on other forums detailing the problem. I have tried every solution that everyone gave, but nothing has worked. This thing has also infected my wife's laptop. After I get my machine taken care of, I am going to deal with hers. Thanks in advance. I read the post guidelines and made the two log files, DDS.txt and Attach.txt. DDS.txt follows.


DDS (Ver_09-03-16.01) - NTFSx86
Run by HP_Administrator at 22:55:10.71 on Tue 05/05/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1682 [GMT -5:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology\ELService.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\HP\KBD\KBD.EXE
c:\windows\system\hpsysdrv.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\HP_Administrator\Desktop\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = about:blank
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\Iaanotif.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [PCDrProfiler] "c:\program files\pc-doctor 5 for windows\RunProfiler.exe" -r
mRun: [HPBootOp] "c:\program files\hewlett-packard\hp boot optimizer\HPBootOp.exe" /run
mRun: [Reminder] "c:\windows\creator\Remind_XP.exe"
mRun: [TrojanScanner] c:\program files\trojan remover\Trjscan.exe /boot
mRun: [SpyHunter Security Suite] c:\program files\enigma software group\spyhunter\SpyHunter3.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5483.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

============= SERVICES / DRIVERS ===============

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-4-28 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-4-28 72944]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-4-28 7408]
S3 CXFALCON;Conexant Falcon II NTSC Video Capture;c:\windows\system32\drivers\cxfalcon.sys [2006-7-12 82048]
S3 WN5301;LIteon Wireless PCI Network Adapter Service;c:\windows\system32\drivers\wn5301.sys [2006-7-12 468768]

=============== Created Last 30 ================

2009-05-05 20:35 <DIR> --d----- c:\documents and settings\hp_administrator\DoctorWeb
2009-05-05 20:20 1,668 a------- c:\windows\system32\tmp.reg
2009-05-05 20:09 <DIR> --d----- c:\program files\Enigma Software Group
2009-05-05 19:51 162,304 a------- c:\windows\system32\ztvunrar36.dll
2009-05-05 19:51 153,088 a------- c:\windows\system32\UNRAR3.dll
2009-05-05 19:51 77,312 a------- c:\windows\system32\ztvunace26.dll
2009-05-05 19:51 75,264 a------- c:\windows\system32\unacev2.dll
2009-05-05 19:51 69,632 a------- c:\windows\system32\ztvcabinet.dll
2009-05-05 19:51 <DIR> --d----- c:\program files\Trojan Remover
2009-05-05 19:51 <DIR> --d----- c:\docume~1\hp_adm~1\applic~1\Simply Super Software
2009-05-05 19:51 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Simply Super Software
2009-05-05 19:38 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-05-05 19:38 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-05-05 19:38 <DIR> --d----- c:\docume~1\hp_adm~1\applic~1\SUPERAntiSpyware.com
2009-05-05 19:38 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-05-05 18:35 <DIR> --d----- c:\docume~1\hp_adm~1\applic~1\Malwarebytes
2009-05-05 18:35 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-05-05 18:35 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-05 18:35 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-05-05 18:35 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-05-05 18:00 <DIR> --d----- c:\program files\Trend Micro
2009-05-05 17:54 <DIR> --ds---- c:\documents and settings\hp_administrator\UserData
2009-05-05 16:41 12,160 a------- c:\windows\system32\drivers\mouhid.sys
2009-05-05 16:41 9,600 a------- c:\windows\system32\drivers\hidusb.sys
2009-05-05 16:41 31,616 a------- c:\windows\system32\drivers\usbccgp.sys
2009-05-05 16:38 246 a------- c:\windows\system\hpsysdrv.dat
2009-05-05 16:30 <DIR> --d--r-- c:\documents and settings\all users\Documents
2009-05-05 16:29 <DIR> --d--r-- c:\windows\Offline Web Pages
2009-05-05 16:27 <DIR> --dshr-- c:\windows\system32\dllcache
2009-05-05 15:11 <DIR> --d----- c:\windows\system32\appmgmt
2009-05-05 14:49 410,984 a------- c:\windows\system32\deploytk.dll
2009-05-05 14:49 73,728 a------- c:\windows\system32\javacpl.cpl
2009-05-05 14:48 <DIR> --dsh--- C:\cmdcons
2009-05-05 14:48 <DIR> --d----- c:\windows\setup.pss
2009-05-05 14:47 1,865 a--shr-- c:\windows\system32\drivers\103C_HP_CPC_EW175AV-ABA m7560y_YC_0Pavi_QMXG628_E63NAecMPA3_48_IEMERY2_SASUSTek Computer INC._V2.00_B3.15_T060623_WXP2_L409_M2047_J320_7Intel_8Pentium D_93.2_#060715_N808627DC_Z_G.MRK
2009-05-05 14:44 <DIR> --d----- c:\docume~1\hp_adm~1\applic~1\Intuit
2009-05-05 14:44 <DIR> --d----- c:\documents and settings\hp_administrator\WINDOWS
2009-05-05 14:44 <DIR> --d----- c:\documents and settings\HP_Administrator

==================== Find3M ====================


============= FINISH: 22:55:19.43 ===============


Kaspersky log:

Full Scan: completed 5/5/2009 23:45:15 (events: 27, objects: 409776, time: 00:22:25)
5/5/2009 23:16:44 Task completed
5/5/2009 23:15:52 Task started
Full Scan: completed 5/5/2009 23:45:15 (events: 27, objects: 409776, time: 00:22:25)
5/5/2009 23:22:50 Task started
5/5/2009 23:26:36 Password protected C:\Documents and Settings\HP_Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\Quarantine\Quarantine - 05-05-2009 - 19-55-43.SBU/{2507EA8A-00D7-4EF9-86A7-7F5311C0EEF9}
5/5/2009 23:26:36 Password protected C:\Documents and Settings\HP_Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\Quarantine\Quarantine - 05-05-2009 - 19-55-43.SBU/{4909B054-A322-4E59-82EB-826BB7F98F8E}
5/5/2009 23:26:36 Password protected C:\Documents and Settings\HP_Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\Quarantine\Quarantine - 05-05-2009 - 19-55-43.SBU/{4D50112A-6714-496E-B886-6FD880ADCF25}
5/5/2009 23:26:36 Password protected C:\Documents and Settings\HP_Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\Quarantine\Quarantine - 05-05-2009 - 19-55-43.SBU/{530947A5-2BEE-429C-AD34-EC7B812AE40B}
5/5/2009 23:26:36 Password protected C:\Documents and Settings\HP_Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\Quarantine\Quarantine - 05-05-2009 - 19-55-43.SBU/{61281580-CEFB-4B70-8597-EEFFFCE53BD5}
5/5/2009 23:26:36 Password protected C:\Documents and Settings\HP_Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\Quarantine\Quarantine - 05-05-2009 - 19-55-43.SBU/{63D3C387-1CB2-4F68-9D7C-21232ECBAD05}
5/5/2009 23:26:36 Password protected C:\Documents and Settings\HP_Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\Quarantine\Quarantine - 05-05-2009 - 19-55-43.SBU/{6BEE1EC0-C71D-4F0E-BDFA-89125FB98D1F}
5/5/2009 23:26:36 Password protected C:\Documents and Settings\HP_Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\Quarantine\Quarantine - 05-05-2009 - 19-55-43.SBU/{768A8031-E723-4C50-9B6A-48B9584C904F}
5/5/2009 23:26:36 Password protected C:\Documents and Settings\HP_Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\Quarantine\Quarantine - 05-05-2009 - 19-55-43.SBU/{7F88633F-B72E-4BBD-987B-41C2E60A4F60}
5/5/2009 23:26:36 Password protected C:\Documents and Settings\HP_Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\Quarantine\Quarantine - 05-05-2009 - 19-55-43.SBU/{880D25D1-1B7D-463B-A79B-7BEC12032D69}
5/5/2009 23:26:36 Password protected C:\Documents and Settings\HP_Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\Quarantine\Quarantine - 05-05-2009 - 19-55-43.SBU/{B0572D0C-F6E6-46F8-B7A5-53D3822F05BA}
5/5/2009 23:26:36 Password protected C:\Documents and Settings\HP_Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\Quarantine\Quarantine - 05-05-2009 - 19-55-43.SBU/{B1790239-8327-408B-B0BE-3C709F272973}
5/5/2009 23:26:36 Password protected C:\Documents and Settings\HP_Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\Quarantine\Quarantine - 05-05-2009 - 19-55-43.SBU/{BC0CB8C1-204E-4C35-95B1-7724F72BABD1}
5/5/2009 23:26:36 Password protected C:\Documents and Settings\HP_Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\Quarantine\Quarantine - 05-05-2009 - 19-55-43.SBU/{D4E510F2-FB8A-4725-B085-C1FDD0AD1FD1}
5/5/2009 23:26:36 Password protected C:\Documents and Settings\HP_Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\Quarantine\Quarantine - 05-05-2009 - 19-55-43.SBU/{DA059CCF-67DA-4BB5-B421-1F6920AF5D78}
5/5/2009 23:26:36 Password protected C:\Documents and Settings\HP_Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\Quarantine\Quarantine - 05-05-2009 - 19-55-43.SBU/backup.db
5/5/2009 23:28:34 Detected: http://www.viruslist.com/en/advisories/28083 C:\hp\recovery\wizard\SWR_Wizard.exe/#
5/5/2009 23:28:39 Detected: http://www.viruslist.com/en/advisories/30832 C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.dll
5/5/2009 23:28:44 Detected: http://www.viruslist.com/en/advisories/31010 C:\Program Files\Java\jre1.5.0_05\bin\javaws.exe
5/5/2009 23:28:44 Detected: http://www.viruslist.com/en/advisories/31010 C:\Program Files\Java\jre1.5.0_05\bin\java.exe
5/5/2009 23:32:32 Detected: http://www.viruslist.com/en/advisories/28083 C:\WINDOWS\system32\Macromed\Flash\swflash.ocx
5/5/2009 23:38:23 Password protected D:\RPG Books\Battletech\Mech Designers\HeavyMetal.com\HeavyMetal Map.rar/HeavyMetal Map\Program\HMMapV100R2A-Setup.exe/AutoPlay/autorun.cdd/_detect.dat
5/5/2009 23:38:23 Password protected D:\RPG Books\Battletech\Mech Designers\HeavyMetal.com\HeavyMetal Map.rar/HeavyMetal Map\Program\HMMapV100R2A-Setup.exe/AutoPlay/autorun.cdd/_proj.dat
5/5/2009 23:38:23 Password protected D:\RPG Books\Battletech\Mech Designers\HeavyMetal.com\HeavyMetal Map.rar/HeavyMetal Map\Program\HMMapV100R2A-Setup.exe/AutoPlay/autorun.cdd/_fonts.dat
5/5/2009 23:40:07 Detected: http://www.viruslist.com/en/advisories/25215 E:\I386\APPS\APP09730\src\NAV\External\NORTON\APP\NAVComUI.dll
5/5/2009 23:45:15 Task completed


#2 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:08:34 PM

Posted 19 May 2009 - 08:01 AM

Hello jsetzler,


Sorry about the delay. If you still need help, please post a new HijackThis log to make sure nothing has changed, and I'll be happy to look at it for you.

Please do this:
1. Download HijackThis™ here:
http://www.trendsecure.com/portal/en-US/th.../hijackthis.php

2. Click 'Do a System Scan and Save log'.
The HJT log will open in notepad.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?

#3 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:08:34 PM

Posted 11 June 2009 - 11:11 PM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic



