
Cannot update windows, anti-virus, etc

  • This topic is locked
8 replies to this topic

#1 alkusoittow


  • Members
  • 9 posts
  • Local time:05:26 AM

Posted 29 May 2009 - 04:02 PM

Hello, I have an HP a1430n desktop computer. The machine has a D: drive for recovery, etc. I have backed up all my personal data on another hard drive which has been removed for the time being, so any reformatting or deleting will not be an issue. Just this morning I wiped the C: drive and re-installed Windows.


Amazingly I cannot update Windows, or any of my anti-virus or anti-virus programs (Nod32, Malwarebytes, Windows Update website, etc).

When I try to go to Windows Update, I get re-directed to Google and neither Malwarebytes nor Nod32 has fixed the problem. I have since re-formatted the C: drive, re-installed Windows, and have not installed Nod32 or Malwarebytes so I'm free and clear to run anything else you might suggest.

My best guess is that the virus/malware is buried somewhere on my D: drive, which does have space you can use despite being a recovery drive.

Below is my HijackThis log, and thank you ahead for ANY help you can offer


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:50:59 PM, on 5/29/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\Program Files\DISC\DiscUpdateMgr.exe
C:\Program Files\Sonic\DigitalMedia Plus\DigitalMedia Archive\DMAScheduler.exe
C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\Program Files\Java\jre1.5.0_05\bin\jucheck.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: HpWebHelper - {AAAE832A-5FFF-4661-9C8F-369692D1DCB9} - C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\WebHelper.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [HPHUPD08] c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
O4 - HKLM\..\Run: [DISCover] C:\Program Files\DISC\DISCover.exe
O4 - HKLM\..\Run: [DiscUpdateManager] C:\Program Files\DISC\DiscUpdateMgr.exe
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
O4 - HKLM\..\Run: [StartCCC] "c:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.trymedia.com (HKLM)
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase5483.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

End of file - 6880 bytes


#2 Farbar


    Just Curious

  • Security Developer
  • 21,671 posts
  • Gender:Male
  • Location:The Netherlands
  • Local time:01:26 PM

Posted 29 May 2009 - 04:50 PM

Hi alkusoittow,

Welcome to BC HijackThis forum. I am farbar. I am going to assist you with your problem.

Please refrain from making any changes to your system (updating Windows, installing applications, removing files, etc.) from now on as it might prolong handling your log and make the job for both of us more difficult.

The log seems clean. While it is vital to have the protection of an antivirus program, you should get to Windows Update first and install Service Pack 3. We will take a deeper look first to see what is wrong.
  • Make sure Windows Firewall is turned on (Start => Control Panel => Windows Firewall).

  • Tell me what was the reason you reformatted? Was the computer infected? If yes do you happen to know the type of infection? Could you update Windows before reformatting?

  • Please download Malwarebytes' Anti-Malware from MajorGeeks
    • Double Click mbam-setup.exe to install the application. Then close it.
    • Please update MBAM manually. To do that download mbam-rules.exe.
    • Double-click mbam-rules.exe to run it.
    • Once the program has loaded, select "Perform Quick Scan", then click Scan.
    • The scan may take some time to finish, so please be patient.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy&Paste the MBAM log.
    Extra Note:
    If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

  • If MBAM didn't find or remove anything, or if you still have the issue, please perform this step:

    Go to Start > Run, copy/paste the following line in the run box and click OK.

    cmd /c (ipconfig /all&nslookup google.com&ping -n 2 google.com&route print) >log.txt&log.txt& del log.txt

    A command window opens. Wait until a log.txt file opens. Please post the content to your reply.

#3 alkusoittow

  • Topic Starter

  • Members
  • 9 posts
  • Local time:05:26 AM

Posted 29 May 2009 - 05:17 PM

Thank you for the response! I have a little more hope now...

Windows Firewall is turned on

The reason for the re-format was that my machine was infected, I couldn't go to the malwarebytes website, windows update, etc... pretty much the same problems I'm having now. Some sites like malwarebytes.org just don't load (i.e. "Page Load Error") and others would be re-directs (such as windows update going to google)

I cannot download Malwarebytes from that link as it is blocked by whatever virus I have... However, I have a version (1.35) backed up on CD, and I used that instead. Log is below:

Malwarebytes' Anti-Malware 1.35
Database version: 1904
Windows 5.1.2600 Service Pack 2

5/29/2009 3:04:33 PM
mbam-log-2009-05-29 (15-04-33).txt

Scan type: Quick Scan
Objects scanned: 72556
Time elapsed: 2 minute(s), 11 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 1
Registry Data Items Infected: 6
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx.1 (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{04a38f6b-006f-4247-ba4c-02a139d5531c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{3c2d2a1e-031f-4397-9614-87c932a848e0} (Adware.Minibug) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\Program Files\Common Files\Real\WeatherBug\MiniBugTransporter.dll (Adware.Minibug) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DhcpNameServer (Trojan.DNSChanger) -> Data: -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{495cbb7f-2e28-4823-9c3d-c7c5e4e17a17}\DhcpNameServer (Trojan.DNSChanger) -> Data: -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\DhcpNameServer (Trojan.DNSChanger) -> Data: -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{495cbb7f-2e28-4823-9c3d-c7c5e4e17a17}\DhcpNameServer (Trojan.DNSChanger) -> Data: -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\DhcpNameServer (Trojan.DNSChanger) -> Data: -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{495cbb7f-2e28-4823-9c3d-c7c5e4e17a17}\DhcpNameServer (Trojan.DNSChanger) -> Data: -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Program Files\Common Files\Real\WeatherBug\MiniBugTransporter.dll (Adware.Minibug) -> Quarantined and deleted successfully.

Windows update site still re-directed, still can't get to malwarebytes.org, etc...
Log below:

Windows IP Configuration

Host Name . . . . . . . . . . . . : Voyager
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : socal.rr.com

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . : socal.rr.com
Description . . . . . . . . . . . : NVIDIA nForce Networking Controller
Physical Address. . . . . . . . . : 00-15-F2-F1-D3-31
Dhcp Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . :
Subnet Mask . . . . . . . . . . . :
Default Gateway . . . . . . . . . :
DHCP Server . . . . . . . . . . . :
DNS Servers . . . . . . . . . . . :
Lease Obtained. . . . . . . . . . : Friday, May 29, 2009 3:10:21 PM
Lease Expires . . . . . . . . . . : Saturday, May 30, 2009 3:10:21 PM

Name: google.com

Pinging google.com [] with 32 bytes of data:
Reply from bytes=32 time=47ms TTL=237
Reply from bytes=32 time=44ms TTL=237

Ping statistics for
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 44ms, Maximum = 47ms, Average = 45ms

Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 15 f2 f1 d3 31 ...... NVIDIA nForce Networking Controller - Packet Scheduler Miniport
Active Routes:
Network Destination Netmask Gateway Interface Metric 20 1 20 20 20 20 1
Default Gateway:
Persistent Routes:

Thank you again for your help!!

#4 alkusoittow

  • Topic Starter

  • Members
  • 9 posts
  • Local time:05:26 AM

Posted 29 May 2009 - 05:24 PM

If it helps, below is a screenshot of a re-direct from Microsoft's website while trying to download SP3:


#5 Farbar


    Just Curious

  • Security Developer
  • 21,671 posts
  • Gender:Male
  • Location:The Netherlands
  • Local time:01:26 PM

Posted 29 May 2009 - 05:29 PM

Well done. :thumbup2:

We will install the latest MBAM later on as it is not updated to the recent version. But it doesn't matter.

All the pointers go in the same direction and support my initial suspicion. You could have reformatted as many times as you wanted without getting out of trouble.

I see your router is hijacked by a trojan DNS-Changer.
  • Please read this: Malware Silently Alters Wireless Router Settings

  • Consult this link to find out what is the default password of your router and how you can connect to the internet after resetting the router to its factory default. You can print out the instructions for later reference: Router Passwords

  • Then reset your router to its factory default settings:

    "If your machine has been infected by one of these Zlob/DNSchanger Trojans, and your router settings have been altered, I would strongly recommend that you reset the router to its default configuration. Usually, this can be done by inserting something tiny like a paper clip end or pencil tip into a small hole labeled "reset" located on the back of the router. Press and hold down the small button inside until the lights on the front of the router blink off and then on again (usually about 10 seconds)"

  • Now follow the steps you have already figured out in step 2 to use the default password, get connected and then set a strong password.

  • This is the difficult part.
    First get to the router's server. To do that, type http:// in the address bar and press Enter. You get the login window.
    Fill in the password you have just set and you will get the configuration page.
    Configure the router to allow you to connect to your ISP server. In some routers it is done by a setup wizard. But you have to fill in the login password your ISP has initially given to you.
    You can also call your ISP if you don't have your initial password.
    If after this you could not connect, proceed with the following.

  • Go to Start -> Control Panel -> Double click on Network Connections.
  • Right click on your default connection, usually Local Area Connection or Dial-up Connection if you are using Dial-up, and select Properties.
  • Select the General tab.
  • Double click on Internet Protocol (TCP/IP) under General tab:
  • Check Obtain an IP address automatically and Obtain DNS server address automatically.
  • Click OK twice to save the settings.
  • Reboot.
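Added example, not code from the thread or from Farbar: a Python check that reads the output of the `ipconfig /all` command requested in reply #2 and tests the diagnosis given in reply #5, namely resolvers handed out by the router's DHCP that point outside the LAN. The sample ipconfig text, its addresses and the trusted resolver list are constructed assumptions.

```python
import ipaddress
import re

# Constructed sample of "ipconfig /all" output, standing in for the thread's
# log (whose addresses were stripped); addresses are private/documentation ranges.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

Host Name . . . . . . . . . . . . : Voyager

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . : example.net
Dhcp Enabled. . . . . . . . . . . : Yes
IP Address. . . . . . . . . . . . : 192.168.1.100
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.1
DHCP Server . . . . . . . . . . . : 192.168.1.1
DNS Servers . . . . . . . . . . . : 203.0.113.5
                                    203.0.113.6
"""

# "Field . . . . : value" lines; the dotted leaders are swallowed by [ .]*
FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z \-]*?)[ .]*: ?(.*)$")


def parse_ipconfig(text):
    """Return {field: [values]}; indented lines continue the previous field
    (that is how ipconfig lists a second DNS server)."""
    fields, last = {}, None
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            last = m.group(1).strip()
            fields.setdefault(last, [])
            if m.group(2).strip():
                fields[last].append(m.group(2).strip())
        elif last and line.startswith(" ") and line.strip():
            fields[last].append(line.strip())
    return fields


def dns_origin(fields):
    """'router' when the resolvers came via DHCP from the gateway, so a
    Windows reinstall cannot fix them; 'dhcp' or 'static' otherwise."""
    if (fields.get("Dhcp Enabled") or [""])[0].lower() != "yes":
        return "static"
    gw = fields.get("Default Gateway", [])
    return "router" if any(s in gw for s in fields.get("DHCP Server", [])) else "dhcp"


def suspicious_dns(fields, trusted=()):
    """DNS servers that are neither the gateway, inside the LAN, nor on the
    ISP's known resolver list: the signature of a DNS-changer on the router."""
    if not fields.get("IP Address") or not fields.get("Subnet Mask"):
        return []
    ip = ipaddress.ip_address(fields["IP Address"][0])
    lan = ipaddress.ip_network(f"{ip}/{fields['Subnet Mask'][0]}", strict=False)
    gateway = fields.get("Default Gateway", [])
    return [s for s in fields.get("DNS Servers", [])
            if s not in gateway and s not in trusted
            and ipaddress.ip_address(s) not in lan]
```

Pass the ISP's published resolvers as `trusted`; without that list every external resolver is reported, which is still the right question to ask when Windows Update redirects after a clean reinstall.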

#6 alkusoittow

  • Topic Starter

  • Members
  • 9 posts
  • Local time:05:26 AM

Posted 29 May 2009 - 05:59 PM

You know that feeling when you've been working on something for hours on end, and it's been frustrating you to the point of yelling, and then it's fixed and you just wanna cry? I've got that feeling right now.

Wow, I did not even know that was possible (hijacking the router).

I reset the router, updated the firmware, and reset the router AGAIN. Then I changed the password to something I never use, wrote it down so I don't forget it, and ran Malwarebytes again. It removed 2 DNS changers... Don't know why it didn't catch that on the first pass, but it got it this time.

And now, I am updating my computer via Windows Update website! YAY!! :thumbup2:

Thank you SOOOOoooooooooooo much!

#7 Farbar


    Just Curious

  • Security Developer
  • 21,671 posts
  • Gender:Male
  • Location:The Netherlands
  • Local time:01:26 PM

Posted 29 May 2009 - 06:26 PM

Great. :thumbup2:

You are most welcome. I can imagine how it feels.
I'll keep this open a while in case you need assistance. Update MBAM to the latest version; the Database version will be 2194 or above. Run a quick scan until you get a clean log.
Download and install SP3 and IE 7.
Install your antivirus, update and run a scan.
Please let me know if you have any questions before closing the topic.

#8 alkusoittow

  • Topic Starter

  • Members
  • 9 posts
  • Local time:05:26 AM

Posted 31 May 2009 - 12:59 PM

Updated to SP3, incl all security updates, etc... Updated Malwarebytes, Nod32, spybot S&D.
Everything shows clean now!

Thank you again

#9 Farbar


    Just Curious

  • Security Developer
  • 21,671 posts
  • Gender:Male
  • Location:The Netherlands
  • Local time:01:26 PM

Posted 31 May 2009 - 01:15 PM


You are most welcome, glad I could help.

This thread will now be closed since the issue seems to be resolved.

If you need this topic reopened, please send me a PM and I will reopen it for you.

If you should have a new issue, please start a new topic.
