Jump to content

Build Theme!
  •  
  • Unreplied Topics
  • Downloads
  • Infected?

WE'RE SURE THAT YOU'LL LOVE US!

Hey there! :wub: Looks like you're enjoying the discussion, but you're not signed up for an account. When you create an account, we remember exactly what you've read, so you always come right back where you left off. You also get notifications, here and via email, whenever new posts are made. You can like posts to share the love. :D Join 93085 other members! Anybody can ask, anybody can answer. Consistently helpful members may be invited to become staff. Here's how it works. Virus cleanup? Start here -> Malware Removal Forum.

Try What the Tech -- It's free!


Photo

[Resolved] windows update error: code 80244019

Started by seriouscode , Jun 16 2009 11:55 PM

  • This topic is locked This topic is locked
80 replies to this topic

#1 seriouscode

seriouscode

    Authentic Member

  • Authentic Member
  • PipPip
  • 115 posts

Posted 16 June 2009 - 11:55 PM

Ok here goes.... :pullhair:
I am not a newb on the "puter," but I am completely and utterly stumped with this nasty virus which i believe is either a Trojan or a root kit. It all started when i was

downloading a "Torrent" (which i will never do again cause it has scared me for life as you soon tell) when the sneaky badboy jumped up and bit me on the cyber rear. Its

very sneaky in the sense that Norton, CA, or windows live anti virus programs could not catch it. This particular anomaly will not allow me to enter certain sites and no i

am not talking about porn sites, this "Thing" as I call it will not even allow me to access Microsoft help sites, tool removal sites, or update sites for my anti viruses or OS.

That was my first hint at it being a serious bad rear virus. Next, I don't know where to even start looking, seeing as to how Reg edit ( which i have not changed, nor will i

touch for fear serious damage) and my self do not speak the same language. I have tried to update my OS and my (Various) anti virus programs, but with continuous

failure. I have tried using a non infected computer and downloading the much needed updates so i can at least try to install them manually but whenever i try to install the

updates on my computer an error pops up saying insufficient memory!!! WHY!!???? I have plenty of room i will let you know. The same goes for Microsoft approved tools!

I don't know what else to do. Here is the HJT report, if you need any more info on the subject from what else I've tried please let me know.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:30:34 AM, on 6/17/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\Hewlett-Packard\HP QuickTouch\HPKBDAPP.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.h...a...n&pf=laptop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.h...a...n&pf=laptop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.h...a...n&pf=laptop
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: HP Print Clips - {FFFFFFFF-FF12-44C5-91EC-068E3AA1B2D7} - c:\Program Files\HP\Smart Web Printing\hpswp_framework.dll
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [OnScreenDisplay] C:\Program Files\Hewlett-Packard\HP QuickTouch\HPKBDAPP.exe
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [WAWifiMessage] C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [OneCareUI] "C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe"
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: HP Smart Select - {58ECB495-38F0-49cb-A538-10282ABF65E7} - c:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O13 - Gopher Prefix:
O16 - DPF: {3860DD98-0549-4D50-AA72-5D17D200EE10} (Windows Live OneCare safety scanner control) - http://cdn.scan.onec...S/wlscctrl2.cab
O16 - DPF: {E6BB2089-163F-466B-812A-748096614DFD} (CAScanner Control) - http://cainternetsec...r/cascanner.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.112.185,85.255.112.193
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.112.185,85.255.112.193
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.185,85.255.112.193
O23 - Service: Com4Qlb - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4Qlb.exe
O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\HP Games\My HP Game Console\GameConsoleService.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: QuickPlay Background Capture Service (QBCS) (QPCapSvc) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\QPCapSvc.exe
O23 - Service: QuickPlay Task Scheduler (QTS) (QPSched) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\QPSched.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 6546 bytes

    Advertisements

Register to Remove

#2 Tomk

Tomk

    Beguilement Monitor

  • Global Moderator
  • 20,451 posts

Posted 19 June 2009 - 11:53 PM

Hi seriouscode,

:welcome:

My name is Tomk. I would be glad to take a look at your log and help you with solving any malware problems. HijackThis logs can take a while to research, so please be patient and I'd be grateful if you would note the following:

  • I will be working on your Malware issues, this may or may not, solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for the issues on this machine.
  • Please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear.
  • It's often worth reading through these instructions and printing them for ease of reference.
  • If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
  • Please reply to this thread. Do not start a new topic.

Download Rooter.exe to your desktop

  • Then doubleclick it to start the tool
  • A Notepad file containing the report will open, also found at %systemdrive%\Rooter.txt. Post that here

Download TFC to your desktop
  • Close any open windows.
  • Double click the TFC icon to run the program
  • TFC will close all open programs itself in order to run,
  • Click the Start button to begin the process.
  • Allow TFC to run uninterrupted.
  • The program should not take long to finish it's job
  • Once its finished it should automatically reboot your machine,
  • if it doesn't, manually reboot to ensure a complete clean

Then

Please download Malwarebytes' Anti-Malware to your desktop.

  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location and post the results.
  • Note: If you receive a notice that some of the items couldn't be removed, that they have been added to the delete on reboot list, please reboot (shut down your computer then restart it).
Also "copy/paste" a new HijackThis log file into this thread.

Also please describe how your computer behaves at the moment.
Tomk
------------------------------------------------------------
Microsoft MVP 2010-2014
 

#3 seriouscode

seriouscode

    Authentic Member

  • Authentic Member
  • PipPip
  • 115 posts

Posted 20 June 2009 - 01:08 AM

Tomk thank you so much for your reply to help me out. I was beginning to worry that i wasn't going to get any help. Here is the Rooter notepad post you asked for:

Rooter.exe (v1.0.1) by Eric_71
¨
Microsoft Windows Vista Home Edition (6.0.6001) Service Pack 1
32_bits - x86 Family 15 Model 104 Stepping 2, AuthenticAMD
¨
C:\ [Fixed-NTFS] .. ( Total:221 Go - Free:66 Go )
D:\ [Fixed-NTFS] .. ( Total:11 Go - Free:1 Go )
E:\ [CD_Rom]
¨
Scan : 02:19.47
Path : C:\Users\El Juan\Desktop\Rooter.exe
User : El Juan ( Administrator -> YES )
¨
----------------------\\ Processes
¨
Locked [System Process] (0)
Locked System (4)
Locked smss.exe (428)
Locked csrss.exe (508)
Locked wininit.exe (560)
Locked csrss.exe (572)
Locked services.exe (604)
Locked lsass.exe (620)
Locked lsm.exe (632)
Locked winlogon.exe (676)
Locked svchost.exe (808)
Locked nvvsvc.exe (856)
Locked svchost.exe (884)
Locked MsMpEng.exe (940)
Locked svchost.exe (1028)
Locked svchost.exe (1060)
Locked svchost.exe (1084)
Locked audiodg.exe (1156)
Locked svchost.exe (1176)
Locked SLsvc.exe (1192)
Locked svchost.exe (1240)
Locked svchost.exe (1348)
Locked spoolsv.exe (1536)
Locked svchost.exe (1564)
Locked InCDsrv.exe (1772)
Locked mdm.exe (1788)
Locked OcHealthMon.exe (1852)
Locked svchost.exe (1984)
Locked QPCapSvc.exe (1996)
Locked RichVideo.exe (516)
Locked svchost.exe (556)
Locked svchost.exe (868)
Locked SearchIndexer.exe (1184)
Locked XAudio.exe (1320)
Locked hpqWmiEx.exe (1944)
Locked msfwsvc.exe (336)
Locked winss.exe (744)
Locked QPSched.exe (2184)
Locked taskeng.exe (2708)
Locked WmiPrvSE.exe (3024)
Locked rundll32.exe (3240)
______ C:\Windows\system32\taskeng.exe (3588)
______ C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe (3616)
______ C:\Windows\system32\Dwm.exe (3688)
______ C:\Windows\Explorer.EXE (3736)
______ C:\Program Files\Synaptics\SynTP\SynTPEnh.exe (3988)
______ C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe (4008)
______ C:\Program Files\Hewlett-Packard\HP QuickTouch\HPKBDAPP.exe (4020)
______ C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe (624)
______ C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe (1012)
______ C:\WINDOWS\System32\rundll32.exe (836)
______ C:\Program Files\Java\jre6\bin\jusched.exe (2572)
______ C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe (704)
______ C:\Program Files\Windows Media Player\wmpnscfg.exe (2528)
Locked wmpnetwk.exe (2628)
______ C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe (2680)
Locked SynTPHelper.exe (1572)
Locked HPHC_Service.exe (3364)
Locked taskeng.exe (3004)
______ C:\Program Files\Mozilla Firefox\firefox.exe (1736)
______ C:\Users\El Juan\Desktop\Rooter.exe (2772)
¨
----------------------\\ Device\Harddisk0\
¨
\Device\Harddisk0 [Sectors : 63 x 512 Bytes]
¨
\Device\Harddisk0\Partition1 --[ MBR ]-- (Start_Offset:32256 | Length:237504927744)
\Device\Harddisk0\Partition2 (Start_Offset:237504960000 | Length:12551777280)
¨
----------------------\\ Scheduled Tasks
¨
C:\Windows\Tasks\SA.DAT
C:\Windows\Tasks\SCHEDLGU.TXT
¨
----------------------\\ Registry
¨
¨
----------------------\\ Files & Folders
¨
----------------------\\ Scan completed at 02:19.49
¨
C:\Rooter$\Rooter_1.txt - (20/06/2009 | 02:19.49)


Ok this the Malwarebytes Notepad scan:

Malwarebytes' Anti-Malware 1.38
Database version: 2297
Windows 6.0.6001 Service Pack 1

6/20/2009 2:40:59 AM
mbam-log-2009-06-20 (02-40-59).txt

Scan type: Quick Scan
Objects scanned: 75433
Time elapsed: 4 minute(s), 35 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 12
Folders Infected: 2
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\HeroCodecSoft (Trojan.DNSChanger) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.114.10 85.255.112.123 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.185,85.255.112.193 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{3ac63094-971e-43ad-bf3d-106c5b4adffe}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.114.10 85.255.112.123 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{eb06c10b-1f61-47ac-9ea3-28fc9dc8be65}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.114.10 85.255.112.123 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.114.10 85.255.112.123 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.185,85.255.112.193 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{3ac63094-971e-43ad-bf3d-106c5b4adffe}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.114.10 85.255.112.123 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{eb06c10b-1f61-47ac-9ea3-28fc9dc8be65}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.114.10 85.255.112.123 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.114.10 85.255.112.123 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.185,85.255.112.193 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{3ac63094-971e-43ad-bf3d-106c5b4adffe}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.114.10 85.255.112.123 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{eb06c10b-1f61-47ac-9ea3-28fc9dc8be65}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.114.10 85.255.112.123 -> Quarantined and deleted successfully.

Folders Infected:
c:\Users\El Juan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\HeroCodec (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\HeroCodec (Trojan.DNSChanger) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\System32\gxvxccounter (Trojan.DNSChanger) -> Quarantined and deleted successfully.


Here is the new HJT report:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:56:51 AM, on 6/20/2009
Platform: Windows Vista SP1 (WinNT 6.00z.1905)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\Hewlett-Packard\HP QuickTouch\HPKBDAPP.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = Preserve
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.h...a...n&pf=laptop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.h...a...n&pf=laptop
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: HP Print Clips - {FFFFFFFF-FF12-44C5-91EC-068E3AA1B2D7} - c:\Program Files\HP\Smart Web Printing\hpswp_framework.dll
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [OnScreenDisplay] C:\Program Files\Hewlett-Packard\HP QuickTouch\HPKBDAPP.exe
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [WAWifiMessage] C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [OneCareUI] "C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O9 - Extra button: HP Smart Select - {58ECB495-38F0-49cb-A538-10282ABF65E7} - c:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O13 - Gopher Prefix:
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Com4Qlb - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4Qlb.exe
O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\HP Games\My HP Game Console\GameConsoleService.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: QuickPlay Background Capture Service (QBCS) (QPCapSvc) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\QPCapSvc.exe
O23 - Service: QuickPlay Task Scheduler (QTS) (QPSched) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\QPSched.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 5950 bytes


As far as how my computer is behaving at this moment, well it still does not really work correctly. I am starting to believe that it might be a in my router, this virus. I am still not able to enter certain websites, websites that are helpful to my computers health. When i try to access Microsoft.com website and go to the update section and then check to see if i can update my OS it goes directly to a Google error website. It's still the same. Also Tomk if you could, can you tell me what it is exactly that you think could be attacking my system? also, how can you find it by looking at all this code? Lol, I'm sorry but I like to learn about stuff like this, mostly cause i don't understand it at all. If its not to much trouble for you to explain that is. again thanks for helping me out.

#4 Tomk

Tomk

    Beguilement Monitor

  • Global Moderator
  • 20,451 posts

Posted 20 June 2009 - 07:37 AM

seriouscode,

What we are looking at in your logs is the files and registry points and how they are placed on your system. Malware often names the evil files the same as legitimate files but the are located in the "wrong" place. Some things we can tell just from the name.

The infection you have is called Wareout. It kidnaps your DNS. And you are correct, sometimes it corrupts the DNS in the router. Let's get a couple other logs to make sure that isn't happening.

Please download SmitfraudFix

Double-click SmitfraudFix.exe
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.

Disable resident protections (Antivirus...); you'll re-enable them after the scan

Download Lop S&D < here

Double-click Lop S&D.exe
Choose the language, then choose Option 1 (Search)
Wait till the end of the scan
Post the log which is created: (%SystemDrive%\lopR.txt)
Tomk
------------------------------------------------------------
Microsoft MVP 2010-2014
 

#5 seriouscode

seriouscode

    Authentic Member

  • Authentic Member
  • PipPip
  • 115 posts

Posted 20 June 2009 - 02:17 PM

Cool thanks Tomk, I understand computers enough to know what it was that you explained about the virus. Thank you!

Ok here is the Smitfraudfix Log you asked for:

SmitFraudFix v2.422

Scan done at 16:10:27.25, Sat 06/20/2009
Run from C:\Users\El Juan\Desktop\SmitfraudFix
OS: Microsoft Windows [Version 6.0.6001] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\Windows\system32\csrss.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Microsoft Windows OneCare Live\OcHealthMon.exe
C:\Windows\system32\svchost.exe
C:\Program Files\HP\QuickPlay\Kernel\TV\QPCapSvc.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe
C:\Program Files\Microsoft Windows OneCare Live\winss.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\rundll32.exe
C:\Program Files\HP\QuickPlay\Kernel\TV\QPSched.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\Hewlett-Packard\HP QuickTouch\HPKBDAPP.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\El Juan\Desktop\SmitfraudFix\Policies.exe
C:\Windows\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\Windows


»»»»»»»»»»»»»»»»»»»»»»»» C:\Windows\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\Windows\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\Windows\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\Windows\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Users\El Juan


»»»»»»»»»»»»»»»»»»»»»»»» C:\Users\ELJUAN~1\AppData\Local\Temp


»»»»»»»»»»»»»»»»»»»»»»»» C:\Users\El Juan\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\Users\ELJUAN~1\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components



»»»»»»»»»»»»»»»»»»»»»»»» o4Patch
!!!Attention, following keys are not inevitably infected!!!

o4Patch
Credits: Malware Analysis & Diagnostic
Code: S!Ri



»»»»»»»»»»»»»»»»»»»»»»»» IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri



»»»»»»»»»»»»»»»»»»»»»»»» Agent.OMZ.Fix
!!!Attention, following keys are not inevitably infected!!!

Agent.OMZ.Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» VACFix
!!!Attention, following keys are not inevitably infected!!!

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» 404Fix
!!!Attention, following keys are not inevitably infected!!!

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\Windows\\system32\\userinit.exe,"

»»»»»»»»»»»»»»»»»»»»»»»» RK

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]




»»»»»»»»»»»»»»»»»»»»»»»» DNS

Your computer may be victim of a DNS Hijack: 85.255.x.x detected !

Description: Atheros AR5007 802.11b/g WiFi Adapter
DNS Server Search Order: 85.255.114.10
DNS Server Search Order: 85.255.112.123

HKLM\SYSTEM\CCS\Services\Tcpip\..\{3AC63094-971E-43AD-BF3D-106C5B4ADFFE}: DhcpNameServer=85.255.114.10 85.255.112.123


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End



And here is the Lop S&D log:


--------------------\\ Lop S&D 4.2.5-0 XP/Vista

Microsoft® Windows Vista™ Home Premium ( v6.0.6001 ) Service Pack 1
X86-based PC ( Multiprocessor Free : AMD Turion™ 64 X2 Mobile Technology TL-60 )
BIOS : PhoenixBIOS 4.0 Release 6.1
USER : El Juan ( Administrator )
BOOT : Normal boot
Antivirus : Windows Live OneCare 1.0.0 (Activated)
Firewall : Windows Live OneCare Firewall 1.0.0 (Activated)
C:\ (Local Disk) - NTFS - Total:221 Go (Free:66 Go)
D:\ (Local Disk) - NTFS - Total:11 Go (Free:1 Go)
E:\ (CD or DVD)

"C:\Lop SD" ( MAJ : 19-12-2008|23:40 )
Option : [1] ( Sat 06/20/2009|16:15 )

[ UAC => 1 ]

--------------------\\ Listing folders in Local

[03/25/2009|14:21] C:\Users\ELJUAN~1\AppData\Local\Adobe
[03/25/2009|03:18] C:\Users\ELJUAN~1\AppData\Local\Ahead
[03/24/2009|19:52] C:\Users\ELJUAN~1\AppData\Local\Application Data
[03/24/2009|20:05] C:\Users\ELJUAN~1\AppData\Local\AtStart.txt
[06/17/2009|00:35] C:\Users\ELJUAN~1\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[03/24/2009|19:58] C:\Users\ELJUAN~1\AppData\Local\Downloaded Installations
[03/24/2009|20:05] C:\Users\ELJUAN~1\AppData\Local\DSwitch.txt
[05/23/2009|19:51] C:\Users\ELJUAN~1\AppData\Local\FnF4.txt
[04/28/2009|22:19] C:\Users\ELJUAN~1\AppData\Local\GDIPFONTCACHEV1.DAT
[03/25/2009|00:10] C:\Users\ELJUAN~1\AppData\Local\Hewlett-Packard
[03/24/2009|19:52] C:\Users\ELJUAN~1\AppData\Local\History
[06/20/2009|02:45] C:\Users\ELJUAN~1\AppData\Local\IconCache.db
[04/29/2009|13:20] C:\Users\ELJUAN~1\AppData\Local\Microsoft
[03/25/2009|17:52] C:\Users\ELJUAN~1\AppData\Local\Microsoft Games
[03/25/2009|00:58] C:\Users\ELJUAN~1\AppData\Local\Mozilla
[03/30/2009|23:45] C:\Users\ELJUAN~1\AppData\Local\NCSoft
[03/24/2009|20:05] C:\Users\ELJUAN~1\AppData\Local\QSwitch.txt
[05/18/2009|20:09] C:\Users\ELJUAN~1\AppData\Local\QuickPlay
[03/24/2009|20:50] C:\Users\ELJUAN~1\AppData\Local\Seven Zip
[06/20/2009|16:14] C:\Users\ELJUAN~1\AppData\Local\Temp
[03/24/2009|19:52] C:\Users\ELJUAN~1\AppData\Local\Temporary Internet Files
[03/25/2009|23:57] C:\Users\ELJUAN~1\AppData\Local\VirtualStore

--------------------\\ Scheduled Tasks located in C:\Windows\Tasks

[06/20/2009 02:46][--ah-----] C:\Windows\tasks\SA.DAT
[06/20/2009 02:45][--a------] C:\Windows\tasks\SCHEDLGU.TXT

--------------------\\ Listing Folders in C:\ProgramData

[04/24/2008|22:40] C:\ProgramData\Adobe
[03/25/2009|02:33] C:\ProgramData\Ahead
[03/24/2009|20:10] C:\ProgramData\AOL
[03/24/2009|19:49] C:\ProgramData\Application Data
[05/16/2008|23:58] C:\ProgramData\Atheros
[04/28/2009|22:19] C:\ProgramData\CA
[05/17/2009|14:21] C:\ProgramData\CyberLink
[03/24/2009|19:49] C:\ProgramData\Desktop
[03/24/2009|19:49] C:\ProgramData\Documents
[03/24/2009|19:49] C:\ProgramData\Favorites
[03/24/2009|20:05] C:\ProgramData\Hewlett-Packard
[04/24/2008|22:38] C:\ProgramData\HP
[03/25/2009|03:15] C:\ProgramData\hpzinstall.log
[06/20/2009|02:33] C:\ProgramData\Malwarebytes
[04/28/2009|22:20] C:\ProgramData\Microsoft
[03/24/2009|20:54] C:\ProgramData\Microsoft Help
[04/24/2008|22:22] C:\ProgramData\muvee Technologies
[03/25/2009|02:30] C:\ProgramData\Nero
[04/17/2009|04:01] C:\ProgramData\NVIDIA
[06/20/2009|16:06] C:\ProgramData\nvModes.001
[06/20/2009|16:06] C:\ProgramData\nvModes.dat
[03/24/2009|19:49] C:\ProgramData\Start Menu
[06/18/2009|10:25] C:\ProgramData\SUPERAntiSpyware.com
[03/24/2009|23:24] C:\ProgramData\Symantec
[03/24/2009|19:49] C:\ProgramData\Templates
[04/24/2008|22:00] C:\ProgramData\Viewpoint
[05/17/2008|00:11] C:\ProgramData\WildTangent

--------------------\\ Listing Folders in C:\Program Files

[04/24/2008|22:39] C:\Program Files\Adobe
[05/16/2008|23:58] C:\Program Files\Atheros
[04/24/2008|22:52] C:\Program Files\AWS
[06/18/2009|16:15] C:\Program Files\City of Heroes
[06/18/2009|10:23] C:\Program Files\Common Files
[05/16/2008|23:57] C:\Program Files\CONEXANT
[03/25/2009|02:25] C:\Program Files\CyberLink
[05/18/2009|03:10] C:\Program Files\Dell
[04/24/2008|22:51] C:\Program Files\earthlink totalaccess
[05/17/2008|00:04] C:\Program Files\Hewlett-Packard
[05/17/2008|00:01] C:\Program Files\HP
[05/17/2008|00:11] C:\Program Files\HP Games
[05/17/2008|00:03] C:\Program Files\HPQ
[04/06/2009|16:21] C:\Program Files\InstallShield Installation Information
[06/18/2009|12:45] C:\Program Files\Internet Explorer
[04/08/2009|13:33] C:\Program Files\Java
[06/20/2009|02:33] C:\Program Files\Malwarebytes' Anti-Malware
[03/25/2009|02:13] C:\Program Files\Microsoft ActiveSync
[11/02/2006|08:37] C:\Program Files\Microsoft Games
[03/25/2009|02:11] C:\Program Files\Microsoft Office
[03/25/2009|00:55] C:\Program Files\Microsoft Silverlight
[03/25/2009|02:12] C:\Program Files\Microsoft Visual Studio
[06/19/2009|11:55] C:\Program Files\Microsoft Windows OneCare Live
[03/24/2009|22:41] C:\Program Files\Microsoft Works
[01/20/2008|22:35] C:\Program Files\Movie Maker
[06/14/2009|09:10] C:\Program Files\Mozilla Firefox
[11/02/2006|08:37] C:\Program Files\MSBuild
[03/25/2009|00:05] C:\Program Files\MSXML 4.0
[03/25/2009|02:30] C:\Program Files\Nero
[05/16/2008|23:56] C:\Program Files\NetWaiting
[03/24/2009|20:00] C:\Program Files\Online Services
[04/06/2009|16:21] C:\Program Files\PH Train & Assess IT
[11/02/2006|08:37] C:\Program Files\Reference Assemblies
[03/24/2009|22:50] C:\Program Files\Sling Media
[06/18/2009|10:25] C:\Program Files\SUPERAntiSpyware
[05/16/2008|23:54] C:\Program Files\Synaptics
[04/28/2009|14:52] C:\Program Files\Trend Micro
[11/02/2006|09:01] C:\Program Files\Uninstall Information
[03/25/2009|00:57] C:\Program Files\uTorrent
[03/25/2009|02:19] C:\Program Files\VideoLAN
[04/24/2008|22:00] C:\Program Files\Viewpoint
[01/20/2008|22:35] C:\Program Files\Windows Calendar
[01/20/2008|22:35] C:\Program Files\Windows Collaboration
[01/20/2008|22:35] C:\Program Files\Windows Defender
[01/20/2008|22:35] C:\Program Files\Windows Journal
[06/18/2009|15:13] C:\Program Files\Windows Live Safety Center
[06/18/2009|12:45] C:\Program Files\Windows Mail
[03/24/2009|23:54] C:\Program Files\Windows Media Player
[11/02/2006|08:37] C:\Program Files\Windows NT
[01/20/2008|22:35] C:\Program Files\Windows Photo Gallery
[01/20/2008|22:35] C:\Program Files\Windows Sidebar
[05/05/2009|01:23] C:\Program Files\WinRAR
[05/16/2008|23:58] C:\Program Files\WinTV
[03/24/2009|20:11] C:\Program Files\Yahoo!

--------------------\\ Listing Folders in C:\Program Files\Common Files

[04/24/2008|22:40] C:\Program Files\Common Files\Adobe
[03/25/2009|02:32] C:\Program Files\Common Files\Ahead
[03/25/2009|02:12] C:\Program Files\Common Files\Designer
[04/24/2008|22:38] C:\Program Files\Common Files\HP
[04/24/2008|22:40] C:\Program Files\Common Files\InstallShield
[04/24/2008|23:01] C:\Program Files\Common Files\Java
[03/25/2009|02:08] C:\Program Files\Common Files\L&H
[04/28/2009|20:52] C:\Program Files\Common Files\microsoft shared
[04/28/2009|20:54] C:\Program Files\Common Files\PX Storage Engine
[11/02/2006|07:18] C:\Program Files\Common Files\Services
[11/02/2006|07:18] C:\Program Files\Common Files\SpeechEngines
[03/24/2009|23:56] C:\Program Files\Common Files\Symantec Shared
[03/25/2009|02:10] C:\Program Files\Common Files\System
[06/18/2009|10:23] C:\Program Files\Common Files\Wise Installation Wizard

--------------------\\ Process

( 64 Processes )

... OK !

--------------------\\ Searching with S_Lop

No Lop folder found !

--------------------\\ Searching for Lop Files - Folders

No Lop folder found !

--------------------\\ Searching within the Registry

..... OK !

--------------------\\ Checking the Hosts file

Hosts file CLEAN


--------------------\\ Searching for hidden files with Catchme

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-20 16:15:25
Windows 6.0.6001 Service Pack 1 NTFS
scanning hidden processes ...
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden files: 0

--------------------\\ Searching for other infections

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters]
DhcpNameServer REG_SZ 85.255.114.10 85.255.112.123
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters]
DhcpNameServer REG_SZ 85.255.114.10 85.255.112.123
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
DhcpNameServer REG_SZ 85.255.114.10 85.255.112.123
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\..\{3AC63094-971E-43AD-BF3D-106C5B4ADFFE}]
DhcpNameServer REG_SZ 85.255.114.10 85.255.112.123
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\..\{3AC63094-971E-43AD-BF3D-106C5B4ADFFE}]
DhcpNameServer REG_SZ 85.255.114.10 85.255.112.123
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\..\{3AC63094-971E-43AD-BF3D-106C5B4ADFFE}]
DhcpNameServer REG_SZ 85.255.114.10 85.255.112.123
==> WAREOUT <==



[F:11][D:2]-> C:\Users\ELJUAN~1\AppData\Local\Temp
[F:41][D:1]-> C:\Users\ELJUAN~1\AppData\Roaming\MICROS~1\Windows\Cookies
[F:31][D:4]-> C:\Users\ELJUAN~1\AppData\Local\MICROS~1\Windows\TEMPOR~1\content.IE5
[F:3][D:3]-> C:\$Recycle.Bin

1 - "C:\Lop SD\LopR_1.txt" - Sat 06/20/2009|16:16 - Option : [1]

--------------------\\ Scan completed at 16:16:08
[ UAC => 1 ]

Now.. Whats next?

#6 Tomk

Tomk

    Beguilement Monitor

  • Global Moderator
  • 20,451 posts

Posted 20 June 2009 - 03:48 PM

seriouscode,

Double-click SmitfraudFix.exe
Select option #5 - Search and Clean DNS Hijack by typing 5 and press "Enter" to delete infected files.

If you are prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool may need to restart your computer to finish the cleaning process. A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply along with a new HijackThis log.
The report can also be found at the root of the system drive, usually at C:\rapport.txt

Are there any other computers hooked to your router?
If so, would you please download and run Malwarebytes antimalware on the other computer and post the log here.

If need be, do you know how to reset your router?
What brand and model do you have?

Edited by Tomk, 20 June 2009 - 03:56 PM.

Tomk
------------------------------------------------------------
Microsoft MVP 2010-2014
 

#7 seriouscode

seriouscode

    Authentic Member

  • Authentic Member
  • PipPip
  • 115 posts

Posted 21 June 2009 - 08:30 AM

OK this is the new Smitfraudfix Log:

SmitFraudFix v2.422

Scan done at 10:19:36.12, Sun 06/21/2009
Run from C:\Users\El Juan\Desktop\SmitfraudFix
OS: Microsoft Windows [Version 6.0.6001] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» DNS Before Fix

Your computer may be victim of a DNS Hijack: 85.255.x.x detected !

Description: Atheros AR5007 802.11b/g WiFi Adapter
DNS Server Search Order: 85.255.114.10
DNS Server Search Order: 85.255.112.123

HKLM\SYSTEM\CCS\Services\Tcpip\..\{3AC63094-971E-43AD-BF3D-106C5B4ADFFE}: DhcpNameServer=85.255.114.10 85.255.112.123

»»»»»»»»»»»»»»»»»»»»»»»» DNS After Fix

Your computer may be victim of a DNS Hijack: 85.255.x.x detected !

Description: Atheros AR5007 802.11b/g WiFi Adapter
DNS Server Search Order: 85.255.114.10
DNS Server Search Order: 85.255.112.123

HKLM\SYSTEM\CCS\Services\Tcpip\..\{3AC63094-971E-43AD-BF3D-106C5B4ADFFE}: DhcpNameServer=85.255.114.10 85.255.112.123

Next here is the newest HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:24:20, on 6/21/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\Hewlett-Packard\HP QuickTouch\HPKBDAPP.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = Preserve
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.h...a...n&pf=laptop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.h...a...n&pf=laptop
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: HP Print Clips - {FFFFFFFF-FF12-44C5-91EC-068E3AA1B2D7} - c:\Program Files\HP\Smart Web Printing\hpswp_framework.dll
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [OnScreenDisplay] C:\Program Files\Hewlett-Packard\HP QuickTouch\HPKBDAPP.exe
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [WAWifiMessage] C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [OneCareUI] "C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O9 - Extra button: HP Smart Select - {58ECB495-38F0-49cb-A538-10282ABF65E7} - c:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O13 - Gopher Prefix:
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Com4Qlb - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4Qlb.exe
O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\HP Games\My HP Game Console\GameConsoleService.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: QuickPlay Background Capture Service (QBCS) (QPCapSvc) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\QPCapSvc.exe
O23 - Service: QuickPlay Task Scheduler (QTS) (QPSched) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\QPSched.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 5849 bytes


Next, I do have other Computers connected to this router (Wirelessly) I will run the programs you are asking me to run and send a report as well.
I have a Linksys router, Model number: WRT54G. And no i do not know how to reset my router. Can you show me how?

#8 Tomk

Tomk

    Beguilement Monitor

  • Global Moderator
  • 20,451 posts

Posted 21 June 2009 - 09:08 AM

seriouscode,

Not knowing all of your required settings in your router, let's try "fixing" it first. If this doesn't work, we will do a factory reset on your router and you will need to find any security or ISP required settings in order to re-configure your router.

In the address block of your router instead of putting a web address (www.whatthetech.com) type in 192.168.1.1 and the hit enter.
That should bring up your routers setup/utility program. You will be asked for a username and Password. Leave the username blank and type admin in for the password and click OK.
The setup page should open. About two thirds down the page is will say Static DNS #1 followed by some numbers that are probably 85.255.114.10 which are the "bad" numbers. Change the numbers to 208.67.222.222. Then change Static DNS #2 to 208.67.220.220.
Click Save Settings at the bottom of the screen.

Now, go back and run a quick scan with Malwarebytes and post me the report.
Tomk
------------------------------------------------------------
Microsoft MVP 2010-2014
 

#9 seriouscode

seriouscode

    Authentic Member

  • Authentic Member
  • PipPip
  • 115 posts

Posted 21 June 2009 - 07:25 PM

Tomk I did the router fixes and here is the Malware logs you asked for:

Malwarebytes' Anti-Malware 1.38
Database version: 2297
Windows 6.0.6001 Service Pack 1

6/21/2009 21:24:54
mbam-log-2009-06-21 (21-24-54).txt

Scan type: Quick Scan
Objects scanned: 75369
Time elapsed: 4 minute(s), 36 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 6
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.114.10 85.255.112.123 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{3ac63094-971e-43ad-bf3d-106c5b4adffe}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.114.10 85.255.112.123 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.114.10 85.255.112.123 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{3ac63094-971e-43ad-bf3d-106c5b4adffe}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.114.10 85.255.112.123 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.114.10 85.255.112.123 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{3ac63094-971e-43ad-bf3d-106c5b4adffe}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.114.10 85.255.112.123 -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#10 Tomk

Tomk

    Beguilement Monitor

  • Global Moderator
  • 20,451 posts

Posted 21 June 2009 - 11:29 PM

seriouscode, Is that MBAM log from the computer we're working on, or a different one?
Tomk
------------------------------------------------------------
Microsoft MVP 2010-2014
 

    Advertisements

Register to Remove

#11 seriouscode

seriouscode

    Authentic Member

  • Authentic Member
  • PipPip
  • 115 posts

Posted 22 June 2009 - 12:56 AM

the one we've been working on. The next one that needs fixing i wanted to wait till we cleaned this one as best as we could first.

#12 Tomk

Tomk

    Beguilement Monitor

  • Global Moderator
  • 20,451 posts

Posted 22 June 2009 - 01:54 AM

seriouscode, Good. Please run Malwarebytes on the same computer again and post the log here.
Tomk
------------------------------------------------------------
Microsoft MVP 2010-2014
 

#13 seriouscode

seriouscode

    Authentic Member

  • Authentic Member
  • PipPip
  • 115 posts

Posted 22 June 2009 - 08:42 AM

Tomk just to sure this malwarebytes new log is still from the same computer you've been helping me with. When you think that we've cleaned this computer well enough i will start sending logs of the next computer. Also, when you that I do send you those logs, which scans should i send you? In the mean time here is the Malware log:

Malwarebytes' Anti-Malware 1.38
Database version: 2297
Windows 6.0.6001 Service Pack 1

6/22/2009 10:40:53
mbam-log-2009-06-22 (10-40-53).txt

Scan type: Quick Scan
Objects scanned: 75628
Time elapsed: 4 minute(s), 5 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#14 Tomk

Tomk

    Beguilement Monitor

  • Global Moderator
  • 20,451 posts

Posted 22 June 2009 - 09:39 AM

seriouscode, Yes. You've given me the log from the same computer we've been working on. That's exactly what I wanted. As you can see, the wareout has not regenerated now that you repaired the settings in the router. :yeah: Please give me a new HijackThis log from that same computer and tell me how it is running now. As far as the other computers hooked to the router, I'd like you to download and run Malwarebytes Antimalware on each of them. It will probably find Trojan.DNSChanger. If it finds anything other than that, please post me the report from that computer, along with a HijackThis log from that computer.
Tomk
------------------------------------------------------------
Microsoft MVP 2010-2014
 

#15 seriouscode

seriouscode

    Authentic Member

  • Authentic Member
  • PipPip
  • 115 posts

Posted 22 June 2009 - 10:55 AM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:53:47, on 6/22/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\Hewlett-Packard\HP QuickTouch\HPKBDAPP.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = Preserve
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.h...a...n&pf=laptop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.h...a...n&pf=laptop
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: HP Print Clips - {FFFFFFFF-FF12-44C5-91EC-068E3AA1B2D7} - c:\Program Files\HP\Smart Web Printing\hpswp_framework.dll
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [OnScreenDisplay] C:\Program Files\Hewlett-Packard\HP QuickTouch\HPKBDAPP.exe
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [WAWifiMessage] C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [OneCareUI] "C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O9 - Extra button: HP Smart Select - {58ECB495-38F0-49cb-A538-10282ABF65E7} - c:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O13 - Gopher Prefix:
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Com4Qlb - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4Qlb.exe
O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\HP Games\My HP Game Console\GameConsoleService.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: QuickPlay Background Capture Service (QBCS) (QPCapSvc) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\QPCapSvc.exe
O23 - Service: QuickPlay Task Scheduler (QTS) (QPSched) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\QPSched.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 5882 bytes

Related Topics

Back to Virus, Spyware & Malware Removal · Next Unread Topic →

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. What the Tech
  2. Spyware / Malware / Virus Removal
  3. Virus, Spyware & Malware Removal
  4. Privacy Policy
  5. Terms of Use ·