Results 1 to 4 of 4

Thread: Help! MS Windows.RedirectionHosts and things I can't remove from SpyBot!

  1. #1
    Junior Member
    Join Date
    Dec 2010
    Posts
    1

    Default Help! MS Windows.RedirectionHosts and things I can't remove from SpyBot!

    Hello everyone.
    I have encountered a problem on Spybot search and destroy. There are 3 different types of items that Spybot can't remove. It says access denied when I try and remove it.

    I am currently running my computer and accessing the internet in SafeMode bc when I try and get on IE in regular mode I get the error saying "Page cannot be displayed."

    I have System Restore turned on. It was turned off though.

    I have downloaded and run the ERUNT program.


    Here is the DDS Log

    DDS (Ver_10-12-12.02) - NTFSx86 NETWORK
    Run by Administrator at 11:03:33.35 on Mon 12/27/2010
    Internet Explorer: 8.0.6001.18702
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.503.294 [GMT -6:00]

    AV: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}

    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\system32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\VGDIFXHU\dds[1].scr

    ============== Pseudo HJT Report ===============

    mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
    BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg10\avgssie.dll
    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
    BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
    BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
    BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
    BHO: MSN Toolbar BHO: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn toolbar\platform\4.0.0379.0\npwinext.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
    TB: MSN Toolbar: {8dcb7100-df86-4384-8842-8fa844297b3f} - c:\program files\msn toolbar\platform\4.0.0379.0\npwinext.dll
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
    uRunOnce: [SpybotDeletingD7006] cmd.exe /c del "c:\program files\gamevance\gamevancelib32.dll"
    uRunOnce: [SpybotDeletingD5971] cmd.exe /c del "c:\program files\gamevance\gvtl.dll"
    mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
    mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
    mRun: [MSN Toolbar] "c:\program files\msn toolbar\platform\4.0.0379.0\mswinext.exe"
    mRun: [Microsoft Default Manager] "c:\program files\microsoft\search enhancement pack\default manager\DefMgr.exe" -resume
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [HP Software Update] "c:\program files\hewlett-packard\hp software update\HPWuSchd.exe"
    mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe
    mRun: [AVG_TRAY] c:\program files\avg\avg10\avgtray.exe
    StartupFolder: c:\docume~1\admini~1\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
    IE: {5CFA5B80-01F4-420F-B18B-545712C8A1C8} - http://www.playsushi.com/About.ps?l=27&t=nHH7DbKE8
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - c:\program files\pokerstars.net\PokerStarsUpdate.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
    DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1249474484468
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
    Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
    Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg10\avgpp.dll
    Notify: igfxcui - igfxsrvc.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    IFEO: image file execution options - svchost.exe
    Hosts: 74.125.45.100 4-open-davinci.com
    Hosts: 74.125.45.100 securitysoftwarepayments.com
    Hosts: 74.125.45.100 privatesecuredpayments.com
    Hosts: 74.125.45.100 secure.privatesecuredpayments.com
    Hosts: 74.125.45.100 getantivirusplusnow.com

    Note: multiple HOSTS entries found. Please refer to Attach.txt

    ============= SERVICES / DRIVERS ===============

    R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2010-9-13 25680]
    R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2010-9-7 26064]
    R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2010-9-7 299984]
    S0 cerc6;cerc6; [x]
    S1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2010-9-7 249424]
    S1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2010-9-7 34384]
    S2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg10\identity protection\agent\bin\AVGIDSAgent.exe [2010-11-10 6127184]
    S2 avgwd;AVG WatchDog;c:\program files\avg\avg10\avgwdsvc.exe [2010-10-22 265400]
    S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\avg\avg10\toolbar\ToolbarBroker.exe [2010-10-17 517448]
    S3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2010-8-19 123472]
    S3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2010-8-19 30288]
    S3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2010-8-19 26192]

    =============== Created Last 30 ================

    2010-12-26 07:11:38 -------- d-----w- c:\docume~1\admini~1\applic~1\Malwarebytes
    2010-12-26 04:20:01 -------- d-----w- c:\docume~1\alluse~1.win\applic~1\oDpOo05200
    2010-12-25 22:38:17 -------- d-sh--w- c:\docume~1\alluse~1.win\applic~1\PIQXYMNQAS
    2010-12-25 22:37:07 -------- d-----w- c:\docume~1\alluse~1.win\applic~1\292e21

    ==================== Find3M ====================

    2010-11-18 18:12:44 81920 ----a-w- c:\windows\system32\isign32.dll
    2010-11-06 00:26:58 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-11-06 00:26:58 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2010-11-06 00:26:58 1469440 ------w- c:\windows\system32\inetcpl.cpl
    2010-11-03 12:25:54 385024 ----a-w- c:\windows\system32\html.iec
    2010-10-28 13:13:22 290048 ----a-w- c:\windows\system32\atmfd.dll
    2010-10-26 13:25:00 1853312 ----a-w- c:\windows\system32\win32k.sys

    ============= FINISH: 11:04:36.03 ===============


    Here is the copy of the Spybot Search and Destroy log that I ran a few min ago.
    Fraud.WindowsProtectionSuite: [SBI $B197733A] Redirected host (Redirected host, nothing done)
    4-open-davinci.com=74.125.45.100

    Fraud.WindowsProtectionSuite: [SBI $B197733A] Redirected host (Redirected host, nothing done)
    securitysoftwarepayments.com=74.125.45.100

    Fraud.WindowsProtectionSuite: [SBI $B197733A] Redirected host (Redirected host, nothing done)
    privatesecuredpayments.com=74.125.45.100

    Fraud.WindowsProtectionSuite: [SBI $B197733A] Redirected host (Redirected host, nothing done)
    secure.privatesecuredpayments.com=74.125.45.100

    Fraud.WindowsProtectionSuite: [SBI $B197733A] Redirected host (Redirected host, nothing done)
    getantivirusplusnow.com=74.125.45.100

    Fraud.WindowsProtectionSuite: [SBI $B197733A] Redirected host (Redirected host, nothing done)
    secure-plus-payments.com=74.125.45.100

    Fraud.WindowsProtectionSuite: [SBI $B197733A] Redirected host (Redirected host, nothing done)
    www.getantivirusplusnow.com=74.125.45.100

    Fraud.WindowsProtectionSuite: [SBI $B197733A] Redirected host (Redirected host, nothing done)
    www.secure-plus-payments.com=74.125.45.100

    Fraud.WindowsProtectionSuite: [SBI $B197733A] Redirected host (Redirected host, nothing done)
    www.getavplusnow.com=74.125.45.100

    Fraud.WindowsProtectionSuite: [SBI $B197733A] Redirected host (Redirected host, nothing done)
    safebrowsing-cache.google.com=74.125.45.100

    Fraud.WindowsProtectionSuite: [SBI $B197733A] Redirected host (Redirected host, nothing done)
    urs.microsoft.com=74.125.45.100

    Fraud.WindowsProtectionSuite: [SBI $B197733A] Redirected host (Redirected host, nothing done)
    www.securesoftwarebill.com=74.125.45.100

    Fraud.WindowsProtectionSuite: [SBI $B197733A] Redirected host (Redirected host, nothing done)
    secure.paysecuresystem.com=74.125.45.100

    Fraud.WindowsProtectionSuite: [SBI $B197733A] Redirected host (Redirected host, nothing done)
    paysoftbillsolution.com=74.125.45.100

    Fraud.WindowsProtectionSuite: [SBI $B197733A] Redirected host (Redirected host, nothing done)
    protected.maxisoftwaremart.com=74.125.45.100

    Microsoft.Windows.RedirectedHosts: [SBI $B89FBA81] Redirected host (Redirected host, nothing done)
    www.securesoftwarebill.com=74.125.45.100

    Microsoft.Windows.RedirectedHosts: [SBI $19781685] Redirected host (Redirected host, nothing done)
    secure.paysecuresystem.com=74.125.45.100

    Microsoft.Windows.RedirectedHosts: [SBI $CEFF52BA] Redirected host (Redirected host, nothing done)
    paysoftbillsolution.com=74.125.45.100

    DoubleClick: Tracking cookie (Internet Explorer: Administrator) (Cookie, nothing done)


    Right Media: Tracking cookie (Internet Explorer: Administrator) (Cookie, nothing done)



    --- Spybot - Search & Destroy version: 1.6.2 (build: 20090126) ---

    2009-01-26 blindman.exe (1.0.0.8)
    2009-01-26 SDFiles.exe (1.6.1.7)
    2009-01-26 SDMain.exe (1.0.0.6)
    2009-01-26 SDShred.exe (1.0.2.5)
    2009-01-26 SDUpdate.exe (1.6.0.12)
    2009-01-26 SpybotSD.exe (1.6.2.46)
    2009-03-05 TeaTimer.exe (1.6.6.32)
    2010-09-08 unins000.exe (51.49.0.0)
    2009-01-26 Update.exe (1.6.0.7)
    2009-11-04 advcheck.dll (1.6.5.20)
    2007-04-02 aports.dll (2.1.0.0)
    2008-06-14 DelZip179.dll (1.79.11.1)
    2009-01-26 SDHelper.dll (1.6.2.14)
    2008-06-19 sqlite3.dll
    2009-01-26 Tools.dll (2.1.6.10)
    2009-01-16 UninsSrv.dll (1.0.0.0)
    2010-10-05 Includes\Adware.sbi (*)
    2010-11-30 Includes\AdwareC.sbi (*)
    2010-08-13 Includes\Cookies.sbi (*)
    2010-12-14 Includes\Dialer.sbi (*)
    2010-12-14 Includes\DialerC.sbi (*)
    2010-01-25 Includes\HeavyDuty.sbi (*)
    2010-11-30 Includes\Hijackers.sbi (*)
    2010-11-30 Includes\HijackersC.sbi (*)
    2010-09-15 Includes\iPhone.sbi (*)
    2010-12-14 Includes\Keyloggers.sbi (*)
    2010-12-14 Includes\KeyloggersC.sbi (*)
    2004-11-29 Includes\LSP.sbi (*)
    2010-12-14 Includes\Malware.sbi (*)
    2010-12-22 Includes\MalwareC.sbi (*)
    2010-05-18 Includes\PUPS.sbi (*)
    2010-12-14 Includes\PUPSC.sbi (*)
    2010-01-25 Includes\Revision.sbi (*)
    2009-01-13 Includes\Security.sbi (*)
    2010-12-14 Includes\SecurityC.sbi (*)
    2008-06-03 Includes\Spybots.sbi (*)
    2008-06-03 Includes\SpybotsC.sbi (*)
    2010-12-14 Includes\Spyware.sbi (*)
    2010-12-14 Includes\SpywareC.sbi (*)
    2010-03-08 Includes\Tracks.uti
    2010-11-02 Includes\Trojans.sbi (*)
    2010-12-17 Includes\TrojansC-02.sbi (*)
    2010-12-16 Includes\TrojansC-03.sbi (*)
    2010-12-16 Includes\TrojansC-04.sbi (*)
    2010-12-21 Includes\TrojansC-05.sbi (*)
    2010-12-16 Includes\TrojansC.sbi (*)
    2008-03-04 Plugins\Chai.dll
    2008-03-05 Plugins\Fennel.dll
    2008-02-26 Plugins\Mate.dll
    2007-12-24 Plugins\TCPIPAddress.dll

  2. #2
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208

    Default



    Happy New Year


    Please read Before You Post
    While best efforts are made to assist in removing infections safely, unexpected stuff can happen. It is advisable that you back up your important data before starting any clean up procedure. Neither Safer Networking Forums nor the Analyst providing the advice may be held responsible for any loss.

    Until we deem your system clean I am going to ask you not to install or uninstall any software or hardware except for the programs we may run.


    OTL by OldTimer
    • Download OTL to your desktop.
    • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    • When the window appears, underneath Output at the top change it to Minimal Output.
    • Check the boxes beside LOP Check and Purity Check.
    • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
      • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt.
        Note:These logs can be located in the OTL. folder on you C:\ drive if they fail to open automatically.
      • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply. You may need two posts to fit them both in.
    Microsoft MVP Consumer Security 2007-2008-2009-2010-2011-2012-2013-2014

    ERROR MESSAGE 386
    No KeyBoard Detected
    Press F1 To Continue

    Just a reminder that threads will be closed if no reply in 3 days.

  3. #3
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208

    Default

    Still need help ???
    Microsoft MVP Consumer Security 2007-2008-2009-2010-2011-2012-2013-2014

    ERROR MESSAGE 386
    No KeyBoard Detected
    Press F1 To Continue

    Just a reminder that threads will be closed if no reply in 3 days.

  4. #4
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208

    Default

    Due to inactivity, this thread will now be closed.

    If it has been three days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened.

    At that point, if you still require help, please start a new topic and include a new DDS log with a link to your previous thread. Please do not add any logs that might have been

    requested in the closed topic, you would be starting fresh.
    Microsoft MVP Consumer Security 2007-2008-2009-2010-2011-2012-2013-2014

    ERROR MESSAGE 386
    No KeyBoard Detected
    Press F1 To Continue

    Just a reminder that threads will be closed if no reply in 3 days.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •