PDA

View Full Version : Gala Redirect Windows Protection Suite Trojan



felicalittle
2009-12-20, 10:21
Hello,

I believe I have the Windows Protection Suite Trojan/Gala redirect virus. My husband was using my computer and infected it with something. It went to gala search and keeps redirecting my google searches. He uses internet explorer and clicks strange links even though I've told him NOT to ~.~;

I've tried to fix the problem myself by using Housecall,SpybotSD, and Malware bytes. Malwarebytes stated it removed the problem as did Housecall however the problem still exists. I no longer have the fake security/protection pop ups however I still have the redirect problem. I also tried to rewrite my hosts file but it won't let me (it also won't let spybotSD) I tried restarting my computer in safe mode and running the removal tools that I could and fixing the hosts file. Lastly I tried a system restore to a few days prior to the virus... It just removed my newly downloaded removal tools (I have redownloaded SpybotSD)

Here is my hijackthis log and all error messages I got from it:

For some reason your system denied write access to the Hosts file. If any hijacked domains are in this file, HijackThis may NOT be able to fix this.

If that happens, you need to edit the file yourself. To do this, click Start, Run and type:

notepad C:\WINDOWS\System32\drivers\etc\hosts

and press Enter. Find the line(s) HijackThis reports and delete them. Save the file as 'hosts.' (with quotes), and reboot.

For Vista: simply, exit HijackThis, right click ont he HijackThis icon, choose 'Run as administrator'.


Please help us improve HijackThis by reporting this error

Details:
An unexpected error has occurred at procedure: modMain_FixUNIXHostsFile()
Error#75 - Path/file access error

Windows version: Windows NT 5.01.2600
MSIE version: 7.0.5730.13
HijackThis version: 2.0.2

Hosts file has invalid linebreaks and hijackthis is unable to fix this O1 items will not be displayed.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:12:04 AM, on 12/20/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16945)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Verizon\Verizon Internet Security Suite\Fws.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Raxco\PerfectDisk2008\PD91Agent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Verizon\Verizon Internet Security Suite\SafeConnect\Bin\SanaAgent.exe
C:\Program Files\Verizon\Verizon Internet Security Suite\rps.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
C:\WINDOWS\System32\hphmon05.exe
C:\WINDOWS\LTMSG.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Verizon\VSP\VerizonServicepointComHandler.exe
C:\Program Files\Verizon\VSP\VerizonServicepoint.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
C:\Program Files\interMute\SpamSubtract\SpamSub.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Raxco\PerfectDisk2008\PD91Engine.exe
C:\Program Files\Verizon\Verizon Internet Security Suite\RpsSecurityAwareR.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Verizon\Verizon Internet Security Suite\SafeConnect\Bin\SanaMonitor.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\notepad.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us10.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us10.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us10.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us10.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;*.local
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Verizon\Verizon Internet Security Suite\pkR.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\hpdtlk02.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AutoTKit] C:\hp\bin\AUTOTKIT.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [VerizonServicepoint.exe] "C:\Program Files\Verizon\VSP\VerizonServicepoint.exe" /AUTORUN
O4 - HKLM\..\Run: [hpqSRMon] C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe
O4 - .DEFAULT User Startup: AutoTBar.exe (User 'Default user')
O4 - Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSub.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1233282273406
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PD91Agent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk2008\PD91Agent.exe
O23 - Service: PD91Engine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk2008\PD91Engine.exe
O23 - Service: Verizon Internet Security Suite (Radialpoint Security Services) - Verizon - C:\Program Files\Verizon\Verizon Internet Security Suite\RpsSecurityAwareR.exe
O23 - Service: Verizon Internet Security Suite SafeConnectAgent (RadialpointSafeConnectAgent) - Sana Security - C:\Program Files\Verizon\Verizon Internet Security Suite\SafeConnect\Bin\SanaAgent.exe
O23 - Service: Verizon Internet Security Suite Firewall (RP_FWS) - Verizon - C:\Program Files\Verizon\Verizon Internet Security Suite\Fws.exe

--
End of file - 9799 bytes

shelf life
2009-12-23, 22:59
hi felicalittle,

Your log is a few days old. If you still need help simply reply to my post.

felicalittle
2009-12-27, 07:15
I still need help.

Thanks! I hope you had a Merry Christmas.

shelf life
2009-12-27, 21:28
hi,

ok. We will get a download to use. Its called Combofix. There is a guide you need to read first. Read the guide, download combofix to your desktop, disable any running AV etc as explained in the guide. Double click the icon on your desktop and follow the prompts. Post the log in your reply.

Guide to using Combofix (http://www.bleepingcomputer.com/combofix/how-to-use-combofix)

felicalittle
2009-12-28, 01:02
ComboFix 09-12-26.05 - Owner 12/27/2009 14:47:11.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.306 [GMT -8:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
AV: Verizon Internet Security Suite Anti-Virus *On-access scanning disabled* (Updated) {5B5A3BD7-8573-4672-AEA8-C9BB713B6755}
FW: Verizon Internet Security Suite Firewall *disabled* {80593BF4-D969-4EC5-ADAE-A22F2DFC7A22}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Mozilla Firefox\searchplugins\search.xml
c:\windows\COUPON~1.OCX
c:\windows\CouponPrinter.ocx
c:\windows\system32\iAlmcoin.dll
c:\windows\system32\ps2.bat
c:\windows\viassary-hp.reg
D:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2009-11-27 to 2009-12-27 )))))))))))))))))))))))))))))))
.

2009-12-20 08:03 . 2009-12-20 08:04 -------- d-----w- c:\program files\ERUNT
2009-12-20 02:42 . 2009-12-20 02:42 -------- d-----w- c:\windows\system32\wbem\Repository
2009-12-19 21:42 . 2009-12-19 21:42 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-12-19 03:08 . 2009-12-19 03:08 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2009-12-19 03:08 . 2009-12-19 03:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-12-19 03:08 . 2009-12-20 02:41 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-18 03:12 . 2009-12-20 03:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-12-18 03:12 . 2009-12-20 03:05 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-12-18 01:04 . 2009-12-18 01:04 -------- d-----w- c:\windows\McAfee.com

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-27 10:31 . 2009-04-25 23:21 1335072 --sha-w- c:\windows\system32\drivers\fidbox2.dat
2009-12-27 10:31 . 2009-04-25 23:21 125228 --sha-w- c:\windows\system32\drivers\fidbox2.idx
2009-12-27 10:31 . 2009-04-25 23:21 484268 --sha-w- c:\windows\system32\drivers\fidbox.idx
2009-12-27 10:31 . 2009-04-25 23:21 36323872 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-12-21 02:40 . 2009-12-21 02:40 -------- d-----w- c:\documents and settings\Owner\Application Data\WildTangent
2009-12-21 02:40 . 2009-12-21 02:31 -------- d-----w- c:\documents and settings\All Users\Application Data\WildTangent
2009-12-21 02:39 . 2009-12-21 02:30 -------- d-----w- c:\program files\WildGames
2009-12-21 01:44 . 2009-05-27 21:51 -------- d-----w- c:\documents and settings\Owner\Application Data\HPAppData
2009-12-20 08:05 . 2009-12-20 08:05 -------- d-----w- c:\program files\Trend Micro
2009-12-15 11:35 . 2009-01-31 22:23 -------- d-----w- c:\documents and settings\Owner\Application Data\Apple Computer
2009-11-03 14:40 . 2009-11-03 14:39 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-11-03 14:40 . 2009-11-03 14:39 -------- d-----w- c:\program files\iTunes
2009-11-03 14:39 . 2009-11-03 14:39 -------- d-----w- c:\program files\iPod
2009-11-03 14:39 . 2009-01-31 22:21 -------- d-----w- c:\program files\Common Files\Apple
2009-11-03 14:36 . 2009-11-03 14:35 -------- d-----w- c:\program files\QuickTime
2009-11-03 14:26 . 2009-11-03 14:26 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe
2009-10-29 07:46 . 2003-11-05 23:26 832512 ----a-w- c:\windows\system32\wininet.dll
2009-10-29 07:46 . 2004-08-04 07:56 78336 ------w- c:\windows\system32\ieencode.dll
2009-10-29 07:46 . 2003-11-06 00:04 17408 ----a-w- c:\windows\system32\corpol.dll
2009-10-21 05:38 . 2004-08-04 07:56 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38 . 2004-08-04 07:56 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 16:20 . 2004-08-04 06:00 265728 ------w- c:\windows\system32\drivers\http.sys
2009-10-13 10:30 . 2006-05-14 09:13 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:38 . 2003-11-06 00:07 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38 . 2003-11-06 00:07 79872 ----a-w- c:\windows\system32\raschap.dll
2004-10-01 02:11 . 2009-01-28 00:51 0 --sha-w- c:\windows\SMINST\HPCD.SYS
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVIEW"="nview.dll" [2003-08-19 852038]
"BackupNotify"="c:\program files\HP\Digital Imaging\bin\backupnotify.exe" [2003-06-23 24576]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LTMSG"="LTMSG.exe 7" [X]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2003-04-07 114688]
"CamMonitor"="c:\program files\HP\Digital Imaging\Unload\hpqcmon.exe" [2002-10-07 90112]
"HPHmon05"="c:\windows\System32\hphmon05.exe" [2003-05-23 483328]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2003-10-11 151597]
"AutoTKit"="c:\hp\bin\AUTOTKIT.EXE" [2003-06-19 53248]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2003-08-19 4841472]
"nwiz"="nwiz.exe" [2003-08-19 323584]
"Sunkist2k"="c:\program files\Multimedia Card Reader\shwicon2k.exe" [2003-08-15 139264]
"mmtask"="c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe" [2003-07-23 53248]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 57344]
"VerizonServicepoint.exe"="c:\program files\Verizon\VSP\VerizonServicepoint.exe" [2009-03-12 2303216]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-08-20 150016]
"KBD"="c:\hp\KBD\KBD.EXE" [2005-02-03 61440]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2008-12-08 54576]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-10-29 141600]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
AutoTBar.exe [2003-6-18 53248]

c:\documents and settings\Owner\Start Menu\Programs\Startup\
spamsubtract.lnk - c:\program files\interMute\SpamSubtract\SpamSub.exe [2003-10-13 557056]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2008-10-16 214360]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
Quicken Scheduled Updates.lnk - c:\program files\Quicken\bagent.exe [2003-7-30 57344]
Updates from HP.lnk - c:\program files\Updates from HP\137903\Program\BackWeb-137903.exe [2003-10-10 16384]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ PDBoot.exe\0autocheck autochk *

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Updates from HP\\137903\\Program\\BackWeb-137903.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqcopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfcCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\Common Files\\HP\\Digital Imaging\\bin\\hpqPhotoCrm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpsapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxs08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpse.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqsudi.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R2 PD91Agent;PD91Agent;c:\program files\Raxco\PerfectDisk2008\PD91Agent.exe [9/22/2008 4:58 PM 693512]
R2 RadialpointSafeConnectAgent;Verizon Internet Security Suite SafeConnectAgent;c:\program files\Verizon\Verizon Internet Security Suite\SafeConnect\bin\SanaAgent.exe [11/14/2008 6:28 PM 4937752]
R3 RadialpointSafeConnectDriver;RadialpointSafeConnectDriver;c:\program files\Verizon\Verizon Internet Security Suite\SafeConnect\Driver\platform_XP\SafeConnectDriver.sys [11/14/2008 6:28 PM 161304]
R3 RadialpointSafeConnectFilter;RadialpointSafeConnectFilter;c:\program files\Verizon\Verizon Internet Security Suite\SafeConnect\Driver\platform_XP\SafeConnectFilter.sys [11/14/2008 6:28 PM 29720]
R3 RadialpointSafeConnectShim;RadialpointSafeConnectShim;c:\program files\Verizon\Verizon Internet Security Suite\SafeConnect\Driver\platform_XP\SafeConnectShim.sys [11/14/2008 6:28 PM 27376]
S2 mrtRate;mrtRate; [x]
S3 PD91Engine;PD91Engine;c:\program files\Raxco\PerfectDisk2008\PD91Engine.exe [9/22/2008 4:58 PM 910600]
S3 Radialpoint Security Services;Verizon Internet Security Suite;c:\program files\Verizon\Verizon Internet Security Suite\RpsSecurityAwareR.exe [4/22/2009 10:38 AM 170736]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uDefault_Search_URL = hxxp://srch-us10.hpwis.com/
mSearch Bar = hxxp://srch-us10.hpwis.com/
uInternet Settings,ProxyOverride = localhost;*.local
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office10\EXCEL.EXE/3000
LSP: SpSubLSP.dll
Trusted Zone: verizon.com\essentialsandextras
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\cn5l6l6e.default\
FF - prefs.js: browser.search.selectedEngine - Google (Language: EN)
FF - prefs.js: browser.startup.homepage - hxxp://www.sproutonline.com/sprout/games/
FF - plugin: c:\program files\Java\j2re1.4.2\bin\NPJava11.dll
FF - plugin: c:\program files\Java\j2re1.4.2\bin\NPJava12.dll
FF - plugin: c:\program files\Java\j2re1.4.2\bin\NPJava13.dll
FF - plugin: c:\program files\Java\j2re1.4.2\bin\NPJava14.dll
FF - plugin: c:\program files\Java\j2re1.4.2\bin\NPJava32.dll
FF - plugin: c:\program files\Java\j2re1.4.2\bin\NPJPI142.dll
FF - plugin: c:\program files\Java\j2re1.4.2\bin\NPOJI610.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\Real\RealOne Player\Netscape6\nppl3260.dll
FF - plugin: c:\program files\Real\RealOne Player\Netscape6\nprjplug.dll
FF - plugin: c:\program files\Real\RealOne Player\Netscape6\nprpjplug.dll
FF - plugin: c:\program files\Unity\WebPlayer\loader\npUnity3D32.dll
FF - plugin: c:\program files\Verizon\VSP\nprpspa.dll
FF - plugin: c:\program files\Virtools\3D Life Player\npvirtools.dll
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-RecordNow! - (no file)
HKLM-Run-HPHUPD05 - c:\program files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
HKLM-Run-VTTimer - VTTimer.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-27 14:53
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(1072)
c:\windows\system32\SpSubLSP.dll
.
Completion time: 2009-12-27 14:56:24
ComboFix-quarantined-files.txt 2009-12-27 22:56

Pre-Run: 138,432,077,824 bytes free
Post-Run: 138,452,652,032 bytes free

- - End Of File - - 81B857921E249F41B4C99052B4796F81

shelf life
2009-12-28, 04:48
hi,

ok thanks for the info. Still getting redirected? Now check malwarebytes for updates, then do a full scan with it. Please post the log:

Once the program has loaded check for updates first then under the scan tab; select Perform FULL SCAN, then click Scan.

When the scan is complete, click OK, then Show Results to view the results.

Be sure that everything is checked, and click *Remove Selected.*

*A restart of your computer may be required to remove some items. If prompted please restart your computer to complete the fix.*

When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt

Post the log in your reply.

felicalittle
2009-12-28, 08:32
I'm still getting redirected when I click on links from Google. The Malwarebytes scan came back with nothing. The log is posted below.

I could provide my first log when I was trying to repair the issue if that would help. Around the 18th the log showed something that malwarebytes fixed.

Malwarebytes' Anti-Malware 1.42
Database version: 3442
Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

12/27/2009 10:26:01 PM
mbam-log-2009-12-27 (22-26-01).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 233088
Time elapsed: 1 hour(s), 59 minute(s), 24 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

felicalittle
2009-12-28, 08:35
I just realized I have 11 items in quarantine from the 18th scan should I delete these? Could these still have some effect on the computer from quarantine?

shelf life
2009-12-28, 22:05
hi,

Items in quarantine are harmless, but you can delete them if you want. We will get another download to use. link and directions:

Please download: RootRepeal

http://ad13.geekstogo.com/RootRepeal.exe
Click the icon on your desktop to start.
Click on the Report tab at the bottom of the window
Next, Click on the Scan button
In the Select Scan Window check everything:

Drivers
Files
Processes
SSDT
Stealth Objects
Hidden Services

Click the OK button
In the next dialog window select all the drives that are listed
Click OK to start the scan


May take some time to complete.
When done click the Save Report button.
Save the report to your desktop
To Exit RootRepeal: click File>Exit
Post the report in your reply

felicalittle
2009-12-29, 04:24
Rootrepeal restarted my computer when I first tried to run it. Windows said there was a large error.

The report had the error message below.
Warning - the number of SSDT entries from the kernel and the number on-disk different (297 and 284)

ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2009/12/28 18:07
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xED75D000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF89E9000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xF6D27000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

SSDT
-------------------
#: 025 Function Name: NtClose
Status: Hooked by "C:\Program Files\Verizon\Verizon Internet Security Suite\SafeConnect\Driver\platform_XP\SafeConnectShim.sys" at address 0xf87c88b0

#: 047 Function Name: NtCreateProcess
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\klif.sys" at address 0xed8cd930

#: 048 Function Name: NtCreateProcessEx
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\klif.sys" at address 0xed8cdaa0

#: 050 Function Name: NtCreateSection
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\klif.sys" at address 0xed8ce540

#: 052 Function Name: NtCreateSymbolicLinkObject
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\klif.sys" at address 0xed8ce190

#: 053 Function Name: NtCreateThread
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\klif.sys" at address 0xed8cee20

#: 068 Function Name: NtDuplicateObject
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\klif.sys" at address 0xed8cdd60

#: 097 Function Name: NtLoadDriver
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\klif.sys" at address 0xed8cc2a0

#: 122 Function Name: NtOpenProcess
Status: Hooked by "C:\Program Files\Verizon\Verizon Internet Security Suite\SafeConnect\Driver\platform_XP\SafeConnectShim.sys" at address 0xf87c88e0

#: 125 Function Name: NtOpenSection
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\klif.sys" at address 0xed8ce370

#: 173 Function Name: NtQuerySystemInformation
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\klif.sys" at address 0xed8cead0

#: 206 Function Name: NtResumeThread
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\klif.sys" at address 0xed8cedd0

#: 213 Function Name: NtSetContextThread
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\klif.sys" at address 0xed8cf150

#: 224 Function Name: NtSetInformationFile
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\klif.sys" at address 0xed8cf770

#: 228 Function Name: NtSetInformationProcess
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\klif.sys" at address 0xed8d3160

#: 237 Function Name: NtSetSecurityObject
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\klif.sys" at address 0xed8caec0

#: 254 Function Name: NtSuspendThread
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\klif.sys" at address 0xed8ced80

#: 255 Function Name: NtSystemDebugControl
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\klif.sys" at address 0xed8cc600

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "C:\Program Files\Verizon\Verizon Internet Security Suite\SafeConnect\Driver\platform_XP\SafeConnectShim.sys" at address 0xf87c8990

#: 258 Function Name: NtTerminateThread
Status: Hooked by "C:\Program Files\Verizon\Verizon Internet Security Suite\SafeConnect\Driver\platform_XP\SafeConnectShim.sys" at address 0xf87c8a30

#: 277 Function Name: NtWriteVirtualMemory
Status: Hooked by "C:\Program Files\Verizon\Verizon Internet Security Suite\SafeConnect\Driver\platform_XP\SafeConnectShim.sys" at address 0xf87c8ad0

Shadow SSDT
-------------------
#: 013 Function Name: NtGdiBitBlt
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\klif.sys" at address 0xed8cc4d0

#: 378 Function Name: NtUserFindWindowEx
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\klif.sys" at address 0xed8cbe70

#: 383 Function Name: NtUserGetAsyncKeyState
Status: Hooked by "C:\Program Files\Verizon\Verizon Internet Security Suite\SafeConnect\Driver\platform_XP\SafeConnectShim.sys" at address 0xf87c8450

#: 414 Function Name: NtUserGetKeyboardState
Status: Hooked by "C:\Program Files\Verizon\Verizon Internet Security Suite\SafeConnect\Driver\platform_XP\SafeConnectShim.sys" at address 0xf87c83c0

#: 416 Function Name: NtUserGetKeyState
Status: Hooked by "C:\Program Files\Verizon\Verizon Internet Security Suite\SafeConnect\Driver\platform_XP\SafeConnectShim.sys" at address 0xf87c8400

#: 460 Function Name: NtUserMessageCall
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\klif.sys" at address 0xed8cbd70

#: 475 Function Name: NtUserPostMessage
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\klif.sys" at address 0xed8cf550

#: 476 Function Name: NtUserPostThreadMessage
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\klif.sys" at address 0xed8cbe20

#: 502 Function Name: NtUserSendInput
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\klif.sys" at address 0xed8cb300

#: 549 Function Name: NtUserSetWindowsHookEx
Status: Hooked by "C:\Program Files\Verizon\Verizon Internet Security Suite\SafeConnect\Driver\platform_XP\SafeConnectShim.sys" at address 0xf87c8340

#: 552 Function Name: NtUserSetWinEventHook
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\klif.sys" at address 0xed8cf5a0

==EOF==

shelf life
2009-12-29, 04:40
thanks for the info. Not seeing any malware. You mentioned your host file. We can try resetting it with Hoster.

Download the Hoster from here: http://www.softpedia.com/get/Security/Security-Related/Hoster.shtml
Press 'Restore Original Hosts' and press 'OK'

Exit Program.

felicalittle
2009-12-29, 04:44
I get the following error:

ERROR: Cannot create file C:\WINDOWS\system32\DRIVERS\ETC\hosts

shelf life
2009-12-29, 22:57
not sure the hosts file is the problem. If you go to the host file here:
C:\WINDOWS\system32\DRIVERS\ETC\hosts
can you right click on it and select rename
then just add .txt to it so it becomes hosts.txt
then you can Copy it to your desktop.
Right click on the original one again, rename and remove the .txt
Copy/paste the copy you saved on the desktop in your reply.

also click on HostsXpert again and at the very top click on the pad lock locking icon to change it, then try the Restore MS host file button again

felicalittle
2009-12-30, 03:37
I wasn't able to change the file from a txt file back to what it was. However, when I tried HostsXpert it created a new file. It was writeable, clicking the locking icon made it read only. I clicked it and tried to restore but it didn't work. I clicked the locking icon again so it was writeable and restored it, then I locked it again... Not sure which action you wanted so I did both. I noticed that in the Host folder there are 50 Hosts "backup files" created at the same time the virus changed the hosts file.

I now have a new hosts file and the original is in txt format. Below is the copy of what was in it

# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host

127.0.0.1 localhost
74.125.45.100 4-open-davinci.com
74.125.45.100 securitysoftwarepayments.com
74.125.45.100 privatesecuredpayments.com
74.125.45.100 secure.privatesecuredpayments.com
74.125.45.100 getantivirusplusnow.com
74.125.45.100 secure-plus-payments.com
74.125.45.100 www.getantivirusplusnow.com
74.125.45.100 www.secure-plus-payments.com
74.125.45.100 www.getavplusnow.com
74.125.45.100 safebrowsing-cache.google.com
74.125.45.100 urs.microsoft.com
74.125.45.100 www.securesoftwarebill.com
74.125.45.100 secure.paysecuresystem.com
74.125.45.100 paysoftbillsolution.com
74.125.45.100 protected.maxisoftwaremart.com
67.215.245.21 www.google-analytics.com
88.198.247.68 google.ae
88.198.247.68 google.as
88.198.247.68 google.at
88.198.247.68 google.az
88.198.247.68 google.ba
88.198.247.68 google.be
88.198.247.68 google.bg
88.198.247.68 google.bs
88.198.247.68 google.ca
88.198.247.68 google.cd
88.198.247.68 google.com.gh
88.198.247.68 google.com.hk
88.198.247.68 google.com.jm
88.198.247.68 google.com.mx
88.198.247.68 google.com.my
88.198.247.68 google.com.na
88.198.247.68 google.com.nf
88.198.247.68 google.com.ng
88.198.247.68 google.ch
88.198.247.68 google.com.np
88.198.247.68 google.com.pr
88.198.247.68 google.com.qa
88.198.247.68 google.com.sg
88.198.247.68 google.com.tj
88.198.247.68 google.com.tw
88.198.247.68 google.dj
88.198.247.68 google.de
88.198.247.68 google.dk
88.198.247.68 google.dm
88.198.247.68 google.ee
88.198.247.68 google.fi
88.198.247.68 google.fm
88.198.247.68 google.fr
88.198.247.68 google.ge
88.198.247.68 google.gg
88.198.247.68 google.gm
88.198.247.68 google.gr
88.198.247.68 google.ht
88.198.247.68 google.ie
88.198.247.68 google.im
88.198.247.68 google.in
88.198.247.68 google.it
88.198.247.68 google.ki
88.198.247.68 google.la
88.198.247.68 google.li
88.198.247.68 google.lv
88.198.247.68 google.ma
88.198.247.68 google.ms
88.198.247.68 google.mu
88.198.247.68 google.mw
88.198.247.68 google.nl
88.198.247.68 google.no
88.198.247.68 google.nr
88.198.247.68 google.nu
88.198.247.68 google.pl
88.198.247.68 google.pn
88.198.247.68 google.pt
88.198.247.68 google.ro
88.198.247.68 google.ru
88.198.247.68 google.rw
88.198.247.68 google.sc
88.198.247.68 google.se
88.198.247.68 google.sh
88.198.247.68 google.si
88.198.247.68 google.sm
88.198.247.68 google.sn
88.198.247.68 google.st
88.198.247.68 google.tl
88.198.247.68 google.tm
88.198.247.68 google.tt
88.198.247.68 google.us
88.198.247.68 google.vu
88.198.247.68 google.ws
88.198.247.68 google.co.ck
88.198.247.68 google.co.id
88.198.247.68 google.co.il
88.198.247.68 google.co.in
88.198.247.68 google.co.jp
88.198.247.68 google.co.kr
88.198.247.68 google.co.ls
88.198.247.68 google.co.ma
88.198.247.68 google.co.nz
88.198.247.68 google.co.tz
88.198.247.68 google.co.ug
88.198.247.68 google.co.uk
88.198.247.68 google.co.za
88.198.247.68 google.co.zm
88.198.247.68 google.com
88.198.247.68 google.com.af
88.198.247.68 google.com.ag
88.198.247.68 google.com.ar
88.198.247.68 google.com.au
88.198.247.68 google.com.bn
88.198.247.68 google.com.br
88.198.247.68 google.com.by
88.198.247.68 google.com.bz
88.198.247.68 google.com.cu
88.198.247.68 google.com.ec
88.198.247.68 google.com.fj
88.198.247.68 www.google.ae
88.198.247.68 www.google.as
88.198.247.68 www.google.at
88.198.247.68 www.google.az
88.198.247.68 www.google.ba
88.198.247.68 www.google.be
88.198.247.68 www.google.bg
88.198.247.68 www.google.bs
88.198.247.68 www.google.ca
88.198.247.68 www.google.cd
88.198.247.68 www.google.com.gh
88.198.247.68 www.google.com.hk
88.198.247.68 www.google.com.jm
88.198.247.68 www.google.com.mx
88.198.247.68 www.google.com.my
88.198.247.68 www.google.com.na
88.198.247.68 www.google.com.nf
88.198.247.68 www.google.com.ng
88.198.247.68 www.google.ch
88.198.247.68 www.google.com.np
88.198.247.68 www.google.com.pr
88.198.247.68 www.google.com.qa
88.198.247.68 www.google.com.sg
88.198.247.68 www.google.com.tj
88.198.247.68 www.google.com.tw
88.198.247.68 www.google.dj
88.198.247.68 www.google.de
88.198.247.68 www.google.dk
88.198.247.68 www.google.dm
88.198.247.68 www.google.ee
88.198.247.68 www.google.fi
88.198.247.68 www.google.fm
88.198.247.68 www.google.fr
88.198.247.68 www.google.ge
88.198.247.68 www.google.gg
88.198.247.68 www.google.gm
88.198.247.68 www.google.gr
88.198.247.68 www.google.ht
88.198.247.68 www.google.ie
88.198.247.68 www.google.im
88.198.247.68 www.google.in
88.198.247.68 www.google.it
88.198.247.68 www.google.ki
88.198.247.68 www.google.la
88.198.247.68 www.google.li
88.198.247.68 www.google.lv
88.198.247.68 www.google.ma
88.198.247.68 www.google.ms
88.198.247.68 www.google.mu
88.198.247.68 www.google.mw
88.198.247.68 www.google.nl
88.198.247.68 www.google.no
88.198.247.68 www.google.nr
88.198.247.68 www.google.nu
88.198.247.68 www.google.pl
88.198.247.68 www.google.pn
88.198.247.68 www.google.pt
88.198.247.68 www.google.ro
88.198.247.68 www.google.ru
88.198.247.68 www.google.rw
88.198.247.68 www.google.sc
88.198.247.68 www.google.se
88.198.247.68 www.google.sh
88.198.247.68 www.google.si
88.198.247.68 www.google.sm
88.198.247.68 www.google.sn
88.198.247.68 www.google.st
88.198.247.68 www.google.tl
88.198.247.68 www.google.tm
88.198.247.68 www.google.tt
88.198.247.68 www.google.us
88.198.247.68 www.google.vu
88.198.247.68 www.google.ws
88.198.247.68 www.google.co.ck
88.198.247.68 www.google.co.id
88.198.247.68 www.google.co.il
88.198.247.68 www.google.co.in
88.198.247.68 www.google.co.jp
88.198.247.68 www.google.co.kr
88.198.247.68 www.google.co.ls
88.198.247.68 www.google.co.ma
88.198.247.68 www.google.co.nz
88.198.247.68 www.google.co.tz
88.198.247.68 www.google.co.ug
88.198.247.68 www.google.co.uk
88.198.247.68 www.google.co.za
88.198.247.68 www.google.co.zm
88.198.247.68 www.google.com
88.198.247.68 www.google.com.af
88.198.247.68 www.google.com.ag
88.198.247.68 www.google.com.ar
88.198.247.68 www.google.com.au
88.198.247.68 www.google.com.bn
88.198.247.68 www.google.com.br
88.198.247.68 www.google.com.by
88.198.247.68 www.google.com.bz
88.198.247.68 www.google.com.cu
88.198.247.68 www.google.com.ec
88.198.247.68 www.google.com.fj
88.198.247.68 google.com
88.198.247.68 www.google.com
88.198.247.68 bing.com
88.198.247.68 www.bing.com
88.198.247.68 search.yahoo.com
88.198.247.68 www.search.yahoo.com
88.198.247.68 search.live.com
88.198.247.68 search.msn.com
88.198.247.68 uk.search.yahoo.com
88.198.247.68 ca.search.yahoo.com
88.198.247.68 de.search.yahoo.com
88.198.247.68 fr.search.yahoo.com
88.198.247.68 au.search.yahoo.com

shelf life
2009-12-30, 22:56
So you got hostXpert to create a new file then? You can delete all the backup ones in the folder.

felicalittle
2009-12-31, 04:08
HostXpert created a new file. I deleted the backup ones.

Any other steps I should take? I have not noticed any Google redirects.

shelf life
2009-12-31, 20:22
hi,

Good, no redirects. Everything else looks ok. You can remove combofix with this utility:

Please download OTCleanIt and save it to desktop.

http://oldtimer.geekstogo.com/OTC.exe
Double-click OTC.exe.
Click the CleanUp! button.
Select Yes when the "Begin cleanup Process?" prompt appears.
If you are prompted to Reboot during the cleanup, select Yes.
The tool will delete itself once it finishes, if not delete it by yourself.
You can delete the Rootrepeal icon from your desktop. You can delete or keep hostXpert, up to you.
If all is good on your end, some tips for you:

10 Tips for Reducing/Preventing Your Risk To Malware:


1) It is essential to keep your OS (http://update.microsoft.com/microsoftupdate/v6/default.aspx?ln=en-us),(Windows) browser (IE, FireFox) and other software up to date to "patch" vulnerabilities that could be exploited. Visit Windows Update frequently or use the auto-update feature. Staying updated is also necessary for web based applications like Java, Adobe Flash/Reader, QuickTime etc. Check there version status here. (http://secunia.com/vulnerability_scanning/online/)


2) Know what you are installing to your computer. Alot of software can come bundled with unwanted add-ons, like adware, toolbars and malware. Do not install any files from ads, popups or random links. Do not fall for fake warnings about virus and trojans being found on your computer and your then prompted to install software to remedy this. See also the signs (http://www.virusvault.us/signs1.html)that you may have malware on your computer.


3) Install and keep updated: one antivirus and two or three anti-malware applications. If not updated they will soon be worthless. If these are constantly finding malware then you should review your computer habits.


4) Refrain from clicking on links or attachments via E-Mail, IM, IRC, Chat Rooms, Blogs or Social Networking Sites, no matter how tempting or legitimate the message may seem. Even if you get a E-Mail from someone you know, its possible that there computer or account information has been compromised.


5) Don't click on ads/pop ups or offers from websites requesting that you need to install software, media players or codecs to your computer--for any reason.


6) Don't click on offers to "scan" your computer. Install ActiveX Objects with care. Do you trust the website?


7) Set up and use limited (non-privileged) accounts for everyday use, rather than administrator accounts. Limited accounts (http://www.microsoft.com/protect/computer/advanced/useraccount.mspx) can help prevent *malware from installing and lessen its potential impact.*


8) Install and understand the *limitations* of a software firewall.


9) A tool (http://nsslabs.com/general/ie8-hardening-tool.html)for automatically hardening and securing Internet Explorer 8.0. Requires site registration for downloading. Changes some of the default settings of IE 8.0, Read the FAQ's.


10) Warez, cracks etc are very popular for carrying malware payloads. Using them will cause you all kinds of problems. If you install files via p2p (http://www.virusvault.us/p2p.html) networks then you are much more likely to encounter malicious code. Do you trust the source of the file? Do you really need another malware source?

A longer version in link below.

Happy Safe Surfing.

felicalittle
2010-01-01, 21:41
Thank you!!!!! for your help an happy New Years!