Remove Windows.RedirectHosts & ProtectionSuite
Acer Aspire One computer comes home from college with foolish child and multiple infections. OS is Windows XP Home Edition.
I ran Spybot and Malwarebytes' tools but can't seem to remove the following:
Microsoft.Windows.redirectHosts
Fraud.WindowsProtectionSuite
Spybot and HJT both gave messages about not being able to edit the Hosts file.
I have attempted to follow your instructions regarding disabling Teatimer and running ERUNT.
The HJT log is as follows:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:23:56 AM, on 1/2/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16945)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Cisco\Cisco NAC Agent\NACAgent.exe
C:\Program Files\Acer\Acer VCM\RS_Service.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\PROGRA~1\LAUNCH~1\LManager.exe
C:\WINDOWS\PLFSetI.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\Cisco\Cisco NAC Agent\NACAgentUI.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\WebCam\M3000\M3000Mnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\igfxext.exe
C:\Program Files\Acer\Acer VCM\AcerVCM.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&s=0&o=xph&d=0909&m=aspire_one
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&s=0&o=xph&d=0909&m=aspire_one
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&s=0&o=xph&d=0909&m=aspire_one
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O1 - Hosts: 74.125.45.100 safebrowsing-cache.google.com
O1 - Hosts: 74.125.45.100 urs.microsoft.com
O1 - Hosts: 74.125.45.100 www.securesoftwarebill.com
O1 - Hosts: 74.125.45.100 paysoftbillsolution.com
O1 - Hosts: 74.125.45.100 protected.maxisoftwaremart.com
O1 - Hosts: 67.215.245.21 www.google-analytics.com
O1 - Hosts: 88.198.247.67 google.ae
O1 - Hosts: 88.198.247.67 google.as
O1 - Hosts: 88.198.247.67 google.at
O1 - Hosts: 88.198.247.67 google.az
O1 - Hosts: 88.198.247.67 google.ba
O1 - Hosts: 88.198.247.67 google.be
O1 - Hosts: 88.198.247.67 google.bg
O1 - Hosts: 88.198.247.67 google.bs
O1 - Hosts: 88.198.247.67 google.ca
O1 - Hosts: 88.198.247.67 google.cd
O1 - Hosts: 88.198.247.67 google.com.gh
O1 - Hosts: 88.198.247.67 google.com.hk
O1 - Hosts: 88.198.247.67 google.com.jm
O1 - Hosts: 88.198.247.67 google.com.mx
O1 - Hosts: 88.198.247.67 google.com.my
O1 - Hosts: 88.198.247.67 google.com.na
O1 - Hosts: 88.198.247.67 google.com.nf
O1 - Hosts: 88.198.247.67 google.com.ng
O1 - Hosts: 88.198.247.67 google.ch
O1 - Hosts: 88.198.247.67 google.com.np
O1 - Hosts: 88.198.247.67 google.com.pr
O1 - Hosts: 88.198.247.67 google.com.qa
O1 - Hosts: 88.198.247.67 google.com.sg
O1 - Hosts: 88.198.247.67 google.com.tj
O1 - Hosts: 88.198.247.67 google.com.tw
O1 - Hosts: 88.198.247.67 google.dj
O1 - Hosts: 88.198.247.67 google.de
O1 - Hosts: 88.198.247.67 google.dk
O1 - Hosts: 88.198.247.67 google.dm
O1 - Hosts: 88.198.247.67 google.ee
O1 - Hosts: 88.198.247.67 google.fi
O1 - Hosts: 88.198.247.67 google.fm
O1 - Hosts: 88.198.247.67 google.fr
O1 - Hosts: 88.198.247.67 google.ge
O1 - Hosts: 88.198.247.67 google.gg
O1 - Hosts: 88.198.247.67 google.gm
O1 - Hosts: 88.198.247.67 google.gr
O1 - Hosts: 88.198.247.67 google.ht
O1 - Hosts: 88.198.247.67 google.ie
O1 - Hosts: 88.198.247.67 google.im
O1 - Hosts: 88.198.247.67 google.in
O1 - Hosts: 88.198.247.67 google.it
O1 - Hosts: 88.198.247.67 google.ki
O1 - Hosts: 88.198.247.67 google.la
O1 - Hosts: 88.198.247.67 google.li
O1 - Hosts: 88.198.247.67 google.lv
O1 - Hosts: 88.198.247.67 google.ma
O1 - Hosts: 88.198.247.67 google.ms
O1 - Hosts: 88.198.247.67 google.mu
O1 - Hosts: 88.198.247.67 google.mw
O1 - Hosts: 88.198.247.67 google.nl
O1 - Hosts: 88.198.247.67 google.no
O1 - Hosts: 88.198.247.67 google.nr
O1 - Hosts: 88.198.247.67 google.nu
O1 - Hosts: 88.198.247.67 google.pl
O1 - Hosts: 88.198.247.67 google.pn
O1 - Hosts: 88.198.247.67 google.pt
O1 - Hosts: 88.198.247.67 google.ro
O1 - Hosts: 88.198.247.67 google.ru
O1 - Hosts: 88.198.247.67 google.rw
O1 - Hosts: 88.198.247.67 google.sc
O1 - Hosts: 88.198.247.67 google.se
O1 - Hosts: 88.198.247.67 google.sh
O1 - Hosts: 88.198.247.67 google.si
O1 - Hosts: 88.198.247.67 google.sm
O1 - Hosts: 88.198.247.67 google.sn
O1 - Hosts: 88.198.247.67 google.st
O1 - Hosts: 88.198.247.67 google.tl
O1 - Hosts: 88.198.247.67 google.tm
O1 - Hosts: 88.198.247.67 google.tt
O1 - Hosts: 88.198.247.67 google.us
O1 - Hosts: 88.198.247.67 google.vu
O1 - Hosts: 88.198.247.67 google.ws
O1 - Hosts: 88.198.247.67 google.co.ck
O1 - Hosts: 88.198.247.67 google.co.id
O1 - Hosts: 88.198.247.67 google.co.il
O1 - Hosts: 88.198.247.67 google.co.in
O1 - Hosts: 88.198.247.67 google.co.jp
O1 - Hosts: 88.198.247.67 google.co.kr
O1 - Hosts: 88.198.247.67 google.co.ls
O1 - Hosts: 88.198.247.67 google.co.ma
O1 - Hosts: 88.198.247.67 google.co.nz
O1 - Hosts: 88.198.247.67 google.co.tz
O1 - Hosts: 88.198.247.67 google.co.ug
O1 - Hosts: 88.198.247.67 google.co.uk
O1 - Hosts: 88.198.247.67 google.co.za
O1 - Hosts: 88.198.247.67 google.co.zm
O1 - Hosts: 88.198.247.67 google.com
O1 - Hosts: 88.198.247.67 google.com.af
O1 - Hosts: 88.198.247.67 google.com.ag
O1 - Hosts: 88.198.247.67 google.com.ar
O1 - Hosts: 88.198.247.67 google.com.au
O1 - Hosts: 88.198.247.67 google.com.bn
O1 - Hosts: 88.198.247.67 google.com.br
O1 - Hosts: 88.198.247.67 google.com.by
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\LManager.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [CarboniteSetupLite] "C:\Program Files\Carbonite\CarbonitePreinstaller.exe" /preinstalled
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [PLFSetI] C:\WINDOWS\PLFSetI.exe
O4 - HKLM\..\Run: [M3000Mnt] Rundll32.exe M3000Rmv.dll ,WinMainRmv /StartStillMnt
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [NACAgentUI] C:\Program Files\Cisco\Cisco NAC Agent\NACAgentUI.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Search Protection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Startup: OpenOffice.org 3.1.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe
O4 - Global Startup: Acer VCM.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4D2D3A17-9B46-483C-A5F4-1DC471080009} (Cisco NAC Web Agent Control) - https://lcwireless.scu.edu/auth/taweb.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Desktop Manager 5.7.808.7150 (GoogleDesktopManager-080708-050100) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Cisco NAC Agent (NACAgent) - Cisco Systems, Inc. - C:\Program Files\Cisco\Cisco NAC Agent\NACAgent.exe
O23 - Service: Raw Socket Service (RS_Service) - Acer Incorporated - C:\Program Files\Acer\Acer VCM\RS_Service.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
--
End of file - 12729 bytes
Hi jpfof7
Looking over your log, it seems there is no evidence of any anti-virus software.
Anti-virus software is a program that detects, cleans, and erases harmful virus files on a computer, web server, or network. Unchecked, virus files can unintentionally be forwarded to others, including trading partners, thereby spreading infection. Because new viruses regularly emerge, anti-virus software should be updated frequently. Anti-virus software can scan the computer's memory and disk drives for malicious code. It can alert the user if a virus is present, and will clean, delete (or quarantine) infected files or directories. Please download free anti-virus software from one of these excellent vendors NOW:
1) Antivir PersonalEdition Classic (http://www.free-av.com/) - Free anti-virus software for Windows. Free support.
2) avast! 4 Home Edition (http://www.avast.com/eng/avast_4_home.html) - Anti-virus program for Windows. The home edition is freeware for noncommercial users.
3) AVG Anti-Virus Free Edition (http://free.grisoft.com/ww.homepage) - Free edition of the AVG anti-virus program for Windows.
You should run only one antivirus program at a time. Having more than one antivirus program active in memory uses additional resources and results in program conflicts and false virus alerts.
After that, please post back a fresh HijackThis log.
Thank you for the reply. The computer is back at school so it will take a few days to complete this next step. I guess Spybot isn't considered anti-virus? Also, McAfee was loaded but the subscription expired. Curious it didn't seem to register.
Spybot is antispyware and not antivirus.
OK, I will wait :)
I installed virus software and ran scans. I have used Avira antivirus, Malwarebytes Anti-Malware, and Spybot. I still have the Windows.RedirectHosts and ProtectionSuite issues. Spybot continues to note, as does HJT, that the Hosts file can't be edited.
Sorry for the delay. I have the computer back so I can respond faster now.
Here is the HJT Log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:05:24 AM, on 1/14/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16945)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Cisco\Cisco NAC Agent\NACAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\LAUNCH~1\LManager.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\PLFSetI.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Cisco\Cisco NAC Agent\NACAgentUI.exe
C:\WINDOWS\system32\igfxext.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\WebCam\M3000\M3000Mnt.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Avira\AntiVir Desktop\GUARDGUI.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&s=0&o=xph&d=0909&m=aspire_one
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&s=0&o=xph&d=0909&m=aspire_one
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&s=0&o=xph&d=0909&m=aspire_one
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O1 - Hosts: 74.125.45.100 safebrowsing-cache.google.com
O1 - Hosts: 74.125.45.100 urs.microsoft.com
O1 - Hosts: 74.125.45.100 www.securesoftwarebill.com
O1 - Hosts: 74.125.45.100 paysoftbillsolution.com
O1 - Hosts: 74.125.45.100 protected.maxisoftwaremart.com
O1 - Hosts: 67.215.245.21 www.google-analytics.com
O1 - Hosts: 88.198.247.67 google.ae
O1 - Hosts: 88.198.247.67 google.as
O1 - Hosts: 88.198.247.67 google.at
O1 - Hosts: 88.198.247.67 google.az
O1 - Hosts: 88.198.247.67 google.ba
O1 - Hosts: 88.198.247.67 google.be
O1 - Hosts: 88.198.247.67 google.bg
O1 - Hosts: 88.198.247.67 google.bs
O1 - Hosts: 88.198.247.67 google.ca
O1 - Hosts: 88.198.247.67 google.cd
O1 - Hosts: 88.198.247.67 google.com.gh
O1 - Hosts: 88.198.247.67 google.com.hk
O1 - Hosts: 88.198.247.67 google.com.jm
O1 - Hosts: 88.198.247.67 google.com.mx
O1 - Hosts: 88.198.247.67 google.com.my
O1 - Hosts: 88.198.247.67 google.com.na
O1 - Hosts: 88.198.247.67 google.com.nf
O1 - Hosts: 88.198.247.67 google.com.ng
O1 - Hosts: 88.198.247.67 google.ch
O1 - Hosts: 88.198.247.67 google.com.np
O1 - Hosts: 88.198.247.67 google.com.pr
O1 - Hosts: 88.198.247.67 google.com.qa
O1 - Hosts: 88.198.247.67 google.com.sg
O1 - Hosts: 88.198.247.67 google.com.tj
O1 - Hosts: 88.198.247.67 google.com.tw
O1 - Hosts: 88.198.247.67 google.dj
O1 - Hosts: 88.198.247.67 google.de
O1 - Hosts: 88.198.247.67 google.dk
O1 - Hosts: 88.198.247.67 google.dm
O1 - Hosts: 88.198.247.67 google.ee
O1 - Hosts: 88.198.247.67 google.fi
O1 - Hosts: 88.198.247.67 google.fm
O1 - Hosts: 88.198.247.67 google.fr
O1 - Hosts: 88.198.247.67 google.ge
O1 - Hosts: 88.198.247.67 google.gg
O1 - Hosts: 88.198.247.67 google.gm
O1 - Hosts: 88.198.247.67 google.gr
O1 - Hosts: 88.198.247.67 google.ht
O1 - Hosts: 88.198.247.67 google.ie
O1 - Hosts: 88.198.247.67 google.im
O1 - Hosts: 88.198.247.67 google.in
O1 - Hosts: 88.198.247.67 google.it
O1 - Hosts: 88.198.247.67 google.ki
O1 - Hosts: 88.198.247.67 google.la
O1 - Hosts: 88.198.247.67 google.li
O1 - Hosts: 88.198.247.67 google.lv
O1 - Hosts: 88.198.247.67 google.ma
O1 - Hosts: 88.198.247.67 google.ms
O1 - Hosts: 88.198.247.67 google.mu
O1 - Hosts: 88.198.247.67 google.mw
O1 - Hosts: 88.198.247.67 google.nl
O1 - Hosts: 88.198.247.67 google.no
O1 - Hosts: 88.198.247.67 google.nr
O1 - Hosts: 88.198.247.67 google.nu
O1 - Hosts: 88.198.247.67 google.pl
O1 - Hosts: 88.198.247.67 google.pn
O1 - Hosts: 88.198.247.67 google.pt
O1 - Hosts: 88.198.247.67 google.ro
O1 - Hosts: 88.198.247.67 google.ru
O1 - Hosts: 88.198.247.67 google.rw
O1 - Hosts: 88.198.247.67 google.sc
O1 - Hosts: 88.198.247.67 google.se
O1 - Hosts: 88.198.247.67 google.sh
O1 - Hosts: 88.198.247.67 google.si
O1 - Hosts: 88.198.247.67 google.sm
O1 - Hosts: 88.198.247.67 google.sn
O1 - Hosts: 88.198.247.67 google.st
O1 - Hosts: 88.198.247.67 google.tl
O1 - Hosts: 88.198.247.67 google.tm
O1 - Hosts: 88.198.247.67 google.tt
O1 - Hosts: 88.198.247.67 google.us
O1 - Hosts: 88.198.247.67 google.vu
O1 - Hosts: 88.198.247.67 google.ws
O1 - Hosts: 88.198.247.67 google.co.ck
O1 - Hosts: 88.198.247.67 google.co.id
O1 - Hosts: 88.198.247.67 google.co.il
O1 - Hosts: 88.198.247.67 google.co.in
O1 - Hosts: 88.198.247.67 google.co.jp
O1 - Hosts: 88.198.247.67 google.co.kr
O1 - Hosts: 88.198.247.67 google.co.ls
O1 - Hosts: 88.198.247.67 google.co.ma
O1 - Hosts: 88.198.247.67 google.co.nz
O1 - Hosts: 88.198.247.67 google.co.tz
O1 - Hosts: 88.198.247.67 google.co.ug
O1 - Hosts: 88.198.247.67 google.co.uk
O1 - Hosts: 88.198.247.67 google.co.za
O1 - Hosts: 88.198.247.67 google.co.zm
O1 - Hosts: 88.198.247.67 google.com
O1 - Hosts: 88.198.247.67 google.com.af
O1 - Hosts: 88.198.247.67 google.com.ag
O1 - Hosts: 88.198.247.67 google.com.ar
O1 - Hosts: 88.198.247.67 google.com.au
O1 - Hosts: 88.198.247.67 google.com.bn
O1 - Hosts: 88.198.247.67 google.com.br
O1 - Hosts: 88.198.247.67 google.com.by
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\LManager.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [CarboniteSetupLite] "C:\Program Files\Carbonite\CarbonitePreinstaller.exe" /preinstalled
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [PLFSetI] C:\WINDOWS\PLFSetI.exe
O4 - HKLM\..\Run: [M3000Mnt] Rundll32.exe M3000Rmv.dll ,WinMainRmv /StartStillMnt
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [NACAgentUI] C:\Program Files\Cisco\Cisco NAC Agent\NACAgentUI.exe
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\rsfNZBGrI.exe" /runcleanupscript
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Search Protection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Startup: OpenOffice.org 3.1.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4D2D3A17-9B46-483C-A5F4-1DC471080009} (Cisco NAC Web Agent Control) - https://lcwireless.scu.edu/auth/taweb.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Desktop Manager 5.7.808.7150 (GoogleDesktopManager-080708-050100) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Cisco NAC Agent (NACAgent) - Cisco Systems, Inc. - C:\Program Files\Cisco\Cisco NAC Agent\NACAgent.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
--
End of file - 13251 bytes
Download HostsXpert (http://www.funkytoad.com/download/HostsXpert.zip) and unzip it to your desktop.
Open HostsXpert, which you earlier unzipped on your desktop.
Click "Make Hosts Writable?" in the upper right corner (if available).
Click "Restore Microsoft's Original Hosts File" and then click OK.
Close HostsXpert.
Note: if you used any custom Hosts file (e.g. MVPS Hosts), you will have to put it back manually.
Download DDS to your desktop from one of the links below:
Link 1 (http://download.bleepingcomputer.com/sUBs/dds.scr)
Link 2 (http://www.forospyware.com/sUBs/dds)
Double click the tool to run it.
A black screen will open; just read the contents and do nothing.
When the tool finishes, it will open 2 reports.
Copy/paste both reports back here and remove DDS from your desktop.
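A defender-side check of the kind HijackThis performs when it lists O1 entries and HostsXpert performs when it restores the stock file, added here as an example; it is not part of the original thread nor code from either tool. It parses hosts-file text, separates harmless blocking entries from redirects to foreign addresses, groups the redirected names by destination, tests whether the file is back to Microsoft's default, and (on Windows only) reports the read-only attribute that stops the file from being rewritten. The sample hosts content, including `ads.example.net`, is constructed to mirror the shape of the O1 lines above.

```python
"""Spot hosts-file hijacks of the kind HijackThis lists as O1 entries.

The sample input below is constructed; the real file on XP lives at
C:\\WINDOWS\\system32\\drivers\\etc\\hosts.
"""
import ipaddress
import os
import stat
from collections import defaultdict

# Names the stock Microsoft hosts file may legitimately map to loopback.
DEFAULT_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}

# Constructed sample in the shape of the thread's O1 lines, not the real file.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
74.125.45.100   safebrowsing-cache.google.com
74.125.45.100   urs.microsoft.com
67.215.245.21   www.google-analytics.com
88.198.247.67   google.com   # inline comment must be ignored
88.198.247.67   google.co.uk google.de
0.0.0.0         ads.example.net   # blocking entry, as a custom MVPS-style list adds
"""


def parse_hosts(text):
    """Yield (ip, hostname) pairs, one per name, skipping comments, blanks and junk."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                          # first field is not an address: skip
        for name in fields[1:]:               # one line may carry several names
            yield str(addr), name.lower()


def classify(ip, name):
    """'default' = stock entry, 'block' = name sent to this machine or nowhere,
    'redirect' = name sent to some other host (the hijack pattern in the log)."""
    addr = ipaddress.ip_address(ip)
    if name in DEFAULT_NAMES and addr.is_loopback:
        return "default"
    if addr.is_loopback or addr.is_unspecified:
        return "block"
    return "redirect"


def find_redirects(text):
    """Map each foreign address to the names the hosts file sends there."""
    by_ip = defaultdict(list)
    for ip, name in parse_hosts(text):
        if classify(ip, name) == "redirect":
            by_ip[ip].append(name)
    return dict(by_ip)


def is_default(text):
    """True when no active entry is anything but a stock loopback mapping, i.e.
    the state "Restore Microsoft's Original Hosts File" should leave the file in."""
    return all(classify(ip, name) == "default" for ip, name in parse_hosts(text))


def hosts_is_readonly(path=r"C:\WINDOWS\system32\drivers\etc\hosts"):
    """Windows only: does the hosts file carry the read-only attribute that makes
    tools fail to rewrite it? Returns None where the check cannot be made."""
    if not os.path.exists(path):
        return None
    attrs = getattr(os.stat(path), "st_file_attributes", None)
    if attrs is None:                         # not a Windows stat result
        return None
    return bool(attrs & getattr(stat, "FILE_ATTRIBUTE_READONLY", 0x1))


if __name__ == "__main__":
    for ip, names in find_redirects(SAMPLE_HOSTS).items():
        print(f"{ip}: {len(names)} name(s) redirected, e.g. {names[0]}")
    print("file is stock default:", is_default(SAMPLE_HOSTS))
    print("hosts read-only:", hosts_is_readonly())
```

Run it against the real file by passing `open(path).read()` to `find_redirects`; a non-empty result after the restore step means the rewrite did not take.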
HostsXpert 4.3 doesn't provide a make hosts writeable option.
Also, I get the following message when trying to restore original hosts file:
ERROR: Cannot create file c:\WINDOWS\system32\DRIVERS\ETC\hosts
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
DDS (Ver_09-12-01.01)
Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume2
Install Date: 9/16/2009 10:58:42 AM
System Uptime: 1/16/2010 9:19:06 AM (0 hours ago)
Motherboard: Acer | | Aspire one
Processor: Intel(R) Atom(TM) CPU N270 @ 1.60GHz | CPU | 1324/533mhz
==== Disk Partitions =========================
C: is FIXED (NTFS) - 142 GiB total, 124.86 GiB free.
==== Disabled Device Manager Items =============
Class GUID:
Description: Audio Device on High Definition Audio Bus
Device ID: HDAUDIO\FUNC_01&VEN_10EC&DEV_0272&SUBSYS_1025022F&REV_1000\4&32214977&0&0001
Manufacturer:
Name: Audio Device on High Definition Audio Bus
PNP Device ID: HDAUDIO\FUNC_01&VEN_10EC&DEV_0272&SUBSYS_1025022F&REV_1000\4&32214977&0&0001
Service:
==== System Restore Points ===================
RP22: 10/16/2009 10:22:49 AM - Software Distribution Service 3.0
RP23: 10/17/2009 1:03:51 PM - System Checkpoint
RP24: 10/18/2009 12:40:29 AM - Software Distribution Service 3.0
RP25: 10/19/2009 10:33:01 AM - Software Distribution Service 3.0
RP26: 10/21/2009 5:20:07 PM - System Checkpoint
RP27: 10/22/2009 3:00:19 AM - Software Distribution Service 3.0
RP28: 10/23/2009 12:52:01 PM - System Checkpoint
RP29: 10/24/2009 8:07:06 PM - System Checkpoint
RP30: 10/25/2009 9:57:35 PM - System Checkpoint
RP31: 10/27/2009 5:56:02 PM - System Checkpoint
RP32: 10/28/2009 10:31:18 AM - Software Distribution Service 3.0
RP33: 10/29/2009 12:41:21 PM - System Checkpoint
RP34: 10/30/2009 4:17:08 PM - System Checkpoint
RP35: 11/1/2009 7:00:50 PM - System Checkpoint
RP36: 11/3/2009 3:04:41 PM - System Checkpoint
RP37: 11/4/2009 10:48:50 PM - Software Distribution Service 3.0
RP38: 11/6/2009 10:21:51 PM - System Checkpoint
RP39: 11/9/2009 1:05:34 PM - System Checkpoint
RP40: 11/10/2009 2:16:57 PM - Software Distribution Service 3.0
RP41: 11/11/2009 5:50:30 PM - System Checkpoint
RP42: 11/12/2009 9:10:36 PM - System Checkpoint
RP43: 11/15/2009 2:51:27 PM - System Checkpoint
RP44: 11/19/2009 10:58:30 AM - System Checkpoint
RP45: 11/20/2009 7:50:27 PM - System Checkpoint
RP46: 11/26/2009 8:12:43 PM - System Checkpoint
RP47: 11/27/2009 9:51:21 AM - Software Distribution Service 3.0
RP48: 11/28/2009 5:39:49 PM - System Checkpoint
RP49: 11/30/2009 10:34:59 PM - Software Distribution Service 3.0
RP50: 12/1/2009 8:42:16 PM - Installed Java(TM) 6 Update 16
RP51: 12/1/2009 8:43:25 PM - Installed OpenOffice.org 3.1
RP52: 12/3/2009 10:57:28 PM - Printer Driver Dell Laser Printer 5310n PS3 Installed
RP53: 12/5/2009 11:00:36 AM - System Checkpoint
RP54: 12/6/2009 4:42:19 PM - System Checkpoint
RP55: 12/8/2009 12:47:23 AM - System Checkpoint
RP56: 12/9/2009 12:19:33 PM - System Checkpoint
RP57: 12/10/2009 8:38:21 AM - Software Distribution Service 3.0
RP58: 12/12/2009 12:33:19 AM - System Checkpoint
RP59: 12/13/2009 10:24:50 AM - System Checkpoint
RP60: 12/14/2009 3:21:53 PM - System Checkpoint
RP61: 12/15/2009 7:40:42 PM - System Checkpoint
RP62: 12/17/2009 8:55:21 AM - System Checkpoint
RP63: 12/21/2009 6:23:00 PM - System Checkpoint
RP64: 12/23/2009 3:05:34 PM - System Checkpoint
RP65: 12/29/2009 11:00:48 PM - System Checkpoint
RP66: 12/31/2009 2:45:49 PM - System Checkpoint
RP67: 12/31/2009 3:10:17 PM - Removed Adobe Reader 9.
RP68: 12/31/2009 3:11:09 PM - Removed Compatibility Pack for the 2007 Office system
RP69: 12/31/2009 3:22:12 PM - Removed Microsoft Office Home and Student 2007 Trial
RP70: 12/31/2009 3:31:52 PM - Removed Realtek High Definition Audio Driver
RP71: 12/31/2009 3:32:42 PM - Removed Skype web features
RP72: 12/31/2009 3:33:19 PM - Removed Skype™ 4.1
RP73: 12/31/2009 3:35:11 PM - Removed Microsoft Works
RP74: 12/31/2009 3:36:17 PM - Removed Microsoft Office Suite Activation Assistant.
RP75: 12/31/2009 3:36:53 PM - Removed Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
RP76: 12/31/2009 3:39:36 PM - Software Distribution Service 3.0
RP77: 1/1/2010 10:15:23 AM - Software Distribution Service 3.0
RP78: 1/2/2010 10:17:37 AM - System Checkpoint
RP79: 1/3/2010 2:25:28 PM - Removed Cisco NAC Agent .
RP80: 1/3/2010 2:26:05 PM - Installed Cisco NAC Agent .
RP81: 1/5/2010 9:19:46 PM - System Checkpoint
RP82: 1/6/2010 12:40:41 PM - Installed AVG Free 8.5
RP83: 1/7/2010 8:58:14 AM - Avg8 Update
RP84: 1/7/2010 8:59:33 AM - Avg8 Update
RP85: 1/8/2010 1:15:20 PM - Removed Acrobat.com
RP86: 1/9/2010 4:16:57 PM - System Checkpoint
RP87: 1/10/2010 6:42:40 PM - System Checkpoint
RP88: 1/11/2010 9:06:50 PM - System Checkpoint
RP89: 1/12/2010 4:24:49 PM - Removed AVG Free 8.5
RP90: 1/12/2010 4:25:43 PM - Installed AVG Free 8.5
RP91: 1/12/2010 4:27:09 PM - Removed Acer VCM
RP92: 1/12/2010 10:47:43 PM - Avira AntiVir Personal - 1/12/2010 22:47
RP93: 1/13/2010 3:00:20 AM - Software Distribution Service 3.0
RP94: 1/14/2010 7:48:24 AM - Software Distribution Service 3.0
RP95: 1/15/2010 7:51:19 PM - System Checkpoint
==== Hosts File Hijack ======================
Hosts: 74.125.45.100 safebrowsing-cache.google.com
Hosts: 74.125.45.100 urs.microsoft.com
Hosts: 74.125.45.100 www.securesoftwarebill.com
Hosts: 74.125.45.100 paysoftbillsolution.com
Hosts: 74.125.45.100 protected.maxisoftwaremart.com
Hosts: 67.215.245.21 www.google-analytics.com
Hosts: 88.198.247.67 google.ae
Hosts: 88.198.247.67 google.as
Hosts: 88.198.247.67 google.at
Hosts: 88.198.247.67 google.az
Hosts: 88.198.247.67 google.ba
Hosts: 88.198.247.67 google.be
Hosts: 88.198.247.67 google.bg
Hosts: 88.198.247.67 google.bs
Hosts: 88.198.247.67 google.ca
Hosts: 88.198.247.67 google.cd
Hosts: 88.198.247.67 google.com.gh
Hosts: 88.198.247.67 google.com.hk
Hosts: 88.198.247.67 google.com.jm
Hosts: 88.198.247.67 google.com.mx
Hosts: 88.198.247.67 google.com.my
Hosts: 88.198.247.67 google.com.na
Hosts: 88.198.247.67 google.com.nf
Hosts: 88.198.247.67 google.com.ng
Hosts: 88.198.247.67 google.ch
Hosts: 88.198.247.67 google.com.np
Hosts: 88.198.247.67 google.com.pr
Hosts: 88.198.247.67 google.com.qa
Hosts: 88.198.247.67 google.com.sg
Hosts: 88.198.247.67 google.com.tj
Hosts: 88.198.247.67 google.com.tw
Hosts: 88.198.247.67 google.dj
Hosts: 88.198.247.67 google.de
Hosts: 88.198.247.67 google.dk
Hosts: 88.198.247.67 google.dm
Hosts: 88.198.247.67 google.ee
Hosts: 88.198.247.67 google.fi
Hosts: 88.198.247.67 google.fm
Hosts: 88.198.247.67 google.fr
Hosts: 88.198.247.67 google.ge
Hosts: 88.198.247.67 google.gg
Hosts: 88.198.247.67 google.gm
Hosts: 88.198.247.67 google.gr
Hosts: 88.198.247.67 google.ht
Hosts: 88.198.247.67 google.ie
Hosts: 88.198.247.67 google.im
Hosts: 88.198.247.67 google.in
Hosts: 88.198.247.67 google.it
Hosts: 88.198.247.67 google.ki
Hosts: 88.198.247.67 google.la
Hosts: 88.198.247.67 google.li
Hosts: 88.198.247.67 google.lv
Hosts: 88.198.247.67 google.ma
Hosts: 88.198.247.67 google.ms
Hosts: 88.198.247.67 google.mu
Hosts: 88.198.247.67 google.mw
Hosts: 88.198.247.67 google.nl
Hosts: 88.198.247.67 google.no
Hosts: 88.198.247.67 google.nr
Hosts: 88.198.247.67 google.nu
Hosts: 88.198.247.67 google.pl
Hosts: 88.198.247.67 google.pn
Hosts: 88.198.247.67 google.pt
Hosts: 88.198.247.67 google.ro
Hosts: 88.198.247.67 google.ru
Hosts: 88.198.247.67 google.rw
Hosts: 88.198.247.67 google.sc
Hosts: 88.198.247.67 google.se
Hosts: 88.198.247.67 google.sh
Hosts: 88.198.247.67 google.si
Hosts: 88.198.247.67 google.sm
Hosts: 88.198.247.67 google.sn
Hosts: 88.198.247.67 google.st
Hosts: 88.198.247.67 google.tl
Hosts: 88.198.247.67 google.tm
Hosts: 88.198.247.67 google.tt
Hosts: 88.198.247.67 google.us
Hosts: 88.198.247.67 google.vu
Hosts: 88.198.247.67 google.ws
Hosts: 88.198.247.67 google.co.ck
Hosts: 88.198.247.67 google.co.id
Hosts: 88.198.247.67 google.co.il
Hosts: 88.198.247.67 google.co.in
Hosts: 88.198.247.67 google.co.jp
Hosts: 88.198.247.67 google.co.kr
Hosts: 88.198.247.67 google.co.ls
Hosts: 88.198.247.67 google.co.ma
Hosts: 88.198.247.67 google.co.nz
Hosts: 88.198.247.67 google.co.tz
Hosts: 88.198.247.67 google.co.ug
Hosts: 88.198.247.67 google.co.uk
Hosts: 88.198.247.67 google.co.za
Hosts: 88.198.247.67 google.co.zm
Hosts: 88.198.247.67 google.com
Hosts: 88.198.247.67 google.com.af
Hosts: 88.198.247.67 google.com.ag
Hosts: 88.198.247.67 google.com.ar
Hosts: 88.198.247.67 google.com.au
Hosts: 88.198.247.67 google.com.bn
Hosts: 88.198.247.67 google.com.br
Hosts: 88.198.247.67 google.com.by
Hosts: 88.198.247.67 google.com.bz
Hosts: 88.198.247.67 google.com.cu
Hosts: 88.198.247.67 google.com.ec
Hosts: 88.198.247.67 google.com.fj
Hosts: 88.198.247.67 www.google.ae
Hosts: 88.198.247.67 www.google.as
Hosts: 88.198.247.67 www.google.at
Hosts: 88.198.247.67 www.google.az
Hosts: 88.198.247.67 www.google.ba
Hosts: 88.198.247.67 www.google.be
Hosts: 88.198.247.67 www.google.bg
Hosts: 88.198.247.67 www.google.bs
Hosts: 88.198.247.67 www.google.ca
Hosts: 88.198.247.67 www.google.cd
Hosts: 88.198.247.67 www.google.com.gh
Hosts: 88.198.247.67 www.google.com.hk
Hosts: 88.198.247.67 www.google.com.jm
Hosts: 88.198.247.67 www.google.com.mx
Hosts: 88.198.247.67 www.google.com.my
Hosts: 88.198.247.67 www.google.com.na
Hosts: 88.198.247.67 www.google.com.nf
Hosts: 88.198.247.67 www.google.com.ng
Hosts: 88.198.247.67 www.google.ch
Hosts: 88.198.247.67 www.google.com.np
Hosts: 88.198.247.67 www.google.com.pr
Hosts: 88.198.247.67 www.google.com.qa
Hosts: 88.198.247.67 www.google.com.sg
Hosts: 88.198.247.67 www.google.com.tj
Hosts: 88.198.247.67 www.google.com.tw
Hosts: 88.198.247.67 www.google.dj
Hosts: 88.198.247.67 www.google.de
Hosts: 88.198.247.67 www.google.dk
Hosts: 88.198.247.67 www.google.dm
Hosts: 88.198.247.67 www.google.ee
Hosts: 88.198.247.67 www.google.fi
Hosts: 88.198.247.67 www.google.fm
Hosts: 88.198.247.67 www.google.fr
Hosts: 88.198.247.67 www.google.ge
Hosts: 88.198.247.67 www.google.gg
Hosts: 88.198.247.67 www.google.gm
Hosts: 88.198.247.67 www.google.gr
Hosts: 88.198.247.67 www.google.ht
Hosts: 88.198.247.67 www.google.ie
Hosts: 88.198.247.67 www.google.im
Hosts: 88.198.247.67 www.google.in
Hosts: 88.198.247.67 www.google.it
Hosts: 88.198.247.67 www.google.ki
Hosts: 88.198.247.67 www.google.la
Hosts: 88.198.247.67 www.google.li
Hosts: 88.198.247.67 www.google.lv
Hosts: 88.198.247.67 www.google.ma
Hosts: 88.198.247.67 www.google.ms
Hosts: 88.198.247.67 www.google.mu
Hosts: 88.198.247.67 www.google.mw
Hosts: 88.198.247.67 www.google.nl
Hosts: 88.198.247.67 www.google.no
Hosts: 88.198.247.67 www.google.nr
Hosts: 88.198.247.67 www.google.nu
Hosts: 88.198.247.67 www.google.pl
Hosts: 88.198.247.67 www.google.pn
Hosts: 88.198.247.67 www.google.pt
Hosts: 88.198.247.67 www.google.ro
Hosts: 88.198.247.67 www.google.ru
Hosts: 88.198.247.67 www.google.rw
Hosts: 88.198.247.67 www.google.sc
Hosts: 88.198.247.67 www.google.se
Hosts: 88.198.247.67 www.google.sh
Hosts: 88.198.247.67 www.google.si
Hosts: 88.198.247.67 www.google.sm
Hosts: 88.198.247.67 www.google.sn
Hosts: 88.198.247.67 www.google.st
Hosts: 88.198.247.67 www.google.tl
Hosts: 88.198.247.67 www.google.tm
Hosts: 88.198.247.67 www.google.tt
Hosts: 88.198.247.67 www.google.us
Hosts: 88.198.247.67 www.google.vu
Hosts: 88.198.247.67 www.google.ws
Hosts: 88.198.247.67 www.google.co.ck
Hosts: 88.198.247.67 www.google.co.id
Hosts: 88.198.247.67 www.google.co.il
Hosts: 88.198.247.67 www.google.co.in
Hosts: 88.198.247.67 www.google.co.jp
Hosts: 88.198.247.67 www.google.co.kr
Hosts: 88.198.247.67 www.google.co.ls
Hosts: 88.198.247.67 www.google.co.ma
Hosts: 88.198.247.67 www.google.co.nz
Hosts: 88.198.247.67 www.google.co.tz
Hosts: 88.198.247.67 www.google.co.ug
Hosts: 88.198.247.67 www.google.co.uk
Hosts: 88.198.247.67 www.google.co.za
Hosts: 88.198.247.67 www.google.co.zm
Hosts: 88.198.247.67 www.google.com
Hosts: 88.198.247.67 www.google.com.af
Hosts: 88.198.247.67 www.google.com.ag
Hosts: 88.198.247.67 www.google.com.ar
Hosts: 88.198.247.67 www.google.com.au
Hosts: 88.198.247.67 www.google.com.bn
Hosts: 88.198.247.67 www.google.com.br
Hosts: 88.198.247.67 www.google.com.by
Hosts: 88.198.247.67 www.google.com.bz
Hosts: 88.198.247.67 www.google.com.cu
Hosts: 88.198.247.67 www.google.com.ec
Hosts: 88.198.247.67 www.google.com.fj
Hosts: 88.198.247.67 google.com
Hosts: 88.198.247.67 www.google.com
Hosts: 88.198.247.67 bing.com
Hosts: 88.198.247.67 www.bing.com
Hosts: 88.198.247.67 search.yahoo.com
Hosts: 88.198.247.67 www.search.yahoo.com
Hosts: 88.198.247.67 search.live.com
Hosts: 88.198.247.67 search.msn.com
Hosts: 88.198.247.67 uk.search.yahoo.com
Hosts: 88.198.247.67 ca.search.yahoo.com
Hosts: 88.198.247.67 de.search.yahoo.com
Hosts: 88.198.247.67 fr.search.yahoo.com
Hosts: 88.198.247.67 au.search.yahoo.com
Hosts: 74.125.45.100 4-open-davinci.com
Hosts: 74.125.45.100 securitysoftwarepayments.com
Hosts: 74.125.45.100 privatesecuredpayments.com
Hosts: 74.125.45.100 secure.privatesecuredpayments.com
Hosts: 74.125.45.100 getantivirusplusnow.com
Hosts: 74.125.45.100 secure-plus-payments.com
Hosts: 74.125.45.100 www.getantivirusplusnow.com
Hosts: 74.125.45.100 www.secure-plus-payments.com
Hosts: 74.125.45.100 www.getavplusnow.com
Hosts: 74.125.45.100 secure.paysecuresystem.com
==== Installed Programs ======================
Acer Crystal Eye Webcam
Acer eRecovery Management
Acer ScreenSaver
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Apple Application Support
Apple Mobile Device Support
Apple Software Update
AutoUpdate
Avira AntiVir Personal - Free Antivirus
Bonjour
Carbonite Online Backup Setup
Choice Guard
Cisco NAC Agent
Cool PDF Reader 3.0
DivX Player
DivX Plus Web Player
DivX Version Checker
ERUNT 1.1j
Google Desktop
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows XP (KB932716-v2)
Hotfix for Windows XP (KB949764)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB954708)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Intel(R) Graphics Media Accelerator Driver
Intel® Matrix Storage Manager
iTunes
Java(TM) 6 Update 16
Junk Mail filter update
Launch Manager
Malwarebytes' Anti-Malware
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Application Error Reporting
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
Microsoft National Language Support Downlevel APIs
Microsoft Office PowerPoint Viewer 2007 (English)
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
MSVCRT
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
OpenOffice.org 3.1
QuickTime
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Internet Explorer 7 (KB974455)
Security Update for Windows Internet Explorer 7 (KB976325)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371-v2)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Segoe UI
Spybot - Search & Destroy
Synaptics Pointing Device Driver
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 7 (KB976749)
Update for Windows XP (KB898461)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
USB2.0 Card Reader Software
VC80CRTRedist - 8.0.50727.4053
VLC media player 1.0.1
WebCam
WebFldrs XP
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Mail
Windows Live Messenger
Windows Live Photo Gallery
Windows Live Sign-in Assistant
Windows Live Sync
Windows Live Upload Tool
Windows Live Writer
Yahoo! Search Protection
Yahoo! Software Update
==== Event Viewer Messages From Past Week ========
1/13/2010 9:30:14 AM, error: Dhcp [1002] - The IP address lease 192.168.2.6 for the Network Card with network address 00255622C76C has been denied by the DHCP server 10.196.255.250 (The DHCP Server sent a DHCPNACK message).
1/13/2010 5:04:49 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
1/13/2010 3:41:57 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: avgio avipbb Fips intelppm ssmdrv
1/11/2010 2:28:06 PM, error: Dhcp [1002] - The IP address lease 129.210.219.13 for the Network Card with network address 00255622C76C has been denied by the DHCP server 192.168.100.5 (The DHCP Server sent a DHCPNACK message).
1/11/2010 1:04:43 PM, error: Dhcp [1002] - The IP address lease 129.210.237.188 for the Network Card with network address 00255622C76C has been denied by the DHCP server 129.210.250.201 (The DHCP Server sent a DHCPNACK message).
==== End Of File ===========================
DDS (Ver_09-12-01.01) - NTFSx86
Run by Julia Pezzini at 9:41:24.00 on Sat 01/16/2010
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.601 [GMT -8:00]
AV: PC Live Guard *On-access scanning enabled* (Updated) {DB08491C-21DE-40D7-AA03-3BCA2FAAE4FF}
AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
FW: PC Live Guard *enabled* {43DA7C7C-F504-4D5F-95ED-8CE62F26A3F2}
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
svchost.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Cisco\Cisco NAC Agent\NACAgent.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\LAUNCH~1\LManager.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\PLFSetI.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\WebCam\M3000\M3000Mnt.exe
C:\Program Files\Cisco\Cisco NAC Agent\NACAgentUI.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\igfxext.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Julia Pezzini\My Documents\antivirus\dds.scr
============== Pseudo HJT Report ===============
uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
uDefault_Page_URL = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&s=0&o=xph&d=0909&m=aspire_one
uSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
mDefault_Page_URL = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&s=0&o=xph&d=0909&m=aspire_one
mDefault_Search_URL = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
mSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
mStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&s=0&o=xph&d=0909&m=aspire_one
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [Search Protection] c:\program files\yahoo!\search protection\SearchProtection.exe
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [LManager] c:\progra~1\launch~1\LManager.exe
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [CarboniteSetupLite] "c:\program files\carbonite\CarbonitePreinstaller.exe" /preinstalled
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [PLFSetI] c:\windows\PLFSetI.exe
mRun: [M3000Mnt] Rundll32.exe M3000Rmv.dll ,WinMainRmv /StartStillMnt
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [YSearchProtection] "c:\program files\yahoo!\search protection\SearchProtection.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [NACAgentUI] c:\program files\cisco\cisco nac agent\NACAgentUI.exe
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\rsfNZBGrI.exe" /runcleanupscript
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
StartupFolder: c:\docume~1\juliap~1\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\docume~1\juliap~1\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {4D2D3A17-9B46-483C-A5F4-1DC471080009} - hxxps://lcwireless.scu.edu/auth/taweb.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: c:\progra~1\google\google~1\GOEC62~1.DLL
IFEO: image file execution options - svchost.exe
IFEO: brastk.exe - svchost.exe
Hosts: 74.125.45.100 safebrowsing-cache.google.com
Hosts: 74.125.45.100 urs.microsoft.com
Hosts: 74.125.45.100 www.securesoftwarebill.com
Hosts: 74.125.45.100 paysoftbillsolution.com
Hosts: 74.125.45.100 protected.maxisoftwaremart.com
Note: multiple HOSTS entries found. Please refer to Attach.txt
============= SERVICES / DRIVERS ===============
R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2010-1-12 11608]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-1-12 108289]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-1-12 185089]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-1-12 56816]
R2 NACAgent;Cisco NAC Agent;c:\program files\cisco\cisco nac agent\NACAgent.exe [2009-11-21 742144]
R3 L1c;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller;c:\windows\system32\drivers\l1c51x86.sys [2009-3-3 38912]
R3 M3000Srv;USB2.0 UVC WebCam Driver;c:\windows\system32\drivers\M3000KNT.sys [2009-7-7 145152]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\ambfilt.sys --> c:\windows\system32\drivers\Ambfilt.sys [?]
S3 GoogleDesktopManager-080708-050100;Google Desktop Manager 5.7.808.7150;c:\program files\google\google desktop search\GoogleDesktop.exe [2009-3-11 24064]
S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RtsUStor.sys [2009-3-11 162816]
S3 Rts516xIR;Realtek IR Driver;c:\windows\system32\drivers\rts516xir.sys --> c:\windows\system32\drivers\Rts516xIR.sys [?]
=============== Created Last 30 ================
2010-01-13 06:48:43 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-01-13 06:48:41 0 d-----w- c:\program files\Avira
2010-01-13 06:48:41 0 d-----w- c:\docume~1\alluse~1\applic~1\Avira
2010-01-13 04:27:09 0 d--h--w- c:\windows\PIF
2010-01-08 21:06:55 51604 ----a-w- c:\windows\system32\Adist5k.ppd
2010-01-08 21:06:55 438976 ----a-w- c:\windows\system32\Mshflxgd.ocx
2010-01-08 21:06:55 244024 ----a-w- c:\windows\system32\Msflxgrd.ocx
2010-01-08 21:06:55 212240 ----a-w- c:\windows\system32\Richtx32.ocx
2010-01-08 21:06:55 204848 ----a-w- c:\windows\system32\gswin32c.exe
2010-01-08 21:06:55 196608 ----a-w- c:\windows\system32\Utility.dll
2010-01-08 21:06:55 117507 ----a-w- c:\windows\system32\msinet.ocx
2010-01-08 21:06:54 0 d-----w- c:\windows\system32\gs
2010-01-08 21:06:47 368912 ----a-w- c:\windows\system32\vbar332.dll
2010-01-08 21:06:47 140288 ----a-w- c:\windows\system32\COMDLG32.OCX
2010-01-08 21:06:47 1081616 ----a-w- c:\windows\system32\MSCOMCTL.OCX
2010-01-06 20:40:56 0 d-----w- c:\windows\system32\drivers\Avg
2010-01-06 20:40:42 0 d-----w- c:\program files\AVG
2010-01-03 22:26:06 0 d-----w- c:\program files\common files\Cisco
2010-01-02 16:44:06 0 d-----w- c:\program files\Trend Micro
2009-12-31 23:29:57 0 d-----w- c:\docume~1\juliap~1\applic~1\MSNInstaller
2009-12-30 05:42:33 0 d-----w- c:\docume~1\juliap~1\applic~1\Malwarebytes
2009-12-30 05:42:26 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-30 05:42:24 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-12-30 05:42:22 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-30 05:42:22 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-30 04:02:27 0 d-----w- c:\program files\Spybot - Search & Destroy
2009-12-30 04:02:27 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-12-29 04:53:07 0 d-sh--w- c:\docume~1\alluse~1\applic~1\PCMCRJQZLG
2009-12-29 04:51:50 0 d-sh--w- c:\docume~1\alluse~1\applic~1\664e2e2
2009-12-26 05:28:34 0 d-----w- c:\docume~1\juliap~1\applic~1\MozillaControl
2009-12-26 05:22:06 0 d-----w- c:\program files\Mozilla ActiveX Control v1.7.12
2009-12-26 05:19:15 0 d-----w- c:\program files\VideoLAN
2009-12-25 03:33:24 0 d-----w- c:\program files\common files\DivX Shared
2009-12-25 03:33:22 0 d-----w- c:\program files\DivX
==================== Find3M ====================
2009-12-02 04:42:26 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-11-14 00:49:00 129784 ------w- c:\windows\system32\pxafs.dll
2009-11-14 00:49:00 120056 ------w- c:\windows\system32\pxcpyi64.exe
2009-11-14 00:49:00 118520 ------w- c:\windows\system32\pxinsi64.exe
2009-10-29 07:46:59 832512 ----a-w- c:\windows\system32\wininet.dll
2009-10-29 07:46:52 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-10-29 07:46:50 17408 ----a-w- c:\windows\system32\corpol.dll
2009-10-21 05:38:36 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38:36 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-03-12 05:16:13 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\application data\microsoft\feeds cache\index.dat
2009-09-16 17:52:49 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009091620090917\index.dat
============= FINISH: 9:42:20.95 ===============
So it is brute force time.
Download OTMoveIt (http://oldtimer.geekstogo.com/OTM.exe) by Old Timer and save it to your Desktop.
Double-click OTM.exe. (Vista users, please right click on OTM.exe and select "Run as an Administrator")
Copy the lines in the codebox below.
:files
c:\WINDOWS\system32\DRIVERS\ETC\hosts
Return to OTMoveIt, right click in the Paste Instructions for Items to be Moved window (under the yellow bar) and choose Paste.
Click the red Moveit! button.
Copy everything in the Results window (under the green bar), and paste it in your next reply.
Close OTMoveIt
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.
Post also a fresh HijackThis log, please.
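The hosts-file hijack that the OTM step above removes, as an added example that is not part of the original thread (and not code from OTM or any other tool named here): a small Python audit of a hosts file that separates sink entries (127.0.0.1 or 0.0.0.0, the ad-blocking style a legitimate file may carry) from entries that redirect a name to a remote address, groups the redirects by target IP so the "two addresses collecting a hundred names" pattern in the log stands out, lists which of them divert search-engine and vendor names, and rebuilds a clean file that keeps only the sink entries. HOSTS_TEXT is constructed from a few entries in the DDS log above, not the full file; WATCHED_SUFFIXES and the is_watched() rule are assumptions of this example, not anything the thread defines.

```python
"""Audit a Windows hosts file for redirect-style hijacks and rebuild it.

Added example for this thread, not code from the thread or from OTM.
HOSTS_TEXT is constructed from a few entries in the DDS log above (not the
full file); WATCHED_SUFFIXES and the is_watched() rule are assumptions.
"""
import ipaddress
from collections import defaultdict

# Constructed sample: a clean default line, a few of the hijack entries from
# the log, and two ad-blocking style entries that a legitimate file may hold.
HOSTS_TEXT = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
74.125.45.100 safebrowsing-cache.google.com
74.125.45.100 urs.microsoft.com
74.125.45.100 www.securesoftwarebill.com
88.198.247.67 google.com
88.198.247.67 www.google.com
88.198.247.67 www.bing.com
88.198.247.67 search.yahoo.com   # trailing comment is ignored
127.0.0.1 ad.doubleclick.net
0.0.0.0 tracker.example
"""

# Assumed watch-list: names that should resolve through public DNS, never
# through a hosts entry on an end-user machine.
WATCHED_SUFFIXES = ("google.com", "bing.com", "yahoo.com",
                    "microsoft.com", "live.com")


def parse_hosts(text):
    """Return [(ip, hostname), ...]; comments, blanks and malformed lines skipped.
    A line may list several names for one address, so each name is one entry."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # first token is not an address; skip the line
        for name in parts[1:]:
            entries.append((str(ip), name.lower()))
    return entries


def is_sink(ip):
    """Loopback and 0.0.0.0 entries block a name; anything else redirects it."""
    addr = ipaddress.ip_address(ip)
    return addr.is_loopback or addr.is_unspecified


def is_watched(name):
    """Heuristic: any Google country domain (google.de, google.co.uk, ...) or a
    name under one of the assumed WATCHED_SUFFIXES."""
    if name.startswith("google.") or name.startswith("www.google."):
        return True
    return any(name == s or name.endswith("." + s) for s in WATCHED_SUFFIXES)


def redirects_by_target(text):
    """Group every non-sink mapping by the address it points to. A handful of
    remote addresses each collecting many names is the hijack signature."""
    grouped = defaultdict(list)
    for ip, name in parse_hosts(text):
        if not is_sink(ip):
            grouped[ip].append(name)
    return dict(grouped)


def hijacked_names(text):
    """Sorted watched names that a redirect entry diverts away from DNS."""
    return sorted(name for names in redirects_by_target(text).values()
                  for name in names if is_watched(name))


def rebuild_hosts(text):
    """Clean replacement: keep sink (blocking) entries, drop every redirect,
    and make sure the localhost line is present at the top."""
    kept = [(ip, name) for ip, name in parse_hosts(text) if is_sink(ip)]
    if ("127.0.0.1", "localhost") not in kept:
        kept.insert(0, ("127.0.0.1", "localhost"))
    return "".join(f"{ip}\t{name}\n" for ip, name in kept)


if __name__ == "__main__":
    for ip, names in sorted(redirects_by_target(HOSTS_TEXT).items()):
        print(f"{ip}: {len(names)} names redirected, e.g. {names[0]}")
    print("hijacked:", ", ".join(hijacked_names(HOSTS_TEXT)))
    print("--- rebuilt hosts ---")
    print(rebuild_hosts(HOSTS_TEXT), end="")
```

Run it against a copy of C:\WINDOWS\system32\drivers\etc\hosts. When the file cannot be edited in place, as Spybot and HijackThis reported in this thread, remove it the way the OTM step does and write the rebuilt content as a fresh file; the resolver falls back to DNS for any name with no hosts entry, so even an empty file is safe. Review the non-sink groups before discarding them, since a legitimate intranet mapping would be dropped by rebuild_hosts() too, and run ipconfig /flushdns afterwards so cached answers from the hijacked file do not linger.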
========== FILES ==========
c:\windows\system32\drivers\etc\hosts moved successfully.
OTM by OldTimer - Version 3.1.6.0 log created on 01162010_141133
HJT:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:14:33 PM, on 1/16/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16945)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Cisco\Cisco NAC Agent\NACAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\LAUNCH~1\LManager.exe
C:\WINDOWS\PLFSetI.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Cisco\Cisco NAC Agent\NACAgentUI.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\WINDOWS\WebCam\M3000\M3000Mnt.exe
C:\WINDOWS\system32\igfxext.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\Julia Pezzini\My Documents\antivirus\OTM.exe
C:\WINDOWS\notepad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&s=0&o=xph&d=0909&m=aspire_one
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&s=0&o=xph&d=0909&m=aspire_one
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&s=0&o=xph&d=0909&m=aspire_one
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\LManager.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [CarboniteSetupLite] "C:\Program Files\Carbonite\CarbonitePreinstaller.exe" /preinstalled
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [PLFSetI] C:\WINDOWS\PLFSetI.exe
O4 - HKLM\..\Run: [M3000Mnt] Rundll32.exe M3000Rmv.dll ,WinMainRmv /StartStillMnt
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [NACAgentUI] C:\Program Files\Cisco\Cisco NAC Agent\NACAgentUI.exe
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\rsfNZBGrI.exe" /runcleanupscript
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Search Protection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Startup: OpenOffice.org 3.1.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4D2D3A17-9B46-483C-A5F4-1DC471080009} (Cisco NAC Web Agent Control) - https://lcwireless.scu.edu/auth/taweb.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Desktop Manager 5.7.808.7150 (GoogleDesktopManager-080708-050100) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Cisco NAC Agent (NACAgent) - Cisco Systems, Inc. - C:\Program Files\Cisco\Cisco NAC Agent\NACAgent.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
--
End of file - 9384 bytes
Sorry, I didn't close OTMoveIT before running the last HJT.
Here is the latest log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:16:38 PM, on 1/16/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16945)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Cisco\Cisco NAC Agent\NACAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\LAUNCH~1\LManager.exe
C:\WINDOWS\PLFSetI.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Cisco\Cisco NAC Agent\NACAgentUI.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\WINDOWS\WebCam\M3000\M3000Mnt.exe
C:\WINDOWS\system32\igfxext.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&s=0&o=xph&d=0909&m=aspire_one
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&s=0&o=xph&d=0909&m=aspire_one
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&s=0&o=xph&d=0909&m=aspire_one
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\LManager.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [CarboniteSetupLite] "C:\Program Files\Carbonite\CarbonitePreinstaller.exe" /preinstalled
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [PLFSetI] C:\WINDOWS\PLFSetI.exe
O4 - HKLM\..\Run: [M3000Mnt] Rundll32.exe M3000Rmv.dll ,WinMainRmv /StartStillMnt
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [NACAgentUI] C:\Program Files\Cisco\Cisco NAC Agent\NACAgentUI.exe
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\rsfNZBGrI.exe" /runcleanupscript
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Search Protection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Startup: OpenOffice.org 3.1.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4D2D3A17-9B46-483C-A5F4-1DC471080009} (Cisco NAC Web Agent Control) - https://lcwireless.scu.edu/auth/taweb.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Desktop Manager 5.7.808.7150 (GoogleDesktopManager-080708-050100) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Cisco NAC Agent (NACAgent) - Cisco Systems, Inc. - C:\Program Files\Cisco\Cisco NAC Agent\NACAgent.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
--
End of file - 9239 bytes
Looks good :)
Please go to Kaspersky website (http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html) and perform an online antivirus scan.
Read through the requirements and privacy statement and click on Accept button.
It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
When the downloads have finished, click on Settings.
Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
Spyware, Adware, Dialers, and other potentially dangerous programs
Archives
Click on My Computer under Scan.
Once the scan is complete, it will display the results. Click on View Scan Report.
You will see a list of infected items there. Click on Save Report As....
Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
Please post this log in your next reply along with a fresh HijackThis log.
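The report the steps above produce is a plain text file whose hit lines have the shape "<path> Infected: <detection name> <count>". The script below is an added example for reading such a report offline; it is not part of this thread and not Kaspersky's own tooling. It assumes only that line format (the same one the reports posted in this thread use) and works on a constructed sample that uses a handful of lines modeled on this machine's report, with the user's profile folder replaced by a placeholder. It groups the hits by detection name and by folder, checks that the per-file hits add up to the report's own "Threats found" and "Infected objects found" counters, and lists which hits are copies of the hosts file, since dozens of timestamped hosts backups flagged with one detection are a single hosts-file hijack rather than dozens of separate infections.

```python
"""Summarize a Kaspersky Online Scanner 7.0 text report (added example)."""
import re
import ntpath
from collections import Counter, defaultdict

# One hit line: <path> Infected: <detection name> <count>
HIT_RE = re.compile(r"^(?P<path>.+?)\s+Infected:\s+(?P<threat>\S+)\s+(?P<count>\d+)\s*$")
# Counter lines from the "Scan statistics" section, e.g. "Threats found: 4"
STAT_RE = re.compile(r"^(?P<key>[A-Za-z ]+):\s+(?P<value>\d+)\s*$")
# hosts itself or a timestamped copy of it: hosts.YYYYMMDD-HHMMSS.backup
HOSTS_RE = re.compile(r"^hosts(\.\d{8}-\d{6}\.backup)?$", re.IGNORECASE)

# Constructed sample in the report's format; <user> stands in for the profile name.
SAMPLE_REPORT = r"""Scan statistics:
Objects scanned: 102015
Threats found: 4
Infected objects found: 6
Suspicious objects found: 0
Scan duration: 02:45:12
File name / Threat / Threats count
C:\Documents and Settings\<user>\Local Settings\Temporary Internet Files\Content.IE5\GUMU2VR2\jquery-init[1].js Infected: Hoax.HTML.FakeAntivirus.a 1
C:\Documents and Settings\<user>\Local Settings\Temporary Internet Files\Content.IE5\K59JOU95\dfghfghgfj[1].dll Infected: Trojan.Win32.BHO.adet 1
C:\Documents and Settings\<user>\Local Settings\Temporary Internet Files\Content.IE5\R17H160C\documents[1].htm Infected: Trojan.JS.Plugator.a 1
C:\WINDOWS\system32\drivers\etc\hosts.20091229-201439.backup Infected: Trojan.Win32.FraudPack.rdo 1
C:\WINDOWS\system32\drivers\etc\hosts.20091229-204056.backup Infected: Trojan.Win32.FraudPack.rdo 1
C:\_OTM\MovedFiles\01162010_141133\c_windows\system32\drivers\etc\hosts Infected: Trojan.Win32.FraudPack.rdo 1
Selected area has been scanned.
"""


def parse_report(text):
    """Return (stats, hits): stats maps counter names to ints,
    hits is a list of (path, detection_name, count) tuples."""
    stats, hits = {}, []
    for line in text.splitlines():
        line = line.strip()
        m = HIT_RE.match(line)
        if m:
            hits.append((m.group("path"), m.group("threat"), int(m.group("count"))))
            continue
        m = STAT_RE.match(line)
        if m:
            stats[m.group("key")] = int(m.group("value"))
    return stats, hits


def summarize(hits):
    """Group hits by detection name, and by folder then detection name."""
    by_threat = Counter()
    by_dir = defaultdict(Counter)
    for path, threat, count in hits:
        by_threat[threat] += count
        by_dir[ntpath.dirname(path)][threat] += count
    return by_threat, by_dir


def check_consistency(stats, hits):
    """True when the per-file lines add up to the report's own counters."""
    by_threat, _ = summarize(hits)
    return (sum(c for _, _, c in hits) == stats.get("Infected objects found")
            and len(by_threat) == stats.get("Threats found"))


def hosts_file_hits(hits):
    """Paths whose file name is the hosts file or a timestamped backup of it."""
    return [path for path, _, _ in hits if HOSTS_RE.match(ntpath.basename(path))]


if __name__ == "__main__":
    stats, hits = parse_report(SAMPLE_REPORT)
    by_threat, by_dir = summarize(hits)
    print("counters consistent:", check_consistency(stats, hits))
    for threat, n in by_threat.most_common():
        print(f"{n:3d}  {threat}")
    for folder, threats in by_dir.items():
        print(folder, dict(threats))
    print("hosts-file copies flagged:", len(hosts_file_hits(hits)))
```

Run against a real saved report, replace SAMPLE_REPORT with the file's contents; if check_consistency returns False, the file was truncated or edited before it was posted, which is worth knowing before reading the rest of it.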
Here are the Kaspersky results:
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Sunday, January 17, 2010
Operating system: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Sunday, January 17, 2010 19:14:56
Records in database: 3325557
--------------------------------------------------------------------------------
Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes
Scan area - My Computer:
C:\
Scan statistics:
Objects scanned: 102015
Threats found: 4
Infected objects found: 75
Suspicious objects found: 0
Scan duration: 02:45:12
File name / Threat / Threats count
C:\Documents and Settings\HelpAssistant\Local Settings\Temporary Internet Files\Content.IE5\GUMU2VR2\jquery-init[1].js Infected: Hoax.HTML.FakeAntivirus.a 1
C:\Documents and Settings\HelpAssistant\Local Settings\Temporary Internet Files\Content.IE5\K59JOU95\dfghfghgfj[1].dll Infected: Trojan.Win32.BHO.adet 1
C:\Documents and Settings\HelpAssistant\Local Settings\Temporary Internet Files\Content.IE5\R17H160C\documents[1].htm Infected: Trojan.JS.Plugator.a 1
C:\Documents and Settings\HelpAssistant.ACER-330BB84976\Local Settings\Temporary Internet Files\Content.IE5\GUMU2VR2\jquery-init[1].js Infected: Hoax.HTML.FakeAntivirus.a 1
C:\Documents and Settings\HelpAssistant.ACER-330BB84976\Local Settings\Temporary Internet Files\Content.IE5\K59JOU95\dfghfghgfj[1].dll Infected: Trojan.Win32.BHO.adet 1
C:\Documents and Settings\HelpAssistant.ACER-330BB84976\Local Settings\Temporary Internet Files\Content.IE5\R17H160C\documents[1].htm Infected: Trojan.JS.Plugator.a 1
C:\Documents and Settings\Julia Pezzini\Local Settings\Temporary Internet Files\Content.IE5\GUMU2VR2\jquery-init[1].js Infected: Hoax.HTML.FakeAntivirus.a 1
C:\Documents and Settings\Julia Pezzini\Local Settings\Temporary Internet Files\Content.IE5\K59JOU95\dfghfghgfj[1].dll Infected: Trojan.Win32.BHO.adet 1
C:\Documents and Settings\Julia Pezzini\Local Settings\Temporary Internet Files\Content.IE5\R17H160C\documents[1].htm Infected: Trojan.JS.Plugator.a 1
C:\WINDOWS\system32\drivers\etc\hosts.20091229-201439.backup Infected: Trojan.Win32.FraudPack.rdo 1
C:\WINDOWS\system32\drivers\etc\hosts.20091229-204056.backup Infected: Trojan.Win32.FraudPack.rdo 1
C:\WINDOWS\system32\drivers\etc\hosts.20091229-204113.backup Infected: Trojan.Win32.FraudPack.rdo 1
C:\WINDOWS\system32\drivers\etc\hosts.20091229-204114.backup Infected: Trojan.Win32.FraudPack.rdo 1
C:\WINDOWS\system32\drivers\etc\hosts.20091229-204115.backup Infected: Trojan.Win32.FraudPack.rdo 1
C:\WINDOWS\system32\drivers\etc\hosts.20091229-204116.backup Infected: Trojan.Win32.FraudPack.rdo 1
C:\WINDOWS\system32\drivers\etc\hosts.20091229-204118.backup Infected: Trojan.Win32.FraudPack.rdo 1
C:\WINDOWS\system32\drivers\etc\hosts.20091229-204119.backup Infected: Trojan.Win32.FraudPack.rdo 1
C:\WINDOWS\system32\drivers\etc\hosts.20091229-204120.backup Infected: Trojan.Win32.FraudPack.rdo 1
C:\WINDOWS\system32\drivers\etc\hosts.20091229-204121.backup Infected: Trojan.Win32.FraudPack.rdo 1
C:\WINDOWS\system32\drivers\etc\hosts.20091229-204122.backup Infected: Trojan.Win32.FraudPack.rdo 1
C:\WINDOWS\system32\drivers\etc\hosts.20091229-204123.backup Infected: Trojan.Win32.FraudPack.rdo 1
C:\WINDOWS\system32\drivers\etc\hosts.20091229-204124.backup Infected: Trojan.Win32.FraudPack.rdo 1
C:\WINDOWS\system32\drivers\etc\hosts.20091229-204240.backup Infected: Trojan.Win32.FraudPack.rdo 1
C:\WINDOWS\system32\drivers\etc\hosts.20091229-204244.backup Infected: Trojan.Win32.FraudPack.rdo 1
C:\WINDOWS\system32\drivers\etc\hosts.20091229-204245.backup Infected: Trojan.Win32.FraudPack.rdo 1
C:\WINDOWS\system32\drivers\etc\hosts.20091229-204246.backup Infected: Trojan.Win32.FraudPack.rdo 1
C:\WINDOWS\system32\drivers\etc\hosts.20091229-204247.backup Infected: Trojan.Win32.FraudPack.rdo 1
C:\WINDOWS\system32\drivers\etc\hosts.20091229-204248.backup Infected: Trojan.Win32.FraudPack.rdo 1
C:\WINDOWS\system32\drivers\etc\hosts.20091229-204249.backup Infected: Trojan.Win32.FraudPack.rdo 1
C:\WINDOWS\system32\drivers\etc\hosts.20091229-204250.backup Infected: Trojan.Win32.FraudPack.rdo 1
C:\WINDOWS\system32\drivers\etc\hosts.20091229-204251.backup Infected: Trojan.Win32.FraudPack.rdo 1
C:\WINDOWS\system32\drivers\etc\hosts.20091229-204252.backup Infected: Trojan.Win32.FraudPack.rdo 1
C:\WINDOWS\system32\drivers\etc\hosts.20091229-204253.backup Infected: Trojan.Win32.FraudPack.rdo 1
C:\WINDOWS\system32\drivers\etc\hosts.20091229-204254.backup Infected: Trojan.Win32.FraudPack.rdo 1
C:\WINDOWS\system32\drivers\etc\hosts.20091229-204255.backup Infected: Trojan.Win32.FraudPack.rdo 1
C:\WINDOWS\system32\drivers\etc\hosts.20091229-204256.backup Infected: Trojan.Win32.FraudPack.rdo 1
C:\WINDOWS\system32\drivers\etc\hosts.20091229-204259.backup Infected: Trojan.Win32.FraudPack.rdo 1
C:\WINDOWS\system32\drivers\etc\hosts.20091229-204300.backup Infected: Trojan.Win32.FraudPack.rdo 1
C:\WINDOWS\system32\drivers\etc\hosts.20091229-204301.backup Infected: Trojan.Win32.FraudPack.rdo 1
C:\WINDOWS\system32\drivers\etc\hosts.20091229-204430.backup Infected: Trojan.Win32.FraudPack.rdo 1
C:\WINDOWS\system32\drivers\etc\hosts.20091229-204436.backup Infected: Trojan.Win32.FraudPack.rdo 1
C:\WINDOWS\system32\drivers\etc\hosts.20091229-204438.backup Infected: Trojan.Win32.FraudPack.rdo 1
C:\WINDOWS\system32\drivers\etc\hosts.20091229-204439.backup Infected: Trojan.Win32.FraudPack.rdo 1
C:\WINDOWS\system32\drivers\etc\hosts.20091229-204440.backup Infected: Trojan.Win32.FraudPack.rdo 1
C:\WINDOWS\system32\drivers\etc\hosts.20091229-204441.backup Infected: Trojan.Win32.FraudPack.rdo 1
C:\WINDOWS\system32\drivers\etc\hosts.20091229-204442.backup Infected: Trojan.Win32.FraudPack.rdo 1
C:\WINDOWS\system32\drivers\etc\hosts.20091229-204443.backup Infected: Trojan.Win32.FraudPack.rdo 1
C:\WINDOWS\system32\drivers\etc\hosts.20091229-204444.backup Infected: Trojan.Win32.FraudPack.rdo 1
C:\WINDOWS\system32\drivers\etc\hosts.20091229-204445.backup Infected: Trojan.Win32.FraudPack.rdo 1
C:\WINDOWS\system32\drivers\etc\hosts.20091229-204446.backup Infected: Trojan.Win32.FraudPack.rdo 1
C:\WINDOWS\system32\drivers\etc\hosts.20091229-204447.backup Infected: Trojan.Win32.FraudPack.rdo 1
C:\WINDOWS\system32\drivers\etc\hosts.20091229-204448.backup Infected: Trojan.Win32.FraudPack.rdo 1
C:\WINDOWS\system32\drivers\etc\hosts.20091229-204449.backup Infected: Trojan.Win32.FraudPack.rdo 1
C:\WINDOWS\system32\drivers\etc\hosts.20091229-204450.backup Infected: Trojan.Win32.FraudPack.rdo 1
C:\WINDOWS\system32\drivers\etc\hosts.20091229-204617.backup Infected: Trojan.Win32.FraudPack.rdo 1
C:\WINDOWS\system32\drivers\etc\hosts.20091230-113506.backup Infected: Trojan.Win32.FraudPack.rdo 1
C:\WINDOWS\system32\drivers\etc\hosts.20091230-113514.backup Infected: Trojan.Win32.FraudPack.rdo 1
C:\WINDOWS\system32\drivers\etc\hosts.20091230-113515.backup Infected: Trojan.Win32.FraudPack.rdo 1
C:\WINDOWS\system32\drivers\etc\hosts.20091230-113516.backup Infected: Trojan.Win32.FraudPack.rdo 1
C:\WINDOWS\system32\drivers\etc\hosts.20091230-113517.backup Infected: Trojan.Win32.FraudPack.rdo 1
C:\WINDOWS\system32\drivers\etc\hosts.20091230-113518.backup Infected: Trojan.Win32.FraudPack.rdo 1
C:\WINDOWS\system32\drivers\etc\hosts.20091230-113519.backup Infected: Trojan.Win32.FraudPack.rdo 1
C:\WINDOWS\system32\drivers\etc\hosts.20091230-113520.backup Infected: Trojan.Win32.FraudPack.rdo 1
C:\WINDOWS\system32\drivers\etc\hosts.20091230-113522.backup Infected: Trojan.Win32.FraudPack.rdo 1
C:\WINDOWS\system32\drivers\etc\hosts.20091230-113523.backup Infected: Trojan.Win32.FraudPack.rdo 1
C:\WINDOWS\system32\drivers\etc\hosts.20091230-113524.backup Infected: Trojan.Win32.FraudPack.rdo 1
C:\WINDOWS\system32\drivers\etc\hosts.20091230-113525.backup Infected: Trojan.Win32.FraudPack.rdo 1
C:\WINDOWS\system32\drivers\etc\hosts.20091230-113526.backup Infected: Trojan.Win32.FraudPack.rdo 1
C:\WINDOWS\system32\drivers\etc\hosts.20091230-113527.backup Infected: Trojan.Win32.FraudPack.rdo 1
C:\WINDOWS\system32\drivers\etc\hosts.20091230-113528.backup Infected: Trojan.Win32.FraudPack.rdo 1
C:\WINDOWS\system32\drivers\etc\hosts.20091230-113529.backup Infected: Trojan.Win32.FraudPack.rdo 1
C:\WINDOWS\system32\drivers\etc\hosts.20100102-083025.backup Infected: Trojan.Win32.FraudPack.rdo 1
C:\WINDOWS\system32\drivers\etc\hosts.20100102-083028.backup Infected: Trojan.Win32.FraudPack.rdo 1
C:\WINDOWS\system32\drivers\etc\hosts.20100102-083029.backup Infected: Trojan.Win32.FraudPack.rdo 1
C:\_OTM\MovedFiles\01162010_141133\c_windows\system32\drivers\etc\hosts Infected: Trojan.Win32.FraudPack.rdo 1
Selected area has been scanned.
Here is the HJT:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:08:40 PM, on 1/17/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16945)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Cisco\Cisco NAC Agent\NACAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\LAUNCH~1\LManager.exe
C:\WINDOWS\PLFSetI.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Cisco\Cisco NAC Agent\NACAgentUI.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\WebCam\M3000\M3000Mnt.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\WINDOWS\system32\igfxext.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&s=0&o=xph&d=0909&m=aspire_one
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&s=0&o=xph&d=0909&m=aspire_one
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&s=0&o=xph&d=0909&m=aspire_one
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\LManager.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [CarboniteSetupLite] "C:\Program Files\Carbonite\CarbonitePreinstaller.exe" /preinstalled
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [PLFSetI] C:\WINDOWS\PLFSetI.exe
O4 - HKLM\..\Run: [M3000Mnt] Rundll32.exe M3000Rmv.dll ,WinMainRmv /StartStillMnt
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [NACAgentUI] C:\Program Files\Cisco\Cisco NAC Agent\NACAgentUI.exe
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\rsfNZBGrI.exe" /runcleanupscript
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Search Protection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Startup: OpenOffice.org 3.1.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4D2D3A17-9B46-483C-A5F4-1DC471080009} (Cisco NAC Web Agent Control) - https://lcwireless.scu.edu/auth/taweb.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Desktop Manager 5.7.808.7150 (GoogleDesktopManager-080708-050100) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Cisco NAC Agent (NACAgent) - Cisco Systems, Inc. - C:\Program Files\Cisco\Cisco NAC Agent\NACAgent.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
--
End of file - 9321 bytes
Please confirm that Kaspersky only identifies issues but doesn't clean them. I didn't see any instructions to use Kaspersky to clean or fix any issues.
Yes it identifies only.
Please download ATF Cleaner by Atribune (http://www.atribune.org/ccount/click.php?id=1) and save it to desktop.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browser
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit to close ATF-Cleaner.
Double-click OTM.exe. (Vista users, please right click on OTM.exe and select "Run as an Administrator")
Copy the lines in the codebox below.
:files
C:\WINDOWS\system32\drivers\etc\hosts.20091229-201439.backup
C:\WINDOWS\system32\drivers\etc\hosts.20091229-204056.backup
C:\WINDOWS\system32\drivers\etc\hosts.20091229-204113.backup
C:\WINDOWS\system32\drivers\etc\hosts.20091229-204114.backup
C:\WINDOWS\system32\drivers\etc\hosts.20091229-204115.backup
C:\WINDOWS\system32\drivers\etc\hosts.20091229-204116.backup
C:\WINDOWS\system32\drivers\etc\hosts.20091229-204118.backup
C:\WINDOWS\system32\drivers\etc\hosts.20091229-204119.backup
C:\WINDOWS\system32\drivers\etc\hosts.20091229-204120.backup
C:\WINDOWS\system32\drivers\etc\hosts.20091229-204121.backup
C:\WINDOWS\system32\drivers\etc\hosts.20091229-204122.backup
C:\WINDOWS\system32\drivers\etc\hosts.20091229-204123.backup
C:\WINDOWS\system32\drivers\etc\hosts.20091229-204124.backup
C:\WINDOWS\system32\drivers\etc\hosts.20091229-204240.backup
C:\WINDOWS\system32\drivers\etc\hosts.20091229-204244.backup
C:\WINDOWS\system32\drivers\etc\hosts.20091229-204245.backup
C:\WINDOWS\system32\drivers\etc\hosts.20091229-204246.backup
C:\WINDOWS\system32\drivers\etc\hosts.20091229-204247.backup
C:\WINDOWS\system32\drivers\etc\hosts.20091229-204248.backup
C:\WINDOWS\system32\drivers\etc\hosts.20091229-204249.backup
C:\WINDOWS\system32\drivers\etc\hosts.20091229-204250.backup
C:\WINDOWS\system32\drivers\etc\hosts.20091229-204251.backup
C:\WINDOWS\system32\drivers\etc\hosts.20091229-204252.backup
C:\WINDOWS\system32\drivers\etc\hosts.20091229-204253.backup
C:\WINDOWS\system32\drivers\etc\hosts.20091229-204254.backup
C:\WINDOWS\system32\drivers\etc\hosts.20091229-204255.backup
C:\WINDOWS\system32\drivers\etc\hosts.20091229-204256.backup
C:\WINDOWS\system32\drivers\etc\hosts.20091229-204259.backup
C:\WINDOWS\system32\drivers\etc\hosts.20091229-204300.backup
C:\WINDOWS\system32\drivers\etc\hosts.20091229-204301.backup
C:\WINDOWS\system32\drivers\etc\hosts.20091229-204430.backup
C:\WINDOWS\system32\drivers\etc\hosts.20091229-204436.backup
C:\WINDOWS\system32\drivers\etc\hosts.20091229-204438.backup
C:\WINDOWS\system32\drivers\etc\hosts.20091229-204439.backup
C:\WINDOWS\system32\drivers\etc\hosts.20091229-204440.backup
C:\WINDOWS\system32\drivers\etc\hosts.20091229-204441.backup
C:\WINDOWS\system32\drivers\etc\hosts.20091229-204442.backup
C:\WINDOWS\system32\drivers\etc\hosts.20091229-204443.backup
C:\WINDOWS\system32\drivers\etc\hosts.20091229-204444.backup
C:\WINDOWS\system32\drivers\etc\hosts.20091229-204445.backup
C:\WINDOWS\system32\drivers\etc\hosts.20091229-204446.backup
C:\WINDOWS\system32\drivers\etc\hosts.20091229-204447.backup
C:\WINDOWS\system32\drivers\etc\hosts.20091229-204448.backup
C:\WINDOWS\system32\drivers\etc\hosts.20091229-204449.backup
C:\WINDOWS\system32\drivers\etc\hosts.20091229-204450.backup
C:\WINDOWS\system32\drivers\etc\hosts.20091229-204617.backup
C:\WINDOWS\system32\drivers\etc\hosts.20091230-113506.backup
C:\WINDOWS\system32\drivers\etc\hosts.20091230-113514.backup
C:\WINDOWS\system32\drivers\etc\hosts.20091230-113515.backup
C:\WINDOWS\system32\drivers\etc\hosts.20091230-113516.backup
C:\WINDOWS\system32\drivers\etc\hosts.20091230-113517.backup
C:\WINDOWS\system32\drivers\etc\hosts.20091230-113518.backup
C:\WINDOWS\system32\drivers\etc\hosts.20091230-113519.backup
C:\WINDOWS\system32\drivers\etc\hosts.20091230-113520.backup
C:\WINDOWS\system32\drivers\etc\hosts.20091230-113522.backup
C:\WINDOWS\system32\drivers\etc\hosts.20091230-113523.backup
C:\WINDOWS\system32\drivers\etc\hosts.20091230-113524.backup
C:\WINDOWS\system32\drivers\etc\hosts.20091230-113525.backup
C:\WINDOWS\system32\drivers\etc\hosts.20091230-113526.backup
C:\WINDOWS\system32\drivers\etc\hosts.20091230-113527.backup
C:\WINDOWS\system32\drivers\etc\hosts.20091230-113528.backup
C:\WINDOWS\system32\drivers\etc\hosts.20091230-113529.backup
C:\WINDOWS\system32\drivers\etc\hosts.20100102-083025.backup
C:\WINDOWS\system32\drivers\etc\hosts.20100102-083028.backup
C:\WINDOWS\system32\drivers\etc\hosts.20100102-083029.backup
Return to OTMoveIt, right click in the Paste Instructions for Items to be Moved window (under the yellow bar) and choose Paste.
Click the red Moveit! button.
Copy everything in the Results window (under the green bar), and paste it in your next reply.
Close OTMoveIt
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.
========== FILES ==========
C:\WINDOWS\system32\drivers\etc\hosts.20091229-201439.backup moved successfully.
C:\WINDOWS\system32\drivers\etc\hosts.20091229-204056.backup moved successfully.
C:\WINDOWS\system32\drivers\etc\hosts.20091229-204113.backup moved successfully.
C:\WINDOWS\system32\drivers\etc\hosts.20091229-204114.backup moved successfully.
C:\WINDOWS\system32\drivers\etc\hosts.20091229-204115.backup moved successfully.
C:\WINDOWS\system32\drivers\etc\hosts.20091229-204116.backup moved successfully.
C:\WINDOWS\system32\drivers\etc\hosts.20091229-204118.backup moved successfully.
C:\WINDOWS\system32\drivers\etc\hosts.20091229-204119.backup moved successfully.
C:\WINDOWS\system32\drivers\etc\hosts.20091229-204120.backup moved successfully.
C:\WINDOWS\system32\drivers\etc\hosts.20091229-204121.backup moved successfully.
C:\WINDOWS\system32\drivers\etc\hosts.20091229-204122.backup moved successfully.
C:\WINDOWS\system32\drivers\etc\hosts.20091229-204123.backup moved successfully.
C:\WINDOWS\system32\drivers\etc\hosts.20091229-204124.backup moved successfully.
C:\WINDOWS\system32\drivers\etc\hosts.20091229-204240.backup moved successfully.
C:\WINDOWS\system32\drivers\etc\hosts.20091229-204244.backup moved successfully.
C:\WINDOWS\system32\drivers\etc\hosts.20091229-204245.backup moved successfully.
C:\WINDOWS\system32\drivers\etc\hosts.20091229-204246.backup moved successfully.
C:\WINDOWS\system32\drivers\etc\hosts.20091229-204247.backup moved successfully.
C:\WINDOWS\system32\drivers\etc\hosts.20091229-204248.backup moved successfully.
C:\WINDOWS\system32\drivers\etc\hosts.20091229-204249.backup moved successfully.
C:\WINDOWS\system32\drivers\etc\hosts.20091229-204250.backup moved successfully.
C:\WINDOWS\system32\drivers\etc\hosts.20091229-204251.backup moved successfully.
C:\WINDOWS\system32\drivers\etc\hosts.20091229-204252.backup moved successfully.
C:\WINDOWS\system32\drivers\etc\hosts.20091229-204253.backup moved successfully.
C:\WINDOWS\system32\drivers\etc\hosts.20091229-204254.backup moved successfully.
C:\WINDOWS\system32\drivers\etc\hosts.20091229-204255.backup moved successfully.
C:\WINDOWS\system32\drivers\etc\hosts.20091229-204256.backup moved successfully.
C:\WINDOWS\system32\drivers\etc\hosts.20091229-204259.backup moved successfully.
C:\WINDOWS\system32\drivers\etc\hosts.20091229-204300.backup moved successfully.
C:\WINDOWS\system32\drivers\etc\hosts.20091229-204301.backup moved successfully.
C:\WINDOWS\system32\drivers\etc\hosts.20091229-204430.backup moved successfully.
C:\WINDOWS\system32\drivers\etc\hosts.20091229-204436.backup moved successfully.
C:\WINDOWS\system32\drivers\etc\hosts.20091229-204438.backup moved successfully.
C:\WINDOWS\system32\drivers\etc\hosts.20091229-204439.backup moved successfully.
C:\WINDOWS\system32\drivers\etc\hosts.20091229-204440.backup moved successfully.
C:\WINDOWS\system32\drivers\etc\hosts.20091229-204441.backup moved successfully.
C:\WINDOWS\system32\drivers\etc\hosts.20091229-204442.backup moved successfully.
C:\WINDOWS\system32\drivers\etc\hosts.20091229-204443.backup moved successfully.
C:\WINDOWS\system32\drivers\etc\hosts.20091229-204444.backup moved successfully.
C:\WINDOWS\system32\drivers\etc\hosts.20091229-204445.backup moved successfully.
C:\WINDOWS\system32\drivers\etc\hosts.20091229-204446.backup moved successfully.
C:\WINDOWS\system32\drivers\etc\hosts.20091229-204447.backup moved successfully.
C:\WINDOWS\system32\drivers\etc\hosts.20091229-204448.backup moved successfully.
C:\WINDOWS\system32\drivers\etc\hosts.20091229-204449.backup moved successfully.
C:\WINDOWS\system32\drivers\etc\hosts.20091229-204450.backup moved successfully.
C:\WINDOWS\system32\drivers\etc\hosts.20091229-204617.backup moved successfully.
C:\WINDOWS\system32\drivers\etc\hosts.20091230-113506.backup moved successfully.
C:\WINDOWS\system32\drivers\etc\hosts.20091230-113514.backup moved successfully.
C:\WINDOWS\system32\drivers\etc\hosts.20091230-113515.backup moved successfully.
C:\WINDOWS\system32\drivers\etc\hosts.20091230-113516.backup moved successfully.
C:\WINDOWS\system32\drivers\etc\hosts.20091230-113517.backup moved successfully.
C:\WINDOWS\system32\drivers\etc\hosts.20091230-113518.backup moved successfully.
C:\WINDOWS\system32\drivers\etc\hosts.20091230-113519.backup moved successfully.
C:\WINDOWS\system32\drivers\etc\hosts.20091230-113520.backup moved successfully.
C:\WINDOWS\system32\drivers\etc\hosts.20091230-113522.backup moved successfully.
C:\WINDOWS\system32\drivers\etc\hosts.20091230-113523.backup moved successfully.
C:\WINDOWS\system32\drivers\etc\hosts.20091230-113524.backup moved successfully.
C:\WINDOWS\system32\drivers\etc\hosts.20091230-113525.backup moved successfully.
C:\WINDOWS\system32\drivers\etc\hosts.20091230-113526.backup moved successfully.
C:\WINDOWS\system32\drivers\etc\hosts.20091230-113527.backup moved successfully.
C:\WINDOWS\system32\drivers\etc\hosts.20091230-113528.backup moved successfully.
C:\WINDOWS\system32\drivers\etc\hosts.20091230-113529.backup moved successfully.
C:\WINDOWS\system32\drivers\etc\hosts.20100102-083025.backup moved successfully.
C:\WINDOWS\system32\drivers\etc\hosts.20100102-083028.backup moved successfully.
C:\WINDOWS\system32\drivers\etc\hosts.20100102-083029.backup moved successfully.
OTM by OldTimer - Version 3.1.6.0 log created on 01182010_132948
==========================
http://forums.spybot.info/showthread.php?p=356230#post356230
Per the FAQ and Tashi's reference I have another infected computer. I had opened a separate thread. I am informing you of the additional computer. The first computer, the Acer Aspire One, was infected at my daughter's college, but is now home so I can try to resolve. The second computer, a Dell desktop, has always been located in the house. The computers share a wireless router but are not otherwise networked.
Thanks for update.
That looks good :)
Still problems?
I reran Spybot and it didn't find the issues so it would appear things are ok. Thank you very much.
Good :)
Are you ready for final instructions?
Yes, ready for final instructions
Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
Looking over your log, it seems you don't have any evidence of a third party firewall.
As the term conveys, a firewall is an extra layer of security installed onto computers, which restricts access to systems from the outside world. Firewalls protect against hackers and malicious intruders. I want you to download a free firewall NOW from one of these excellent vendors:
1) Comodo (http://www.personalfirewall.comodo.com/download_firewall.html) (Uncheck during installation "Install COMODO Antivirus (Recommended)"!, "Install Comodo SafeSurf..", Make Comodo my default search provider" and "Make Comodo Search my homepage")
2) Online Armor (http://www.tallemu.com/online_armor_free.html)
3) PC Tools (http://www.pctools.com/firewall/download/)
4) Sunbelt/Kerio (http://www.sunbelt-software.com/Kerio-Download.cfm)
5) ZoneAlarm (http://www.zonelabs.com/store/content/catalog/products/sku_list_za.jsp?dc=12bms&ctry=US&lang=en&lid=nav_za) (uncheck ZoneAlarm Spy Blocker during installation if you choose this one)
If you are using the built-in Windows XP firewall, it is not recommended as it does not block outgoing connections. This means that any malware on your computer is free to "phone home" for more instructions. Simply put, Windows XP contains a mediocre firewall. This firewall is NO replacement for a dedicated software solution. Remember to use only one firewall at the same time.
Next we remove all used tools.
Please download OTCleanIt (http://oldtimer.geekstogo.com/OTC.exe) and save it to desktop.
Double-click OTC.exe.
Click the CleanUp! button.
Select Yes when the "Begin cleanup Process?" prompt appears.
If you are prompted to Reboot during the cleanup, select Yes.
The tool will delete itself once it finishes; if not, delete it yourself.
Note: If you receive a warning from your firewall or other security programs regarding OTCleanIt attempting to contact the internet, please allow it to do so.
Disable and Enable System Restore. - If you are using Windows XP then you should disable and re-enable system restore to make sure there are no infected files found in a restore point.
You can find instructions on how to enable and re-enable system restore here:
Windows XP System Restore Guide (http://www.bleepingcomputer.com/forums/tutorial56.html)
Re-enable system restore with instructions from tutorial above
Make your Internet Explorer more secure - This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialize and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.
Update your AntiVirus Software and keep your other programs up-to-date - Update your Antivirus programs and other security products regularly to avoid new threats that could infect your system.
You can use one of these sites to check if any updates are needed for your pc.
Secunia Software Inspector (http://secunia.com/software_inspector/)
F-secure Health Check (http://www.f-secure.com/weblog/archives/00001356.html)
Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com (http://www.windowsupdate.com) regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
Install Malwarebytes' Anti-Malware - Malwarebytes' Anti-Malware is a new and powerful anti-malware tool. It is totally free but for real-time protection you will have to pay a small one-time fee. Tutorial on installing & using this product can be found below:
Malwarebytes' Anti-Malware Setup Guide (http://www.lognrock.com/forum/index.php?showtopic=6926)
Malwarebytes' Anti-Malware Scanning Guide (http://www.lognrock.com/forum/index.php?showtopic=6913)
Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.
A tutorial on installing & using this product can be found here:
Using SpywareBlaster to protect your computer from Spyware and Malware (http://www.bleepingcomputer.com/tutorials/tutorial49.html)
Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.
Here are some additional utilities that will enhance your safety
MVPS Hosts file (http://mvps.org/winhelp2002/hosts.htm) <= The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer. See also a hosts file tutorial here (http://malwareremoval.com/forum/viewtopic.php?t=22187)
Winpatrol (http://www.winpatrol.com/) <= Download and install the free version of Winpatrol. A tutorial for this product is located here:
Using Winpatrol to protect your computer from malicious software (http://www.winpatrol.com/features.html)
Stand Up and Be Counted ---> Malware Complaints (http://www.malwarecomplaints.info/index.php) <--- where you can make a difference!
The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.
Also, please read this great article by Tony Klein So How Did I Get Infected In First Place (http://forums.spybot.info/showthread.php?t=279)
Happy surfing and stay clean! :bigthumb:
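As an added example (not code from this thread or from any of the tools it names), a small Python script that parses a Windows hosts file and separates MVPS-style block entries, which point a name at 127.0.0.1 or 0.0.0.0 so the lookup goes nowhere, from redirect entries that send a name to some other address, which is the pattern behind the RedirectHosts detection this thread is about. The sample hosts content and the .test domain names are constructed.

```python
"""Classify hosts-file entries: harmless sinkhole blocks vs. real redirects.

Added example, not from the forum thread. A blocking hosts file (MVPS style)
maps unwanted names to a loopback or unspecified address, so connections to
them fail locally. A hijacked hosts file instead maps names, typically
security-vendor update sites or search engines, to an address the attacker
controls. The content below is constructed for the demonstration.
"""
import ipaddress
import re
from typing import Dict, List, Tuple

# Constructed sample: Microsoft's default localhost lines, two MVPS-style
# block entries, and two redirects of the kind a hijack would plant.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
0.0.0.0         ad.example-tracker.test      # MVPS-style block entry
127.0.0.1       banner.example-ads.test
192.0.2.10      update.example-antivirus.test   # redirect (constructed)
192.0.2.10      www.example-search.test         # redirect (constructed)
::1             localhost
"""

HostEntry = Tuple[int, str, str]  # (line number, address, hostname)


def is_sinkhole(address: str) -> bool:
    """True for addresses that merely swallow a lookup (127.x, 0.0.0.0, ::1)."""
    ip = ipaddress.ip_address(address)
    return ip.is_loopback or ip.is_unspecified


def parse_hosts(text: str) -> List[HostEntry]:
    """Return (line_no, address, hostname) for every mapping in the file.

    Comments (anything after '#') and blank lines are ignored. One line may
    map several hostnames to a single address; each pair is returned on its
    own so later checks can look at names individually.
    """
    entries: List[HostEntry] = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = re.split(r"\s+", line)
        address, names = fields[0], fields[1:]
        try:
            ipaddress.ip_address(address)
        except ValueError:
            continue  # not an address, so not a mapping line
        for name in names:
            entries.append((line_no, address, name.lower()))
    return entries


def find_redirects(text: str) -> Dict[str, List[str]]:
    """Group hostnames by the non-sinkhole address they are redirected to.

    Entries pointing at a sinkhole address (blocks and the default localhost
    lines) are skipped; everything else is a redirect worth reviewing.
    """
    redirects: Dict[str, List[str]] = {}
    for _line_no, address, name in parse_hosts(text):
        if is_sinkhole(address):
            continue
        redirects.setdefault(address, []).append(name)
    return redirects


if __name__ == "__main__":
    for address, names in find_redirects(SAMPLE_HOSTS).items():
        print(f"{address} <- {', '.join(names)}")
```

On a real machine you would read C:\WINDOWS\system32\drivers\etc\hosts instead of SAMPLE_HOSTS; any address reported by find_redirects is one the file is steering names to rather than blocking.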
Thank you.
I will get to these steps asap.
What is your opinion of McAfee? It seems the forum recommends not installing multiple virus applications at once. Also, I don't see Spybot in your instructions. Are you assuming I already installed it, or should I not be running it and Teatimer constantly? I have Teatimer running at startup on my other home computer.
Thanks,
J
"What is your opinion of McAfee? It seems the forum recommends not installing multiple virus applications at once. "
It is fine, no AV can find everything. Yes, you should use only one AV to avoid conflicts.
"Also, I don't see Spybot in your instructions. Are you assuming I already installed it or should I not be running it and Teatimer constantly. I have Teatimer running at startup on my other home computer."
I saw it installed in DDS log so it is not included. Also I do assume that if one asks help from Spybot forums, Spybot is installed ;)
I completed the final steps.
Thank you very much.
You can close the thread.
Now it is on to my other infected computer.
Since this issue appears to be resolved ... this Topic has been closed. Glad I could help.
Note: If it has been four days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.
If it has been less than four days since your last response and you need the thread re-opened, please send me or your helper a private message (pm). A valid, working link to the closed topic is required. Please do not add any logs that might have been requested in the closed topic, you would be starting fresh.