PDA

View Full Version : windows fraud protection


arash
2010-04-27, 15:09
Please help re Windows fraud protection. Spybot cannot delete as problem with host.

have tried other link solutions but does not work

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:49:18, on 23/04/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\Windows\System32\smss.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Windows\system32\lxdxcoms.exe
C:\Program Files\orderTalk\OTPrintAgent\OTPrintAgent.exe
C:\Windows\System32\snmp.exe
C:\Windows\system32\svchost.exe
C:\Program Files\TightVNC\WinVNC.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Windows\system32\mqsvc.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\mqtgsvc.exe
C:\Windows\SOUNDMAN.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Windows\system32\ctfmon.exe
c:\rameses\program\ramserve.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Windows\System32\svchost.exe
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
C:\Program Files\OpenOffice.org 2.2\program\soffice.exe
C:\Program Files\OpenOffice.org 2.2\program\soffice.BIN
c:\rameses\program\rameses.exe
C:\Rameses\components\SharedGACComponents\Andromeda.Comms.Service.exe
C:\Hthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = www.andromedagroup.co.uk;http://10.0.101.1;multimap;atdmt.com;ramesesa.ordertalk.net;rameses.ordertalk.net;http://www.androupdate.com;https://reporting.datacash.com;mgr-easypizza.ordertalk.net;https://reporting.datacash.com;https://mars.transaction.datacash.com;www.androtech.com<local>
F2 - REG:system.ini: UserInit=C:\Windows\system32\userinit.exe,%windir%\system32\userinit.exe,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: RamBlocker.RamBlock - {6A25B4FD-4917-4E61-B993-58F4EC0A3255} - c:\rameses\components\AndromedaInternetLockdown\andromedainternetlockdown.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.4723.1820\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM\..\Run: [XeroxScannerDaemon] C:\Program Files\Xerox\NWWia\XrxFTPLt.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\Windows\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Rameses Client] c:\RamBoot.exe
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\TightVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [zzz_ImInstaller_IncrediMail] C:\Documents and Settings\Pizza\Local Settings\Temp\ImInstaller\IncrediMail\incredimail_install.exe -startup -product IncrediMail
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\Windows\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O4 - Startup: OpenOffice.org 2.2.lnk = C:\Program Files\OpenOffice.org 2.2\program\quickstart.exe
O4 - Global Startup: Email.lnk = C:\Program Files\Mozilla Thunderbird\thunderbird.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\Windows\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\Windows\Network Diagnostic\xpnetdiag.exe
O10 - Broken Internet access because of LSP provider 'c:\windows\system32\nwprovau.dll' missing
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1244990628687
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1200240355218
O16 - DPF: {87BE3784-6977-4E84-AA08-55A96B9CEAC5} (Bl_camera Control) - http://10.0.101.253/bl_camera.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C77B0997-5674-428E-96A0-C21800187869}: NameServer = 212.23.3.100,212.23.6.100
O20 - Winlogon Notify: SSOExec - %windir%\temp\sso\ssoexec.dll (file missing)
O23 - Service: Andromeda Comms Service (AndromedaCommsService) - Andromeda Trading Ltd - C:\Rameses\components\SharedGACComponents\Andromeda.Comms.Service.exe
O23 - Service: CesarFTP FTP Server (CesarFTP) - Unknown owner - C:\Program Files\CesarFTP\server.exe (file missing)
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: lxdx_device - - C:\Windows\system32\lxdxcoms.exe
O23 - Service: OrderTalk Print Agent (OTPrintAgent) - orderTalk, Inc - C:\Program Files\orderTalk\OTPrintAgent\OTPrintAgent.exe
O23 - Service: QoS RSVP (RSVP) - Unknown owner - C:\Windows\system32\rsvp.exe (file missing)
O23 - Service: VNC Server (winvnc) - TightVNC Group - C:\Program Files\TightVNC\WinVNC.exe
tashi
2010-04-28, 08:13
Hello arash,

You have an open topic: http://forums.spybot.info/showthread.php?p=368795#post368795 ;)

Post here if still waiting for help in the Malware Forum, (AFTER) FOUR days (http://forums.spybot.info/showthread.php?t=1137)

Best regards.