PDA

View Full Version : Prob with FraudWindowsProtectionSuite & Microsoft.Windows.RedirectedHost



300SD
2010-08-03, 19:08
OS. Win2000
Spybot 1.6.2

Malwarebytes Anti-Malware found FraudWindowsProtectionSuite and Microsoft.Windows.RedirectedHost. I used this software to try to remove it.
The software said it was successfully removed and than I rebooted and rescanned again. Mbam said it was clean.

I then rebooted and scanned with Spybot S&D.
Spybot S&D finds FraudWindowsProtectionSuite and Microsoft.Windows.RedirectedHost
When S&D tries to fix the problem a box pops up and says:
unexpected error in fixing problems (cannot create file "C:\WINNT\System32\drivers\etc\hosts", Access is denied)
I used Alt-F4 to close this warning box
This pop up box may be from Fraud Windows Protection Suite. The box does not show who it is from, so it could be the OS , Virus, or S&D.

How do I remove FraudWindowsProtectionSuite and Microsoft.Windows.RedirectedHost?



DDS (Ver_10-03-17.01) - NTFSx86
Run by Scott at 10:53:54.17 on Tue 08/03/2010
Internet Explorer: 6.0.2800.1106
Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.1024.797 [GMT -5:00]


============== Running Processes ===============

C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\WINNT\system32\hidserv.exe
C:\WINNT\system32\spool\DRIVERS\W32X86\3\lxdqserv.exe
C:\WINNT\system32\lxdqcoms.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\System32\locator.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\spool\DRIVERS\W32X86\2\printray.exe
C:\Program Files\Lexmark Z2400 Series\lxdqmon.exe
C:\Program Files\Linksys\WUSB100\WUSB100.exe
C:\Program Files\Lexmark Z2400 Series\lxdqMsdMon.exe
E:\Utils\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Bar =
BHO: Lexmark Toolbar: {1017a80c-6f09-4548-a84d-edd6ac9525f0} - c:\program files\lexmark toolbar\toolband.dll
BHO: {495FFA2C-A0B1-4C1B-A97F-285195488913} - No File
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: PCTools Site Guard: {5c8b2a36-3db1-42a4-a3cb-d426709bbfeb} - c:\progra~1\spywar~2\tools\iesdsg.dll
BHO: PCTools Browser Monitor: {b56a7d7d-6927-48c8-a975-17df180c71ac} - c:\progra~1\spywar~2\tools\iesdpb.dll
TB: Lexmark Toolbar: {1017a80c-6f09-4548-a84d-edd6ac9525f0} - c:\program files\lexmark toolbar\toolband.dll
TB: {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - No File
EB: Media Band: {32683183-48a0-441b-a342-7c2a440a9478} - %SystemRoot%\System32\browseui.dll
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [Spyware Doctor] "c:\program files\spyware doctor\swdoctor.exe" /Q
mRun: [Synchronization Manager] mobsync.exe /logon
mRun: [PrinTray] c:\winnt\system32\spool\drivers\w32x86\2\printray.exe
mRun: [lxdqmon.exe] "c:\program files\lexmark z2400 series\lxdqmon.exe"
mRun: [lxdqamon] "c:\program files\lexmark z2400 series\lxdqamon.exe"
mRun: [ddoctorv2] "c:\program files\comcast\desktop doctor\bin\sprtcmd.exe" /P ddoctorv2
mRun: [<NO NAME>]
dRunOnce: [^SetupICWDesktop] c:\program files\internet explorer\connection wizard\icwconn1.exe /desktop
StartupFolder: c:\docume~1\scott\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\docume~1\scott\startm~1\programs\startup\rise.lnk - c:\mcam8\crack\rise.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\wirele~1.lnk - c:\program files\linksys\wusb100\WUSB100.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
IE: {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - {A1EDC4A1-940F-48E0-8DFD-E38F1D501021} - c:\progra~1\spywar~2\tools\iesdpb.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: internet
Trusted Zone: mcafee.com
DPF: DirectAnimation Java Classes - file://c:\winnt\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\winnt\java\classes\xmldso.cab
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1237017598500
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?39887.0018055556
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
IFEO: image file execution options - svchost.exe
Hosts: 74.125.45.100 4-open-davinci.com
Hosts: 74.125.45.100 securitysoftwarepayments.com
Hosts: 74.125.45.100 privatesecuredpayments.com
Hosts: 74.125.45.100 secure.privatesecuredpayments.com
Hosts: 74.125.45.100 getantivirusplusnow.com

Note: multiple HOSTS entries found. Please refer to Attach.txt

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\scott\applic~1\mozilla\firefox\profiles\yf3dqeua.default\
FF - prefs.js: browser.search.selectedEngine - search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com

============= SERVICES / DRIVERS ===============

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R2 lxdq_device;lxdq_device;c:\winnt\system32\lxdqcoms.exe -service --> c:\winnt\system32\lxdqcoms.exe -service [?]
R2 lxdqCATSCustConnectService;lxdqCATSCustConnectService;c:\winnt\system32\spool\drivers\w32x86\3\lxdqserv.exe [2009-6-13 98984]
R3 cwbwdm_device;Crystal WDM Audio Codec Driver;c:\winnt\system32\drivers\cwbwdm.sys [2007-7-27 79264]
R3 EL90BC;3Com EtherLink XL B/C Adapter Driver;c:\winnt\system32\drivers\el90xbc5.sys [2007-7-27 61712]
R3 miniqic;miniqic;c:\winnt\system32\drivers\miniqic.sys [2007-7-27 6608]
S3 rt2870;Linksys 802.11n USB Wireless LAN Card Driver;c:\winnt\system32\drivers\rt2870.sys [2007-7-28 517632]

=============== Created Last 30 ================

2010-08-03 15:53:54 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_31c.dat
2010-08-02 19:00:13 0 d-----w- c:\program files\Spyware Doctor
2010-08-02 18:15:25 82432 ----a-w- c:\winnt\system32\msxml4r.dll
2010-08-02 18:15:25 44544 ----a-w- c:\winnt\system32\msxml4a.dll
2010-08-02 18:15:25 1233920 ----a-w- c:\winnt\system32\msxml4.dll
2010-08-02 18:15:23 0 d-----w- c:\program files\Spyware Doctor Enterprise Server
2010-08-02 18:13:37 499712 ----a-w- c:\winnt\system32\msvcp71.dll
2010-08-02 18:13:37 348160 ----a-w- c:\winnt\system32\msvcr71.dll
2010-08-02 18:00:57 4656 -c--a-w- c:\winnt\system32\dllcache\ds16gt.dll
2010-08-01 02:43:22 0 d-----w- c:\docume~1\scott\applic~1\SUPERAntiSpyware.com
2010-08-01 02:43:22 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-08-01 02:42:18 0 d-----w- c:\program files\SUPERAntiSpyware
2010-07-30 20:23:34 38224 ----a-w- c:\winnt\system32\drivers\mbamswissarmy.sys
2010-07-30 20:23:28 19288 ----a-w- c:\winnt\system32\drivers\mbam.sys
2010-07-30 20:23:28 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-30 17:06:08 0 d-----w- c:\docume~1\scott\applic~1\Malwarebytes
2010-07-30 17:06:00 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-07-30 02:20:02 13744 -c--a-w- c:\winnt\system32\dllcache\kbdhid.sys
2010-07-30 02:20:02 13744 ----a-w- c:\winnt\system32\drivers\kbdhid.sys
2010-07-30 02:20:00 19728 -c--a-w- c:\winnt\system32\dllcache\hidserv.exe
2010-07-30 02:20:00 19728 ----a-w- c:\winnt\system32\hidserv.exe
2010-07-30 02:19:53 11632 -c--a-w- c:\winnt\system32\dllcache\mouhid.sys
2010-07-30 02:19:53 11632 ----a-w- c:\winnt\system32\drivers\mouhid.sys
2010-07-23 23:56:58 92464 ----a-w- c:\winnt\system32\drivers\SBREDrv.sys
2010-07-23 23:56:58 65320 ----a-w- c:\winnt\system32\sbbd.exe
2010-07-23 23:56:17 0 d-----w- C:\VIPRERESCUE
2010-07-23 11:44:00 303 ----a-w- c:\winnt\wininit.ini
2010-07-22 18:14:19 0 d-sh--w- c:\docume~1\alluse~1\applic~1\SMEICAV

==================== Find3M ====================

2007-07-27 15:30:01 271 ---h--w- c:\program files\desktop.ini
2007-07-27 15:30:01 21952 ---h--w- c:\program files\folder.htt
1999-12-07 12:00:00 32528 ----a-w- c:\winnt\inf\wbfirdma.sys

============= FINISH: 10:55:07.73 ===============

shelf life
2010-08-08, 17:00
Hi,

If you still need help:

Get a copy of HJT (v2.0.4)and we will use it to remove the host file entries;

HJT (http://free.antivirus.com/hijackthis/)

300SD
2010-08-08, 21:01
Thank you so much for your reply.

I installed HJT (v2.0.4) and launched it.
HJT popped this up on the screen.


For some reason your system denied write access to the
file host. If any hijacked domains are in theis file, HighjackedThis may not be able to fix this.
If this happens, you need to edit the file yourself. To do this, click Start, Run, and type:
notepad C:\winnt\system32\drivers\etc\hosts and press enter, Find the line(s) HiJackThis reports and delete them. Save the file as 'hosts.' (with quotes), and reboot.
For Vista: Simply , exit HiJackThis, rightClick on the Hijack this icon: choose \Run as Administrator.

Under the Scan & Fix box I chose the button "save log"
I have attached the log to this posting.

Thank you

300SD
2010-08-08, 21:05
hiJackThis.Log
is attached

300SD
2010-08-08, 21:14
HijackThis log report zipped
and attached.

shelf life
2010-08-09, 00:45
ok, may as well try this:

click Start, Run, and type:
notepad C:\winnt\system32\drivers\etc\hosts and press enter, Find the line(s) HiJackThis reports and delete them. Save the file as 'hosts.' (with quotes), and reboot.

If you are successful opening the host file the lines you want to delete out are these:

74.125.45.100 4-open-davinci.com
74.125.45.100 securitysoftwarepayments.com
74.125.45.100 privatesecuredpayments.com
74.125.45.100 secure.privatesecuredpayments.com
74.125.45.100 secure-plus-payments.com
74.125.45.100 www.getantivirusplusnow.com
74.125.45.100 www.secure-plus-payments.com
74.125.45.100 safebrowsing-cache.google.com
74.125.45.100 www.securesoftwarebill.com
74.125.45.100 paysoftbillsolution.com
74.125.45.100 protected.maxisoftwaremart.com
74.125.45.100 www.getavplusnow.com
74.125.45.100 urs.microsoft.com
74.125.45.100 secure.paysecuresystem.com
217.23.4.103 www.google.com
217.23.4.103 google.it
217.23.4.103 www.google.it
217.23.4.103 www.google.no
217.23.4.103 google.pl
217.23.4.103 uk.search.yahoo.com

300SD
2010-08-10, 19:20
Hi,
The things you suggested to remove from the hosts file have been successfully removed. I rebooted the computer and scanned with Spybot. Spybot says that the computer is clean. Spybot did not find anything after the hosts file was changed.

Is the computer clean now or is there another step we should do?

shelf life
2010-08-10, 23:56
ok good. Is a updated Malwarebytes coming up clean after a scan? If so then we can call it quits. If all is good: some tips for you:

10 Tips for Reducing/Preventing Your Risk To Malware:
There is no reason why your computer can not stay malware free

In no special order:

1) It is essential to keep your OS (http://update.microsoft.com/microsoftupdate/v6/default.aspx?ln=en-us),(Windows) browser (IE, FireFox) and other software up to date to "patch" vulnerabilities that could be exploited. Visit Windows Update frequently or use the auto-update feature. Staying updated is also necessary for web based applications like Java, Adobe Flash/Reader, QuickTime etc. Check there version status here. (http://secunia.com/vulnerability_scanning/online/)

2) Know what you are installing to your computer. Alot of software can come bundled with unwanted add-ons, like adware, toolbars and malware. More and more legitimate software is installing useless toolbars if not unchecked first. Do not install any files from ads, popups or random links. Do not fall for fake warnings about virus and trojans being found on your computer and you are then prompted to install software to remedy this. See also the signs (http://www.virusvault.us/signs1.html)that you may have malware on your computer.

3) Install and keep updated: one antivirus and two or three anti-malware applications. If not updated they will soon be worthless. If either of these frequently find malware then its time to *review your computer habits*. *There is no reason why your computer can not stay malware free*.

4) Refrain from clicking on links or attachments via E-Mail, IM, IRC, Chat Rooms, Blogs or Social Networking Sites, no matter how tempting or legitimate the message may seem.

5) Do not click on ads/pop ups or offers from websites requesting that you need to install software to your computer--*for any reason*. Use the Alt+F4 keys to close the window.

6) Don't click on offers to "scan" your computer. Install ActiveX Objects with care. Do you trust the website to install components?

7) Consider using limited (non-privileged) accounts for everyday use, rather than administrator accounts. Limited accounts (http://www.microsoft.com/protect/computer/advanced/useraccount.mspx) can help prevent *malware from installing and lessen its potential impact.* This is exactly what user account control (UAC) in Windows Vista and Windows 7 attempts to address.

8) Install and understand the *limitations* of a software firewall.

9) A tool (http://nsslabs.com/general/ie8-hardening-tool.html)for automatically hardening and securing Internet Explorer 8.0. Requires site registration for downloading. Or see a slideshow (http://threatpost.com/en_us/slideshow/How%20to%20configure%20Internet%20Explorer%20for%20secure%20surfing)on how to configure IE 8.0.

10) Warez, cracks etc are very popular for carrying malware payloads. If you look for these you will encounter malware. P2p networks are also popular vectors for malware. If you download/install files via p2p networks, then you are also much more likely to encounter malicious code in a downloaded file. Do you really trust the source of the file? Do you really need another malware source?

More info in links below.
Happy Safe Surfing

300SD
2010-08-11, 08:32
shelf life,

Thank you so much for helping me. I scanned with Malwarebytes and it comes up clean and spybot still comes up clean.
I tested connectivity and it can successfully open webpages.

I am using SuperAntiSpyWare 4.41.1000, Spybot, and Malwarebytes
Hopefully that will help keep it clean.

I hope Spybot will be able to include the fix for this in their next version.
Sources on the internet claim FraudWindowsProtectionSuite was developed this year of 2010.

That was a tough one to clean.
Thanks again,
300SD:bigthumb:

shelf life
2010-08-12, 00:04
hi,

Ok your welcome. happy safe surfing out there.