View Full Version : Malware for the 1st time
chas7605
2010-11-27, 07:36
Hi!
I am in need of some help with removing malware from my computer. I have already done what was requested with the DDS.txt and Spybot results along with zipping the attach.txt. Please help me with whatever assistance you may offer. The texts are as follows with DDS.txt, first, followed by Spybot results. Thank you so much for your help. Leon.
DDS (Ver_10-10-10.01) - NTFSx86
Run by User at 13:21:03.96 on Sat 10/09/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.639.121 [GMT -5:00]
AV: My Security Shield *On-access scanning enabled* (Updated) {D56B2FA8-871B-47E5-A679-0C116F87DD68}
AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
FW: My Security Shield *enabled* {730BECE1-339E-4709-99CB-42F2EBA9A9BF}
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\PROGRA~1\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\O8CF91JO\dds[1].com
============== Pseudo HJT Report ===============
uStart Page = hxxp://www.google.com/ig
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: H - No File
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
uRun: [LightScribe Control Panel] c:\program files\common files\lightscribe\LightScribeControlPanel.exe -hidden
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [Search Protection] c:\program files\yahoo!\search protection\SearchProtection.exe
uRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NVMCTRAY.DLL,NvTaskbarInit
uRun: [Messenger (Yahoo!)] "c:\progra~1\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [nwiz] nwiz.exe /install
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
StartupFolder: c:\docume~1\user\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\docume~1\user\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
IE: &Search - ?p=ZJxdm128YYUS
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {6F6FDB9E-5072-498C-BCB0-2B7F00C49EE7} - hxxp://support.dell.com/systemprofiler/DellSystemLite.CAB
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"
IFEO: image file execution options - svchost.exe
Hosts: 74.125.45.100 4-open-davinci.com
Hosts: 74.125.45.100 securitysoftwarepayments.com
Hosts: 74.125.45.100 privatesecuredpayments.com
Hosts: 74.125.45.100 secure.privatesecuredpayments.com
Hosts: 74.125.45.100 getantivirusplusnow.com
Note: multiple HOSTS entries found. Please refer to Attach.txt
============= SERVICES / DRIVERS ===============
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-1-9 56816]
S1 avgio;avgio;\??\c:\program files\avira\antivir desktop\avgio.sys --> c:\program files\avira\antivir desktop\avgio.sys [?]
S3 MTK;Media Technology Kernel Driver;c:\windows\system32\drivers\mtk.sys --> c:\windows\system32\drivers\mtk.sys [?]
S4 AntiVirSchedulerService;Avira AntiVir Scheduler;"c:\program files\avira\antivir desktop\sched.exe" --> c:\program files\avira\antivir desktop\sched.exe [?]
S4 AntiVirService;Avira AntiVir Guard;"c:\program files\avira\antivir desktop\avguard.exe" --> c:\program files\avira\antivir desktop\avguard.exe [?]
=============== Created Last 30 ================
2010-10-09 17:41:04 2705 --sha-r- c:\windows\system32\drivers\etc\hosts.20101009-124104.backup
2010-10-09 17:36:40 2705 --sha-r- c:\windows\system32\drivers\etc\hosts.20101009-123640.backup
2010-10-09 17:36:39 2705 --sha-r- c:\windows\system32\drivers\etc\hosts.20101009-123639.backup
2010-10-09 17:36:38 2705 --sha-r- c:\windows\system32\drivers\etc\hosts.20101009-123638.backup
2010-10-09 17:36:37 2705 --sha-r- c:\windows\system32\drivers\etc\hosts.20101009-123637.backup
2010-10-09 17:36:36 2705 --sha-r- c:\windows\system32\drivers\etc\hosts.20101009-123636.backup
2010-10-09 17:36:35 2705 --sha-r- c:\windows\system32\drivers\etc\hosts.20101009-123635.backup
2010-10-09 17:36:34 2705 --sha-r- c:\windows\system32\drivers\etc\hosts.20101009-123634.backup
2010-10-09 17:36:33 2705 --sha-r- c:\windows\system32\drivers\etc\hosts.20101009-123633.backup
2010-10-09 17:36:32 2705 --sha-r- c:\windows\system32\drivers\etc\hosts.20101009-123632.backup
2010-10-09 17:36:31 2705 --sha-r- c:\windows\system32\drivers\etc\hosts.20101009-123631.backup
2010-10-09 17:36:30 2705 --sha-r- c:\windows\system32\drivers\etc\hosts.20101009-123630.backup
2010-10-09 17:35:26 2705 --sha-r- c:\windows\system32\drivers\etc\hosts.20101009-123526.backup
2010-10-09 17:34:17 2705 --sha-r- c:\windows\system32\drivers\etc\hosts.20101009-123417.backup
2010-10-09 17:34:16 2705 --sha-r- c:\windows\system32\drivers\etc\hosts.20101009-123416.backup
2010-10-09 17:34:15 2705 --sha-r- c:\windows\system32\drivers\etc\hosts.20101009-123415.backup
2010-10-09 17:34:14 2705 --sha-r- c:\windows\system32\drivers\etc\hosts.20101009-123414.backup
2010-10-09 17:34:13 2705 --sha-r- c:\windows\system32\drivers\etc\hosts.20101009-123413.backup
2010-10-09 17:34:12 2705 --sha-r- c:\windows\system32\drivers\etc\hosts.20101009-123412.backup
2010-10-09 17:34:11 2705 --sha-r- c:\windows\system32\drivers\etc\hosts.20101009-123411.backup
2010-10-09 17:34:10 2705 --sha-r- c:\windows\system32\drivers\etc\hosts.20101009-123410.backup
2010-10-09 17:34:09 2705 --sha-r- c:\windows\system32\drivers\etc\hosts.20101009-123409.backup
2010-10-09 17:34:08 2705 --sha-r- c:\windows\system32\drivers\etc\hosts.20101009-123408.backup
2010-10-09 17:34:05 2705 --sha-r- c:\windows\system32\drivers\etc\hosts.20101009-123405.backup
2010-10-09 17:33:36 2705 --sha-r- c:\windows\system32\drivers\etc\hosts.20101009-123336.backup
2010-10-09 17:33:35 2705 --sha-r- c:\windows\system32\drivers\etc\hosts.20101009-123335.backup
2010-10-09 17:33:34 2705 --sha-r- c:\windows\system32\drivers\etc\hosts.20101009-123334.backup
2010-10-09 17:33:33 2705 --sha-r- c:\windows\system32\drivers\etc\hosts.20101009-123333.backup
2010-10-09 17:33:32 2705 --sha-r- c:\windows\system32\drivers\etc\hosts.20101009-123332.backup
2010-10-09 17:33:31 2705 --sha-r- c:\windows\system32\drivers\etc\hosts.20101009-123331.backup
2010-10-09 17:33:29 2705 --sha-r- c:\windows\system32\drivers\etc\hosts.20101009-123329.backup
2010-10-09 17:33:24 2705 --sha-r- c:\windows\system32\drivers\etc\hosts.20101009-123324.backup
2010-09-26 04:46:08 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin7.dll
2010-09-26 04:46:08 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin6.dll
2010-09-26 04:46:08 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin5.dll
2010-09-26 04:46:08 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin4.dll
2010-09-26 04:46:08 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin3.dll
2010-09-26 04:46:08 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin2.dll
2010-09-26 04:46:08 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin.dll
2010-09-26 04:39:49 -------- d-----w- c:\program files\Bonjour
2010-09-10 04:53:30 -------- d-----w- c:\docume~1\user\applic~1\Malwarebytes
2010-09-10 04:53:13 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-09-10 04:53:11 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-09-10 04:53:09 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-09-10 04:53:09 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-09-10 03:59:52 2705 --sha-r- c:\windows\system32\drivers\etc\hosts.20100909-225952.backup
2010-09-10 03:59:51 2705 --sha-r- c:\windows\system32\drivers\etc\hosts.20100909-225951.backup
2010-09-10 03:59:50 2705 --sha-r- c:\windows\system32\drivers\etc\hosts.20100909-225950.backup
2010-09-10 03:59:49 2705 --sha-r- c:\windows\system32\drivers\etc\hosts.20100909-225949.backup
2010-09-10 03:59:48 2705 --sha-r- c:\windows\system32\drivers\etc\hosts.20100909-225948.backup
2010-09-10 03:59:47 2705 --sha-r- c:\windows\system32\drivers\etc\hosts.20100909-225947.backup
2010-09-10 03:59:46 2705 --sha-r- c:\windows\system32\drivers\etc\hosts.20100909-225946.backup
2010-09-10 03:59:45 2705 --sha-r- c:\windows\system32\drivers\etc\hosts.20100909-225945.backup
2010-09-10 03:59:43 2705 --sha-r- c:\windows\system32\drivers\etc\hosts.20100909-225943.backup
2010-09-10 03:57:41 2705 --sha-r- c:\windows\system32\drivers\etc\hosts.20100909-225741.backup
2010-09-10 03:56:59 2705 --sha-r- c:\windows\system32\drivers\etc\hosts.20100909-225659.backup
2010-09-10 03:54:31 2705 --sha-r- c:\windows\system32\drivers\etc\hosts.20100909-225431.backup
2010-09-10 03:54:29 2705 --sha-r- c:\windows\system32\drivers\etc\hosts.20100909-225429.backup
2010-09-10 03:54:28 2705 --sha-r- c:\windows\system32\drivers\etc\hosts.20100909-225428.backup
2010-09-10 03:54:27 2705 --sha-r- c:\windows\system32\drivers\etc\hosts.20100909-225427.backup
2010-09-10 03:54:26 2705 --sha-r- c:\windows\system32\drivers\etc\hosts.20100909-225426.backup
2010-09-10 03:54:25 2705 --sha-r- c:\windows\system32\drivers\etc\hosts.20100909-225425.backup
2010-09-10 03:54:24 2705 --sha-r- c:\windows\system32\drivers\etc\hosts.20100909-225424.backup
2010-09-10 03:54:23 2705 --sha-r- c:\windows\system32\drivers\etc\hosts.20100909-225423.backup
2010-09-10 03:54:09 2705 --sha-r- c:\windows\system32\drivers\etc\hosts.20100909-225409.backup
2010-09-10 03:53:16 2705 --sha-r- c:\windows\system32\drivers\etc\hosts.20100909-225316.backup
2010-09-10 03:53:09 2705 --sha-r- c:\windows\system32\drivers\etc\hosts.20100909-225309.backup
2010-09-10 03:53:08 2705 --sha-r- c:\windows\system32\drivers\etc\hosts.20100909-225308.backup
2010-09-10 03:53:07 2705 --sha-r- c:\windows\system32\drivers\etc\hosts.20100909-225307.backup
2010-09-10 03:53:04 2705 --sha-r- c:\windows\system32\drivers\etc\hosts.20100909-225304.backup
2010-09-10 03:53:03 2705 --sha-r- c:\windows\system32\drivers\etc\hosts.20100909-225303.backup
2010-09-10 03:53:01 2705 --sha-r- c:\windows\system32\drivers\etc\hosts.20100909-225301.backup
2010-09-10 03:52:45 2705 --sha-r- c:\windows\system32\drivers\etc\hosts.20100909-225245.backup
2010-09-10 03:52:43 2705 --sha-r- c:\windows\system32\drivers\etc\hosts.20100909-225243.backup
2010-09-10 03:51:51 2705 --sha-r- c:\windows\system32\drivers\etc\hosts.20100909-225151.backup
2010-09-10 03:51:50 2705 --sha-r- c:\windows\system32\drivers\etc\hosts.20100909-225150.backup
2010-09-10 03:51:49 2705 --sha-r- c:\windows\system32\drivers\etc\hosts.20100909-225149.backup
2010-09-10 03:51:48 2705 --sha-r- c:\windows\system32\drivers\etc\hosts.20100909-225148.backup
2010-09-10 03:51:44 2705 --sha-r- c:\windows\system32\drivers\etc\hosts.20100909-225144.backup
2010-09-10 03:51:42 2705 --sha-r- c:\windows\system32\drivers\etc\hosts.20100909-225142.backup
2010-09-10 03:51:41 2705 --sha-r- c:\windows\system32\drivers\etc\hosts.20100909-225141.backup
2010-09-10 03:51:35 2705 --sha-r- c:\windows\system32\drivers\etc\hosts.20100909-225135.backup
2010-09-10 02:30:16 -------- d-----w- c:\program files\SDHelper (Spybot - Search & Destroy)
2010-09-10 02:30:15 -------- d-----w- c:\program files\TeaTimer (Spybot - Search & Destroy)
2010-09-10 02:30:15 -------- d-----w- c:\program files\File Scanner Library (Spybot - Search & Destroy)
2010-09-10 02:30:14 -------- d-----w- c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2010-09-10 02:28:17 -------- d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-09-10 02:28:13 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-09-10 02:26:19 -------- d-----w- c:\program files\Lavasoft
2010-09-10 02:00:50 -------- d-sh--w- c:\docume~1\alluse~1\applic~1\MSOFDHS
2010-09-10 02:00:18 -------- d-sh--w- c:\docume~1\alluse~1\applic~1\26be784
==================== Find3M ====================
2010-09-08 16:17:46 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-09-08 16:17:46 69632 ----a-w- c:\windows\system32\QuickTime.qts
2010-08-17 13:17:06 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-07-27 23:44:10 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-07-27 23:44:10 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-07-22 15:49:15 590848 ----a-w- c:\windows\system32\rpcrt4.dll
2010-07-22 05:57:20 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-07-17 10:00:04 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-07-17 07:42:29 73728 ----a-w- c:\windows\system32\javacpl.cpl
============= FINISH: 13:21:58.93 ===============
SPYBOT RESULTS
Fraud.WindowsProtectionSuite: [SBI $B197733A] Redirected host (Redirected host, nothing done)
4-open-davinci.com=74.125.45.100
Fraud.WindowsProtectionSuite: [SBI $B197733A] Redirected host (Redirected host, nothing done)
securitysoftwarepayments.com=74.125.45.100
Fraud.WindowsProtectionSuite: [SBI $B197733A] Redirected host (Redirected host, nothing done)
privatesecuredpayments.com=74.125.45.100
Fraud.WindowsProtectionSuite: [SBI $B197733A] Redirected host (Redirected host, nothing done)
secure.privatesecuredpayments.com=74.125.45.100
Fraud.WindowsProtectionSuite: [SBI $B197733A] Redirected host (Redirected host, nothing done)
getantivirusplusnow.com=74.125.45.100
Fraud.WindowsProtectionSuite: [SBI $B197733A] Redirected host (Redirected host, nothing done)
secure-plus-payments.com=74.125.45.100
Fraud.WindowsProtectionSuite: [SBI $B197733A] Redirected host (Redirected host, nothing done)
www.getantivirusplusnow.com=74.125.45.100
Fraud.WindowsProtectionSuite: [SBI $B197733A] Redirected host (Redirected host, nothing done)
www.secure-plus-payments.com=74.125.45.100
Fraud.WindowsProtectionSuite: [SBI $B197733A] Redirected host (Redirected host, nothing done)
www.getavplusnow.com=74.125.45.100
Fraud.WindowsProtectionSuite: [SBI $B197733A] Redirected host (Redirected host, nothing done)
safebrowsing-cache.google.com=74.125.45.100
Fraud.WindowsProtectionSuite: [SBI $B197733A] Redirected host (Redirected host, nothing done)
urs.microsoft.com=74.125.45.100
Fraud.WindowsProtectionSuite: [SBI $B197733A] Redirected host (Redirected host, nothing done)
www.securesoftwarebill.com=74.125.45.100
Fraud.WindowsProtectionSuite: [SBI $B197733A] Redirected host (Redirected host, nothing done)
secure.paysecuresystem.com=74.125.45.100
Fraud.WindowsProtectionSuite: [SBI $B197733A] Redirected host (Redirected host, nothing done)
paysoftbillsolution.com=74.125.45.100
Fraud.WindowsProtectionSuite: [SBI $B197733A] Redirected host (Redirected host, nothing done)
protected.maxisoftwaremart.com=74.125.45.100
Microsoft.Windows.RedirectedHosts: [SBI $B89FBA81] Redirected host (Redirected host, nothing done)
www.securesoftwarebill.com=74.125.45.100
Microsoft.Windows.RedirectedHosts: [SBI $19781685] Redirected host (Redirected host, nothing done)
secure.paysecuresystem.com=74.125.45.100
Microsoft.Windows.RedirectedHosts: [SBI $CEFF52BA] Redirected host (Redirected host, nothing done)
paysoftbillsolution.com=74.125.45.100
Right Media: Tracking cookie (Internet Explorer: User) (Cookie, nothing done)
--- Spybot - Search & Destroy version: 1.6.2 (build: 20090126) ---
2009-01-26 blindman.exe (1.0.0.8)
2009-01-26 SDFiles.exe (1.6.1.7)
2009-01-26 SDMain.exe (1.0.0.6)
2009-01-26 SDShred.exe (1.0.2.5)
2009-01-26 SDUpdate.exe (1.6.0.12)
2009-01-26 SpybotSD.exe (1.6.2.46)
2009-03-05 TeaTimer.exe (1.6.6.32)
2004-04-27 unins000.exe (51.13.0.0)
2010-09-09 unins001.exe (51.49.0.0)
2009-01-26 Update.exe (1.6.0.7)
2009-11-04 advcheck.dll (1.6.5.20)
2007-04-02 aports.dll (2.1.0.0)
2004-05-12 borlndmm.dll (7.0.4.453)
2004-05-12 delphimm.dll (7.0.4.453)
2008-06-14 DelZip179.dll (1.79.11.1)
2009-01-26 SDHelper.dll (1.6.2.14)
2008-06-19 sqlite3.dll
2009-01-26 Tools.dll (2.1.6.10)
2009-01-16 UninsSrv.dll (1.0.0.0)
2004-05-12 UnzDll.dll (1.73.1.1)
2004-05-12 ZipDll.dll (1.73.2.0)
2010-06-29 Includes\Adware.sbi (*)
2010-08-24 Includes\AdwareC.sbi (*)
2010-08-13 Includes\Cookies.sbi (*)
2009-11-03 Includes\Dialer.sbi (*)
2010-07-27 Includes\DialerC.sbi (*)
2010-01-25 Includes\HeavyDuty.sbi (*)
2009-05-26 Includes\Hijackers.sbi (*)
2010-07-27 Includes\HijackersC.sbi (*)
2010-06-29 Includes\iPhone.sbi (*)
2010-08-02 Includes\Keyloggers.sbi (*)
2010-08-31 Includes\KeyloggersC.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2010-06-01 Includes\Malware.sbi (*)
2010-09-07 Includes\MalwareC.sbi (*)
2010-05-18 Includes\PUPS.sbi (*)
2010-07-20 Includes\PUPSC.sbi (*)
2010-01-25 Includes\Revision.sbi (*)
2009-01-13 Includes\Security.sbi (*)
2010-07-27 Includes\SecurityC.sbi (*)
2008-06-03 Includes\Spybots.sbi (*)
2008-06-03 Includes\SpybotsC.sbi (*)
2010-06-29 Includes\Spyware.sbi (*)
2010-07-27 Includes\SpywareC.sbi (*)
2010-03-08 Includes\Tracks.uti
2010-08-04 Includes\Trojans.sbi (*)
2010-07-28 Includes\TrojansC-02.sbi (*)
2010-07-28 Includes\TrojansC-03.sbi (*)
2010-07-28 Includes\TrojansC-04.sbi (*)
2010-09-07 Includes\TrojansC-05.sbi (*)
2010-08-15 Includes\TrojansC.sbi (*)
2008-03-04 Plugins\Chai.dll
2008-03-05 Plugins\Fennel.dll
2008-02-26 Plugins\Mate.dll
2007-12-24 Plugins\TCPIPAddress.dll
:snwelcome:
Please read Before You Post (http://forums.spybot.info/showthread.php?t=288)
While best efforts are made to assist in removing infections safely, unexpected stuff can happen. It is advisable that you back up your important data before starting any clean up procedure. Neither Safer Networking Forums nor the Analyst providing the advice may be held responsible for any loss.
Until we deem your system clean I am going to ask you not to install or uninstall any software or hardware except for the programs we may run.
Download OTL (http://oldtimer.geekstogo.com/OTL.exe) to your desktop.
Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
When the window appears, underneath Output at the top change it to Minimal Output.
Check the boxes beside LOP Check and Purity Check.
Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt.
Note:These logs can be located in the OTL. folder on you C:\ drive if they fail to open automatically.
Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply. You may need two posts to fit them both in.
chas7605
2010-11-28, 16:42
OTL logfile created on: 11/28/2010 9:32:49 AM - Run 1
OTL by OldTimer - Version 3.2.17.3 Folder = C:\Documents and Settings\User\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
639.00 Mb Total Physical Memory | 366.00 Mb Available Physical Memory | 57.00% Memory free
2.00 Gb Paging File | 1.00 Gb Available in Paging File | 82.00% Paging File free
Paging file location(s): C:\pagefile.sys 960 1920 [binary data]
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 27.93 Gb Total Space | 3.69 Gb Free Space | 13.20% Space Free | Partition Type: NTFS
Drive G: | 1.92 Gb Total Space | 0.03 Gb Free Space | 1.31% Space Free | Partition Type: FAT
Drive H: | 983.72 Mb Total Space | 355.22 Mb Free Space | 36.11% Space Free | Partition Type: FAT
Computer Name: PC | User Name: User | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
========== Processes (SafeList) ==========
PRC - C:\Documents and Settings\User\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe (Apple Inc.)
PRC - C:\Program Files\OpenOffice.org 3\program\soffice.bin (OpenOffice.org)
PRC - C:\Program Files\OpenOffice.org 3\program\soffice.exe (OpenOffice.org)
PRC - C:\Program Files\OpenOffice.org 3\program\swriter.exe ()
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
========== Modules (SafeList) ==========
MOD - C:\Documents and Settings\User\Desktop\OTL.exe (OldTimer Tools)
MOD - C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll (Microsoft Corporation)
========== Win32 Services (SafeList) ==========
SRV - (HidServ) -- C:\WINDOWS\System32\hidserv.dll File not found
SRV - (AntiVirService) -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe File not found
SRV - (AntiVirSchedulerService) -- C:\Program Files\Avira\AntiVir Desktop\sched.exe File not found
SRV - (Apple Mobile Device) -- C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe (Apple Inc.)
========== Driver Services (SafeList) ==========
DRV - (MTK) -- C:\WINDOWS\System32\Drivers\mtk.sys File not found
DRV - (avgio) -- C:\Program Files\Avira\AntiVir Desktop\avgio.sys File not found
DRV - (avgntflt) -- C:\WINDOWS\system32\drivers\avgntflt.sys (Avira GmbH)
DRV - (ssmdrv) -- C:\WINDOWS\system32\drivers\ssmdrv.sys (Avira GmbH)
DRV - (avipbb) -- C:\WINDOWS\system32\drivers\avipbb.sys (Avira GmbH)
DRV - (nv) -- C:\WINDOWS\system32\drivers\nv4_mini.sys (NVIDIA Corporation)
DRV - (omci) -- C:\WINDOWS\system32\drivers\omci.sys (Dell Computer Corporation)
DRV - (Edspport) -- C:\WINDOWS\system32\drivers\es56tpi.sys (ESS Technology, Inc.)
========== Standard Registry (SafeList) ==========
========== Internet Explorer ==========
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/ig
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKCU\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - Reg Error: Key error. File not found
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local
O1 HOSTS File: ([2010/09/09 22:34:37 | 000,002,705 | RHS- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 74.125.45.100 4-open-davinci.com
O1 - Hosts: 74.125.45.100 securitysoftwarepayments.com
O1 - Hosts: 74.125.45.100 privatesecuredpayments.com
O1 - Hosts: 74.125.45.100 secure.privatesecuredpayments.com
O1 - Hosts: 74.125.45.100 getantivirusplusnow.com
O1 - Hosts: 74.125.45.100 secure-plus-payments.com
O1 - Hosts: 74.125.45.100 www.getantivirusplusnow.com
O1 - Hosts: 74.125.45.100 www.secure-plus-payments.com
O1 - Hosts: 74.125.45.100 www.getavplusnow.com
O1 - Hosts: 74.125.45.100 safebrowsing-cache.google.com
O1 - Hosts: 74.125.45.100 urs.microsoft.com
O1 - Hosts: 74.125.45.100 www.securesoftwarebill.com
O1 - Hosts: 74.125.45.100 secure.paysecuresystem.com
O1 - Hosts: 74.125.45.100 paysoftbillsolution.com
O1 - Hosts: 74.125.45.100 protected.maxisoftwaremart.com
O1 - Hosts: 217.23.7.114 www.google.com
O1 - Hosts: 217.23.7.114 google.com
O1 - Hosts: 217.23.7.114 google.com.au
O1 - Hosts: 217.23.7.114 www.google.com.au
O1 - Hosts: 217.23.7.114 google.be
O1 - Hosts: 217.23.7.114 www.google.be
O1 - Hosts: 217.23.7.114 google.com.br
O1 - Hosts: 217.23.7.114 www.google.com.br
O1 - Hosts: 217.23.7.114 google.ca
O1 - Hosts: 38 more lines...
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {D4027C7F-154A-4066-A1AD-4243D8127440} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No CLSID value found.
O4 - HKLM..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe (Nero AG)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] C:\WINDOWS\System32\nwiz.exe (NVIDIA Corporation)
O4 - HKCU..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe (Nero AG)
O4 - HKCU..\Run: [NvMediaCenter] C:\WINDOWS\System32\NVMCTRAY.DLL (NVIDIA Corporation)
O4 - HKCU..\Run: [Search Protection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe File not found
O4 - HKCU..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\System32\Macromed\Flash\FlashUtil10k_ActiveX.exe (Adobe Systems, Inc.)
O4 - Startup: C:\Documents and Settings\User\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE ()
O4 - Startup: C:\Documents and Settings\User\Start Menu\Programs\Startup\OpenOffice.org 3.1.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://go.microsoft.com/fwlink/?linkid=39204 (Windows Genuine Advantage Validation Tool)
O16 - DPF: {6F6FDB9E-5072-498C-BCB0-2B7F00C49EE7} http://support.dell.com/systemprofiler/DellSystemLite.CAB (DellSystemLite.Scanner)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab (Java Plug-in 1.6.0_21)
O16 - DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab (Java Plug-in 1.6.0_21)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab (Java Plug-in 1.6.0_21)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 129.15.1.120 129.15.1.121
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\User\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\User\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2010/01/09 08:10:57 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
========== Files/Folders - Created Within 30 Days ==========
[2010/11/28 09:32:02 | 000,575,488 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\User\Desktop\OTL.exe
[2010/11/21 15:02:47 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Apple Computer
[2010/11/21 15:02:42 | 000,000,000 | ---D | C] -- C:\WINDOWS\LastGood
[2010/11/16 00:17:42 | 000,000,000 | ---D | C] -- C:\Program Files\iPod
[2010/11/16 00:17:20 | 000,000,000 | ---D | C] -- C:\Program Files\iTunes
[2010/11/08 16:38:25 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\NtmsData
[5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[2 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
========== Files - Modified Within 30 Days ==========
[2010/11/28 09:32:03 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\User\Desktop\OTL.exe
[2010/11/27 23:17:02 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2010/11/22 21:45:23 | 000,056,320 | ---- | M] () -- C:\Documents and Settings\User\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/11/20 23:41:03 | 000,000,572 | ---- | M] () -- C:\Documents and Settings\User\My Documents\spider.sav
[2010/11/17 13:45:29 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/11/17 13:44:49 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/11/17 13:44:48 | 670,113,792 | -HS- | M] () -- C:\hiberfil.sys
[2010/11/16 00:18:42 | 000,001,542 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk
[2010/11/08 17:43:16 | 000,432,664 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/11/08 17:43:16 | 000,067,428 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[2 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
========== Files Created - No Company Name ==========
[2010/11/20 23:41:03 | 000,000,572 | ---- | C] () -- C:\Documents and Settings\User\My Documents\spider.sav
[2010/11/16 00:18:42 | 000,001,542 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk
[2010/09/09 21:51:58 | 000,005,335 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2010/01/20 20:42:46 | 000,000,069 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2010/01/17 20:46:15 | 000,076,407 | ---- | C] () -- C:\Documents and Settings\User\Application Data\Smiley.ico
[2010/01/16 10:54:43 | 000,056,320 | ---- | C] () -- C:\Documents and Settings\User\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/01/15 22:07:34 | 000,021,504 | ---- | C] () -- C:\WINDOWS\jestertb.dll
[2010/01/09 02:07:00 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2003/10/06 14:16:00 | 000,027,136 | ---- | C] () -- C:\WINDOWS\System32\nvcod.dll
========== LOP Check ==========
[2010/01/17 21:25:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\25109
[2010/09/09 20:13:21 | 000,000,000 | -HSD | M] -- C:\Documents and Settings\All Users\Application Data\26be784
[2010/09/09 20:00:50 | 000,000,000 | -HSD | M] -- C:\Documents and Settings\All Users\Application Data\MSOFDHS
[2010/04/03 12:04:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
[2010/02/13 23:46:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
[2010/07/07 21:45:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\Amazon
[2010/08/31 16:08:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\CVS
[2010/01/23 11:42:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\MSNInstaller
[2010/01/23 09:08:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\OpenOffice.org
========== Purity Check ==========
< End of report >
chas7605
2010-11-28, 16:43
OTL Extras logfile created on: 11/28/2010 9:32:49 AM - Run 1
OTL by OldTimer - Version 3.2.17.3 Folder = C:\Documents and Settings\User\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
639.00 Mb Total Physical Memory | 366.00 Mb Available Physical Memory | 57.00% Memory free
2.00 Gb Paging File | 1.00 Gb Available in Paging File | 82.00% Paging File free
Paging file location(s): C:\pagefile.sys 960 1920 [binary data]
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 27.93 Gb Total Space | 3.69 Gb Free Space | 13.20% Space Free | Partition Type: NTFS
Drive G: | 1.92 Gb Total Space | 0.03 Gb Free Space | 1.31% Space Free | Partition Type: FAT
Drive H: | 983.72 Mb Total Space | 355.22 Mb Free Space | 36.11% Space Free | Partition Type: FAT
Computer Name: PC | User Name: User | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
========== Extra Registry (SafeList) ==========
========== File Associations ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = ChromeHTML] -- Reg Error: Key error. File not found
========== Shell Spawning ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- Reg Error: Key error.
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
========== Security Center Settings ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]
========== System Restore Settings ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2
========== Firewall Settings ==========
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
========== Authorized Applications List ==========
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" = C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Enabled:Yahoo! Messenger -- File not found
"C:\Program Files\iMesh Applications\iMesh\iMesh.exe" = C:\Program Files\iMesh Applications\iMesh\iMesh.exe:*:Enabled:iMesh -- File not found
"C:\Documents and Settings\All Users\Application Data\26be784\MS26be_2121.exe" = C:\Documents and Settings\All Users\Application Data\26be784\MS26be_2121.exe:*:Enabled:My Security Shield -- File not found
"C:\Program Files\iTunes\iTunes.exe" = C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes -- (Apple Inc.)
========== HKEY_LOCAL_MACHINE Uninstall List ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{17424F35-8B77-4ADF-BC63-BF9B81418539}" = Apple Application Support
"{26A24AE4-039D-4CA4-87B4-2F83216016FF}" = Java(TM) 6 Update 21
"{308B6AEA-DE50-4666-996D-0FA461719D6B}" = Apple Mobile Device Support
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{6421F085-1FAA-DE13-D02A-CFB412C522A4}" = Acrobat.com
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{A2BCA9F1-566C-4805-97D1-7FDC93386723}" = Adobe AIR
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{AC76BA86-7AD7-1033-7B44-A93000000001}" = Adobe Reader 9.3.4
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D9B4D7EE-481C-4C36-86AB-A8F7417725FF}" = LightScribe 1.6.43.1
"{E6B87DC4-2B3D-4483-ADFF-E483BF718991}" = OpenOffice.org 3.1
"{E7004147-2CCA-431C-AA05-2AB166B9785D}" = QuickTime
"{E8843212-F0FC-4C3B-BFF3-D51829CB4F19}" = iTunes
"{F0A37341-D692-11D4-A984-009027EC0A9C}" = SoundMAX
"{F61DD673-0030-4BB2-A382-7E57E97F1033}" = Nero 7 Essentials
"{FF1C31AE-0CDC-40CE-AB85-406F8B70D643}" = Bonjour
"Ad-Aware SE Personal" = Ad-Aware SE Personal
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Avira AntiVir Desktop" = Avira AntiVir Personal - Free Antivirus
"com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Acrobat.com
"ERUNT_is1" = ERUNT 1.1j
"ie8" = Windows Internet Explorer 8
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"NVIDIA" = NVIDIA Windows 2000/XP Display Drivers
"NVIDIA Display Driver" = NVIDIA Display Driver
"PROSet" = Intel(R) PRO Ethernet Adapter and Software
"Spybot - Search & Destroy_is1" = Spybot - Search & Destroy 1.3
"WIC" = Windows Imaging Component
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WinRAR archiver" = WinRAR archiver
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
========== HKEY_CURRENT_USER Uninstall List ==========
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"f031ef6ac137efc5" = Dell Driver Download Manager
"Move Media Player" = Move Media Player
========== Last 10 Event Log Errors ==========
[ Application Events ]
Error - 11/26/2010 2:03:05 AM | Computer Name = PC | Source = Application Hang | ID = 1001
Description = Fault bucket 1180947459.
Error - 11/26/2010 2:03:17 AM | Computer Name = PC | Source = Application Hang | ID = 1001
Description = Fault bucket 1180947459.
Error - 11/26/2010 2:03:20 AM | Computer Name = PC | Source = Application Hang | ID = 1001
Description = Fault bucket 1180947459.
Error - 11/26/2010 9:43:40 PM | Computer Name = PC | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 8.0.6001.18702, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.
Error - 11/27/2010 4:19:11 AM | Computer Name = PC | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 8.0.6001.18702, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.
Error - 11/27/2010 3:36:22 PM | Computer Name = PC | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 8.0.6001.18702, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.
Error - 11/27/2010 3:36:25 PM | Computer Name = PC | Source = Application Hang | ID = 1001
Description = Fault bucket 1180947459.
Error - 11/28/2010 4:53:40 AM | Computer Name = PC | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 8.0.6001.18702, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.
Error - 11/28/2010 4:53:40 AM | Computer Name = PC | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 8.0.6001.18702, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.
Error - 11/28/2010 4:53:44 AM | Computer Name = PC | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 8.0.6001.18702, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.
[ System Events ]
Error - 11/19/2010 12:01:48 PM | Computer Name = PC | Source = Server | ID = 2505
Description = The server could not bind to the transport \Device\NetBT_Tcpip_{3D0A3E98-51AD-4C4B-A987-D2B13073B5E1}
because another computer on the network has the same name. The server could not
start.
Error - 11/19/2010 12:02:58 PM | Computer Name = PC | Source = NetBT | ID = 4321
Description = The name "PC :0" could not be registered on the Interface
with IP address 10.193.51.255. The machine with the IP address 10.193.48.206 did
not allow the name to be claimed by this machine.
Error - 11/19/2010 5:15:14 PM | Computer Name = PC | Source = NetBT | ID = 4321
Description = The name "PC :20" could not be registered on the Interface
with IP address 10.193.51.255. The machine with the IP address 129.15.1.120 did
not allow the name to be claimed by this machine.
Error - 11/19/2010 5:15:14 PM | Computer Name = PC | Source = NetBT | ID = 4321
Description = The name "PC :0" could not be registered on the Interface
with IP address 10.193.51.255. The machine with the IP address 129.15.1.120 did
not allow the name to be claimed by this machine.
Error - 11/23/2010 2:35:59 AM | Computer Name = PC | Source = Cdrom | ID = 262151
Description = The device, \Device\CdRom0, has a bad block.
Error - 11/23/2010 12:16:31 PM | Computer Name = PC | Source = NetBT | ID = 4321
Description = The name "PC :0" could not be registered on the Interface
with IP address 10.193.51.255. The machine with the IP address 10.193.48.206 did
not allow the name to be claimed by this machine.
Error - 11/23/2010 12:16:31 PM | Computer Name = PC | Source = NetBT | ID = 4321
Description = The name "PC :20" could not be registered on the Interface
with IP address 10.193.51.255. The machine with the IP address 10.193.48.206 did
not allow the name to be claimed by this machine.
Error - 11/23/2010 12:16:31 PM | Computer Name = PC | Source = Server | ID = 2505
Description = The server could not bind to the transport \Device\NetBT_Tcpip_{3D0A3E98-51AD-4C4B-A987-D2B13073B5E1}
because another computer on the network has the same name. The server could not
start.
Error - 11/23/2010 12:16:53 PM | Computer Name = PC | Source = NetBT | ID = 4321
Description = The name "PC :0" could not be registered on the Interface
with IP address 10.193.51.255. The machine with the IP address 10.193.48.206 did
not allow the name to be claimed by this machine.
Error - 11/23/2010 6:33:47 PM | Computer Name = PC | Source = NetBT | ID = 4321
Description = The name "PC :20" could not be registered on the Interface
with IP address 10.193.51.255. The machine with the IP address 129.15.1.120 did
not allow the name to be claimed by this machine.
< End of report >
Hi,
Lets do this.
Download the HostsXpert 4.3 - Hosts File Manager (http://www.funkytoad.com/download/HostsXpert.zip).
Unzip HostsXpert 4.2.0.0 - Hosts File Manager to a convenient folder such as C:\HostsXpert
Click HostsXpert.exe to Run HostsXpert - Hosts File Manager from its new home
Click "Make Hosts Writable?" in the upper left corner.
Click Restore Microsoft's Hosts file and then click OK.
Click the X to exit the program.
Note: If you were using a custom Hosts file you will need to replace any of those entries yourself.
Please download Malwarebytes from Here (http://www.malwarebytes.org/mbam-download.php) or Here (http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html)
Double-click mbam-setup.exe and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform quick scan, then click Scan.
http://i24.photobucket.com/albums/c30/ken545/MBAMCapture.jpg
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected .
When completed, a log will open in Notepad. Please save it to a convenient location and post the results.
Note: If you receive a notice that some of the items couldn't be removed, that they have been added to the delete on reboot list, please reboot.
Post the report please
Post the Malwarebytes log and then run OTL again and post a new log please
chas7605
2010-11-28, 18:10
The HostsXpert.zip would not let me click "Make Hosts Writeable?" which had a padlock next to it. Also, I tried to click the "Restore MS Hosts File" and it read as "ERROR: Cannot create file C:\WINDOWS\system32\DRIVERS\ETC\hosts".
Hi
How are ya doing, did you survive the holidays ?
Where going to delete your hosts file and create a new one as the one you have is infected. Make sure before you proceed that you still have HostsXpert on your desktop
Please download OTM by OldTimer (http://oldtimer.geekstogo.com/OTM.exe) and save it to your desktop.
Double click the http://billy-oneal.com/Canned%20Speeches/speechimages/OTM/OTMdesktopicon.png icon on your desktop.
Paste the following code under the http://billy-oneal.com/Canned%20Speeches/speechimages/OTM/pasteline.png area.
Do not include the word "Code".
:Processes
explorer.exe
:Services
:Reg
:Files
c:\windows\system32\drivers\etc\hosts
:Commands
[purity]
[emptytemp]
[start explorer]
[Reboot]
Push the large http://billy-oneal.com/Canned%20Speeches/speechimages/OTM/btnmoveit.png button.
OTM may ask to reboot the machine. Please do so if asked.
Copy/Paste the contents under the http://billy-oneal.com/Canned%20Speeches/speechimages/OTM/results.png line here in your next reply.
If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.
Now run HostsXpert
Restore Microsoft's Hosts file <-- You will get a message stating that there is no hosts file available do you want to create one SAY YES
chas7605
2010-11-28, 21:09
All processes killed
========== PROCESSES ==========
No active process named explorer.exe was found!
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
========== FILES ==========
c:\windows\system32\drivers\etc\hosts moved successfully.
========== COMMANDS ==========
[EMPTYTEMP]
User: All Users
User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Flash cache emptied: 41620 bytes
User: LocalService
->Temp folder emptied: 66016 bytes
->Temporary Internet Files folder emptied: 33170 bytes
User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 163980413 bytes
User: User
->Temp folder emptied: 3044794 bytes
->Temporary Internet Files folder emptied: 287742418 bytes
->Java cache emptied: 48713027 bytes
->Flash cache emptied: 216398 bytes
%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 2162283 bytes
%systemroot%\System32 .tmp files removed: 7103 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 3949870 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 96526352 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 0 bytes
Total Files Cleaned = 578.00 mb
OTM by OldTimer - Version 3.1.17.2 log created on 11282010_135526
Files moved on Reboot...
Registry entries deleted on Reboot...
Open OTL and run a new scan and post the New Log and let me know how things are running now ?
chas7605
2010-11-28, 21:17
Thank you so much for your help. The holidays have only just begun and I haven't started shopping for my kid, yet. Busy times ahead. Is there anything else that I need to do after running HostExpert.exe? The OLT result is in the previous post.
chas7605
2010-11-28, 21:25
OTL logfile created on: 11/28/2010 2:22:12 PM - Run 3
OTL by OldTimer - Version 3.2.17.3 Folder = C:\Documents and Settings\User\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
639.00 Mb Total Physical Memory | 299.00 Mb Available Physical Memory | 47.00% Memory free
2.00 Gb Paging File | 1.00 Gb Available in Paging File | 85.00% Paging File free
Paging file location(s): C:\pagefile.sys 960 1920 [binary data]
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 27.93 Gb Total Space | 4.11 Gb Free Space | 14.72% Space Free | Partition Type: NTFS
Drive G: | 1.92 Gb Total Space | 0.03 Gb Free Space | 1.31% Space Free | Partition Type: FAT
Drive H: | 983.72 Mb Total Space | 355.22 Mb Free Space | 36.11% Space Free | Partition Type: FAT
Computer Name: PC | User Name: User | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
========== Processes (SafeList) ==========
PRC - C:\Documents and Settings\User\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe (Apple Inc.)
PRC - C:\Program Files\Common Files\Java\Java Update\jucheck.exe (Sun Microsystems, Inc.)
PRC - C:\Program Files\OpenOffice.org 3\program\soffice.bin (OpenOffice.org)
PRC - C:\Program Files\OpenOffice.org 3\program\soffice.exe (OpenOffice.org)
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
PRC - C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe (Nero AG)
PRC - C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe (Nero AG)
========== Modules (SafeList) ==========
MOD - C:\Documents and Settings\User\Desktop\OTL.exe (OldTimer Tools)
MOD - C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll (Microsoft Corporation)
========== Win32 Services (SafeList) ==========
SRV - (HidServ) -- C:\WINDOWS\System32\hidserv.dll File not found
SRV - (AntiVirService) -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe File not found
SRV - (AntiVirSchedulerService) -- C:\Program Files\Avira\AntiVir Desktop\sched.exe File not found
SRV - (Apple Mobile Device) -- C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe (Apple Inc.)
========== Driver Services (SafeList) ==========
DRV - (MTK) -- C:\WINDOWS\System32\Drivers\mtk.sys File not found
DRV - (avgio) -- C:\Program Files\Avira\AntiVir Desktop\avgio.sys File not found
DRV - (avgntflt) -- C:\WINDOWS\system32\drivers\avgntflt.sys (Avira GmbH)
DRV - (ssmdrv) -- C:\WINDOWS\system32\drivers\ssmdrv.sys (Avira GmbH)
DRV - (avipbb) -- C:\WINDOWS\system32\drivers\avipbb.sys (Avira GmbH)
DRV - (nv) -- C:\WINDOWS\system32\drivers\nv4_mini.sys (NVIDIA Corporation)
DRV - (omci) -- C:\WINDOWS\system32\drivers\omci.sys (Dell Computer Corporation)
DRV - (Edspport) -- C:\WINDOWS\system32\drivers\es56tpi.sys (ESS Technology, Inc.)
========== Standard Registry (SafeList) ==========
========== Internet Explorer ==========
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/ig
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKCU\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - Reg Error: Key error. File not found
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local
O1 HOSTS File: ([2010/11/28 14:12:26 | 000,000,698 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\HOSTS
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {D4027C7F-154A-4066-A1AD-4243D8127440} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No CLSID value found.
O4 - HKLM..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe (Nero AG)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] C:\WINDOWS\System32\nwiz.exe (NVIDIA Corporation)
O4 - HKCU..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe (Nero AG)
O4 - HKCU..\Run: [NvMediaCenter] C:\WINDOWS\System32\NVMCTRAY.DLL (NVIDIA Corporation)
O4 - HKCU..\Run: [Search Protection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe File not found
O4 - Startup: C:\Documents and Settings\User\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE ()
O4 - Startup: C:\Documents and Settings\User\Start Menu\Programs\Startup\OpenOffice.org 3.1.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://go.microsoft.com/fwlink/?linkid=39204 (Windows Genuine Advantage Validation Tool)
O16 - DPF: {6F6FDB9E-5072-498C-BCB0-2B7F00C49EE7} http://support.dell.com/systemprofiler/DellSystemLite.CAB (DellSystemLite.Scanner)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab (Java Plug-in 1.6.0_21)
O16 - DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab (Java Plug-in 1.6.0_21)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab (Java Plug-in 1.6.0_21)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 129.15.1.120 129.15.1.121
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\User\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\User\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2010/01/09 08:10:57 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
========== Files/Folders - Created Within 30 Days ==========
[2010/11/28 13:55:26 | 000,000,000 | ---D | C] -- C:\_OTM
[2010/11/28 13:51:12 | 000,519,680 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\User\Desktop\OTM.exe
[2010/11/28 13:14:55 | 000,014,592 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\kbdhid.sys
[2010/11/28 09:32:02 | 000,575,488 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\User\Desktop\OTL.exe
[2010/11/21 15:02:47 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Apple Computer
[2010/11/16 00:17:42 | 000,000,000 | ---D | C] -- C:\Program Files\iPod
[2010/11/16 00:17:20 | 000,000,000 | ---D | C] -- C:\Program Files\iTunes
[2010/11/08 16:38:25 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\NtmsData
========== Files - Modified Within 30 Days ==========
[2010/11/28 14:12:26 | 000,000,698 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\HOSTS
[2010/11/28 14:00:59 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/11/28 14:00:36 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/11/28 14:00:34 | 670,113,792 | -HS- | M] () -- C:\hiberfil.sys
[2010/11/28 13:51:13 | 000,519,680 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\User\Desktop\OTM.exe
[2010/11/28 11:00:40 | 000,353,485 | ---- | M] () -- C:\Documents and Settings\User\Desktop\HostsXpert.zip
[2010/11/28 09:32:03 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\User\Desktop\OTL.exe
[2010/11/27 23:17:02 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2010/11/22 21:45:23 | 000,056,320 | ---- | M] () -- C:\Documents and Settings\User\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/11/20 23:41:03 | 000,000,572 | ---- | M] () -- C:\Documents and Settings\User\My Documents\spider.sav
[2010/11/16 00:18:42 | 000,001,542 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk
[2010/11/08 17:43:16 | 000,432,664 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/11/08 17:43:16 | 000,067,428 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
========== Files Created - No Company Name ==========
[2010/11/28 11:00:38 | 000,353,485 | ---- | C] () -- C:\Documents and Settings\User\Desktop\HostsXpert.zip
[2010/11/20 23:41:03 | 000,000,572 | ---- | C] () -- C:\Documents and Settings\User\My Documents\spider.sav
[2010/11/16 00:18:42 | 000,001,542 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk
[2010/09/09 21:51:58 | 000,005,335 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2010/01/20 20:42:46 | 000,000,069 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2010/01/17 20:46:15 | 000,076,407 | ---- | C] () -- C:\Documents and Settings\User\Application Data\Smiley.ico
[2010/01/16 10:54:43 | 000,056,320 | ---- | C] () -- C:\Documents and Settings\User\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/01/15 22:07:34 | 000,021,504 | ---- | C] () -- C:\WINDOWS\jestertb.dll
[2010/01/09 02:07:00 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2003/10/06 14:16:00 | 000,027,136 | ---- | C] () -- C:\WINDOWS\System32\nvcod.dll
========== LOP Check ==========
[2010/01/17 21:25:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\25109
[2010/09/09 20:13:21 | 000,000,000 | -HSD | M] -- C:\Documents and Settings\All Users\Application Data\26be784
[2010/09/09 20:00:50 | 000,000,000 | -HSD | M] -- C:\Documents and Settings\All Users\Application Data\MSOFDHS
[2010/04/03 12:04:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
[2010/02/13 23:46:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
[2010/07/07 21:45:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\Amazon
[2010/08/31 16:08:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\CVS
[2010/01/23 11:42:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\MSNInstaller
[2010/01/23 09:08:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\OpenOffice.org
========== Purity Check ==========
< End of report >
Looking good,
If you uninstalled ASK then lets fix this
Run OTL.exe
Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL
:OTL
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {D4027C7F-154A-4066-A1AD-4243D8127440} - No CLSID value found.
:Services
:Reg
:Files
:Commands
[purity]
[emptytemp]
[start explorer]
[Reboot]
Then click the Run Fix button at the top
Let the program run unhindered, reboot when it is done
Then post the results of the log and a new OTL log ( don't check the boxes beside LOP Check or Purity this time )
Please run this free online virus scanner from ESET (http://www.eset.com/onlinescan/)
Note: You will need to use Internet explorer for this scan
Tick the box next to YES, I accept the Terms of Use.
Click Start
When asked, allow the activex control to install
Click Start
Make sure that the option Remove found threats is ticked, and the option Scan unwanted applications is checked
Click Scan
Wait for the scan to finish
Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
Copy and paste that log as a reply to this topic
chas7605
2010-11-28, 21:58
OTL logfile created on: 11/28/2010 2:54:32 PM - Run 4
OTL by OldTimer - Version 3.2.17.3 Folder = C:\Documents and Settings\User\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
639.00 Mb Total Physical Memory | 307.00 Mb Available Physical Memory | 48.00% Memory free
2.00 Gb Paging File | 1.00 Gb Available in Paging File | 84.00% Paging File free
Paging file location(s): C:\pagefile.sys 960 1920 [binary data]
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 27.93 Gb Total Space | 4.10 Gb Free Space | 14.67% Space Free | Partition Type: NTFS
Drive G: | 1.92 Gb Total Space | 0.03 Gb Free Space | 1.31% Space Free | Partition Type: FAT
Drive H: | 983.72 Mb Total Space | 355.22 Mb Free Space | 36.11% Space Free | Partition Type: FAT
Computer Name: PC | User Name: User | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
========== Processes (SafeList) ==========
PRC - C:\Documents and Settings\User\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe (Apple Inc.)
PRC - C:\Program Files\OpenOffice.org 3\program\soffice.bin (OpenOffice.org)
PRC - C:\Program Files\OpenOffice.org 3\program\soffice.exe (OpenOffice.org)
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
PRC - C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe (Nero AG)
PRC - C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe (Nero AG)
========== Modules (SafeList) ==========
MOD - C:\Documents and Settings\User\Desktop\OTL.exe (OldTimer Tools)
MOD - C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll (Microsoft Corporation)
========== Win32 Services (SafeList) ==========
SRV - (HidServ) -- C:\WINDOWS\System32\hidserv.dll File not found
SRV - (AntiVirService) -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe File not found
SRV - (AntiVirSchedulerService) -- C:\Program Files\Avira\AntiVir Desktop\sched.exe File not found
SRV - (Apple Mobile Device) -- C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe (Apple Inc.)
========== Driver Services (SafeList) ==========
DRV - (MTK) -- C:\WINDOWS\System32\Drivers\mtk.sys File not found
DRV - (avgio) -- C:\Program Files\Avira\AntiVir Desktop\avgio.sys File not found
DRV - (avgntflt) -- C:\WINDOWS\system32\drivers\avgntflt.sys (Avira GmbH)
DRV - (ssmdrv) -- C:\WINDOWS\system32\drivers\ssmdrv.sys (Avira GmbH)
DRV - (avipbb) -- C:\WINDOWS\system32\drivers\avipbb.sys (Avira GmbH)
DRV - (nv) -- C:\WINDOWS\system32\drivers\nv4_mini.sys (NVIDIA Corporation)
DRV - (omci) -- C:\WINDOWS\system32\drivers\omci.sys (Dell Computer Corporation)
DRV - (Edspport) -- C:\WINDOWS\system32\drivers\es56tpi.sys (ESS Technology, Inc.)
========== Standard Registry (SafeList) ==========
========== Internet Explorer ==========
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/ig
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKCU\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - Reg Error: Key error. File not found
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local
O1 HOSTS File: ([2010/11/28 14:12:26 | 000,000,698 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\HOSTS
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No CLSID value found.
O4 - HKLM..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe (Nero AG)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] C:\WINDOWS\System32\nwiz.exe (NVIDIA Corporation)
O4 - HKCU..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe (Nero AG)
O4 - HKCU..\Run: [NvMediaCenter] C:\WINDOWS\System32\NVMCTRAY.DLL (NVIDIA Corporation)
O4 - HKCU..\Run: [Search Protection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe File not found
O4 - Startup: C:\Documents and Settings\User\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE ()
O4 - Startup: C:\Documents and Settings\User\Start Menu\Programs\Startup\OpenOffice.org 3.1.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://go.microsoft.com/fwlink/?linkid=39204 (Windows Genuine Advantage Validation Tool)
O16 - DPF: {6F6FDB9E-5072-498C-BCB0-2B7F00C49EE7} http://support.dell.com/systemprofiler/DellSystemLite.CAB (DellSystemLite.Scanner)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab (Java Plug-in 1.6.0_21)
O16 - DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab (Java Plug-in 1.6.0_21)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab (Java Plug-in 1.6.0_21)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 129.15.1.120 129.15.1.121
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\User\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\User\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2010/01/09 08:10:57 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
========== Files/Folders - Created Within 30 Days ==========
[2010/11/28 14:47:04 | 000,000,000 | ---D | C] -- C:\_OTL
[2010/11/28 14:29:57 | 006,153,352 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\User\Desktop\mbam-setup-1.46.exe
[2010/11/28 13:55:26 | 000,000,000 | ---D | C] -- C:\_OTM
[2010/11/28 13:51:12 | 000,519,680 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\User\Desktop\OTM.exe
[2010/11/28 13:14:55 | 000,014,592 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\kbdhid.sys
[2010/11/28 09:32:02 | 000,575,488 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\User\Desktop\OTL.exe
[2010/11/21 15:02:47 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Apple Computer
[2010/11/16 00:17:42 | 000,000,000 | ---D | C] -- C:\Program Files\iPod
[2010/11/16 00:17:20 | 000,000,000 | ---D | C] -- C:\Program Files\iTunes
[2010/11/08 16:38:25 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\NtmsData
========== Files - Modified Within 30 Days ==========
[2010/11/28 14:48:50 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/11/28 14:48:19 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/11/28 14:48:17 | 670,113,792 | -HS- | M] () -- C:\hiberfil.sys
[2010/11/28 14:29:57 | 006,153,352 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\User\Desktop\mbam-setup-1.46.exe
[2010/11/28 14:12:26 | 000,000,698 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\HOSTS
[2010/11/28 13:51:13 | 000,519,680 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\User\Desktop\OTM.exe
[2010/11/28 11:00:40 | 000,353,485 | ---- | M] () -- C:\Documents and Settings\User\Desktop\HostsXpert.zip
[2010/11/28 09:32:03 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\User\Desktop\OTL.exe
[2010/11/27 23:17:02 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2010/11/22 21:45:23 | 000,056,320 | ---- | M] () -- C:\Documents and Settings\User\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/11/20 23:41:03 | 000,000,572 | ---- | M] () -- C:\Documents and Settings\User\My Documents\spider.sav
[2010/11/16 00:18:42 | 000,001,542 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk
[2010/11/08 17:43:16 | 000,432,664 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/11/08 17:43:16 | 000,067,428 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
========== Files Created - No Company Name ==========
[2010/11/28 11:00:38 | 000,353,485 | ---- | C] () -- C:\Documents and Settings\User\Desktop\HostsXpert.zip
[2010/11/20 23:41:03 | 000,000,572 | ---- | C] () -- C:\Documents and Settings\User\My Documents\spider.sav
[2010/11/16 00:18:42 | 000,001,542 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk
[2010/09/09 21:51:58 | 000,005,335 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2010/01/20 20:42:46 | 000,000,069 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2010/01/17 20:46:15 | 000,076,407 | ---- | C] () -- C:\Documents and Settings\User\Application Data\Smiley.ico
[2010/01/16 10:54:43 | 000,056,320 | ---- | C] () -- C:\Documents and Settings\User\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/01/15 22:07:34 | 000,021,504 | ---- | C] () -- C:\WINDOWS\jestertb.dll
[2010/01/09 02:07:00 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2003/10/06 14:16:00 | 000,027,136 | ---- | C] () -- C:\WINDOWS\System32\nvcod.dll
< End of report >
chas7605
2010-11-28, 22:00
All processes killed
========== OTL ==========
No active process named explorer.exe was found!
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{D4027C7F-154A-4066-A1AD-4243D8127440} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D4027C7F-154A-4066-A1AD-4243D8127440}\ not found.
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
========== FILES ==========
========== COMMANDS ==========
[EMPTYTEMP]
User: All Users
User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes
User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
User: User
->Temp folder emptied: 241644 bytes
->Temporary Internet Files folder emptied: 4656456 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 0 bytes
%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 483 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 0 bytes
Total Files Cleaned = 5.00 mb
OTL by OldTimer - Version 3.2.17.3 log created on 11282010_144704
Files\Folders moved on Reboot...
C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\CM5DC3JX\showthread[2].htm moved successfully.
C:\Documents and Settings\User\Local Settings\Temporary Internet Files\AntiPhishing\2CEDBFBC-DBA8-43AA-B1FD-CC8E6316E3E2.dat moved successfully.
Registry entries deleted on Reboot...
:bigthumb:
Please run this free online virus scanner from ESET (http://www.eset.com/onlinescan/)
Note: You will need to use Internet explorer for this scan
Tick the box next to YES, I accept the Terms of Use.
Click Start
When asked, allow the activex control to install
Click Start
Make sure that the option Remove found threats is ticked, and the option Scan unwanted applications is checked
Click Scan
Wait for the scan to finish
Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
Copy and paste that log as a reply to this topic
chas7605
2010-11-28, 23:23
ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=023e786a9d23094086b137d8bc000bb9
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-11-28 10:16:31
# local_time=2010-11-28 04:16:31 (-0600, Central Standard Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=1797 16775126 100 0 0 0 25807053 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=45584
# found=79
# cleaned=79
# scan_time=3317
C:\Documents and Settings\All Users\Application Data\26be784\236.mof Win32/RogueAV.A trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\drivers\etc\hosts.20100909-225135.backup Win32/Qhost trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\drivers\etc\hosts.20100909-225141.backup Win32/Qhost trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\drivers\etc\hosts.20100909-225142.backup Win32/Qhost trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\drivers\etc\hosts.20100909-225144.backup Win32/Qhost trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\drivers\etc\hosts.20100909-225148.backup Win32/Qhost trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\drivers\etc\hosts.20100909-225149.backup Win32/Qhost trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\drivers\etc\hosts.20100909-225150.backup Win32/Qhost trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\drivers\etc\hosts.20100909-225151.backup Win32/Qhost trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\drivers\etc\hosts.20100909-225243.backup Win32/Qhost trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\drivers\etc\hosts.20100909-225245.backup Win32/Qhost trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\drivers\etc\hosts.20100909-225301.backup Win32/Qhost trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\drivers\etc\hosts.20100909-225303.backup Win32/Qhost trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\drivers\etc\hosts.20100909-225304.backup Win32/Qhost trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\drivers\etc\hosts.20100909-225307.backup Win32/Qhost trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\drivers\etc\hosts.20100909-225308.backup Win32/Qhost trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\drivers\etc\hosts.20100909-225309.backup Win32/Qhost trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\drivers\etc\hosts.20100909-225316.backup Win32/Qhost trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\drivers\etc\hosts.20100909-225409.backup Win32/Qhost trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\drivers\etc\hosts.20100909-225423.backup Win32/Qhost trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\drivers\etc\hosts.20100909-225424.backup Win32/Qhost trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\drivers\etc\hosts.20100909-225425.backup Win32/Qhost trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\drivers\etc\hosts.20100909-225426.backup Win32/Qhost trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\drivers\etc\hosts.20100909-225427.backup Win32/Qhost trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\drivers\etc\hosts.20100909-225428.backup Win32/Qhost trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\drivers\etc\hosts.20100909-225429.backup Win32/Qhost trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\drivers\etc\hosts.20100909-225431.backup Win32/Qhost trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\drivers\etc\hosts.20100909-225659.backup Win32/Qhost trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\drivers\etc\hosts.20100909-225741.backup Win32/Qhost trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\drivers\etc\hosts.20100909-225943.backup Win32/Qhost trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\drivers\etc\hosts.20100909-225945.backup Win32/Qhost trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\drivers\etc\hosts.20100909-225946.backup Win32/Qhost trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\drivers\etc\hosts.20100909-225947.backup Win32/Qhost trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\drivers\etc\hosts.20100909-225948.backup Win32/Qhost trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\drivers\etc\hosts.20100909-225949.backup Win32/Qhost trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\drivers\etc\hosts.20100909-225950.backup Win32/Qhost trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\drivers\etc\hosts.20100909-225951.backup Win32/Qhost trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\drivers\etc\hosts.20100909-225952.backup Win32/Qhost trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\drivers\etc\hosts.20101009-123324.backup Win32/Qhost trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\drivers\etc\hosts.20101009-123329.backup Win32/Qhost trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\drivers\etc\hosts.20101009-123331.backup Win32/Qhost trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\drivers\etc\hosts.20101009-123332.backup Win32/Qhost trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\drivers\etc\hosts.20101009-123333.backup Win32/Qhost trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\drivers\etc\hosts.20101009-123334.backup Win32/Qhost trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\drivers\etc\hosts.20101009-123335.backup Win32/Qhost trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\drivers\etc\hosts.20101009-123336.backup Win32/Qhost trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\drivers\etc\hosts.20101009-123405.backup Win32/Qhost trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\drivers\etc\hosts.20101009-123408.backup Win32/Qhost trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\drivers\etc\hosts.20101009-123409.backup Win32/Qhost trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\drivers\etc\hosts.20101009-123410.backup Win32/Qhost trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\drivers\etc\hosts.20101009-123411.backup Win32/Qhost trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\drivers\etc\hosts.20101009-123412.backup Win32/Qhost trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\drivers\etc\hosts.20101009-123413.backup Win32/Qhost trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\drivers\etc\hosts.20101009-123414.backup Win32/Qhost trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\drivers\etc\hosts.20101009-123415.backup Win32/Qhost trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\drivers\etc\hosts.20101009-123416.backup Win32/Qhost trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\drivers\etc\hosts.20101009-123417.backup Win32/Qhost trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\drivers\etc\hosts.20101009-123526.backup Win32/Qhost trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\drivers\etc\hosts.20101009-123630.backup Win32/Qhost trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\drivers\etc\hosts.20101009-123631.backup Win32/Qhost trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\drivers\etc\hosts.20101009-123632.backup Win32/Qhost trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\drivers\etc\hosts.20101009-123633.backup Win32/Qhost trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\drivers\etc\hosts.20101009-123634.backup Win32/Qhost trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\drivers\etc\hosts.20101009-123635.backup Win32/Qhost trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\drivers\etc\hosts.20101009-123636.backup Win32/Qhost trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\drivers\etc\hosts.20101009-123637.backup Win32/Qhost trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\drivers\etc\hosts.20101009-123638.backup Win32/Qhost trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\drivers\etc\hosts.20101009-123639.backup Win32/Qhost trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\drivers\etc\hosts.20101009-123640.backup Win32/Qhost trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\drivers\etc\hosts.20101009-124104.backup Win32/Qhost trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\drivers\etc\hosts.20101009-132333.backup Win32/Qhost trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\drivers\etc\hosts.20101009-132334.backup Win32/Qhost trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\drivers\etc\hosts.20101009-132335.backup Win32/Qhost trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\drivers\etc\hosts.20101009-132336.backup Win32/Qhost trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\drivers\etc\hosts.20101009-132337.backup Win32/Qhost trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\drivers\etc\hosts.20101009-132338.backup Win32/Qhost trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\drivers\etc\hosts.20101009-132339.backup Win32/Qhost trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\drivers\etc\hosts.20101009-132340.backup Win32/Qhost trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\_OTM\MovedFiles\11282010_135526\c_windows\system32\drivers\etc\hosts Win32/Qhost trojan (cleaned by deleting (after the next restart) - quarantined) 00000000000000000000000000000000 C
Hi,
All ESET removed was backups of what we removed. How are things running now ?
chas7605
2010-11-29, 03:05
Hi,
Things are running great, now. Internet Explorer isn't being redirected to an "off" site that I didn't want. Thanks, again, for all of your help.
Sincerely,
Leon
Your very welcome. Glad things are better .
Open OTL and click on the Cleanup Tab and it will remove most of the tools we used to clean your system along with there backups
How did I get infected in the first place ?
Read these links and find out how to prevent getting infected again.
Tutorial for System Restore (http://www.bleepingcomputer.com/tutorials/tutorial56.html) <-- Do this first to prevent yourself from being reinfected.
WhattheTech (http://forums.whatthetech.com/So_how_did_I_get_infected_in_the_first_place_t57817.html)
Grinler BleepingComputer (http://www.bleepingcomputer.com/forums/topic2520.html)
GeeksTo Go (http://www.geekstogo.com/forum/index.php?autocom=custom&page=How_did_I)
Dslreports (http://www.dslreports.com/faq/10002)
Safe Surfn
Ken
Since this issue appears to be resolved ... this Topic has been closed. Glad I could help.