
Thread: virtumonde and Microsoft.Windows.RedirectedHosts

  1. #11 (Senior Member)

    OK, doing it now.

  2. #12 (Senior Member)

    Do I need to restart my comp after running HostsXpert and before running HJT?

  3. #13 (Security Expert: Emeritus, Finland)

    No, it's not necessary.
    Microsoft MVP Consumer Security 2008-2011

    Member of ASAP and UNITE since 2006

  4. #14 (Senior Member)

    HostsXpert

    I opened HostsXpert and
    clicked "Make Hosts Writable?" in the upper left corner (if available) and
    clicked "Restore MS Hosts File" and then clicked OK and
    closed HostsXpert.

    Is that it, and is it supposed to run or something before I do HJT?

  5. #15 (Security Expert: Emeritus, Finland)

    That is fine, just post the HijackThis log now.

    It is supposed to run only once.

  6. #16 (Senior Member)

    HJT after HostsXpert

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 12:48:20 PM, on 9/10/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16674)
    Boot mode: Safe mode with network support

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    C:\Program Files\McAfee\MPF\MPFSrv.exe
    C:\WINDOWS\Explorer.EXE
    c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    C:\WINDOWS\system32\taskmgr.exe
    c:\PROGRA~1\mcafee\msc\mcuimgr.exe
    C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn6\yt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: (no name) - {FC64D173-5A2F-4840-991D-CE64FAD8D132} - (no file)
    O3 - Toolbar: (no name) - {3FCAEB7D-F8AE-4A67-AE6C-57EE1416BB6D} - (no file)
    O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
    O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck /autofix
    O4 - HKLM\..\Run: [c017ea80] rundll32.exe "C:\WINDOWS\system32\qinsppmn.dll",b
    O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
    O4 - HKLM\..\RunOnce: [SpybotDeletingA5531] command /c del "C:\WINDOWS\kvxqmtre.dll_tobedeleted_old"
    O4 - HKLM\..\RunOnce: [SpybotDeletingC2634] cmd /c del "C:\WINDOWS\kvxqmtre.dll_tobedeleted_old"
    O4 - HKLM\..\RunOnce: [SpybotDeletingA232] command /c del "C:\WINDOWS\qndsfmao.dll_tobedeleted_old"
    O4 - HKLM\..\RunOnce: [SpybotDeletingC1672] cmd /c del "C:\WINDOWS\qndsfmao.dll_tobedeleted_old"
    O4 - HKLM\..\RunOnce: [SpybotDeletingA3571] command /c del "C:\WINDOWS\evgratsm.dll_tobedeleted_old"
    O4 - HKLM\..\RunOnce: [SpybotDeletingC2534] cmd /c del "C:\WINDOWS\evgratsm.dll_tobedeleted_old"
    O4 - HKLM\..\RunOnce: [Spybot - Search & Destroy] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
    O4 - HKLM\..\RunOnce: [SpybotDeletingA4453] command /c del "C:\WINDOWS\SYSTEM32\urqomJcY.dll"
    O4 - HKLM\..\RunOnce: [SpybotDeletingC9521] cmd /c del "C:\WINDOWS\SYSTEM32\urqomJcY.dll"
    O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck /autofix
    O4 - HKLM\..\RunOnce: [SpybotDeletingA8264] command /c del "C:\WINDOWS\SYSTEM32\urqomJcY.dll"
    O4 - HKLM\..\RunOnce: [SpybotDeletingC576] cmd /c del "C:\WINDOWS\SYSTEM32\urqomJcY.dll"
    O4 - HKLM\..\RunOnce: [SpybotDeletingA5940] command /c del "C:\WINDOWS\SYSTEM32\urqomJcY.dll"
    O4 - HKLM\..\RunOnce: [SpybotDeletingC7399] cmd /c del "C:\WINDOWS\SYSTEM32\urqomJcY.dll"
    O4 - HKLM\..\RunOnce: [SpybotDeletingA9537] command /c del "C:\WINDOWS\SYSTEM32\urqomJcY.dll"
    O4 - HKLM\..\RunOnce: [SpybotDeletingC8890] cmd /c del "C:\WINDOWS\SYSTEM32\urqomJcY.dll"
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
    O4 - HKCU\..\RunOnce: [SpybotDeletingB4667] command /c del "C:\WINDOWS\kvxqmtre.dll_tobedeleted_old"
    O4 - HKCU\..\RunOnce: [SpybotDeletingD7274] cmd /c del "C:\WINDOWS\kvxqmtre.dll_tobedeleted_old"
    O4 - HKCU\..\RunOnce: [SpybotDeletingB4151] command /c del "C:\WINDOWS\qndsfmao.dll_tobedeleted_old"
    O4 - HKCU\..\RunOnce: [SpybotDeletingD4275] cmd /c del "C:\WINDOWS\qndsfmao.dll_tobedeleted_old"
    O4 - HKCU\..\RunOnce: [SpybotDeletingB4180] command /c del "C:\WINDOWS\evgratsm.dll_tobedeleted_old"
    O4 - HKCU\..\RunOnce: [SpybotDeletingD7308] cmd /c del "C:\WINDOWS\evgratsm.dll_tobedeleted_old"
    O4 - HKCU\..\RunOnce: [SpybotDeletingB6564] command /c del "C:\WINDOWS\SYSTEM32\urqomJcY.dll"
    O4 - HKCU\..\RunOnce: [SpybotDeletingD8526] cmd /c del "C:\WINDOWS\SYSTEM32\urqomJcY.dll"
    O4 - HKCU\..\RunOnce: [SpybotDeletingB4805] command /c del "C:\WINDOWS\SYSTEM32\urqomJcY.dll"
    O4 - HKCU\..\RunOnce: [SpybotDeletingD7643] cmd /c del "C:\WINDOWS\SYSTEM32\urqomJcY.dll"
    O4 - HKCU\..\RunOnce: [SpybotDeletingB6494] command /c del "C:\WINDOWS\SYSTEM32\urqomJcY.dll"
    O4 - HKCU\..\RunOnce: [SpybotDeletingD5302] cmd /c del "C:\WINDOWS\SYSTEM32\urqomJcY.dll"
    O4 - HKCU\..\RunOnce: [] C:\Program Files\Internet Explorer\iexplore.exe http://www.symantec.com/techsupp/ser...build=Symantec
    O4 - HKCU\..\RunOnce: [MISPInst] "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\McInstallTemp\Install.exe" /Resume /Restart
    O4 - HKCU\..\RunOnce: [SpybotDeletingB5126] command /c del "C:\WINDOWS\SYSTEM32\urqomJcY.dll"
    O4 - HKCU\..\RunOnce: [SpybotDeletingD9891] cmd /c del "C:\WINDOWS\SYSTEM32\urqomJcY.dll"
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\npjpi160_05.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\npjpi160_05.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} -
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z.net/content.info...TunesSetup.exe
    O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - (no file)
    O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
    O20 - AppInit_DLLs: afioqv.dll
    O21 - SSODL: kvxqmtre - {E4475E2C-522F-439A-9A9E-E82007264E9D} - (no file)
    O21 - SSODL: evgratsm - {6373CF60-D7F2-4694-B8A3-F193FEE33C0F} - (no file)
    O23 - Service: McAfee Application Installer Cleanup (0180121220775799) (0180121220775799mcinstcleanup) - Unknown owner - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\018012~1.EXE (file missing)
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
    O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
    O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
    O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
    O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\McShield.exe
    O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
    O23 - Service: Aventail VPN Client (NgVpnMgr) - Aventail Corporation - C:\WINDOWS\system32\ngvpnmgr.exe
    O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
    O23 - Service: Microsoft WMI Performance Adapter AddOn (WMIPerAddOn) - Unknown owner - C:\WINDOWS\wmiapsrv.exe (file missing)

    --
    End of file - 11533 bytes
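A small triage script, added here as an example and not part of the thread or of any tool the helpers use, that parses a handful of lines reproduced from the HijackThis log above and flags the kinds of entries a removal helper reads first: orphaned "(no file)" entries, any AppInit_DLLs value, and Run keys where rundll32 loads a DLL with a generated-looking name. The eight-lowercase-letter DLL name and hex-looking value name heuristics are assumptions of mine, not HijackThis rules.

```python
import re

# A subset of the HijackThis log posted above, reproduced as sample input.
SAMPLE_LOG = r"""
O3 - Toolbar: (no name) - {FC64D173-5A2F-4840-991D-CE64FAD8D132} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [c017ea80] rundll32.exe "C:\WINDOWS\system32\qinsppmn.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - AppInit_DLLs: afioqv.dll
O21 - SSODL: kvxqmtre - {E4475E2C-522F-439A-9A9E-E82007264E9D} - (no file)
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
"""

ENTRY_RE = re.compile(r"^(O\d+|R\d) - (.*)$")
RUNKEY_RE = re.compile(r"^HK(LM|CU)\\\.\.\\Run(Once)?: \[([^\]]*)\]")
# rundll32 loading a DLL, quoted or not; group 1 is the DLL path.
RUNDLL_RE = re.compile(r'rundll32\.exe\s+"?([^",]+\.dll)"?', re.IGNORECASE)
# Heuristics (my assumptions, not HijackThis rules): an eight-lowercase-letter
# DLL name and a hex-looking Run value name both look machine-generated.
RANDOM_DLL_RE = re.compile(r"^[a-z]{8}$")
HEX_VALUE_RE = re.compile(r"^[0-9a-f]{8}$")

def parse(log):
    """Yield (section, body) for every HijackThis entry line."""
    for raw in log.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            yield m.group(1), m.group(2)

def triage(log):
    """Return (section, reason, body) for entries a helper would look at first."""
    findings = []
    for section, body in parse(log):
        if section in ("O3", "O9", "O21") and body.endswith("(no file)"):
            findings.append((section, "orphaned entry, no file on disk", body))
        elif section == "O20" and body.startswith("AppInit_DLLs:") and body.split(":", 1)[-1].strip():
            findings.append((section, "AppInit_DLLs injects a DLL into every GUI process", body))
        elif section == "O4":
            key, dll = RUNKEY_RE.match(body), RUNDLL_RE.search(body)
            if dll:
                dll_name = dll.group(1).replace("\\", "/").rsplit("/", 1)[-1][:-4]
                hex_key = bool(key) and bool(HEX_VALUE_RE.match(key.group(3)))
                if RANDOM_DLL_RE.match(dll_name) or hex_key:
                    findings.append((section, "rundll32 loads a randomly named DLL", body))
    return findings

if __name__ == "__main__":
    for section, reason, body in triage(SAMPLE_LOG):
        print(f"{section}: {reason}\n    {body}")
```

These are triage hints only; a flagged line still needs the file checked on disk before anything is removed.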

  7. #17 (Security Expert: Emeritus, Finland)

    Create a folder of its own for HijackThis on the desktop and move it there.

    Rename HijackThis.exe to orleans.exe.

    We will continue with ComboFix. Please visit this webpage for download links, and instructions for running the tool:

    http://www.bleepingcomputer.com/comb...o-use-combofix

    Please ensure you read this guide carefully and install the Recovery Console first.

    The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

    Once installed, you should see a blue screen prompt that says:

    The Recovery Console was successfully installed.

    Please continue as follows:

    1. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix (link).
      Remember to re-enable them afterwards.

    2. Click Yes to allow ComboFix to continue scanning for malware.


    When the tool is finished, it will produce a report for you.

    Please include the following reports for further review, and so we may continue cleansing the system:

    C:\ComboFix.txt
    New HijackThis log.


    A word of warning: Please do not run ComboFix on your own. This tool is not a toy and not for everyday use.

  8. #18 (Senior Member)

    ComboFix

    Sorry for the delay.

    ComboFix doesn't "seem" to be absorbing the boot disk as in the picture. I am getting a prompt "Open File - Security Warning"; should I click Run?

    A little nervous about messing this up.

  9. #19 (Security Expert: Emeritus, Finland)

    Yes, Run should be fine.

  10. #20 (Senior Member)

    I've got a blue screen saying ComboFix is preparing to run, not that recovery was installed, and Spybot keeps trying to open.
