Microsoft. Windows.RedirectedHosts

[iCharles]

I am running Vista Home Edition, SP1.

It first happened when I installed Unlocker 1.8.7. After I finished installing, I restarted my PC and found an ebayShortcuts.exe in my desktop. Being curious, I ran it and it went to "adon_demand" website which gave me a hint that I'm already infected. Scared, I deleted all ebayShortcuts.exe in my PC and then ran Sybot S&D 1.6.2 and it detected the RedirectedHosts, then when I clicked "Fix selected problems" a message popped out that said "Unexpected error in fixing problems (Cannot create file "C:\Windows\System32\drivers\etc\hosts". Access is denied)".


Logfile of HijackThis v1.99.1
Scan saved at 12:13:23 PM, on 28/10/2009
Platform: Unknown Windows (WinNT 6.00.1905 SP1)
MSIE: Internet Explorer v7.00 (7.00.6001.18319)

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\rundll32.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\mobsync.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Users\User\Documents\INSTALLER\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O1 - Hosts: ::1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nlaapi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\napinsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O11 - Options group: [INTERNATIONAL] International*
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: @%SystemRoot%\ehome\ehstart.dll,-101 (ehstart) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Hotspot Shield Service (HotspotShieldService) - Unknown owner - C:\Program Files\Hotspot Shield\bin\openvpnas.exe
O23 - Service: Hotspot Shield Routing Service (HssSrv) - AnchorFree Inc. - C:\Program Files\Hotspot Shield\HssWPR\hsssrv.exe
O23 - Service: Hotspot Shield Tray Service (HssTrayService) - Unknown owner - C:\Program Files\Hotspot Shield\bin\HssTrayService.EXE
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Protexis Licensing V2 (PSI_SVC_2) - Protexis Inc. - c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
O23 - Service: @%SystemRoot%\system32\qwave.dll,-1 (QWAVE) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: @%SystemRoot%\system32\seclogon.dll,-7001 (seclogon) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - %ProgramFiles%\Windows Media Player\wmpnetwk.exe (file missing)


Any help will be greatly appreciated. Thanks.
-Charles

 

[Blade81]

Hi Charles,

Open notepad and then copy and paste the bolded lines below into it. Go to File > save as and name the file fixes.bat, change the Save as type to all files and save it to your desktop.
@echo off
type C:\Windows\System32\drivers\etc\hosts >c:\hostsCheck.txt
del %0

Right-click on fixes.bat file and select 'run as administrator' to execute it. Attach c:\hostsCheck.txt file to your post.

 

[iCharles]

Thanks Blade81.

 

[Blade81]

Ok. There seem to be some bad entries there. Let's take a closer look into system.

Download DDS and save it to your desktop from here or here or here.
Disable any script blocker, and then double click dds.scr to run the tool.

• When done, DDS will open two (2) logs:
  1. DDS.txt
  2. Attach.txt
• Save both reports to your desktop. Post them back to your topic.

Download GMER here by clicking download exe -button and then saving it your desktop:

• Double-click .exe that you downloaded
• Click rootkit-tab and then scan.
• Don't check
  Show All
  box while scanning in progress!
• When scanning is ready, click Copy.
• This copies log to clipboard
• Attach log in your reply (archive into zip file if needed).

 

[iCharles]

DDS (Ver_09-10-26.01) - NTFSx86
Run by User at 9:00:51.60 on Tue 03/11/2009
Internet Explorer: 7.0.6001.18000 BrowserJavaVersion: 1.6.0_16
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.61.1033.18.2047.1206 [GMT 8:00]

AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
SP: AntiVir Desktop *enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
SP: Spybot - Search and Destroy *enabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Windows\System32\rundll32.exe
C:\Users\User\AppData\Local\Google\Update\1.2.183.13\GoogleCrashHandler.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Hotspot Shield\bin\openvpnas.exe
C:\Windows\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Hotspot Shield\HssWPR\hsssrv.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Windows\system32\WUDFHost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehRecvr.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\User\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
TB: Windows Live Toolbar: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} -
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [Google Update] "c:\users\user\appdata\local\google\update\GoogleUpdate.exe" /c
mRun: [NvSvc] RUNDLL32.EXE c:\windows\system32\nvsvc.dll,nvsvcStart
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mPolicies-system: ConsentPromptBehaviorUser = 2 (0x2)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab

================= FIREFOX ===================

FF - ProfilePath - c:\users\user\appdata\roaming\mozilla\firefox\profiles\bjb30s8d.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/firefox?client=firefox-a&rls=org.mozilla:en-USfficial
FF - plugin: c:\users\user\appdata\local\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-9-29 108289]
R2 HssSrv;Hotspot Shield Routing Service;c:\program files\hotspot shield\hsswpr\hsssrv.exe [2009-10-2 331824]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2009-10-10 1153368]
R3 HssDrv;Hotspot Shield Helper Miniport;c:\windows\system32\drivers\HssDrv.sys [2009-9-16 37376]
R3 taphss;Anchorfree HSS Adapter;c:\windows\system32\drivers\taphss.sys [2009-9-16 32768]
R3 VMHybrid;VMHybrid service;c:\windows\system32\drivers\VMHybrid.sys [2008-5-7 1059072]
S3 HssTrayService;Hotspot Shield Tray Service;c:\program files\hotspot shield\bin\HssTrayService.exe [2009-10-2 57640]
S3 VST_DPV;VST_DPV;c:\windows\system32\drivers\VSTDPV3.SYS [2006-11-2 987648]
S3 VSTHWBS2;VSTHWBS2;c:\windows\system32\drivers\VSTBS23.SYS [2006-11-2 251904]

=============== Created Last 30 ================

2009-11-02 06:44:26 77312 ----a-w- c:\windows\MBR.exe
2009-11-02 06:44:25 98816 ----a-w- c:\windows\sed.exe
2009-11-02 06:44:25 236544 ----a-w- c:\windows\PEV.exe
2009-11-02 06:44:25 161792 ----a-w- c:\windows\SWREG.exe
2009-10-28 02:23:49 310784 ----a-w- c:\windows\system32\unregmp2.exe
2009-10-28 02:23:45 8147456 ----a-w- c:\windows\system32\wmploc.DLL
2009-10-26 02:56:13 0 d-----w- C:\$RECYCLE.BIN
2009-10-24 00:14:48 0 d-----w- c:\program files\Unlocker
2009-10-18 11:02:42 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_00_00.Wdf
2009-10-14 05:36:46 428544 ----a-w- c:\windows\system32\EncDec.dll
2009-10-14 05:36:46 217088 ----a-w- c:\windows\system32\psisrndr.ax
2009-10-14 05:36:44 80896 ----a-w- c:\windows\system32\MSNP.ax
2009-10-14 05:36:44 293376 ----a-w- c:\windows\system32\psisdecd.dll
2009-10-14 05:36:44 177664 ----a-w- c:\windows\system32\mpg2splt.ax
2009-10-14 03:25:30 213504 ----a-w- c:\windows\system32\msv1_0.dll
2009-10-14 03:25:30 175104 ----a-w- c:\windows\system32\wdigest.dll
2009-10-14 03:25:29 439896 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2009-10-14 03:25:29 1256448 ----a-w- c:\windows\system32\lsasrv.dll
2009-10-14 03:25:28 9728 ----a-w- c:\windows\system32\lsass.exe
2009-10-14 03:25:28 72704 ----a-w- c:\windows\system32\secur32.dll
2009-10-14 03:22:40 72192 ----a-w- c:\windows\system32\drivers\pacer.sys
2009-10-14 03:22:40 15360 ----a-w- c:\windows\system32\pacerprf.dll
2009-10-14 03:17:27 3597896 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-10-14 03:17:27 3546184 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-10-13 15:23:30 0 d-----w- C:\PerfLogs
2009-10-13 14:34:26 0 d-----w- c:\programdata\Avg7
2009-10-13 04:01:01 0 d-----w- c:\users\user\appdata\roaming\Malwarebytes
2009-10-13 04:00:57 0 d-----w- c:\programdata\Malwarebytes
2009-10-13 03:01:44 691712 ----a-w- c:\windows\isRS-000.tmp
2009-10-13 02:40:01 0 d---a-w- c:\programdata\TEMP
2009-10-10 01:41:00 89360 ----a-w- c:\windows\system32\VB5DB.DLL
2009-10-09 23:13:19 0 d-----w- c:\programdata\Spybot - Search & Destroy
2009-10-09 23:13:19 0 d-----w- c:\program files\Spybot - Search & Destroy
2009-10-09 23:04:12 0 d-----w- c:\program files\CCleaner
2009-10-09 22:55:57 0 d-----w- c:\program files\Eusing Free Registry Cleaner
2009-10-09 22:33:42 0 d-----w- c:\program files\Trend Micro
2009-10-09 13:26:23 0 d-----w- c:\windows\pss
2009-10-09 11:53:44 0 d-sh--w- c:\programdata\cad9f57
2009-10-09 11:07:44 0 d-----w- c:\users\user\Battlefield 1942
2009-10-09 08:17:47 0 d-----w- C:\Hotspot Shield
2009-10-09 08:13:29 0 d-----w- c:\program files\Hotspot Shield
2009-10-07 00:43:10 0 d-----w- C:\Old PC Games

==================== Find3M ====================

2009-10-13 15:32:33 174 --sha-w- c:\program files\desktop.ini
2009-10-13 15:30:23 86016 ----a-w- c:\windows\inf\infstrng.dat
2009-10-13 15:30:23 86016 ----a-w- c:\windows\inf\infstor.dat
2009-10-13 15:30:23 51200 ----a-w- c:\windows\inf\infpub.dat
2009-10-13 15:23:27 665600 ----a-w- c:\windows\inf\drvindex.dat
2009-10-13 15:13:35 101888 ----a-w- c:\windows\system32\ifxcardm.dll
2009-10-13 15:13:32 82432 ----a-w- c:\windows\system32\axaltocm.dll
2009-10-05 05:13:52 2516 --sha-w- c:\programdata\KGyGaAvL.sys
2009-10-01 02:29:14 195440 ------w- c:\windows\system32\MpSigStub.exe
2009-09-28 23:46:54 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-09-15 20:04:58 37376 ----a-w- c:\windows\system32\drivers\HssDrv.sys
2009-09-15 20:04:58 32768 ----a-w- c:\windows\system32\drivers\taphss.sys
2009-09-14 09:44:57 144896 ----a-w- c:\windows\system32\drivers\srv2.sys
2009-09-04 12:24:34 61440 ----a-w- c:\windows\system32\msasn1.dll
2009-08-28 12:39:07 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2009-08-28 10:15:30 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2009-08-27 13:32:41 833024 ----a-w- c:\windows\system32\wininet.dll
2009-08-27 13:29:25 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-08-27 10:58:58 26624 ----a-w- c:\windows\system32\ieUnatt.exe
2009-08-17 15:33:52 1193832 ----a-w- c:\windows\system32\FM20.DLL
2009-08-14 16:29:41 17920 ----a-w- c:\windows\system32\netevent.dll
2009-08-14 16:29:41 104960 ----a-w- c:\windows\system32\netiohlp.dll
2009-08-14 14:16:55 9728 ----a-w- c:\windows\system32\TCPSVCS.EXE
2009-08-14 14:16:55 17920 ----a-w- c:\windows\system32\ROUTE.EXE
2009-08-14 14:16:52 11264 ----a-w- c:\windows\system32\MRINFO.EXE
2009-08-14 14:16:51 27136 ----a-w- c:\windows\system32\NETSTAT.EXE
2009-08-14 14:16:50 19968 ----a-w- c:\windows\system32\ARP.EXE
2009-08-14 14:16:49 8704 ----a-w- c:\windows\system32\HOSTNAME.EXE
2009-08-14 14:16:49 10240 ----a-w- c:\windows\system32\finger.exe
2009-08-07 01:45:15 2421760 ----a-w- c:\windows\system32\wucltux.dll
2009-08-07 01:44:40 87552 ----a-w- c:\windows\system32\wudriver.dll
2009-08-06 11:23:06 171608 ----a-w- c:\windows\system32\wuwebv.dll
2009-08-06 10:44:46 33792 ----a-w- c:\windows\system32\wuapp.exe
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-05-01 07:22:12 16384 --sha-w- c:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\history\history.ie5\index.dat
2009-05-01 07:22:12 32768 --sha-w- c:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat
2009-05-01 07:22:12 16384 --sha-w- c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\windows\cookies\index.dat

============= FINISH: 9:01:58.69 ===============

 

[iCharles]

Sorry, I posted the above 2 logs first because GMER took a long time scanning.

 

[Blade81]

Hi,

Download the HostsXpert.

* Unzip HostsXpert to a convenient folder such as C:\HostsXpert
* Right click HostsXpert.exe and select 'run as administrator' to Run HostsXpert from its new home
* Click
Make Hosts Writable?
in the upper right corner (If available).
* Click Restore Microsoft's Hosts file and then click OK.
* Click the X to exit the program.
* Note: If you were using a custom Hosts file you will need to replace any of those entries yourself.



Uninstall old Adobe Reader versions and get the latest one (9.2) here or get Foxit Reader here. Make sure you don't install toolbar if choose Foxit Reader! You may also check free readers introduced here.


Check here to see if your Flash is up-to-date (do it separately with each of your browsers). If not, uninstall vulnerable versions by following instructions here. Fresh version can be obtained here.

After that, run the batch in my first post again and attach the results.

 

[iCharles]

Hi Blade81,

When running HostsXpert(right-click Run as Administrator), a message popped up that says:

Your HOSTS file is marked as a "system file" and can NOT be manipulated. Press OK to remove the system file attribute, CANCEL to Quit.

***HostsXpert will NOT reset these attributes.***

I don't know what to do with it so I clicked cancel. Should I click OK? I'm not a very computer savvy so I will need your confirmation on this, sorry.

Ok I uninstalled Adobe Reader and installed a fresh updated version 9.2, also my flash is up-to-date with version 10,0,32,18.

I need your confirmation with HostsXpert before continuing with the batch file, sorry.

 

[iCharles]

Thanks for the reply Blade81.

When running HostsXpert(right-click Run as Administrator), a message popped up that says:

Your HOSTS file is marked as a "system file" and can NOT be manipulated. Press OK to remove the system file attribute, CANCEL to Quit.

***HostsXpert will NOT reset these attributes.***

I don't know what to do with it so I clicked cancel. Should I click OK? I'm not a very computer savvy so I will need your confirmation on this, sorry.

Ok I uninstalled Adobe Reader and installed a fresh updated version 9.2, also my flash is up-to-date with version 10,0,32,18.

I need your confirmation with HostsXpert before continuing with the batch file, sorry.

By the way, I didn't edit/add any entries to the Hosts file before.

 

[Blade81]

Click OK to that question.

 

[iCharles]

Thanks for the reply Blade81.

I clicked OK then clicked the "Make Writeable?" button, then clicked the "Restore MS hosts File" button and came up with this message.

ERROR: Cannot create file C:\Windows\system32\DRIVERS\ETC\hosts

Attached is the new GMER log.

 

[iCharles]

Sorry for this second post. I mistook GMER for the batch file. Well, here it is.

 

[Blade81]

Hi,

Let's see contents of ComboFix.txt log from earlier ComboFix run (one shouldn't run it unsupervised!).

Are you able to delete C:\Windows\system32\DRIVERS\ETC\hosts file?

 

[iCharles]

Hi Blade81,

I have a weird problem. When I go to C:\Windows\System32\drivers\etc I see a hosts file with no entry but the default localhost. But when I use run and put C:\Windows\System32\drivers\etc\hosts I see a hosts file with the bad entries.

64.86.16.97 google.ae
64.86.16.97 google.as
64.86.16.97 google.at
etc...

I am able to delete the empty hosts file, but when I run C:\Windows\System32\drivers\etc\hosts the hosts file with the bad entries will still pop-up, which is very strange.

Anyway, here's the the combofix log. By the way, my brother used combofix but didn't disable the Anti Virus which then resulted in failure to remove the malware.


ComboFix 09-11-01.04 - User 02/11/2009 14:45.4.2 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.61.1033.18.2047.1249 [GMT 8:00]
Running from: c:\users\User\Documents\INSTALLER\ComboFix.exe
AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
SP: AntiVir Desktop *enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
SP: Spybot - Search and Destroy *disabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\users\User\AppData\Roaming\Desktopicon

.
((((((((((((((((((((((((( Files Created from 2009-10-02 to 2009-11-02 )))))))))))))))))))))))))))))))
.

2009-10-28 04:22 . 2009-10-28 04:22 -------- d-----w- c:\program files\ERUNT
2009-10-28 02:23 . 2009-09-10 15:21 310784 ----a-w- c:\windows\system32\unregmp2.exe
2009-10-28 02:23 . 2009-09-10 15:21 8147456 ----a-w- c:\windows\system32\wmploc.DLL
2009-10-24 00:14 . 2009-10-26 01:54 -------- d-----w- c:\program files\Unlocker
2009-10-14 05:36 . 2009-08-31 13:55 428544 ----a-w- c:\windows\system32\EncDec.dll
2009-10-14 05:36 . 2009-08-31 13:55 293376 ----a-w- c:\windows\system32\psisdecd.dll
2009-10-14 03:25 . 2009-09-10 17:30 213504 ----a-w- c:\windows\system32\msv1_0.dll
2009-10-14 03:25 . 2009-06-15 15:24 175104 ----a-w- c:\windows\system32\wdigest.dll
2009-10-14 03:25 . 2009-06-15 18:20 439896 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2009-10-14 03:25 . 2009-06-15 15:23 1256448 ----a-w- c:\windows\system32\lsasrv.dll
2009-10-14 03:25 . 2009-06-15 15:24 72704 ----a-w- c:\windows\system32\secur32.dll
2009-10-14 03:25 . 2009-06-15 12:57 9728 ----a-w- c:\windows\system32\lsass.exe
2009-10-14 03:22 . 2008-04-05 03:34 15360 ----a-w- c:\windows\system32\pacerprf.dll
2009-10-14 03:22 . 2008-04-05 01:21 72192 ----a-w- c:\windows\system32\drivers\pacer.sys
2009-10-14 03:17 . 2009-08-05 14:22 3597896 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-10-14 03:17 . 2009-08-05 14:22 3546184 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-10-13 15:23 . 2009-10-13 15:23 -------- d-----w- C:\PerfLogs
2009-10-13 14:34 . 2009-10-13 14:34 -------- d-----w- c:\programdata\Avg7
2009-10-13 04:01 . 2009-10-13 04:01 -------- d-----w- c:\users\User\AppData\Roaming\Malwarebytes
2009-10-13 04:00 . 2009-10-13 04:00 -------- d-----w- c:\programdata\Malwarebytes
2009-10-10 01:57 . 2009-10-10 01:58 -------- d-----w- c:\users\User\AppData\Local\AnVir
2009-10-10 01:41 . 1998-06-17 16:00 89360 ----a-w- c:\windows\system32\VB5DB.DLL
2009-10-09 23:13 . 2009-10-26 03:19 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2009-10-09 23:13 . 2009-10-10 01:22 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-10-09 23:04 . 2009-10-09 23:04 -------- d-----w- c:\program files\CCleaner
2009-10-09 22:55 . 2009-10-09 23:01 -------- d-----w- c:\program files\Eusing Free Registry Cleaner
2009-10-09 22:33 . 2009-10-09 22:33 -------- d-----w- c:\program files\Trend Micro
2009-10-09 11:53 . 2009-10-14 00:53 -------- d-sh--w- c:\programdata\cad9f57
2009-10-09 11:07 . 2009-10-09 11:07 -------- d-----w- c:\users\User\Battlefield 1942
2009-10-09 08:17 . 2009-10-09 08:17 -------- d-----w- C:\Hotspot Shield
2009-10-09 08:13 . 2009-11-01 10:59 -------- d-----w- c:\program files\Hotspot Shield
2009-10-07 00:43 . 2009-10-07 00:52 -------- d-----w- C:\Old PC Games

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-31 20:13 . 2008-03-29 00:25 68808 ----a-w- c:\users\User\AppData\Local\GDIPFONTCACHEV1.DAT
2009-10-30 20:17 . 2008-08-23 01:22 -------- d-----w- c:\programdata\Microsoft Help
2009-10-30 20:16 . 2008-08-23 01:24 -------- d-----w- c:\program files\Microsoft Works
2009-10-18 11:02 . 2009-10-18 11:02 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_00_00.Wdf
2009-10-15 00:54 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2009-10-13 15:34 . 2008-03-29 04:15 -------- d-----w- c:\programdata\NVIDIA
2009-10-13 15:25 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Sidebar
2009-10-13 15:25 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Calendar
2009-10-13 15:25 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Journal
2009-10-13 15:25 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Collaboration
2009-10-13 15:25 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Photo Gallery
2009-10-13 15:25 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Defender
2009-10-13 15:13 . 2006-11-02 10:32 101888 ----a-w- c:\windows\system32\ifxcardm.dll
2009-10-13 15:13 . 2006-11-02 10:32 82432 ----a-w- c:\windows\system32\axaltocm.dll
2009-10-13 14:36 . 2008-04-06 08:22 -------- d-----w- c:\program files\Google
2009-10-13 03:21 . 2008-04-11 04:52 -------- d-----w- c:\programdata\HP Product Assistant
2009-10-13 03:01 . 2009-10-13 03:01 691712 ----a-w- c:\windows\isRS-000.tmp
2009-10-10 01:48 . 2008-04-19 01:08 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-10-09 22:42 . 2008-04-06 09:18 -------- d-----w- c:\program files\Windows Live Toolbar
2009-10-05 05:13 . 2008-08-21 04:27 2516 --sha-w- c:\programdata\KGyGaAvL.sys
2009-10-03 06:09 . 2009-10-03 06:09 -------- d-----w- c:\users\User\AppData\Roaming\Apple Computer
2009-10-03 06:09 . 2009-10-03 06:08 -------- d-----w- c:\programdata\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}
2009-10-03 06:09 . 2009-10-03 06:08 -------- d-----w- c:\program files\iTunes
2009-10-03 06:08 . 2009-10-03 06:08 -------- d-----w- c:\program files\iPod
2009-10-03 06:08 . 2009-10-03 06:05 -------- d-----w- c:\program files\Common Files\Apple
2009-10-03 06:08 . 2009-10-03 06:06 -------- d-----w- c:\programdata\Apple Computer
2009-10-03 06:07 . 2009-10-03 06:07 -------- d-----w- c:\program files\Bonjour
2009-10-03 06:07 . 2009-10-03 06:06 -------- d-----w- c:\program files\QuickTime
2009-10-03 06:06 . 2009-10-03 06:05 -------- d-----w- c:\program files\Apple Software Update
2009-10-03 06:05 . 2009-10-03 06:05 -------- d-----w- c:\programdata\Apple
2009-10-02 22:23 . 2009-10-02 22:23 -------- d-----w- c:\program files\Chikka Messenger
2009-10-01 02:29 . 2009-10-03 04:54 195440 ------w- c:\windows\system32\MpSigStub.exe
2009-09-30 01:22 . 2009-09-30 01:22 -------- d-----w- c:\program files\Opera
2009-09-28 23:46 . 2009-09-28 23:47 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-09-28 23:46 . 2009-09-28 23:46 -------- d-----w- c:\program files\Java
2009-09-28 23:35 . 2009-09-28 23:35 -------- d-----w- c:\programdata\Avira
2009-09-28 23:35 . 2009-09-28 23:35 -------- d-----w- c:\program files\Avira
2009-09-15 20:04 . 2009-09-15 20:04 37376 ----a-w- c:\windows\system32\drivers\HssDrv.sys
2009-09-15 20:04 . 2009-09-15 20:04 32768 ----a-w- c:\windows\system32\drivers\taphss.sys
2009-09-14 09:44 . 2009-10-14 02:01 144896 ----a-w- c:\windows\system32\drivers\srv2.sys
2009-09-04 12:24 . 2009-10-14 02:01 61440 ----a-w- c:\windows\system32\msasn1.dll
2009-08-28 12:39 . 2009-09-29 07:46 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2009-08-28 10:15 . 2009-09-29 07:46 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2009-08-27 13:32 . 2009-10-14 05:24 833024 ----a-w- c:\windows\system32\wininet.dll
2009-08-27 13:29 . 2009-10-14 05:24 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-08-27 10:58 . 2009-10-14 05:24 26624 ----a-w- c:\windows\system32\ieUnatt.exe
2009-08-17 15:33 . 2009-08-17 15:33 1193832 ----a-w- c:\windows\system32\FM20.DLL
2009-08-14 17:07 . 2009-09-29 06:33 897608 ----a-w- c:\windows\system32\drivers\tcpip.sys
2009-08-14 16:29 . 2009-09-29 06:33 104960 ----a-w- c:\windows\system32\netiohlp.dll
2009-08-14 16:29 . 2009-09-29 06:33 17920 ----a-w- c:\windows\system32\netevent.dll
2009-08-14 14:16 . 2009-09-29 06:33 9728 ----a-w- c:\windows\system32\TCPSVCS.EXE
2009-08-14 14:16 . 2009-09-29 06:33 17920 ----a-w- c:\windows\system32\ROUTE.EXE
2009-08-14 14:16 . 2009-09-29 06:33 11264 ----a-w- c:\windows\system32\MRINFO.EXE
2009-08-14 14:16 . 2009-09-29 06:33 27136 ----a-w- c:\windows\system32\NETSTAT.EXE
2009-08-14 14:16 . 2009-09-29 06:33 19968 ----a-w- c:\windows\system32\ARP.EXE
2009-08-14 14:16 . 2009-09-29 06:33 8704 ----a-w- c:\windows\system32\HOSTNAME.EXE
2009-08-14 14:16 . 2009-09-29 06:33 10240 ----a-w- c:\windows\system32\finger.exe
2009-08-07 02:24 . 2009-10-02 09:28 35552 ----a-w- c:\windows\system32\wups.dll
2009-08-07 02:24 . 2009-10-02 09:29 44768 ----a-w- c:\windows\system32\wups2.dll
2009-08-07 02:24 . 2009-10-02 09:29 53472 ----a-w- c:\windows\system32\wuauclt.exe
2009-08-07 02:23 . 2009-10-02 09:28 575704 ----a-w- c:\windows\system32\wuapi.dll
2009-08-07 02:23 . 2009-10-02 09:29 1929952 ----a-w- c:\windows\system32\wuaueng.dll
2009-08-07 01:45 . 2009-10-02 09:29 2421760 ----a-w- c:\windows\system32\wucltux.dll
2009-08-07 01:44 . 2009-10-02 09:28 87552 ----a-w- c:\windows\system32\wudriver.dll
2009-08-06 11:23 . 2009-10-02 09:21 171608 ----a-w- c:\windows\system32\wuwebv.dll
2009-08-06 10:44 . 2009-10-02 09:21 33792 ----a-w- c:\windows\system32\wuapp.exe
.

((((((((((((((((((((((((((((( SnapShot_2009-10-26_02.55.24 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-03-29 00:49 . 2009-11-02 06:40 43406 c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2006-11-02 13:05 . 2009-11-02 06:40 62040 c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2008-03-29 00:26 . 2009-11-02 06:40 10174 c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1528258781-958764860-922923996-1000_UserData.bin
+ 2008-08-23 01:24 . 2008-11-10 03:41 67472 c:\windows\System32\spool\drivers\w32x86\msonpui.dll
+ 2008-08-23 01:24 . 2008-11-10 03:41 67472 c:\windows\System32\spool\drivers\w32x86\3\msonpui.dll
+ 2008-08-23 01:24 . 2008-11-10 03:41 32656 c:\windows\System32\msonpmon.dll
+ 2006-11-02 13:02 . 2009-11-02 06:40 16384 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2006-11-02 13:02 . 2009-10-26 01:55 16384 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2006-11-02 13:02 . 2009-11-02 06:40 49152 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2006-11-02 13:02 . 2009-10-26 01:55 49152 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2006-11-02 13:02 . 2009-11-02 06:40 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2006-11-02 13:02 . 2009-10-26 01:55 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2008-08-23 01:24 . 2009-10-30 20:17 35088 c:\windows\Installer\{91120000-002F-0000-0000-0000000FF1CE}\oisicon.exe
- 2008-08-23 01:24 . 2009-10-15 00:35 35088 c:\windows\Installer\{91120000-002F-0000-0000-0000000FF1CE}\oisicon.exe
+ 2008-08-23 01:24 . 2009-10-30 20:17 18704 c:\windows\Installer\{91120000-002F-0000-0000-0000000FF1CE}\mspicons.exe
- 2008-08-23 01:24 . 2009-10-15 00:35 18704 c:\windows\Installer\{91120000-002F-0000-0000-0000000FF1CE}\mspicons.exe
- 2008-08-23 01:24 . 2009-10-15 00:35 20240 c:\windows\Installer\{91120000-002F-0000-0000-0000000FF1CE}\cagicon.exe
+ 2008-08-23 01:24 . 2009-10-30 20:17 20240 c:\windows\Installer\{91120000-002F-0000-0000-0000000FF1CE}\cagicon.exe
+ 2009-10-30 20:16 . 2009-10-30 20:16 10576 c:\windows\assembly\GAC\Policy.11.0.office\12.0.0.0__71e9bce111e9429c\Policy.11.0.Office.dll
+ 2009-10-30 20:16 . 2009-10-30 20:16 11112 c:\windows\assembly\GAC\Policy.11.0.Microsoft.Vbe.Interop\12.0.0.0__71e9bce111e9429c\Policy.11.0.Microsoft.Vbe.Interop.dll
+ 2009-10-30 20:16 . 2009-10-30 20:16 11128 c:\windows\assembly\GAC\Policy.11.0.Microsoft.Office.Interop.Word\12.0.0.0__71e9bce111e9429c\Policy.11.0.Microsoft.Office.Interop.Word.dll
+ 2009-10-30 20:16 . 2009-10-30 20:16 11136 c:\windows\assembly\GAC\Policy.11.0.Microsoft.Office.Interop.SmartTag\12.0.0.0__71e9bce111e9429c\Policy.11.0.Microsoft.Office.Interop.SmartTag.dll
+ 2009-10-30 20:17 . 2009-10-30 20:17 11152 c:\windows\assembly\GAC\Policy.11.0.Microsoft.Office.Interop.PowerPoint\12.0.0.0__71e9bce111e9429c\Policy.11.0.Microsoft.Office.Interop.PowerPoint.dll
+ 2009-10-30 20:16 . 2009-10-30 20:16 11128 c:\windows\assembly\GAC\Policy.11.0.Microsoft.Office.Interop.Graph\12.0.0.0__71e9bce111e9429c\Policy.11.0.Microsoft.Office.Interop.Graph.dll
+ 2009-10-30 20:16 . 2009-10-30 20:16 11144 c:\windows\assembly\GAC\Policy.11.0.Microsoft.Office.Interop.Excel\12.0.0.0__71e9bce111e9429c\Policy.11.0.Microsoft.Office.Interop.Excel.dll
+ 2009-10-30 20:16 . 2009-10-30 20:16 63336 c:\windows\assembly\GAC\Microsoft.Vbe.Interop\12.0.0.0__71e9bce111e9429c\Microsoft.Vbe.Interop.dll
+ 2009-10-30 20:16 . 2009-10-30 20:16 19320 c:\windows\assembly\GAC\Microsoft.Office.Interop.SmartTag\12.0.0.0__71e9bce111e9429c\Microsoft.Office.Interop.SmartTag.dll
+ 2009-10-28 02:23 . 2009-09-10 15:10 7680 c:\windows\winsxs\x86_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.0.6002.22223_none_0dc73a70656b2706\spwmp.dll
+ 2009-10-28 02:23 . 2009-09-10 15:10 4096 c:\windows\winsxs\x86_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.0.6002.22223_none_0dc73a70656b2706\dxmasf.dll
+ 2009-09-29 06:13 . 2009-07-15 12:39 7680 c:\windows\winsxs\x86_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.0.6002.18111_none_0d466cfd4c47389d\spwmp.dll
+ 2009-09-29 06:13 . 2009-07-15 12:39 4096 c:\windows\winsxs\x86_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.0.6002.18111_none_0d466cfd4c47389d\dxmasf.dll
+ 2009-10-28 02:23 . 2009-09-10 20:45 7680 c:\windows\winsxs\x86_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.0.6001.22520_none_0bddc7aa684785dd\spwmp.dll
+ 2009-10-28 02:23 . 2009-09-10 20:45 4096 c:\windows\winsxs\x86_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.0.6001.22520_none_0bddc7aa684785dd\dxmasf.dll
+ 2009-09-29 06:13 . 2009-07-14 12:58 7680 c:\windows\winsxs\x86_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.0.6001.18330_none_0b49590d4f3204dd\spwmp.dll
+ 2009-09-29 06:13 . 2009-07-14 12:59 4096 c:\windows\winsxs\x86_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.0.6001.18330_none_0b49590d4f3204dd\dxmasf.dll
+ 2009-10-28 02:23 . 2009-09-10 17:30 7680 c:\windows\winsxs\x86_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.0.6000.21125_none_09fc60b26b1ca9ba\spwmp.dll
+ 2009-10-28 02:23 . 2009-09-10 17:31 4096 c:\windows\winsxs\x86_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.0.6000.21125_none_09fc60b26b1ca9ba\dxmasf.dll
+ 2009-10-28 02:23 . 2009-09-10 17:39 7680 c:\windows\winsxs\x86_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.0.6000.16926_none_0973ec0f51fdf005\spwmp.dll
+ 2009-10-28 02:23 . 2009-09-10 17:40 4096 c:\windows\winsxs\x86_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.0.6000.16926_none_0973ec0f51fdf005\dxmasf.dll
- 2009-10-26 01:55 . 2009-10-26 01:55 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2009-11-02 06:38 . 2009-11-02 06:38 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2009-10-26 01:55 . 2009-10-26 01:55 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2009-11-02 06:38 . 2009-11-02 06:38 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2009-10-28 02:23 . 2009-09-10 15:10 310784 c:\windows\winsxs\x86_microsoft-windows-mediaplayer-setup_31bf3856ad364e35_6.0.6002.22223_none_b05140d2ecdc475e\unregmp2.exe
+ 2009-10-28 02:23 . 2009-09-10 14:58 310784 c:\windows\winsxs\x86_microsoft-windows-mediaplayer-setup_31bf3856ad364e35_6.0.6002.18111_none_afd0735fd3b858f5\unregmp2.exe
+ 2009-10-28 02:23 . 2009-09-10 15:23 310784 c:\windows\winsxs\x86_microsoft-windows-mediaplayer-setup_31bf3856ad364e35_6.0.6001.22520_none_ae67ce0cefb8a635\unregmp2.exe
+ 2009-10-28 02:23 . 2009-09-10 15:21 310784 c:\windows\winsxs\x86_microsoft-windows-mediaplayer-setup_31bf3856ad364e35_6.0.6001.18330_none_add35f6fd6a32535\unregmp2.exe
+ 2009-10-28 02:23 . 2009-09-10 15:14 311296 c:\windows\winsxs\x86_microsoft-windows-mediaplayer-setup_31bf3856ad364e35_6.0.6000.21125_none_ac866714f28dca12\unregmp2.exe
+ 2009-10-28 02:23 . 2009-09-10 15:29 311296 c:\windows\winsxs\x86_microsoft-windows-mediaplayer-setup_31bf3856ad364e35_6.0.6000.16926_none_abfdf271d96f105d\unregmp2.exe
+ 2009-10-28 02:23 . 2009-09-10 15:10 107520 c:\windows\winsxs\x86_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.0.6002.22223_none_0dc73a70656b2706\wmpshare.exe
+ 2009-10-28 02:23 . 2009-09-10 15:10 168960 c:\windows\winsxs\x86_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.0.6002.22223_none_0dc73a70656b2706\wmplayer.exe
+ 2009-10-28 02:23 . 2009-09-10 15:10 107520 c:\windows\winsxs\x86_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.0.6002.22223_none_0dc73a70656b2706\wmpconfig.exe
+ 2009-09-29 06:13 . 2009-07-15 12:39 107520 c:\windows\winsxs\x86_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.0.6002.18111_none_0d466cfd4c47389d\wmpshare.exe
+ 2009-10-28 02:23 . 2009-09-10 14:58 168960 c:\windows\winsxs\x86_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.0.6002.18111_none_0d466cfd4c47389d\wmplayer.exe
+ 2009-09-29 06:13 . 2009-07-15 12:39 107520 c:\windows\winsxs\x86_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.0.6002.18111_none_0d466cfd4c47389d\wmpconfig.exe
+ 2009-10-28 02:23 . 2009-09-10 15:23 107520 c:\windows\winsxs\x86_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.0.6001.22520_none_0bddc7aa684785dd\wmpshare.exe
+ 2009-10-28 02:23 . 2009-09-10 15:23 168960 c:\windows\winsxs\x86_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.0.6001.22520_none_0bddc7aa684785dd\wmplayer.exe
+ 2009-10-28 02:23 . 2009-09-10 15:23 107520 c:\windows\winsxs\x86_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.0.6001.22520_none_0bddc7aa684785dd\wmpconfig.exe
+ 2009-09-29 06:13 . 2009-07-14 10:58 107520 c:\windows\winsxs\x86_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.0.6001.18330_none_0b49590d4f3204dd\wmpshare.exe
+ 2009-10-28 02:23 . 2009-09-10 15:21 168960 c:\windows\winsxs\x86_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.0.6001.18330_none_0b49590d4f3204dd\wmplayer.exe
+ 2009-09-29 06:13 . 2009-07-14 10:59 107520 c:\windows\winsxs\x86_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.0.6001.18330_none_0b49590d4f3204dd\wmpconfig.exe
+ 2009-10-28 02:23 . 2009-09-10 15:14 107520 c:\windows\winsxs\x86_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.0.6000.21125_none_09fc60b26b1ca9ba\wmpshare.exe
+ 2009-10-28 02:23 . 2009-09-10 15:14 168960 c:\windows\winsxs\x86_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.0.6000.21125_none_09fc60b26b1ca9ba\wmplayer.exe
+ 2009-10-28 02:23 . 2009-09-10 15:14 107520 c:\windows\winsxs\x86_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.0.6000.21125_none_09fc60b26b1ca9ba\wmpconfig.exe
+ 2009-10-28 02:23 . 2009-09-10 15:29 107520 c:\windows\winsxs\x86_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.0.6000.16926_none_0973ec0f51fdf005\wmpshare.exe
+ 2009-10-28 02:23 . 2009-09-10 15:29 168960 c:\windows\winsxs\x86_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.0.6000.16926_none_0973ec0f51fdf005\wmplayer.exe
+ 2009-10-28 02:23 . 2009-09-10 15:29 107520 c:\windows\winsxs\x86_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.0.6000.16926_none_0973ec0f51fdf005\wmpconfig.exe
+ 2008-08-23 01:24 . 2008-11-10 03:41 864144 c:\windows\System32\spool\drivers\w32x86\msonpdrv.dll
+ 2008-08-23 01:24 . 2008-11-10 03:41 864144 c:\windows\System32\spool\drivers\w32x86\3\msonpdrv.dll
- 2006-11-02 10:33 . 2009-10-26 02:01 599942 c:\windows\System32\perfh009.dat
+ 2006-11-02 10:33 . 2009-11-02 06:43 599942 c:\windows\System32\perfh009.dat
- 2006-11-02 10:33 . 2009-10-26 02:01 105448 c:\windows\System32\perfc009.dat
+ 2006-11-02 10:33 . 2009-11-02 06:43 105448 c:\windows\System32\perfc009.dat
+ 2006-11-02 12:47 . 2009-10-30 20:34 285304 c:\windows\System32\FNTCACHE.DAT
+ 2008-08-23 01:24 . 2009-10-30 20:17 888080 c:\windows\Installer\{91120000-002F-0000-0000-0000000FF1CE}\wordicon.exe
- 2008-08-23 01:24 . 2009-10-15 00:35 888080 c:\windows\Installer\{91120000-002F-0000-0000-0000000FF1CE}\wordicon.exe
+ 2008-08-23 01:24 . 2009-10-30 20:17 922384 c:\windows\Installer\{91120000-002F-0000-0000-0000000FF1CE}\pptico.exe
- 2008-08-23 01:24 . 2009-10-15 00:35 922384 c:\windows\Installer\{91120000-002F-0000-0000-0000000FF1CE}\pptico.exe
- 2008-08-23 01:24 . 2009-10-15 00:35 217864 c:\windows\Installer\{91120000-002F-0000-0000-0000000FF1CE}\misc.exe
+ 2008-08-23 01:24 . 2009-10-30 20:17 217864 c:\windows\Installer\{91120000-002F-0000-0000-0000000FF1CE}\misc.exe
+ 2008-08-23 01:24 . 2009-10-30 20:17 184080 c:\windows\Installer\{91120000-002F-0000-0000-0000000FF1CE}\joticon.exe
- 2008-08-23 01:24 . 2009-10-15 00:35 184080 c:\windows\Installer\{91120000-002F-0000-0000-0000000FF1CE}\joticon.exe
+ 2009-10-30 20:15 . 2009-10-30 20:15 217864 c:\windows\Installer\{90120000-006E-0409-0000-0000000FF1CE}\misc.exe
- 2009-04-30 00:47 . 2009-04-30 00:47 217864 c:\windows\Installer\{90120000-006E-0409-0000-0000000FF1CE}\misc.exe
+ 2009-10-30 20:16 . 2009-10-30 20:16 423784 c:\windows\assembly\GAC\office\12.0.0.0__71e9bce111e9429c\OFFICE.DLL
+ 2009-10-30 20:16 . 2009-10-30 20:16 870256 c:\windows\assembly\GAC\Microsoft.Office.Interop.Word\12.0.0.0__71e9bce111e9429c\Microsoft.Office.Interop.Word.dll
+ 2009-10-30 20:16 . 2009-10-30 20:16 149352 c:\windows\assembly\GAC\Microsoft.Office.Interop.Graph\12.0.0.0__71e9bce111e9429c\Microsoft.Office.Interop.Graph.dll
+ 2009-10-28 02:23 . 2009-09-10 15:10 1418752 c:\windows\winsxs\x86_microsoft-windows-mediaplayer-setup_31bf3856ad364e35_6.0.6002.22223_none_b05140d2ecdc475e\setup_wm.exe
+ 2009-10-28 02:23 . 2009-09-10 14:58 1418752 c:\windows\winsxs\x86_microsoft-windows-mediaplayer-setup_31bf3856ad364e35_6.0.6002.18111_none_afd0735fd3b858f5\setup_wm.exe
+ 2009-10-28 02:23 . 2009-09-10 15:23 1418752 c:\windows\winsxs\x86_microsoft-windows-mediaplayer-setup_31bf3856ad364e35_6.0.6001.22520_none_ae67ce0cefb8a635\setup_wm.exe
+ 2009-10-28 02:23 . 2009-09-10 15:21 1418752 c:\windows\winsxs\x86_microsoft-windows-mediaplayer-setup_31bf3856ad364e35_6.0.6001.18330_none_add35f6fd6a32535\setup_wm.exe
+ 2009-10-28 02:23 . 2009-09-10 15:14 1418240 c:\windows\winsxs\x86_microsoft-windows-mediaplayer-setup_31bf3856ad364e35_6.0.6000.21125_none_ac866714f28dca12\setup_wm.exe
+ 2009-10-28 02:23 . 2009-09-10 15:29 1418240 c:\windows\winsxs\x86_microsoft-windows-mediaplayer-setup_31bf3856ad364e35_6.0.6000.16926_none_abfdf271d96f105d\setup_wm.exe
+ 2009-10-28 02:23 . 2009-09-10 15:11 8147456 c:\windows\winsxs\x86_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.0.6002.22223_none_0dc73a70656b2706\wmploc.DLL
+ 2009-10-28 02:23 . 2009-09-10 14:59 8147456 c:\windows\winsxs\x86_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.0.6002.18111_none_0d466cfd4c47389d\wmploc.DLL
+ 2009-10-28 02:23 . 2009-09-10 15:24 8147456 c:\windows\winsxs\x86_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.0.6001.22520_none_0bddc7aa684785dd\wmploc.DLL
+ 2009-10-28 02:23 . 2009-09-10 15:21 8147456 c:\windows\winsxs\x86_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.0.6001.18330_none_0b49590d4f3204dd\wmploc.DLL
+ 2009-10-28 02:23 . 2009-09-10 15:14 8147968 c:\windows\winsxs\x86_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.0.6000.21125_none_09fc60b26b1ca9ba\wmploc.DLL
+ 2009-10-28 02:23 . 2009-09-10 15:29 8147968 c:\windows\winsxs\x86_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.0.6000.16926_none_0973ec0f51fdf005\wmploc.DLL
- 2006-11-02 10:22 . 2009-10-20 13:51 6553600 c:\windows\System32\SMI\Store\Machine\SCHEMA.DAT
+ 2006-11-02 10:22 . 2009-10-29 12:45 6553600 c:\windows\System32\SMI\Store\Machine\SCHEMA.DAT
- 2006-11-02 12:47 . 2009-10-15 00:56 2677804 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareLicensing\tokens.dat
+ 2006-11-02 12:47 . 2009-10-28 23:16 2677804 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareLicensing\tokens.dat
+ 2009-04-04 09:10 . 2009-04-04 09:10 1282560 c:\windows\Installer\5581b.msp
+ 2009-04-04 09:10 . 2009-04-04 09:10 7888384 c:\windows\Installer\55814.msp
+ 2009-04-04 09:10 . 2009-04-04 09:10 9926144 c:\windows\Installer\5580b.msp
+ 2008-08-23 01:24 . 2009-10-30 20:17 1172240 c:\windows\Installer\{91120000-002F-0000-0000-0000000FF1CE}\xlicons.exe
- 2008-08-23 01:24 . 2009-10-15 00:35 1172240 c:\windows\Installer\{91120000-002F-0000-0000-0000000FF1CE}\xlicons.exe
+ 2009-10-30 20:16 . 2009-10-30 20:16 1279848 c:\windows\assembly\GAC\Microsoft.Office.Interop.Excel\12.0.0.0__71e9bce111e9429c\Microsoft.Office.Interop.Excel.dll
+ 2009-10-28 02:23 . 2009-09-10 17:10 10627584 c:\windows\winsxs\x86_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.0.6002.22223_none_0dc73a70656b2706\wmp.dll
+ 2009-10-28 02:23 . 2009-09-10 16:49 10627584 c:\windows\winsxs\x86_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.0.6002.18111_none_0d466cfd4c47389d\wmp.dll
+ 2009-10-28 02:23 . 2009-09-10 20:46 10627584 c:\windows\winsxs\x86_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.0.6001.22520_none_0bddc7aa684785dd\wmp.dll
+ 2009-10-28 02:23 . 2009-09-10 17:33 10626048 c:\windows\winsxs\x86_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.0.6001.18330_none_0b49590d4f3204dd\wmp.dll
+ 2009-10-28 02:23 . 2009-09-10 17:31 10622464 c:\windows\winsxs\x86_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.0.6000.21125_none_09fc60b26b1ca9ba\wmp.dll
+ 2009-10-28 02:23 . 2009-09-10 17:40 10622464 c:\windows\winsxs\x86_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.0.6000.16926_none_0973ec0f51fdf005\wmp.dll
+ 2009-10-28 02:23 . 2009-09-10 17:33 10626048 c:\windows\System32\wmp.dll
- 2009-09-29 06:13 . 2009-07-14 13:00 10626048 c:\windows\System32\wmp.dll
+ 2009-04-04 03:36 . 2009-04-04 03:36 21390848 c:\windows\Installer\55720.msp
+ 2009-04-04 09:09 . 2009-04-04 09:09 15190016 c:\windows\Installer\55712.msp
+ 2009-09-28 21:00 . 2009-10-28 02:20 310122950 c:\windows\winsxs\ManifestCache\6.0.6002.18005_001c11ba_blobs.bin
+ 2009-04-04 09:08 . 2009-04-04 09:08 343058432 c:\windows\Installer\55801.msp
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"Google Update"="c:\users\User\AppData\Local\Google\Update\GoogleUpdate.exe" [2009-10-01 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvSvc"="c:\windows\system32\nvsvc.dll" [2007-09-11 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-09-11 8497696]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-09-11 81920]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorUser"= 2 (0x2)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^Users^User^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^ERUNT AutoBackup.lnk]
path=c:\users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk
backup=c:\windows\pss\ERUNT AutoBackup.lnk.Startup
backupExtension=.Startup

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [29/09/2009 7:35 AM 108289]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [10/10/2009 7:13 AM 1153368]
R3 VMHybrid;VMHybrid service;c:\windows\System32\drivers\VMHybrid.sys [7/05/2008 12:11 AM 1059072]
S3 VST_DPV;VST_DPV;c:\windows\System32\drivers\VSTDPV3.SYS [2/11/2006 6:25 PM 987648]
S3 VSTHWBS2;VSTHWBS2;c:\windows\System32\drivers\VSTBS23.SYS [2/11/2006 6:25 PM 251904]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - MBR
*NewlyCreated* - PROCEXP113
*Deregistered* - mbr
*Deregistered* - PROCEXP113

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2008-04-06 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 01:20]

2009-11-02 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1528258781-958764860-922923996-1000Core.job
- c:\users\User\AppData\Local\Google\Update\GoogleUpdate.exe [2009-10-01 13:25]

2009-11-02 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1528258781-958764860-922923996-1000UA.job
- c:\users\User\AppData\Local\Google\Update\GoogleUpdate.exe [2009-10-01 13:25]

2009-11-02 c:\windows\Tasks\User_Feed_Synchronization-{F9FF09AC-153B-4608-B8DC-F5F1858EFF8A}.job
- c:\windows\system32\msfeedssync.exe [2008-07-29 07:33]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
FF - ProfilePath - c:\users\User\AppData\Roaming\Mozilla\Firefox\Profiles\bjb30s8d.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/firefox?client=firefox-a&rls=org.mozilla:en-USfficial
FF - plugin: c:\users\User\AppData\Local\Google\Update\1.2.183.13\npGoogleOneClick8.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-02 14:52
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2009-11-02 14:54
ComboFix-quarantined-files.txt 2009-11-02 06:54
ComboFix2.txt 2009-10-26 02:56
ComboFix3.txt 2009-10-13 15:59
ComboFix4.txt 2009-10-13 14:26

Pre-Run: 105,990,565,888 bytes free
Post-Run: 105,939,128,320 bytes free

- - End Of File - - FD8AD6E55348C57C03355B6A06DD3B30


Thanks in advance.

 

[Blade81]

Hi,

Let's try to nuke the file.

Disable Spybot's TeaTimer to make sure it won't interfere with fixes. You can re-enable it when you're clean again:

• Run Spybot-S&D in Advanced Mode
• If it is not already set to do this, go to the Mode menu
  select
  Advanced Mode
  
• On the left hand side, click on Tools
• Then click on the Resident icon in the list
• Uncheck
  Resident TeaTimer
  and OK any prompts.
• Restart your computer

Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\Windows\System32\drivers\etc\hosts

Save this as
CFScript

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.

Close all browser windows and refering to the picture above, drag CFScript into ComboFix.exe (let combofix update itself if asked for permission).
Then post the resultant log.

 

[iCharles]

Disabled Tea Timer, Avira AntiVir, Windows Defender and done the procedure. I checked the MS Security Center and they're all turned off.

Even though I disabled them all, a pop-up message still says that,

Combofix has detected the following real time scanner(s) to be active:

antivirus: AntiVir Desktop
antispyware: AntiVir Desktop

Antivirus and intrusion prevention programs are known to interfere with Combofix's running. This may lead to unpredictable results or machine damage.

Please disable these scanners before clicking 'OK'.

I closed the message and another message popped-up,

antivirus: AntiVir Desktop
antispyware: AntiVir Desktop

The above real time scanner(s) are still active but Combofix shall continue to run. Kindly note that this is at your own risk

I closed the message, Combofix runs then I closed it before it displays any progress/message.

I need your permission on this or else I might damage this machine. :sad:

 

[Blade81]

Let ComboFix run. Shouldn't cause any trouble.

 

[iCharles]

ComboFix 09-11-01.04 - User 05/11/2009 15:04.5.2 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.61.1033.18.2047.1371 [GMT 8:00]
Running from: c:\users\User\Desktop\ComboFix.exe
Command switches used :: c:\users\User\Desktop\CFScript.txt
AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
SP: AntiVir Desktop *enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
SP: Spybot - Search and Destroy *disabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

FILE ::
"c:\windows\System32\drivers\etc\hosts"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\System32\drivers\etc\hosts

.
((((((((((((((((((((((((( Files Created from 2009-10-05 to 2009-11-05 )))))))))))))))))))))))))))))))
.

2009-11-05 07:10 . 2009-11-05 07:10 -------- d-----w- c:\users\User\AppData\Local\temp
2009-11-05 07:10 . 2009-11-05 07:10 -------- d-----w- c:\users\Public\AppData\Local\temp
2009-11-05 07:10 . 2009-11-05 07:10 -------- d-----w- c:\users\Default\AppData\Local\temp
2009-11-04 02:39 . 2009-11-04 02:39 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-11-04 02:35 . 2009-11-04 02:51 -------- d-----w- c:\program files\Common Files\Adobe
2009-11-04 00:52 . 2009-11-04 11:30 -------- d-----w- C:\HostsXpert
2009-11-03 03:58 . 2009-11-05 06:12 -------- d-----w- c:\users\User\AppData\Roaming\vlc
2009-11-03 03:57 . 2009-11-03 03:57 -------- d-----w- c:\program files\VideoLAN
2009-10-28 04:22 . 2009-10-28 04:22 -------- d-----w- c:\program files\ERUNT
2009-10-28 02:23 . 2009-09-10 15:21 310784 ----a-w- c:\windows\system32\unregmp2.exe
2009-10-28 02:23 . 2009-09-10 15:21 8147456 ----a-w- c:\windows\system32\wmploc.DLL
2009-10-24 00:14 . 2009-10-26 01:54 -------- d-----w- c:\program files\Unlocker
2009-10-14 05:36 . 2009-08-31 13:55 428544 ----a-w- c:\windows\system32\EncDec.dll
2009-10-14 05:36 . 2009-08-31 13:55 293376 ----a-w- c:\windows\system32\psisdecd.dll
2009-10-14 03:25 . 2009-09-10 17:30 213504 ----a-w- c:\windows\system32\msv1_0.dll
2009-10-14 03:25 . 2009-06-15 15:24 175104 ----a-w- c:\windows\system32\wdigest.dll
2009-10-14 03:25 . 2009-06-15 18:20 439896 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2009-10-14 03:25 . 2009-06-15 15:23 1256448 ----a-w- c:\windows\system32\lsasrv.dll
2009-10-14 03:25 . 2009-06-15 15:24 72704 ----a-w- c:\windows\system32\secur32.dll
2009-10-14 03:25 . 2009-06-15 12:57 9728 ----a-w- c:\windows\system32\lsass.exe
2009-10-14 03:22 . 2008-04-05 03:34 15360 ----a-w- c:\windows\system32\pacerprf.dll
2009-10-14 03:22 . 2008-04-05 01:21 72192 ----a-w- c:\windows\system32\drivers\pacer.sys
2009-10-14 03:17 . 2009-08-05 14:22 3597896 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-10-14 03:17 . 2009-08-05 14:22 3546184 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-10-13 15:23 . 2009-10-13 15:23 -------- d-----w- C:\PerfLogs
2009-10-13 14:34 . 2009-10-13 14:34 -------- d-----w- c:\programdata\Avg7
2009-10-13 04:01 . 2009-10-13 04:01 -------- d-----w- c:\users\User\AppData\Roaming\Malwarebytes
2009-10-13 04:00 . 2009-10-13 04:00 -------- d-----w- c:\programdata\Malwarebytes
2009-10-10 01:57 . 2009-10-10 01:58 -------- d-----w- c:\users\User\AppData\Local\AnVir
2009-10-10 01:41 . 1998-06-17 16:00 89360 ----a-w- c:\windows\system32\VB5DB.DLL
2009-10-09 23:13 . 2009-10-26 03:19 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2009-10-09 23:13 . 2009-10-10 01:22 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-10-09 23:04 . 2009-10-09 23:04 -------- d-----w- c:\program files\CCleaner
2009-10-09 22:55 . 2009-10-09 23:01 -------- d-----w- c:\program files\Eusing Free Registry Cleaner
2009-10-09 22:33 . 2009-10-09 22:33 -------- d-----w- c:\program files\Trend Micro
2009-10-09 11:53 . 2009-10-14 00:53 -------- d-sh--w- c:\programdata\cad9f57
2009-10-09 11:07 . 2009-10-09 11:07 -------- d-----w- c:\users\User\Battlefield 1942
2009-10-09 08:17 . 2009-10-09 08:17 -------- d-----w- C:\Hotspot Shield
2009-10-09 08:13 . 2009-11-01 10:59 -------- d-----w- c:\program files\Hotspot Shield
2009-10-07 00:43 . 2009-10-07 00:52 -------- d-----w- C:\Old PC Games

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-04 02:52 . 2008-08-21 04:27 2516 --sha-w- c:\programdata\KGyGaAvL.sys
2009-11-04 02:52 . 2008-08-21 04:27 -------- d-----w- c:\users\User\AppData\Roaming\Corel
2009-10-31 20:13 . 2008-03-29 00:25 68808 ----a-w- c:\users\User\AppData\Local\GDIPFONTCACHEV1.DAT
2009-10-30 20:17 . 2008-08-23 01:22 -------- d-----w- c:\programdata\Microsoft Help
2009-10-30 20:16 . 2008-08-23 01:24 -------- d-----w- c:\program files\Microsoft Works
2009-10-18 11:02 . 2009-10-18 11:02 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_00_00.Wdf
2009-10-15 00:54 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2009-10-13 15:34 . 2008-03-29 04:15 -------- d-----w- c:\programdata\NVIDIA
2009-10-13 15:25 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Sidebar
2009-10-13 15:25 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Calendar
2009-10-13 15:25 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Journal
2009-10-13 15:25 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Collaboration
2009-10-13 15:25 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Photo Gallery
2009-10-13 15:25 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Defender
2009-10-13 15:13 . 2006-11-02 10:32 101888 ----a-w- c:\windows\system32\ifxcardm.dll
2009-10-13 15:13 . 2006-11-02 10:32 82432 ----a-w- c:\windows\system32\axaltocm.dll
2009-10-13 14:36 . 2008-04-06 08:22 -------- d-----w- c:\program files\Google
2009-10-13 03:21 . 2008-04-11 04:52 -------- d-----w- c:\programdata\HP Product Assistant
2009-10-13 03:01 . 2009-10-13 03:01 691712 ----a-w- c:\windows\isRS-000.tmp
2009-10-10 01:48 . 2008-04-19 01:08 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-10-09 22:42 . 2008-04-06 09:18 -------- d-----w- c:\program files\Windows Live Toolbar
2009-10-03 06:09 . 2009-10-03 06:09 -------- d-----w- c:\users\User\AppData\Roaming\Apple Computer
2009-10-03 06:09 . 2009-10-03 06:08 -------- d-----w- c:\programdata\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}
2009-10-03 06:09 . 2009-10-03 06:08 -------- d-----w- c:\program files\iTunes
2009-10-03 06:08 . 2009-10-03 06:08 -------- d-----w- c:\program files\iPod
2009-10-03 06:08 . 2009-10-03 06:05 -------- d-----w- c:\program files\Common Files\Apple
2009-10-03 06:08 . 2009-10-03 06:06 -------- d-----w- c:\programdata\Apple Computer
2009-10-03 06:07 . 2009-10-03 06:07 -------- d-----w- c:\program files\Bonjour
2009-10-03 06:07 . 2009-10-03 06:06 -------- d-----w- c:\program files\QuickTime
2009-10-03 06:06 . 2009-10-03 06:05 -------- d-----w- c:\program files\Apple Software Update
2009-10-03 06:05 . 2009-10-03 06:05 -------- d-----w- c:\programdata\Apple
2009-10-02 22:23 . 2009-10-02 22:23 -------- d-----w- c:\program files\Chikka Messenger
2009-10-01 01:29 . 2009-10-03 04:54 195440 ------w- c:\windows\system32\MpSigStub.exe
2009-09-30 01:22 . 2009-09-30 01:22 -------- d-----w- c:\program files\Opera
2009-09-28 23:46 . 2009-09-28 23:47 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-09-28 23:46 . 2009-09-28 23:46 -------- d-----w- c:\program files\Java
2009-09-28 23:35 . 2009-09-28 23:35 -------- d-----w- c:\programdata\Avira
2009-09-28 23:35 . 2009-09-28 23:35 -------- d-----w- c:\program files\Avira
2009-09-15 20:04 . 2009-09-15 20:04 37376 ----a-w- c:\windows\system32\drivers\HssDrv.sys
2009-09-15 20:04 . 2009-09-15 20:04 32768 ----a-w- c:\windows\system32\drivers\taphss.sys
2009-09-14 09:44 . 2009-10-14 02:01 144896 ----a-w- c:\windows\system32\drivers\srv2.sys
2009-09-04 12:24 . 2009-10-14 02:01 61440 ----a-w- c:\windows\system32\msasn1.dll
2009-08-28 12:39 . 2009-09-29 07:46 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2009-08-28 10:15 . 2009-09-29 07:46 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2009-08-27 13:32 . 2009-10-14 05:24 833024 ----a-w- c:\windows\system32\wininet.dll
2009-08-27 13:29 . 2009-10-14 05:24 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-08-27 10:58 . 2009-10-14 05:24 26624 ----a-w- c:\windows\system32\ieUnatt.exe
2009-08-17 15:33 . 2009-08-17 15:33 1193832 ----a-w- c:\windows\system32\FM20.DLL
2009-08-14 17:07 . 2009-09-29 06:33 897608 ----a-w- c:\windows\system32\drivers\tcpip.sys
2009-08-14 16:29 . 2009-09-29 06:33 104960 ----a-w- c:\windows\system32\netiohlp.dll
2009-08-14 16:29 . 2009-09-29 06:33 17920 ----a-w- c:\windows\system32\netevent.dll
2009-08-14 14:16 . 2009-09-29 06:33 9728 ----a-w- c:\windows\system32\TCPSVCS.EXE
2009-08-14 14:16 . 2009-09-29 06:33 17920 ----a-w- c:\windows\system32\ROUTE.EXE
2009-08-14 14:16 . 2009-09-29 06:33 11264 ----a-w- c:\windows\system32\MRINFO.EXE
2009-08-14 14:16 . 2009-09-29 06:33 27136 ----a-w- c:\windows\system32\NETSTAT.EXE
2009-08-14 14:16 . 2009-09-29 06:33 19968 ----a-w- c:\windows\system32\ARP.EXE
2009-08-14 14:16 . 2009-09-29 06:33 8704 ----a-w- c:\windows\system32\HOSTNAME.EXE
2009-08-14 14:16 . 2009-09-29 06:33 10240 ----a-w- c:\windows\system32\finger.exe
.

((((((((((((((((((((((((((((( SnapShot_2009-11-02_06.52.38 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-03-29 00:49 . 2009-11-05 00:04 43486 c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
- 2006-11-02 13:05 . 2009-11-02 06:40 62040 c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2006-11-02 13:05 . 2009-11-05 00:04 62040 c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
- 2008-03-29 00:26 . 2009-11-02 06:40 10174 c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1528258781-958764860-922923996-1000_UserData.bin
+ 2008-03-29 00:26 . 2009-11-05 00:04 10174 c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1528258781-958764860-922923996-1000_UserData.bin
+ 2006-11-02 13:02 . 2009-11-05 06:40 16384 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2006-11-02 13:02 . 2009-11-02 06:40 16384 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2006-11-02 13:02 . 2009-11-05 06:40 49152 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2006-11-02 13:02 . 2009-11-02 06:40 49152 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2006-11-02 13:02 . 2009-11-05 06:40 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2006-11-02 13:02 . 2009-11-02 06:40 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-11-04 02:39 . 2009-11-04 02:39 20480 c:\windows\Installer\63e2e0.msi
+ 2009-11-04 02:39 . 2009-11-04 02:39 26112 c:\windows\Installer\63e2db.msi
+ 2009-02-27 09:10 . 2009-02-27 09:10 35696 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA7FFFFB7449A0100000010\9.1.0\reader_sl.exe
+ 2009-02-27 08:32 . 2009-02-27 08:32 26464 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA7FFFFB7449A0100000010\9.1.0\acrotextextractor.exe
+ 2009-02-27 04:18 . 2009-02-27 04:18 15216 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA7FFFFB7449A0100000010\9.1.0\AcroRd32Info.exe
+ 2009-11-05 00:10 . 2009-11-05 00:10 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2009-11-02 06:38 . 2009-11-02 06:38 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2009-11-05 00:10 . 2009-11-05 00:10 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2009-11-02 06:38 . 2009-11-02 06:38 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2006-11-02 10:33 . 2009-11-05 00:09 596218 c:\windows\System32\perfh009.dat
+ 2006-11-02 10:33 . 2009-11-05 00:09 101724 c:\windows\System32\perfc009.dat
+ 2009-01-18 08:05 . 2009-01-18 08:05 675840 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA7FFFFB7449A0100000010\9.1.0\JP2KLib.dll
+ 2009-02-27 09:10 . 2009-02-27 09:10 349544 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA7FFFFB7449A0100000010\9.1.0\AcroRd32.exe
+ 2009-02-27 04:07 . 2009-02-27 04:07 660840 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA7FFFFB7449A0100000010\9.1.0\AcroPDF.dll
+ 2009-02-27 04:50 . 2009-02-27 04:50 279952 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA7FFFFB7449A0100000010\9.1.0\acrobroker.exe
+ 2009-11-04 00:54 . 2009-10-19 13:49 3602432 c:\windows\winsxs\x86_microsoft-windows-ie-htmlrendering_31bf3856ad364e35_6.0.6002.22247_none_158eeb3d388785cb\mshtml.dll
+ 2009-11-04 00:54 . 2009-10-19 13:36 3599872 c:\windows\winsxs\x86_microsoft-windows-ie-htmlrendering_31bf3856ad364e35_6.0.6002.18124_none_1517ed6c1f5c621a\mshtml.dll
+ 2009-11-04 00:54 . 2009-10-19 14:09 3586560 c:\windows\winsxs\x86_microsoft-windows-ie-htmlrendering_31bf3856ad364e35_6.0.6001.22544_none_13a578773b63e4a2\mshtml.dll
+ 2009-11-04 00:54 . 2009-10-19 14:25 3584000 c:\windows\winsxs\x86_microsoft-windows-ie-htmlrendering_31bf3856ad364e35_6.0.6001.18344_none_131bd9c6224647b1\mshtml.dll
+ 2009-11-04 00:54 . 2009-10-19 14:19 3602432 c:\windows\winsxs\x86_microsoft-windows-ie-htmlrendering_31bf3856ad364e35_6.0.6000.21142_none_11bd0f793e3f571e\mshtml.dll
+ 2009-11-04 00:54 . 2009-10-19 14:40 3598336 c:\windows\winsxs\x86_microsoft-windows-ie-htmlrendering_31bf3856ad364e35_6.0.6000.16939_none_11456c7e25131982\mshtml.dll
+ 2006-11-02 10:22 . 2009-11-05 00:07 6553600 c:\windows\System32\SMI\Store\Machine\SCHEMA.DAT
- 2006-11-02 10:22 . 2009-10-29 12:45 6553600 c:\windows\System32\SMI\Store\Machine\SCHEMA.DAT
- 2009-10-14 05:24 . 2009-08-27 13:30 3584000 c:\windows\System32\mshtml.dll
+ 2009-11-04 00:54 . 2009-10-19 14:25 3584000 c:\windows\System32\mshtml.dll
+ 2009-02-27 04:08 . 2009-02-27 04:08 2409808 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA7FFFFB7449A0100000010\9.1.0\rt3d.dll
+ 2007-12-10 23:19 . 2007-12-10 23:19 1204224 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA7FFFFB7449A0100000010\9.1.0\Onix32.dll
+ 2009-02-27 04:39 . 2009-02-27 04:39 1302760 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA7FFFFB7449A0100000010\9.1.0\JSByteCodeWin.bin
+ 2008-12-18 08:48 . 2008-12-18 08:48 3645440 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA7FFFFB7449A0100000010\9.1.0\authplay.dll
+ 2009-02-27 08:36 . 2009-02-27 08:36 5712384 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA7FFFFB7449A0100000010\9.1.0\AGM.dll
+ 2009-11-05 07:03 . 2009-11-05 07:03 6373376 c:\windows\ERDNT\Hiv-backup\SCHEMA.DAT
+ 2009-10-02 20:51 . 2009-10-02 20:51 23085056 c:\windows\Installer\63e392.msp
+ 2009-11-04 02:39 . 2009-11-04 02:39 21352448 c:\windows\Installer\63e2d6.msi
+ 2009-02-27 08:37 . 2009-02-27 08:37 20403568 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA7FFFFB7449A0100000010\9.1.0\AcroRd32.dll
+ 2009-09-28 21:00 . 2009-11-04 00:53 313078810 c:\windows\winsxs\ManifestCache\6.0.6002.18005_001c11ba_blobs.bin
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\users\User\AppData\Local\Google\Update\GoogleUpdate.exe" [2009-10-01 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvSvc"="c:\windows\system32\nvsvc.dll" [2007-09-11 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-09-11 8497696]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-09-11 81920]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorUser"= 2 (0x2)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^Users^User^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^ERUNT AutoBackup.lnk]
path=c:\users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk
backup=c:\windows\pss\ERUNT AutoBackup.lnk.Startup
backupExtension=.Startup

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [29/09/2009 7:35 AM 108289]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [10/10/2009 7:13 AM 1153368]
R3 VMHybrid;VMHybrid service;c:\windows\System32\drivers\VMHybrid.sys [7/05/2008 12:11 AM 1059072]
S3 VST_DPV;VST_DPV;c:\windows\System32\drivers\VSTDPV3.SYS [2/11/2006 6:25 PM 987648]
S3 VSTHWBS2;VSTHWBS2;c:\windows\System32\drivers\VSTBS23.SYS [2/11/2006 6:25 PM 251904]

--- Other Services/Drivers In Memory ---

*Deregistered* - mbr
*Deregistered* - PROCEXP113

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2008-04-06 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 01:20]

2009-11-05 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1528258781-958764860-922923996-1000Core.job
- c:\users\User\AppData\Local\Google\Update\GoogleUpdate.exe [2009-10-01 13:25]

2009-11-05 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1528258781-958764860-922923996-1000UA.job
- c:\users\User\AppData\Local\Google\Update\GoogleUpdate.exe [2009-10-01 13:25]

2009-11-04 c:\windows\Tasks\User_Feed_Synchronization-{F9FF09AC-153B-4608-B8DC-F5F1858EFF8A}.job
- c:\windows\system32\msfeedssync.exe [2008-07-29 07:33]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
IE: Open with WordPerfect - c:\program files\Corel\WordPerfect Office X4\Programs\WPLauncher.hta
FF - ProfilePath - c:\users\User\AppData\Roaming\Mozilla\Firefox\Profiles\bjb30s8d.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/firefox?client=firefox-a&rls=org.mozilla:en-USfficial
FF - plugin: c:\users\User\AppData\Local\Google\Update\1.2.183.13\npGoogleOneClick8.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-05 15:10
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2009-11-05 15:12
ComboFix-quarantined-files.txt 2009-11-05 07:12
ComboFix2.txt 2009-11-02 06:54
ComboFix3.txt 2009-10-26 02:56
ComboFix4.txt 2009-10-13 15:59
ComboFix5.txt 2009-11-05 07:02

Pre-Run: 105,407,975,424 bytes free
Post-Run: 105,367,883,776 bytes free

- - End Of File - - E80F29E5488234CAD666A355295D2ED5

 

[iCharles]

Just a follow up, I ran Spybot and it came with "No immediate threats found." So I thought of making a new HJT log. By the way, there were no longer message pop-ups when running HJT! :bigthumb:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:14:53 PM, on 29/10/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18319)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\System32\notepad.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Windows\System32\notepad.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O1 - Hosts: ::1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Hotspot Shield Service (HotspotShieldService) - Unknown owner - C:\Program Files\Hotspot Shield\bin\openvpnas.exe
O23 - Service: Hotspot Shield Routing Service (HssSrv) - AnchorFree Inc. - C:\Program Files\Hotspot Shield\HssWPR\hsssrv.exe
O23 - Service: Hotspot Shield Tray Service (HssTrayService) - Unknown owner - C:\Program Files\Hotspot Shield\bin\HssTrayService.EXE
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Protexis Licensing V2 (PSI_SVC_2) - Protexis Inc. - c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe

--
End of file - 3279 bytes

 

[Blade81]

Hi,

Looks like the hosts file was removed. Could you verify this? Then run HostsXpert by following earlier given instructions.