
Solved Google redirect trouble.

Discussion in 'Malware and Virus Removal Archive' started by neophyte, 2009/08/07.

  1. 2009/08/07
    neophyte (Inactive, Thread Starter)

    [Resolved] Google redirect trouble.

    Hi There,

    I just determined that I have the dreaded Google Redirect problem and have followed the directions to post to this forum. I think I've done everything right, but I don't know how to zip the dds.attach file. If somebody would like to see it, please instruct me as to how to zip it. I will also include the HJT scan results. I have a second-hand IBM IntelliStation M Pro, purchased from a used computer company in Calgary: 2.5 Gig RAM, 3.8 Gig Intel P4 processor, running XP. I would be very grateful for any assistance.

    KG.

    HJT Scan file.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 11:42:48 AM, on 07/08/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16876)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\AVG\AVG8\avgrsx.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    C:\PROGRA~1\AVG\AVG8\avgtray.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Skype\Phone\Skype.exe
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
    C:\Program Files\Skype\Plugin Manager\skypePM.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Skype\Toolbars\Shared\SkypeNames.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
    O1 - Hosts: 74.125.45.100 test1111.com
    O1 - Hosts: 74.125.45.100 test1112.com
    O1 - Hosts: 74.125.45.100 4-open-davinci.com
    O1 - Hosts: 74.125.45.100 securitysoftwarepayments.com
    O1 - Hosts: 74.125.45.100 privatesecuredpayments.com
    O1 - Hosts: 74.125.45.100 secure.privatesecuredpayments.com
    O1 - Hosts: 74.125.45.100 getantivirusplusnow.com
    O1 - Hosts: 74.125.45.100 secure-plus-payments.com
    O1 - Hosts: 74.125.45.100 www.getantivirusplusnow.com
    O1 - Hosts: 74.125.45.100 www.secure-plus-payments.com
    O1 - Hosts: 74.125.45.100 www.getavplusnow.com
    O1 - Hosts: 74.125.45.100 www.securesoftwarebill.com
    O1 - Hosts: 89.248.168.188 google.ae
    O1 - Hosts: 89.248.168.188 google.as
    O1 - Hosts: 89.248.168.188 google.at
    O1 - Hosts: 89.248.168.188 google.az
    O1 - Hosts: 89.248.168.188 google.ba
    O1 - Hosts: 89.248.168.188 google.be
    O1 - Hosts: 89.248.168.188 google.bg
    O1 - Hosts: 89.248.168.188 google.bs
    O1 - Hosts: 89.248.168.188 google.ca
    O1 - Hosts: 89.248.168.188 google.cd
    O1 - Hosts: 89.248.168.188 google.com.gh
    O1 - Hosts: 89.248.168.188 google.com.hk
    O1 - Hosts: 89.248.168.188 google.com.jm
    O1 - Hosts: 89.248.168.188 google.com.mx
    O1 - Hosts: 89.248.168.188 google.com.my
    O1 - Hosts: 89.248.168.188 google.com.na
    O1 - Hosts: 89.248.168.188 google.com.nf
    O1 - Hosts: 89.248.168.188 google.com.ng
    O1 - Hosts: 89.248.168.188 google.ch
    O1 - Hosts: 89.248.168.188 google.com.np
    O1 - Hosts: 89.248.168.188 google.com.pr
    O1 - Hosts: 89.248.168.188 google.com.qa
    O1 - Hosts: 89.248.168.188 google.com.sg
    O1 - Hosts: 89.248.168.188 google.com.tj
    O1 - Hosts: 89.248.168.188 google.com.tw
    O1 - Hosts: 89.248.168.188 google.dj
    O1 - Hosts: 89.248.168.188 google.de
    O1 - Hosts: 89.248.168.188 google.dk
    O1 - Hosts: 89.248.168.188 google.dm
    O1 - Hosts: 89.248.168.188 google.ee
    O1 - Hosts: 89.248.168.188 google.fi
    O1 - Hosts: 89.248.168.188 google.fm
    O1 - Hosts: 89.248.168.188 google.fr
    O1 - Hosts: 89.248.168.188 google.ge
    O1 - Hosts: 89.248.168.188 google.gg
    O1 - Hosts: 89.248.168.188 google.gm
    O1 - Hosts: 89.248.168.188 google.gr
    O1 - Hosts: 89.248.168.188 google.ht
    O1 - Hosts: 89.248.168.188 google.ie
    O1 - Hosts: 89.248.168.188 google.im
    O1 - Hosts: 89.248.168.188 google.in
    O1 - Hosts: 89.248.168.188 google.it
    O1 - Hosts: 89.248.168.188 google.ki
    O1 - Hosts: 89.248.168.188 google.la
    O1 - Hosts: 89.248.168.188 google.li
    O1 - Hosts: 89.248.168.188 google.lv
    O1 - Hosts: 89.248.168.188 google.ma
    O1 - Hosts: 89.248.168.188 google.ms
    O1 - Hosts: 89.248.168.188 google.mu
    O1 - Hosts: 89.248.168.188 google.mw
    O1 - Hosts: 89.248.168.188 google.nl
    O1 - Hosts: 89.248.168.188 google.no
    O1 - Hosts: 89.248.168.188 google.nr
    O1 - Hosts: 89.248.168.188 google.nu
    O1 - Hosts: 89.248.168.188 google.pl
    O1 - Hosts: 89.248.168.188 google.pn
    O1 - Hosts: 89.248.168.188 google.pt
    O1 - Hosts: 89.248.168.188 google.ro
    O1 - Hosts: 89.248.168.188 google.ru
    O1 - Hosts: 89.248.168.188 google.rw
    O1 - Hosts: 89.248.168.188 google.sc
    O1 - Hosts: 89.248.168.188 google.se
    O1 - Hosts: 89.248.168.188 google.sh
    O1 - Hosts: 89.248.168.188 google.si
    O1 - Hosts: 89.248.168.188 google.sm
    O1 - Hosts: 89.248.168.188 google.sn
    O1 - Hosts: 89.248.168.188 google.st
    O1 - Hosts: 89.248.168.188 google.tl
    O1 - Hosts: 89.248.168.188 google.tm
    O1 - Hosts: 89.248.168.188 google.tt
    O1 - Hosts: 89.248.168.188 google.us
    O1 - Hosts: 89.248.168.188 google.vu
    O1 - Hosts: 89.248.168.188 google.ws
    O1 - Hosts: 89.248.168.188 google.co.ck
    O1 - Hosts: 89.248.168.188 google.co.id
    O1 - Hosts: 89.248.168.188 google.co.il
    O1 - Hosts: 89.248.168.188 google.co.in
    O1 - Hosts: 89.248.168.188 google.co.jp
    O1 - Hosts: 89.248.168.188 google.co.kr
    O1 - Hosts: 89.248.168.188 google.co.ls
    O1 - Hosts: 89.248.168.188 google.co.ma
    O1 - Hosts: 89.248.168.188 google.co.nz
    O1 - Hosts: 89.248.168.188 google.co.tz
    O1 - Hosts: 89.248.168.188 google.co.ug
    O1 - Hosts: 89.248.168.188 google.co.uk
    O1 - Hosts: 89.248.168.188 google.co.za
    O1 - Hosts: 89.248.168.188 google.co.zm
    O1 - Hosts: 89.248.168.188 google.com
    O1 - Hosts: 89.248.168.188 google.com.af
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
    O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
    O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\\Phone\Skype.exe" /nosplash /minimized
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O9 - Extra button: (no name) - {5067A26B-1337-4436-8AFE-EE169C2DA79F} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
    O9 - Extra 'Tools' menuitem: Skype add-on for Internet Explorer - {5067A26B-1337-4436-8AFE-EE169C2DA79F} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
    O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {2DAD3559-2923-4935-AD49-B673D2539944} (IASRunner Class) - http://www-307.ibm.com/pc/support/acpir.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1220393998515
    O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (file missing)
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
    O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

    --
    End of file - 9294 bytes

    NOW THE DDS.txt

    DDS (Ver_09-07-30.01) - NTFSx86
    Run by User at 11:33:05.50 on 07/08/2009
    Internet Explorer: 7.0.5730.13
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2558.2080 [GMT -6:00]

    AV: Windows Security Suite *On-access scanning enabled* (Updated) {3541755C-DABE-4D2C-AC58-0DA727F04333}
    AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
    FW: Windows Security Suite *enabled* {32B9FDC6-8325-4CBB-AF70-2471AFC76111}

    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    C:\Program Files\AVG\AVG8\avgrsx.exe
    svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    C:\PROGRA~1\AVG\AVG8\avgtray.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Skype\Phone\Skype.exe
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
    C:\Program Files\Skype\Plugin Manager\skypePM.exe
    svchost.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Documents and Settings\User\Desktop\dds.scr

    ============== Pseudo HJT Report ===============

    uInternet Connection Wizard,ShellNext = iexplore
    uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
    BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 5.0\reader\activex\AcroIEHelper.ocx
    BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
    BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
    BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
    TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [Skype] "c:\program files\skype\\phone\Skype.exe" /nosplash /minimized
    mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
    mRun: [nwiz] nwiz.exe /install
    mRun: [Share-to-Web Namespace Daemon] c:\program files\hewlett-packard\hp share-to-web\hpgs2wnd.exe
    mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {5067A26B-1337-4436-8AFE-EE169C2DA79F} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
    IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
    DPF: {2DAD3559-2923-4935-AD49-B673D2539944} - hxxp://www-307.ibm.com/pc/support/acpir.cab
    DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1220393998515
    DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} - hxxp://ax.emsisoft.com/asquared.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} -
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
    Notify: avgrsstarter - avgrsstx.dll

    ============= SERVICES / DRIVERS ===============

    R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-6-26 335752]
    R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-6-26 27784]
    R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-6-26 108552]
    S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-6-26 298776]

    =============== Created Last 30 ================

    2009-08-06 22:57 <DIR> --d----- c:\program files\Trend Micro
    2009-07-31 13:29 <DIR> --d----- c:\docume~1\user\applic~1\Malwarebytes
    2009-07-31 13:29 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
    2009-07-31 13:24 <DIR> --d----- C:\_OTM
    2009-07-31 13:11 <DIR> --d----- c:\docume~1\user\applic~1\GetRightToGo
    2009-07-29 11:13 <DIR> --d----- c:\docume~1\user\applic~1\AVG8
    2009-07-29 00:21 <DIR> --d----- c:\program files\Spybot - Search & Destroy
    2009-07-29 00:21 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
    2009-07-28 23:50 <DIR> --dsh--- c:\docume~1\alluse~1\applic~1\af16f2c
    2009-07-26 10:04 <DIR> --d-h--- C:\$AVG8.VAULT$
    2009-07-12 12:15 <DIR> --d----- c:\program files\Punch! Home Design Complete

    ==================== Find3M ====================

    2009-07-16 22:37 164 a---h--- c:\documents and settings\all users\hpothb07.dat
    2009-07-06 09:40 335,752 a------- c:\windows\system32\drivers\avgldx86.sys
    2009-07-01 12:10 0 a---h--- c:\documents and settings\user\hpothb07.dat
    2009-06-30 14:38 0 a---h--- c:\docume~1\user\applic~1\hpothb07.dat
    2009-06-29 10:12 827,392 a------- c:\windows\system32\wininet.dll
    2009-06-29 10:12 78,336 a------- c:\windows\system32\ieencode.dll
    2009-06-29 10:12 17,408 a------- c:\windows\system32\corpol.dll
    2009-06-26 12:48 11,952 a------- c:\windows\system32\avgrsstx.dll
    2009-06-26 12:48 108,552 a------- c:\windows\system32\drivers\avgtdix.sys
    2009-06-25 15:08 5,058 a------- c:\windows\help\hhcolreg.dat
    2009-06-16 08:36 119,808 a------- c:\windows\system32\t2embed.dll
    2009-06-16 08:36 81,920 a------- c:\windows\system32\fontsub.dll
    2009-06-03 13:09 1,291,264 a------- c:\windows\system32\quartz.dll
    2009-05-22 11:40 86,327 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat

    ============= FINISH: 11:33:17.04 ===============
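The O1 lines in the HijackThis log above are the redirect mechanism: dozens of google.* names are pointed at one remote address in the hosts file, so the browser never asks DNS for the real site. As an added example (not code from the thread, from HijackThis or from any tool named here), this Python checker parses O1 lines, ignores loopback mappings, groups the rest by target IP and flags names from a watchlist; the embedded log excerpt is constructed from a few entries above plus one benign line, and the watchlist of prefixes is an assumption.

```python
"""Flag hosts-file hijacks in a HijackThis log.

Added example for this thread, not part of HijackThis. HijackThis lists every
non-default hosts entry as 'O1 - Hosts: <ip> <name>'. Loopback mappings are a
normal ad-blocking trick; a block of search-engine names pointed at one remote
address is the classic DNS-bypass redirect seen in the log above.
"""
import ipaddress
import re
import sys
from collections import defaultdict

# Constructed excerpt: a few entries copied from the thread's log, plus a benign
# loopback line, so the script runs without a log file.
SAMPLE_HJT_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 74.125.45.100 securitysoftwarepayments.com
O1 - Hosts: 74.125.45.100 www.getantivirusplusnow.com
O1 - Hosts: 89.248.168.188 google.com
O1 - Hosts: 89.248.168.188 google.ca
O1 - Hosts: 89.248.168.188 google.co.uk
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
"""

O1_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)\s*$")

# Assumed watchlist: names an end-user hosts file should never override.
# Matched after stripping a leading 'www.', so 'www.google.co.uk' counts.
HIGH_VALUE_PREFIXES = ("google.", "microsoft.", "windowsupdate.", "update.microsoft.")

SEVERITY_RANK = {"HIGH": 0, "MEDIUM": 1, "LOW": 2}


def parse_o1_lines(log_text):
    """Return (ip, hostname) pairs for every O1 line, hostname lower-cased."""
    entries = []
    for line in log_text.splitlines():
        m = O1_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2).lower().rstrip(".")))
    return entries


def is_local_target(ip_text):
    """True for 127.x / ::1 / 0.0.0.0 style mappings, which only block a name."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # not even an IP literal: keep it in the suspicious set
    return ip.is_loopback or ip.is_unspecified


def is_high_value(name):
    """Watchlist match on the name with any leading 'www.' removed."""
    bare = name[4:] if name.startswith("www.") else name
    return bare.startswith(HIGH_VALUE_PREFIXES)


def assess_hosts_entries(entries):
    """Group non-local mappings by target IP: ip -> {names, high_value}."""
    by_ip = defaultdict(lambda: {"names": [], "high_value": []})
    for ip, name in entries:
        if is_local_target(ip):
            continue
        by_ip[ip]["names"].append(name)
        if is_high_value(name):
            by_ip[ip]["high_value"].append(name)
    return dict(by_ip)


def hijack_verdicts(log_text, bulk_threshold=5):
    """Return (severity, ip, reason) tuples, most severe first.

    HIGH:   any watchlisted name redirected to a remote address.
    MEDIUM: bulk_threshold or more names funnelled to one address.
    LOW:    any other remote mapping; still worth a look on a home PC.
    """
    verdicts = []
    for ip, info in assess_hosts_entries(parse_o1_lines(log_text)).items():
        if info["high_value"]:
            sev = "HIGH"
            why = "%d watchlisted name(s) resolve to %s: %s" % (
                len(info["high_value"]), ip, ", ".join(info["high_value"]))
        elif len(info["names"]) >= bulk_threshold:
            sev = "MEDIUM"
            why = "%d names funnelled to %s" % (len(info["names"]), ip)
        else:
            sev = "LOW"
            why = "%d name(s) mapped to %s: %s" % (
                len(info["names"]), ip, ", ".join(info["names"]))
        verdicts.append((sev, ip, why))
    verdicts.sort(key=lambda v: (SEVERITY_RANK[v[0]], v[1]))
    return verdicts


if __name__ == "__main__":
    # With a path argument, analyse a saved hijackthis.log; otherwise the excerpt.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_HJT_LOG
    results = hijack_verdicts(text)
    for sev, _ip, why in results:
        print("[%s] %s" % (sev, why))
    if not results:
        print("no remote hosts-file mappings found")
```

The same grouping works on a raw hosts file if you feed it lines rewritten to the O1 form, since the regex only cares about the ip/name pair.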
     
  2. 2009/08/07
    PeteC (SuperGeek, Staff)

    Welcome to WindowsBBS :)
    Just copy/paste the file contents here.
     


  4. 2009/08/07
    neophyte (Inactive, Thread Starter)

    Thanks Pete. Here's the attach. bunf.


    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_09-07-30.01)

    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume1
    Install Date: 22/05/2009 11:23:27 AM
    System Uptime: 08/07/2009 10:00:21 AM (721 hours ago)

    Motherboard: MSIS | | MS-9158
    Processor: Intel(R) Pentium(R) 4 CPU 3.80GHz | LGA775/PRESCOTT | 3791/800mhz

    ==== Disk Partitions =========================

    A: is Removable
    C: is FIXED (NTFS) - 75 GiB total, 47.227 GiB free.
    D: is CDROM ()

    ==== Disabled Device Manager Items =============

    Class GUID: {4D36E96F-E325-11CE-BFC1-08002BE10318}
    Description: PS/2 Compatible Mouse
    Device ID: ACPI\PNP0F13\5&9583612&0
    Manufacturer: Microsoft
    Name: PS/2 Compatible Mouse
    PNP Device ID: ACPI\PNP0F13\5&9583612&0
    Service: i8042prt

    Class GUID: {4D36E96B-E325-11CE-BFC1-08002BE10318}
    Description: Standard 101/102-Key or Microsoft Natural PS/2 Keyboard
    Device ID: ACPI\PNP0303\5&9583612&0
    Manufacturer: (Standard keyboards)
    Name: Standard 101/102-Key or Microsoft Natural PS/2 Keyboard
    PNP Device ID: ACPI\PNP0303\5&9583612&0
    Service: i8042prt

    ==== System Restore Points ===================

    RP1: 22/05/2009 11:23:29 AM - System Checkpoint
    RP2: 25/06/2009 2:57:32 PM - Installed HP Photo and Imaging 2.2 - Scanjet 3970 Series
    RP3: 25/06/2009 2:58:29 PM - Installed HP Memories Disc
    RP4: 25/06/2009 3:06:45 PM - Installed Microsoft Office 2000 Premium
    RP5: 26/06/2009 12:47:57 PM - Installed AVG Free 8.5
    RP6: 26/06/2009 1:11:03 PM - Software Distribution Service 3.0
    RP7: 27/06/2009 11:19:26 AM - Avg8 Update
    RP8: 29/06/2009 10:00:20 AM - System Checkpoint
    RP9: 30/06/2009 12:33:05 PM - System Checkpoint
    RP10: 01/07/2009 4:32:24 PM - System Checkpoint
    RP11: 02/07/2009 4:39:02 PM - System Checkpoint
    RP12: 03/07/2009 6:32:22 PM - System Checkpoint
    RP13: 04/07/2009 6:49:50 PM - System Checkpoint
    RP14: 05/07/2009 8:26:12 PM - System Checkpoint
    RP15: 06/07/2009 9:40:19 AM - Avg8 Update
    RP16: 06/07/2009 9:40:49 AM - Avg8 Update
    RP17: 07/07/2009 12:13:11 PM - System Checkpoint
    RP18: 08/07/2009 12:49:36 PM - System Checkpoint
    RP19: 09/07/2009 8:41:45 AM - Avg8 Update
    RP20: 10/07/2009 11:25:02 AM - System Checkpoint
    RP21: 11/07/2009 11:56:38 AM - System Checkpoint
    RP22: 13/07/2009 12:23:31 PM - System Checkpoint
    RP23: 14/07/2009 3:59:47 PM - System Checkpoint
    RP24: 15/07/2009 4:47:07 PM - System Checkpoint
    RP25: 16/07/2009 3:00:12 AM - Software Distribution Service 3.0
    RP26: 17/07/2009 11:16:34 AM - Avg8 Update
    RP27: 19/07/2009 4:04:12 PM - System Checkpoint
    RP28: 20/07/2009 9:36:43 PM - System Checkpoint
    RP29: 22/07/2009 12:31:20 PM - System Checkpoint
    RP30: 26/07/2009 10:39:05 AM - System Checkpoint
    RP31: 28/07/2009 9:30:30 AM - System Checkpoint
    RP32: 29/07/2009 9:31:36 AM - Software Distribution Service 3.0
    RP33: 29/07/2009 11:17:19 AM - Configured AVG Free 8.5
    RP34: 29/07/2009 11:20:09 AM - Configured AVG Free 8.5
    RP35: 31/07/2009 9:10:20 AM - System Checkpoint
    RP36: 31/07/2009 10:13:19 PM - Configured AVG Free 8.5
    RP37: 03/08/2009 10:54:58 AM - System Checkpoint
    RP38: 04/08/2009 11:06:30 AM - System Checkpoint
    RP39: 04/08/2009 2:16:10 PM - Configured AVG Free 8.5
    RP40: 04/08/2009 2:26:46 PM - Configured AVG Free 8.5
    RP41: 05/08/2009 3:10:58 PM - System Checkpoint
    RP42: 06/08/2009 3:31:45 PM - System Checkpoint

    ==== Installed Programs ======================

    Adobe Acrobat 5.0
    Adobe Flash Player ActiveX
    AVG Free 8.5
    HijackThis 2.0.2
    Hotfix for Windows XP (KB952287)
    HP Memories Disc
    HP Photo and Imaging 2.2 - Scanjet 3970 Series
    Microsoft Internationalized Domain Names Mitigation APIs
    Microsoft National Language Support Downlevel APIs
    Microsoft Office 2000 Premium
    Microsoft Visual C++ 2005 Redistributable
    NVIDIA Drivers
    Punch! Home Design Complete
    Quintessential Media Player
    Quintessential Player
    Security Update for Windows Internet Explorer 7 (KB938127-v2)
    Security Update for Windows Internet Explorer 7 (KB953838)
    Security Update for Windows Internet Explorer 7 (KB969897)
    Security Update for Windows Internet Explorer 7 (KB972260)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player 10 (KB936782)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB923689)
    Security Update for Windows XP (KB923789)
    Security Update for Windows XP (KB938464-v2)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951698)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB953839)
    Security Update for Windows XP (KB954459)
    Security Update for Windows XP (KB954600)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB957097)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958687)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB961371)
    Security Update for Windows XP (KB961373)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB968537)
    Security Update for Windows XP (KB969898)
    Security Update for Windows XP (KB970238)
    Security Update for Windows XP (KB971633)
    Security Update for Windows XP (KB973346)
    Skype web features
    Skype™ 4.1
    SoundMAX
    Update for Windows XP (KB898461)
    Update for Windows XP (KB951072-v2)
    Update for Windows XP (KB951978)
    Update for Windows XP (KB955839)
    Update for Windows XP (KB967715)
    WebFldrs XP
    Windows Genuine Advantage Validation Tool (KB892130)
    Windows Internet Explorer 7
    Windows Media Format Runtime
    Windows Media Player 10

    ==== Event Viewer Messages From Past Week ========

    31/07/2009 11:17:55 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: i8042prt PCIIde
    31/07/2009 11:17:45 PM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume1'. It has stopped monitoring the volume.
    31/07/2009 1:26:35 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the NVIDIA Display Driver Service service to connect.
    31/07/2009 1:26:35 PM, error: Service Control Manager [7000] - The NVIDIA Display Driver Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    01/08/2009 10:09:43 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: i8042prt
    01/08/2009 10:09:38 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the AVG Free8 WatchDog service to connect.
    01/08/2009 10:09:38 PM, error: Service Control Manager [7000] - The AVG Free8 WatchDog service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.

    ==== End Of File ===========================
     
  5. 2009/08/07
    PeteC (SuperGeek, Staff)

    Thanks :)

    One of our trained malware analysts will take a look at your logs ASAP, but it may be a day or so before you get a response as they are always very busy. All logs are dealt with in the order received.

    Thank you for your patience.
     
  6. 2009/08/07
    neophyte (Inactive, Thread Starter)

    Thanks Pete. It's been long enough already, I don't think a day or two will hurt me.

    Regards,

    KG
     
  7. 2009/08/08
    broni (Moderator, Malware Analyst)

    Download HostsXpert ( http://www.majorgeeks.com/Hoster_d4626.html ) and then follow the steps below:

    * Unzip HostsXpert.zip
    * It will create a folder named HostsXpert in whatever folder you extract it to.
    * Run HostsXpert.exe by double clicking on it.
    * Click Restore MS Hosts File and then click OK.
    * Click the X to exit the program.

    Restart computer.

    ==============================================================

    Print these instructions out.

    NOTE. If any of the programs listed below refuses to run, try renaming its executable file to something else; for instance, rename hijackthis.exe to scanner.exe.

    ***VERY IMPORTANT! Make sure you update SUPERAntiSpyware and Malwarebytes before running the scans.***

    STEP 1. Download SUPERAntiSpyware Free for Home Users:
    http://www.superantispyware.com/

    * Double-click SUPERAntiSpyware.exe and use the default settings for installation.
    * An icon will be created on your desktop. Double-click that icon to launch the program.
    * If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here: http://www.superantispyware.com/definitions.html.)
    * Close SUPERAntiSpyware.

    PHYSICALLY DISCONNECT FROM THE INTERNET

    Restart computer in Safe Mode.
    To enter Safe Mode, restart the computer and keep tapping the F8 key until the menu appears; select Safe Mode; you'll see "Safe Mode" in all four corners of your screen.

    * Open SUPERAntiSpyware.
    * Click Scan your Computer... button.
    * Click Scanning Preferences/Control Center... button.
    * Under the General and Startup tab, make sure the Start SUPERAntiSpyware when Windows starts option is UN-checked.
    * Click the Scanning Control tab.
    * Under Scanner Options make sure the following are checked (leave all others unchecked):
    - Close browsers before scanning.
    - Terminate memory threats before quarantining.

    * Click the Close button to leave the control center screen.
    * On the left, make sure you check C:\Fixed Drive.
    * On the right, choose Perform Complete Scan.
    * Click Next to start the scan. Please be patient while it scans your computer.
    * After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click OK.
    * Make sure everything has a checkmark next to it and click Next.
    * A notification will appear that Quarantine and Removal is Complete. Click OK and then click the Finish button to return to the main menu.
    * If asked if you want to reboot, click Yes.
    * To retrieve the removal information after reboot, launch SUPERAntispyware again.
    - Click Preferences, then click the Statistics/Logs tab.
    - Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    - If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    - Please copy and paste the Scan Log results in your next reply.

    * Click Close to exit the program.
    Post SUPERAntiSpyware log.

    RECONNECT TO THE INTERNET

    RESTART COMPUTER!

    STEP 2. Download Malwarebytes' Anti-Malware: http://www.malwarebytes.org/mbam.php to your desktop.
    (Malwarebytes is free to use as a manual scanner. Payment is only required if you wish to have it run and update automatically which is not necessary for our purposes)

    * Double-click mbam-setup.exe and follow the prompts to install the program.
    * At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    * If an update is found, it will download and install the latest version.
    * Once the program has loaded, select Perform full scan, then click Scan.
    * When the scan is complete, click OK, then Show Results to view the results.
    * Be sure that everything is checked, and click Remove Selected.
    * When completed, a log will open in Notepad.
    * Post the log back here.

    The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
    Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

    RESTART COMPUTER!

    STEP 3. Download GMER: http://www.gmer.net/files.php, by clicking on Download EXE button.
    Alternative downloads:
    - http://majorgeeks.com/GMER_d5198.html
    - http://www.softpedia.com/get/Interne...ers/GMER.shtml
    Double-click the downloaded .exe file, select the Rootkit tab and click the Scan button.
    When the scan is completed, click the Save button and save the results as gmer.log.
    Warning! Please do not select the "Show all" checkbox during the scan.
    Post the log to your next reply.

    RESTART COMPUTER

    STEP 4.
    Post fresh HijackThis log.
    Do NOT attempt to "fix" anything!


    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
  8. 2009/08/10
    neophyte (Inactive, Thread Starter)

    Just one quick question.

    OK, firstly, thanks for the help you are giving me. Next, your instructions say to run Malwarebytes Anti-Malware and remove all malware files it identifies. Was I not told previously not to do this, as it identifies useful files as well? I have run SUPERAntiSpyware already and it came up clean; no files found. I will wait to hear from you about removing all the files Malwarebytes found.

    Kevin
     
  9. 2009/08/10
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    By whom?
    Malwarebytes very rarely makes any mistakes. The handful of them I had a chance to see were not crucial to computer operation.
    Please, proceed.
     
  10. 2009/08/10
    neophyte

    neophyte Inactive Thread Starter

    Joined:
    2009/08/07
    Messages:
    67
    Likes Received:
    0
    My mistake. It was HijackThis that I was told not to let loose.

    OK, I ran Superantispyware twice, once in safe mode and once when connected to the web and in normal mode. It turned up no malware.

    My Malwarebytes latest scan turned up NO FILES INFECTED.

    My GMER scan turned up the following log:

    GMER 1.0.15.15020 [gs9o3hok[1].exe] - http://www.gmer.net
    Rootkit scan 2009-08-10 12:41:12
    Windows 5.1.2600 Service Pack 3


    ---- Kernel code sections - GMER 1.0.15 ----

    ? lgdpv.sys The system cannot find the file specified. !

    ---- User code sections - GMER 1.0.15 ----

    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2844] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E1DF4B9 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2844] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E351F8F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2844] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E351F10 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2844] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E351F54 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2844] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E351E9C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2844] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E351ED6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2844] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E351FCA C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2844] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E2017EA C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2844] ole32.dll!OleLoadFromStream 77529C85 5 Bytes JMP 3E35218C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

    ---- EOF - GMER 1.0.15 ----
    The latest HijackThis log is as follows:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 1:25:59 PM, on 10/08/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16876)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\AVG\AVG8\avgrsx.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    C:\PROGRA~1\AVG\AVG8\avgtray.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Skype\Phone\Skype.exe
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
    C:\Program Files\Skype\Plugin Manager\skypePM.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    C:\Program Files\Microsoft Office\Office\WINWORD.EXE

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
    O1 - Hosts: 74.125.45.100 test1111.com
    O1 - Hosts: 74.125.45.100 test1112.com
    O1 - Hosts: 74.125.45.100 4-open-davinci.com
    O1 - Hosts: 74.125.45.100 securitysoftwarepayments.com
    O1 - Hosts: 74.125.45.100 privatesecuredpayments.com
    O1 - Hosts: 74.125.45.100 secure.privatesecuredpayments.com
    O1 - Hosts: 74.125.45.100 getantivirusplusnow.com
    O1 - Hosts: 74.125.45.100 secure-plus-payments.com
    O1 - Hosts: 74.125.45.100 www.getantivirusplusnow.com
    O1 - Hosts: 74.125.45.100 www.secure-plus-payments.com
    O1 - Hosts: 74.125.45.100 www.getavplusnow.com
    O1 - Hosts: 74.125.45.100 www.securesoftwarebill.com
    O1 - Hosts: 89.248.168.188 google.ae
    O1 - Hosts: 89.248.168.188 google.as
    O1 - Hosts: 89.248.168.188 google.at
    O1 - Hosts: 89.248.168.188 google.az
    O1 - Hosts: 89.248.168.188 google.ba
    O1 - Hosts: 89.248.168.188 google.be
    O1 - Hosts: 89.248.168.188 google.bg
    O1 - Hosts: 89.248.168.188 google.bs
    O1 - Hosts: 89.248.168.188 google.ca
    O1 - Hosts: 89.248.168.188 google.cd
    O1 - Hosts: 89.248.168.188 google.com.gh
    O1 - Hosts: 89.248.168.188 google.com.hk
    O1 - Hosts: 89.248.168.188 google.com.jm
    O1 - Hosts: 89.248.168.188 google.com.mx
    O1 - Hosts: 89.248.168.188 google.com.my
    O1 - Hosts: 89.248.168.188 google.com.na
    O1 - Hosts: 89.248.168.188 google.com.nf
    O1 - Hosts: 89.248.168.188 google.com.ng
    O1 - Hosts: 89.248.168.188 google.ch
    O1 - Hosts: 89.248.168.188 google.com.np
    O1 - Hosts: 89.248.168.188 google.com.pr
    O1 - Hosts: 89.248.168.188 google.com.qa
    O1 - Hosts: 89.248.168.188 google.com.sg
    O1 - Hosts: 89.248.168.188 google.com.tj
    O1 - Hosts: 89.248.168.188 google.com.tw
    O1 - Hosts: 89.248.168.188 google.dj
    O1 - Hosts: 89.248.168.188 google.de
    O1 - Hosts: 89.248.168.188 google.dk
    O1 - Hosts: 89.248.168.188 google.dm
    O1 - Hosts: 89.248.168.188 google.ee
    O1 - Hosts: 89.248.168.188 google.fi
    O1 - Hosts: 89.248.168.188 google.fm
    O1 - Hosts: 89.248.168.188 google.fr
    O1 - Hosts: 89.248.168.188 google.ge
    O1 - Hosts: 89.248.168.188 google.gg
    O1 - Hosts: 89.248.168.188 google.gm
    O1 - Hosts: 89.248.168.188 google.gr
    O1 - Hosts: 89.248.168.188 google.ht
    O1 - Hosts: 89.248.168.188 google.ie
    O1 - Hosts: 89.248.168.188 google.im
    O1 - Hosts: 89.248.168.188 google.in
    O1 - Hosts: 89.248.168.188 google.it
    O1 - Hosts: 89.248.168.188 google.ki
    O1 - Hosts: 89.248.168.188 google.la
    O1 - Hosts: 89.248.168.188 google.li
    O1 - Hosts: 89.248.168.188 google.lv
    O1 - Hosts: 89.248.168.188 google.ma
    O1 - Hosts: 89.248.168.188 google.ms
    O1 - Hosts: 89.248.168.188 google.mu
    O1 - Hosts: 89.248.168.188 google.mw
    O1 - Hosts: 89.248.168.188 google.nl
    O1 - Hosts: 89.248.168.188 google.no
    O1 - Hosts: 89.248.168.188 google.nr
    O1 - Hosts: 89.248.168.188 google.nu
    O1 - Hosts: 89.248.168.188 google.pl
    O1 - Hosts: 89.248.168.188 google.pn
    O1 - Hosts: 89.248.168.188 google.pt
    O1 - Hosts: 89.248.168.188 google.ro
    O1 - Hosts: 89.248.168.188 google.ru
    O1 - Hosts: 89.248.168.188 google.rw
    O1 - Hosts: 89.248.168.188 google.sc
    O1 - Hosts: 89.248.168.188 google.se
    O1 - Hosts: 89.248.168.188 google.sh
    O1 - Hosts: 89.248.168.188 google.si
    O1 - Hosts: 89.248.168.188 google.sm
    O1 - Hosts: 89.248.168.188 google.sn
    O1 - Hosts: 89.248.168.188 google.st
    O1 - Hosts: 89.248.168.188 google.tl
    O1 - Hosts: 89.248.168.188 google.tm
    O1 - Hosts: 89.248.168.188 google.tt
    O1 - Hosts: 89.248.168.188 google.us
    O1 - Hosts: 89.248.168.188 google.vu
    O1 - Hosts: 89.248.168.188 google.ws
    O1 - Hosts: 89.248.168.188 google.co.ck
    O1 - Hosts: 89.248.168.188 google.co.id
    O1 - Hosts: 89.248.168.188 google.co.il
    O1 - Hosts: 89.248.168.188 google.co.in
    O1 - Hosts: 89.248.168.188 google.co.jp
    O1 - Hosts: 89.248.168.188 google.co.kr
    O1 - Hosts: 89.248.168.188 google.co.ls
    O1 - Hosts: 89.248.168.188 google.co.ma
    O1 - Hosts: 89.248.168.188 google.co.nz
    O1 - Hosts: 89.248.168.188 google.co.tz
    O1 - Hosts: 89.248.168.188 google.co.ug
    O1 - Hosts: 89.248.168.188 google.co.uk
    O1 - Hosts: 89.248.168.188 google.co.za
    O1 - Hosts: 89.248.168.188 google.co.zm
    O1 - Hosts: 89.248.168.188 google.com
    O1 - Hosts: 89.248.168.188 google.com.af
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
    O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
    O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\\Phone\Skype.exe" /nosplash /minimized
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O9 - Extra button: (no name) - {5067A26B-1337-4436-8AFE-EE169C2DA79F} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
    O9 - Extra 'Tools' menuitem: Skype add-on for Internet Explorer - {5067A26B-1337-4436-8AFE-EE169C2DA79F} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
    O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {2DAD3559-2923-4935-AD49-B673D2539944} (IASRunner Class) - http://www-307.ibm.com/pc/support/acpir.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1220393998515
    O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (file missing)
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
    O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

    --
    End of file - 9329 bytes

    Thanks again for all the help.

    Kevin
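    The "O1 - Hosts:" lines in the log above are the part a malware analyst reads first: a clean Windows hosts file only maps localhost to 127.0.0.1, so any line that points google.* or a payment/antivirus-vendor domain at a public address is a redirect. The following Python checker is an added example, not code from the thread or from HijackThis; it parses a constructed subset of the O1 lines posted above and groups the redirected hostnames by the address they are sent to.

```python
"""Flag hosts-file redirects from HijackThis "O1 - Hosts:" log lines.

Added example, not part of the thread. HijackThis reports each non-comment
hosts line as "O1 - Hosts: <ip> <hostname>". Entries whose target is the
loopback or unspecified address are blocking/localhost entries; anything
pointed at a routable address is treated as a redirect.
"""
import ipaddress
import re
from collections import defaultdict

O1_RE = re.compile(r"^\s*O1 - Hosts:\s+(\S+)\s+(\S+)\s*$")

# Constructed sample: a subset of the lines from the HijackThis log above,
# plus one non-O1 line to show that unrelated entries are ignored.
SAMPLE_LOG = """\
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 74.125.45.100 securitysoftwarepayments.com
O1 - Hosts: 74.125.45.100 getantivirusplusnow.com
O1 - Hosts: 89.248.168.188 google.com
O1 - Hosts: 89.248.168.188 google.ca
O1 - Hosts: 89.248.168.188 google.co.uk
O4 - HKLM\\..\\Run: [nwiz] nwiz.exe /install
"""


def parse_o1_lines(log_text):
    """Return (ip, hostname) pairs for every O1 line in a HijackThis log."""
    entries = []
    for line in log_text.splitlines():
        m = O1_RE.match(line)
        if m:
            entries.append((m.group(1), m.group(2).lower()))
    return entries


def is_benign(ip):
    """Loopback/unspecified targets block a name rather than redirect it."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # unparsable address field: do not trust it
    return addr.is_loopback or addr.is_unspecified


def find_hijacks(log_text):
    """Group redirected hostnames by the routable address they point at."""
    hijacked = defaultdict(list)
    for ip, hostname in parse_o1_lines(log_text):
        if not is_benign(ip):
            hijacked[ip].append(hostname)
    return dict(hijacked)


def summarize(hijacks):
    """One report line per target address, most-redirected address first."""
    ordered = sorted(hijacks.items(), key=lambda kv: -len(kv[1]))
    return [f"{ip}: {len(hosts)} host(s) redirected, e.g. {', '.join(hosts[:3])}"
            for ip, hosts in ordered]


if __name__ == "__main__":
    for report_line in summarize(find_hijacks(SAMPLE_LOG)):
        print(report_line)
```

On a live system the same logic can be run over the raw hosts file (skip comment lines, split on whitespace); on XP it lives at C:\WINDOWS\system32\drivers\etc\hosts, as the thread notes.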
     
  11. 2009/08/10
    neophyte

    neophyte Inactive Thread Starter

    Joined:
    2009/08/07
    Messages:
    67
    Likes Received:
    0
    Also note, when running HijackThis, I get this warning when running a scan:

    For some reason your system denied write access to the Hosts file. If any hijacked domains are in this field, Hijack This may NOT be able to fix this.

    If that happens, you need to edit the file yourself. To do this, click Start, Run and type:

    Notepad c:\WINDOWS\System32\drivers\etc\hosts

    And press Enter. Find the line Hijack This reports and delete them. Save the file as ‘hosts’, [with quotes], and reboot. For Vista etc. etc. etc
     
  12. 2009/08/10
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Download HostsXpert ( http://www.majorgeeks.com/Hoster_d4626.html ) and then follow the steps below:

    * Unzip HostsXpert.zip
    * It will create a folder named HostsXpert in whatever folder you extract it to.
    * Run HostsXpert.exe by double clicking on it.
    * Click Restore MS Hosts File and then click OK.
    * Click the X to exit the program

    Restart computer.

    Post fresh HJT log.
     
  13. 2009/08/10
    neophyte

    neophyte Inactive Thread Starter

    Joined:
    2009/08/07
    Messages:
    67
    Likes Received:
    0
    OK, opened and tried to run Restore MS Hosts File and got the error message:

    ERROR: Cannot create file C:\WINDOWS\system32\DRIVERS\ETC\hosts
     
  14. 2009/08/10
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
  15. 2009/08/10
    neophyte

    neophyte Inactive Thread Starter

    Joined:
    2009/08/07
    Messages:
    67
    Likes Received:
    0
    OK, I'm following those instructions but when I try to change the setting by checking Replace owner on subcontainers and objects, I don't get the warning box that is supposed to pop up saying You do not have permission etc. etc.
     
  16. 2009/08/10
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    You're supposed to follow the instructions for taking ownership of a file, not a folder:

    To take ownership of a file, follow these steps:

    * Right-click the file that you want to take ownership of, and then click Properties.
    * Click the Security tab, and then click OK on the Security message (if one appears).
    * Click Advanced, and then click the Owner tab.
    * In the Name list, click Administrator, or click the Administrators group, and then click OK.

    The administrator or the Administrators group now owns the file.
     
  17. 2009/08/10
    neophyte

    neophyte Inactive Thread Starter

    Joined:
    2009/08/07
    Messages:
    67
    Likes Received:
    0
    I don't know why, but I don't have a file named HOSTS even though the error message is in reference to C:\WINDOWS\system32\DRIVERS\ETC\hosts.

    That folder contains 4 files named lmhosts.sam, networks, protocol, services.
     
  18. 2009/08/10
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    It shouldn't be a hidden file, but just in case...

    Open Windows Explorer. Go to Tools > Folder Options > View tab, and put a checkmark next to Show hidden files and folders.
    Restart Windows Explorer, and check again for the hosts file.
     
  19. 2009/08/10
    neophyte

    neophyte Inactive Thread Starter

    Joined:
    2009/08/07
    Messages:
    67
    Likes Received:
    0
    That feature is indeed checked. My computer has always shown hidden files and folders. I'm afraid the closest thing to host is the file called lmhost.sam. Is that the one we are dealing with?
     
  20. 2009/08/10
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    No, lmhost.sam is just a sample file.

    Please download SystemLook from one of the links below and save it to your Desktop.
    Download Mirror #1
    Download Mirror #2

    • Double-click SystemLook.exe to run it.
    • Vista users: Right click on SystemLook.exe, click Run As Administrator
    • Copy the content of the following box into the main textfield:
      Code:
      :filefind
      hosts
      
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
    Note: The log can also be found on your Desktop entitled SystemLook.txt
     
  21. 2009/08/10
    neophyte

    neophyte Inactive Thread Starter

    Joined:
    2009/08/07
    Messages:
    67
    Likes Received:
    0
    And there it is. File called hosts. Don't ask me why one doesn't see it by looking it up on the C drive.

    SystemLook v1.0 by jpshortstuff (22.05.09)
    Log created at 18:44 on 10/08/2009 by User (Administrator - Elevation successful)

    ========== filefind ==========

    Searching for "hosts "
    C:\WINDOWS\system32\drivers\etc\hosts -rahs- 7599 bytes [12:00 20/06/2003] [14:53 31/07/2009] 7AF6164C766A40800DC262899F546404

    -=End Of File=-
     
