WinXp / Large Amount Of Hijacked Domains


17 replies to this topic

#1 EngravEER (Full Member, 55 posts)

Posted 09 December 2009 - 10:50 AM

Greetings from Martinsburg, WV USA:

Came home from work to find an apologetic wife and an infected Dell XPS 410 desktop PC running Windows XP. She had clicked on a video link on a news site and that's all it took. Entering google.com now takes you to the Google Netherlands site. Trying to access gmail gives a security warning. Had been running Avira Antivirus but the infection will not let me update and run that program.

I have read the FAQ.

I downloaded and ran Spybot, Malwarebytes and HijackThis v 2.0.2. Logs are attached for both MB and HJT.

Scan in Spybot showed two infections...

Fraud.WindowsProtection Suite - Malware/15 entries
Microsoft.Windows.RedirectedHosts - SecurityC/3 entries

When I go to fix these infections in Spybot, I get a message saying, "Unexpected error in fixing problems (cannot create file). c:\windows\system32\drivers\etc\hosts access is denied"

Upon opening and running HJT, I get this message, "For some reason your system denied access to the Hosts file. You have a particularly large amount of hijacked domains."

Thanks in advance for any help you can provide!

Rick


Logs are as follows...

Malwarebytes:

Malwarebytes' Anti-Malware 1.42
Database version: 3331
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

12/9/2009 10:27:55 AM
mbam-log-2009-12-09 (10-27-55).txt

Scan type: Quick Scan
Objects scanned: 150567
Time elapsed: 10 minute(s), 46 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Astrocom (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\NeoChronos (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\neochronos (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

**********************************************************************************************

HijackThis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:31:19 AM, on 12/9/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\WINDOWS\system32\CTXFIHLP.EXE
C:\Program Files\dvd43\dvd43_tray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Documents and Settings\Rick Rohn\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\Program Files\Spb Backup\SpbBackupSync.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=1061209
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://desktop.googl...back.html?hl=en
O1 - Hosts: 74.125.45.100 4-open-davinci.com
O1 - Hosts: 74.125.45.100 securitysoftwarepayments.com
O1 - Hosts: 74.125.45.100 privatesecuredpayments.com
O1 - Hosts: 74.125.45.100 secure.privatesecuredpayments.com
O1 - Hosts: 74.125.45.100 getantivirusplusnow.com
O1 - Hosts: 74.125.45.100 secure-plus-payments.com
O1 - Hosts: 74.125.45.100 www.getantivirusplusnow.com
O1 - Hosts: 74.125.45.100 www.secure-plus-payments.com
O1 - Hosts: 74.125.45.100 www.getavplusnow.com
O1 - Hosts: 74.125.45.100 safebrowsing-cache.google.com
O1 - Hosts: 74.125.45.100 urs.microsoft.com
O1 - Hosts: 74.125.45.100 www.securesoftwarebill.com
O1 - Hosts: 74.125.45.100 secure.paysecuresystem.com
O1 - Hosts: 74.125.45.100 paysoftbillsolution.com
O1 - Hosts: 74.125.45.100 protected.maxisoftwaremart.com
O1 - Hosts: 93.174.89.12 google.ae
O1 - Hosts: 93.174.89.12 google.as
O1 - Hosts: 93.174.89.12 google.at
O1 - Hosts: 93.174.89.12 google.az
O1 - Hosts: 93.174.89.12 google.ba
O1 - Hosts: 93.174.89.12 google.be
O1 - Hosts: 93.174.89.12 google.bg
O1 - Hosts: 93.174.89.12 google.bs
O1 - Hosts: 93.174.89.12 google.ca
O1 - Hosts: 93.174.89.12 google.cd
O1 - Hosts: 93.174.89.12 google.com.gh
O1 - Hosts: 93.174.89.12 google.com.hk
O1 - Hosts: 93.174.89.12 google.com.jm
O1 - Hosts: 93.174.89.12 google.com.mx
O1 - Hosts: 93.174.89.12 google.com.my
O1 - Hosts: 93.174.89.12 google.com.na
O1 - Hosts: 93.174.89.12 google.com.nf
O1 - Hosts: 93.174.89.12 google.com.ng
O1 - Hosts: 93.174.89.12 google.ch
O1 - Hosts: 93.174.89.12 google.com.np
O1 - Hosts: 93.174.89.12 google.com.pr
O1 - Hosts: 93.174.89.12 google.com.qa
O1 - Hosts: 93.174.89.12 google.com.sg
O1 - Hosts: 93.174.89.12 google.com.tj
O1 - Hosts: 93.174.89.12 google.com.tw
O1 - Hosts: 93.174.89.12 google.dj
O1 - Hosts: 93.174.89.12 google.de
O1 - Hosts: 93.174.89.12 google.dk
O1 - Hosts: 93.174.89.12 google.dm
O1 - Hosts: 93.174.89.12 google.ee
O1 - Hosts: 93.174.89.12 google.fi
O1 - Hosts: 93.174.89.12 google.fm
O1 - Hosts: 93.174.89.12 google.fr
O1 - Hosts: 93.174.89.12 google.ge
O1 - Hosts: 93.174.89.12 google.gg
O1 - Hosts: 93.174.89.12 google.gm
O1 - Hosts: 93.174.89.12 google.gr
O1 - Hosts: 93.174.89.12 google.ht
O1 - Hosts: 93.174.89.12 google.ie
O1 - Hosts: 93.174.89.12 google.im
O1 - Hosts: 93.174.89.12 google.in
O1 - Hosts: 93.174.89.12 google.it
O1 - Hosts: 93.174.89.12 google.ki
O1 - Hosts: 93.174.89.12 google.la
O1 - Hosts: 93.174.89.12 google.li
O1 - Hosts: 93.174.89.12 google.lv
O1 - Hosts: 93.174.89.12 google.ma
O1 - Hosts: 93.174.89.12 google.ms
O1 - Hosts: 93.174.89.12 google.mu
O1 - Hosts: 93.174.89.12 google.mw
O1 - Hosts: 93.174.89.12 google.nl
O1 - Hosts: 93.174.89.12 google.no
O1 - Hosts: 93.174.89.12 google.nr
O1 - Hosts: 93.174.89.12 google.nu
O1 - Hosts: 93.174.89.12 google.pl
O1 - Hosts: 93.174.89.12 google.pn
O1 - Hosts: 93.174.89.12 google.pt
O1 - Hosts: 93.174.89.12 google.ro
O1 - Hosts: 93.174.89.12 google.ru
O1 - Hosts: 93.174.89.12 google.rw
O1 - Hosts: 93.174.89.12 google.sc
O1 - Hosts: 93.174.89.12 google.se
O1 - Hosts: 93.174.89.12 google.sh
O1 - Hosts: 93.174.89.12 google.si
O1 - Hosts: 93.174.89.12 google.sm
O1 - Hosts: 93.174.89.12 google.sn
O1 - Hosts: 93.174.89.12 google.st
O1 - Hosts: 93.174.89.12 google.tl
O1 - Hosts: 93.174.89.12 google.tm
O1 - Hosts: 93.174.89.12 google.tt
O1 - Hosts: 93.174.89.12 google.us
O1 - Hosts: 93.174.89.12 google.vu
O1 - Hosts: 93.174.89.12 google.ws
O1 - Hosts: 93.174.89.12 google.co.ck
O1 - Hosts: 93.174.89.12 google.co.id
O1 - Hosts: 93.174.89.12 google.co.il
O1 - Hosts: 93.174.89.12 google.co.in
O1 - Hosts: 93.174.89.12 google.co.jp
O1 - Hosts: 93.174.89.12 google.co.kr
O1 - Hosts: 93.174.89.12 google.co.ls
O1 - Hosts: 93.174.89.12 google.co.ma
O1 - Hosts: 93.174.89.12 google.co.nz
O1 - Hosts: 93.174.89.12 google.co.tz
O1 - Hosts: 93.174.89.12 google.co.ug
O1 - Hosts: 93.174.89.12 google.co.uk
O1 - Hosts: 93.174.89.12 google.co.za
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [dvd43] C:\Program Files\dvd43\dvd43_tray.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -startup
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [SansaDispatch] C:\Documents and Settings\Rick Rohn\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: Spb Backup Sync.lnk = C:\Program Files\Spb Backup\SpbBackupSync.exe
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX Advanced) - http://www.stonyfiel...criptX/smsx.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewid...oOnlineScan.cab
O16 - DPF: {2DEF4530-8CE6-41C9-84B6-A54536C90213} (Crystal Report Viewer Control 9) - https://www.etorepor...tivexviewer.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....ploader1006.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://www.onlinegis...AB/mgaxctrl.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx...owserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1183553476281
O16 - DPF: {8569D715-FF88-44BA-8D1D-AD3E59543DDE} (ActiveReports Viewer2) - https://trax.nfocus....ort/arview2.cab
O16 - DPF: {8BC53B30-32E4-4ED3-BEF9-DB761DB77453} (CInstallLPCtrl Object) - http://u3.sandisk.co...LPInstaller.CAB
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.ad...Plus/1.6/gp.cab
O16 - DPF: {E36C5562-C4E0-4220-BCB2-1C671E3A5916} (Seagate SeaTools English Online) - http://www.seagate.c.../npseatools.cab
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Pure Networks Net2Go Service (nmraapache) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\WebServer\bin\nmraapache.exe
O23 - Service: Pure Networks Network Magic Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 12471 bytes
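
As an added example (not code from the thread, HijackThis or HostsXpert), the following Python triages a hosts file the way the O1 entries above are read: it accepts raw hosts-file text or HijackThis "O1 - Hosts:" lines, separates benign block entries (names mapped to 127.0.0.1 or 0.0.0.0, as a custom MVPS-style file does) from redirects to remote addresses, groups the redirects by target IP to expose the many-names-to-one-address pattern, and rebuilds the stock XP file while keeping the benign block entries that the "Restore MS Hosts file" step would otherwise drop. The brand list, block-hole address set and sample lines are assumptions constructed for the example.

```python
"""Triage a Windows hosts file for hijacked entries and rebuild a clean one.

Added example for this thread; not code from HijackThis, HostsXpert or the
forum. Accepts raw hosts-file text or HijackThis 'O1 - Hosts:' log lines.
The brand labels, block-hole addresses and SAMPLE below are assumptions.
"""
import ipaddress
import re
from collections import defaultdict

# The single mapping a stock Windows XP hosts file carries.
DEFAULT_XP_HOSTS = "127.0.0.1       localhost\n"

# A legitimate blocking hosts file (MVPS-style) points names here, so a
# mapping to one of these is a block, not a redirect (assumed set).
BLOCKHOLE_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1"}

# Labels whose presence in a redirected name is a strong hijack signal:
# search engines and update/anti-phishing services, as seen in the log.
KNOWN_BRANDS = {"google", "microsoft"}

_O1_PREFIX = re.compile(r"^O1 - Hosts:\s*", re.IGNORECASE)


def parse_hosts_lines(text):
    """Return (ip, hostname) pairs from hosts-file text or HJT O1 lines.

    Comments, blank lines and lines that do not start with an IP address
    are skipped, which is how the resolver itself treats them.
    """
    entries = []
    for raw in text.splitlines():
        line = _O1_PREFIX.sub("", raw.strip())
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue
        for host in parts[1:]:
            entries.append((str(ip), host.lower()))
    return entries


def classify(ip, host):
    """'default' for localhost, 'blocked' for block-hole targets, else 'redirect'."""
    if ip in BLOCKHOLE_ADDRESSES:
        return "default" if host == "localhost" else "blocked"
    return "redirect"


def triage(text):
    """Summarise a hosts file: entry counts, redirects grouped by target IP,
    and the redirected names that contain a well-known brand label."""
    counts = {"default": 0, "blocked": 0, "redirect": 0}
    by_target = defaultdict(list)
    brand_hits = []
    for ip, host in parse_hosts_lines(text):
        kind = classify(ip, host)
        counts[kind] += 1
        if kind == "redirect":
            by_target[ip].append(host)
            if KNOWN_BRANDS & set(host.split(".")):
                brand_hits.append(host)
    return {"counts": counts, "redirects": dict(by_target), "brand_hits": brand_hits}


def is_hijacked(report):
    """A brand name sent to a remote address is a hijack; so is a cluster of
    many names converging on one remote address (threshold is an assumption)."""
    many_to_one = any(len(names) >= 5 for names in report["redirects"].values())
    return bool(report["brand_hits"]) or many_to_one


def rebuild_hosts(text):
    """Stock XP hosts content plus any benign block entries, i.e. what a
    'Restore MS Hosts file' step produces once custom entries are re-added."""
    kept = [f"{ip} {host}" for ip, host in parse_hosts_lines(text)
            if classify(ip, host) == "blocked"]
    return DEFAULT_XP_HOSTS + "".join(line + "\n" for line in kept)


# Constructed sample: a few lines in the shapes seen in the posted HJT log,
# plus one benign ad-block entry and one junk line.
SAMPLE = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
0.0.0.0  ads.example.test   # constructed ad-block entry, benign
O1 - Hosts: 74.125.45.100 safebrowsing-cache.google.com
O1 - Hosts: 74.125.45.100 urs.microsoft.com
O1 - Hosts: 74.125.45.100 getantivirusplusnow.com
O1 - Hosts: 93.174.89.12 google.nl
O1 - Hosts: 93.174.89.12 google.co.uk
not a hosts entry
"""

if __name__ == "__main__":
    report = triage(SAMPLE)
    print("hijacked:", is_hijacked(report))
    for target, names in report["redirects"].items():
        print(f"{len(names):3d} name(s) -> {target}: {', '.join(names)}")
    print("rebuilt hosts file:\n" + rebuild_hosts(SAMPLE))
```

Run it against the real file (C:\WINDOWS\system32\drivers\etc\hosts on XP) by reading it into `triage`; the safebrowsing-cache.google.com and urs.microsoft.com redirects are the ones that stop the browser's phishing filter and Windows Update from reaching home.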

#2 SWI Support Robot (Helper robot, 23,520 posts)

Posted 11 December 2009 - 11:04 PM

Welcome to SWI. We apologize for the delay; our helpers have been very busy.

If you have not received help after 3 days, please CLICK HERE, and post a link to your log and the date it was originally posted.

Thank you for your patience.


[this is an automated reply]
This is an automated message. It does not count as help.

#3 TheJoker (Forum Deity, Boot Camp Mod, 14,325 posts)

Posted 14 December 2009 - 06:24 AM

Hi, and Welcome to SWI

Sorry it has taken so long to get to you, but the board has been very busy lately, and all the Helpers here are volunteers.

I suggest printing out each set of instructions and reading the entire post before proceeding. It will make following them easier. Please follow the directions in the order listed.

Download HostsXpert from here: http://www.funkytoad.../HostsXpert.zip
Extract the file HostsXpert.exe to your Desktop and run it.
Click 'Restore MS Hosts file' and press 'OK'
Exit Program.
Note: if you were using a custom Hosts file you will need to replace any of those entries yourself.

Please Run Malwarebytes' Anti-Malware.
  • Click the Update tab.
  • Click Check for Updates.
  • If an update is found, it will download and install.
  • Click the Scanner tab.
  • Select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & Paste the entire report in your next reply along with a fresh HijackThis log.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Download "SUPERAntiSpyware Free Edition" from this link:
http://www.superanti...m/download.html

Install and update the scanner.

Start the scanner, click "Scan your computer", mark the drives that you want to scan (in the left window, select all your drives). Select "Perform Complete Scan" (in the right window). Click "next".

The scanner will now start to scan. As soon as it has finished, you should mark everything that is found, and let the scanner fix it.

Open the scanner again. Click "preferences" -> "statistics/logs". Mark the log. Click "View log", and copy the content of this log into your next reply along with a new HijackThis log.

Now you need to run HijackThis and click "Do a system scan only." Place a check next to the following entries (if they are still there):

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://desktop.googl...back.html?hl=en
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)


Now close all browser and other windows except for HijackThis, and click "Fix Checked" to have HijackThis fix the entries you checked.

Please go to VirusTotal and submit the following file for a scan and post the detection results (I don't need the "additional information") in your next reply:
C:\Program Files\Spb Backup\SpbBackupSync.exe

Please post a new HijackThis log, the log from MBAM, the log from Security Check (checkup.txt), the results from scanning the file at VirusTotal, and in a second reply (so nothing is cut off by the maximum post length) the log from SUPERAntiSpyware, and note any errors encountered.

Free Tools for Fighting Malware
Anti-Virus: avast! Free Antivirus / Avira Free AntiVirus
OnLine Anti-Virus: ESET / BitDefender / F-Secure
Anti-Malware: Malwarebytes' Anti-Malware / Dr.Web CureIt
Spyware/Adware Tools: MVPS HOSTS File / SpywareBlaster
Firewall: Comodo Firewall Free / Privatefirewall
Tutorials: How did I get Infected? / Internet Explorer Privacy & Security Settings
If we have helped, please help us continue the fight by using the Donate button, or see this topic for other ways to donate.

MS MVP 2009-2010 and ASAP Member since 2005


#4 TheJoker (Forum Deity, Boot Camp Mod, 14,325 posts)

Posted 14 December 2009 - 06:35 AM

Hi EngravEER, and Welcome to SWI

Sorry it has taken so long to get to you, but the board has been very busy lately, and all the Helpers here are volunteers.

I suggest printing out each set of instructions and reading the entire post before proceeding. It will make following them easier. Please follow the directions in the order listed.

Download HostsXpert from here: http://www.funkytoad.../HostsXpert.zip
Extract the file HostsXpert.exe to your Desktop and run it.
Click 'Restore MS Hosts file' and press 'OK'
Exit Program.
Note: if you were using a custom Hosts file you will need to replace any of those entries yourself.

Please Run Malwarebytes' Anti-Malware.
  • Click the Update tab.
  • Click Check for Updates.
  • If an update is found, it will download and install.
  • Click the Scanner tab.
  • Select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & Paste the entire report in your next reply along with a fresh HijackThis log.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Now you need to run HijackThis and click "Do a system scan only." Place a check next to the following entries (if they are still there):

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://desktop.googl...back.html?hl=en
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)


Now close all browser and other windows except for HijackThis, and click "Fix Checked" to have HijackThis fix the entries you checked.

Download DDS by sUBs from one of the following links. Save it to your desktop.
DDS.com
DDS.scr
DDS.pif
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • When DDS has finished scanning, you will save two files, dds.txt and attach.txt
  • Please post both logs in your next reply
  • Close the program window, and delete the program from your desktop.

Please go to VirusTotal and submit the following file for a scan and post the detection results (I don't need the "additional information") in your next reply:
C:\Program Files\Spb Backup\SpbBackupSync.exe

Please post a new HijackThis log, the log from MBAM, the results from scanning the file at VirusTotal, and in a second reply (so nothing is cut off by the maximum post length) please post the contents of dds.txt from running DDS, and in a third reply, the contents of attach.txt.



#5 EngravEER (Full Member, 55 posts)

Posted 14 December 2009 - 11:37 AM


Mr./Ms. Joker:

Thank you very much for replying and for working with me on this problem. You were always one of my favorite characters on the 1960s "Batman" sitcom :-)

You posted two replies back-to-back so I'm a little confused on which I should work from. The initial steps are the same in each though, so I'm going from your first post (the one from 6:24am my time).

I downloaded and ran HostsXpert from my Desktop. When I click on "Restore MS Hosts file" and press "OK", I'm immediately greeted with the message "ERROR: Cannot create file C;\WINDOWS/system32\DRIVERS\ETC\hosts". I know how important it is to do everything in the EXACT order you specify, so upon encountering that error message, I stopped and am now making this post to see how you want me to handle it. Do I just continue on with the other steps you outlined, or do you want me to do something else?

Will wait to hear back. Thanks.

#6 TheJoker (Forum Deity, Boot Camp Mod, 14,325 posts)

Posted 14 December 2009 - 05:22 PM

My apologies. I was editing and didn't realize that the first version had posted. Here are new instructions; really, it's simply the second set of instructions I posted, with the first part (running HostsXpert) being done in Safe Mode, and if there's an error, simply skipping that step (at any point).

Since you already have HostsXpert downloaded, there's no need to download it again.

Now reboot to Safe Mode - Restart your computer and begin tapping the F8 key on your keyboard.
If done right a Windows Advanced Options menu will appear. Select the Safe Mode option and press Enter.
To return to normal mode just restart your computer as you normally would.

Double-click on HostsXpert.exe on your Desktop to run it.
Click 'Restore MS Hosts file' and press 'OK'
Exit Program.
Note: if you were using a custom Hosts file you will need to replace any of those entries yourself.
If there is an error here, simply continue to the next step (rebooting).

Now reboot your system.

Please Run Malwarebytes' Anti-Malware.
  • Click the Update tab.
  • Click Check for Updates.
  • If an update is found, it will download and install.
  • Click the Scanner tab.
  • Select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & Paste the entire report in your next reply along with a fresh HijackThis log.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Now you need to run HijackThis and click "Do a system scan only." Place a check next to the following entries (if they are still there):

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://desktop.googl...back.html?hl=en
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)


Now close all browser and other windows except for HijackThis, and click "Fix Checked" to have HijackThis fix the entries you checked.

Download DDS by sUBs from one of the following links. Save it to your desktop.
DDS.com
DDS.scr
DDS.pif
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • When DDS has finished scanning, you will save two files, dds.txt and attach.txt
  • Please post both logs in your next reply
  • Close the program window, and delete the program from your desktop.

Please go to VirusTotal and submit the following file for a scan and post the detection results (I don't need the "additional information") in your next reply:
C:\Program Files\Spb Backup\SpbBackupSync.exe

Please post a new HijackThis log, the log from MBAM, the results from scanning the file at VirusTotal, and in a second reply (so nothing is cut off by the maximum post length) please post the contents of dds.txt from running DDS, and in a third reply, the contents of attach.txt.



#7 EngravEER (Full Member, 55 posts)

Posted 15 December 2009 - 01:32 AM

My apologies. I was editing and didn't realize that the first version had posted. Here's new instructions; really it's simply the second set of instructions I posted with the first part (running HostsXpert) being done in Safe mode, and if there's an error simply skipping that step (at any point).

Since you already have HostsXpert downloaded, there's no need to download it again.

Now reboot to Safe Mode - Restart your computer and begin tapping the F8 key on your keyboard.
If done right a Windows Advanced Options menu will appear. Select the Safe Mode option and press Enter.
To return to normal mode just restart your computer as you normally would.

Double-click on HostsXpert.exe on your Desktop to run it.
Click 'Restore MS Hosts file' and press 'OK'
Exit Program.
Note: if you were using a custom Hosts file you will need to replace any of those entries yourself.
If there is an error here, simply continue to the next step (rebooting).

Now reboot your system.

Please Run Malwarebytes' Anti-Malware.

  • Click the Update tab.
  • Click Check for Updates.
  • If an update is found, it will download and install.
  • Click the Scanner tab.
  • Select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & Paste the entire report in your next reply along with a fresh HijackThis log.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Now you need to run HijackThis and click "Do a system scan only." Place a check next to the following entries (if they are still there):

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://desktop.googl...back.html?hl=en
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)


Now close all browser and other windows except for HijackThis, and click "Fix Checked" to have HijackThis fix the entries you checked.

Download DDS by sUBs from one of the following links. Save it to your desktop.
DDS.com
DDS.scr
DDS.pif
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • When DDS has finished scanning, you will save two files, dds.txt and attach.txt
  • Please post both logs in your next reply
  • Close the program window, and delete the program from your desktop.

Please go to VirusTotal and submit the following file for a scan and post the detection results (I don't need the "additional information") in your next reply:
C:\Program Files\Spb Backup\SpbBackupSync.exe

Please post a new HijackThis log, the log from MBAM, the results from scanning the file at VirusTotal, and in a second reply (so nothing is cut off by the maximum post length) please post the contents of dds.txt from running DDS, and in a third reply, the contents of attach.txt.

Joker:

Booted into Safe Mode and ran HostsXpert. Same result as before... "ERROR: Cannot create file C:\WINDOWS\...\hosts".
Rebooted regularly, ran MB... nothing found.
Ran HJT, system scan only... found those two entries, checked, clicked "Fix Checked"... done.
Remaining steps, per your instructions.

HJT log, MB log & scanning results from VirusTotal attached below. dds.txt in next post. Contents of attach.txt in third post.

Thank you :-)


HJT Log...

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:19:07 AM, on 12/15/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\WINDOWS\system32\CTXFIHLP.EXE
C:\Program Files\dvd43\dvd43_tray.exe
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Documents and Settings\Rick Rohn\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe
C:\Program Files\Spb Backup\SpbBackupSync.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=1061209
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [dvd43] C:\Program Files\dvd43\dvd43_tray.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -startup
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [SansaDispatch] C:\Documents and Settings\Rick Rohn\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: Spb Backup Sync.lnk = C:\Program Files\Spb Backup\SpbBackupSync.exe
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX Advanced) - http://www.stonyfiel...criptX/smsx.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewid...oOnlineScan.cab
O16 - DPF: {2DEF4530-8CE6-41C9-84B6-A54536C90213} (Crystal Report Viewer Control 9) - https://www.etorepor...tivexviewer.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....ploader1006.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://www.onlinegis...AB/mgaxctrl.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx...owserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1183553476281
O16 - DPF: {8569D715-FF88-44BA-8D1D-AD3E59543DDE} (ActiveReports Viewer2) - https://trax.nfocus....ort/arview2.cab
O16 - DPF: {8BC53B30-32E4-4ED3-BEF9-DB761DB77453} (CInstallLPCtrl Object) - http://u3.sandisk.co...LPInstaller.CAB
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.ad...Plus/1.6/gp.cab
O16 - DPF: {E36C5562-C4E0-4220-BCB2-1C671E3A5916} (Seagate SeaTools English Online) - http://www.seagate.c.../npseatools.cab
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Pure Networks Net2Go Service (nmraapache) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\WebServer\bin\nmraapache.exe
O23 - Service: Pure Networks Network Magic Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 12204 bytes


MB Log...

Malwarebytes' Anti-Malware 1.42
Database version: 3363
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

12/15/2009 12:51:14 AM
mbam-log-2009-12-15 (00-51-14).txt

Scan type: Quick Scan
Objects scanned: 151313
Time elapsed: 10 minute(s), 38 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


VirusTotal text...

File SpbBackupSync.exe received on 2009.12.15 06:12:22 (UTC)
Result: 0/41 (0%)

Antivirus Version Last Update Result
a-squared 4.5.0.43 2009.12.15 -
AhnLab-V3 5.0.0.2 2009.12.15 -
AntiVir 7.9.1.108 2009.12.14 -
Antiy-AVL 2.0.3.7 2009.12.14 -
Authentium 5.2.0.5 2009.12.02 -
Avast 4.8.1351.0 2009.12.14 -
AVG 8.5.0.427 2009.12.14 -
BitDefender 7.2 2009.12.15 -
CAT-QuickHeal 10.00 2009.12.15 -
ClamAV 0.94.1 2009.12.15 -
Comodo 3248 2009.12.15 -
DrWeb 5.0.0.12182 2009.12.14 -
eSafe 7.0.17.0 2009.12.14 -
eTrust-Vet 35.1.7175 2009.12.14 -
F-Prot 4.5.1.85 2009.12.14 -
F-Secure 9.0.15370.0 2009.12.15 -
Fortinet 4.0.14.0 2009.12.15 -
GData 19 2009.12.15 -
Ikarus T3.1.1.74.0 2009.12.15 -
Jiangmin 13.0.900 2009.12.15 -
K7AntiVirus 7.10.920 2009.12.14 -
Kaspersky 7.0.0.125 2009.12.15 -
McAfee 5832 2009.12.14 -
McAfee+Artemis 5832 2009.12.14 -
McAfee-GW-Edition 6.8.5 2009.12.15 -
Microsoft 1.5302 2009.12.15 -
NOD32 4688 2009.12.15 -
Norman 6.04.03 2009.12.14 -
nProtect 2009.1.8.0 2009.12.15 -
Panda 10.0.2.2 2009.12.14 -
PCTools 7.0.3.5 2009.12.15 -
Prevx 3.0 2009.12.15 -
Rising 22.26.01.01 2009.12.15 -
Sophos 4.48.0 2009.12.15 -
Sunbelt 3.2.1858.2 2009.12.15 -
Symantec 1.4.4.12 2009.12.15 -
TheHacker 6.5.0.2.093 2009.12.15 -
TrendMicro 9.100.0.1001 2009.12.15 -
VBA32 3.12.12.0 2009.12.13 -
ViRobot 2009.12.15.2088 2009.12.15 -
VirusBuster 5.0.21.0 2009.12.14 -
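The redirect pattern in the logs above (dozens of google.* names, plus safebrowsing-cache.google.com and urs.microsoft.com, all pinned to two public addresses) can be checked mechanically rather than by eye. This is an added example written for this thread, not code from HijackThis, HostsXpert, DDS or Malwarebytes; the protected-domain list and the ads.example.com line are assumptions, and the sample is constructed from entries quoted in the logs.

```python
"""Audit a Windows hosts file (or HijackThis "O1 - Hosts:" lines) for
redirect hijacks. Hypothetical helper for this post; not part of any tool
mentioned in the thread."""
import ipaddress
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List

# Addresses a hosts file legitimately points names at: the Microsoft default
# ("127.0.0.1 localhost") and blocklists such as the MVPS HOSTS file, which
# sink unwanted domains to 0.0.0.0 / 127.0.0.1 so they never resolve.
SINKHOLE_TARGETS = {"0.0.0.0", "127.0.0.1", "::1"}

# Names that should never be pinned to a routable address. Assumed list for
# this example, taken from the names seen in the logs above.
PROTECTED_PATTERNS = (
    re.compile(r"(^|\.)google\.[a-z.]+$"),   # google.nl, *.google.com, ...
    re.compile(r"(^|\.)microsoft\.com$"),    # urs.microsoft.com, ...
)

HJT_PREFIX = re.compile(r"^O1 - Hosts:\s*")  # HijackThis log line format


@dataclass
class HostsEntry:
    target: str      # address the name is pinned to
    hostname: str
    verdict: str     # "default", "sinkhole", "local", "redirect", "malformed"
    severity: str    # "info", "medium", "high"


def is_protected(hostname: str) -> bool:
    return any(p.search(hostname) for p in PROTECTED_PATTERNS)


def classify(target: str, hostname: str) -> HostsEntry:
    """Decide what one target/hostname pair means."""
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        return HostsEntry(target, hostname, "malformed", "info")
    if target in SINKHOLE_TARGETS:
        verdict = "default" if hostname == "localhost" else "sinkhole"
        return HostsEntry(target, hostname, verdict, "info")
    if ip.is_private or ip.is_loopback or ip.is_link_local:
        # LAN names mapped to RFC 1918 space: a normal admin use of hosts.
        return HostsEntry(target, hostname, "local", "info")
    # A public address for a name is a redirect: the browser goes where the
    # hosts file says, not where DNS says. Worst when the name is protected.
    sev = "high" if is_protected(hostname) else "medium"
    return HostsEntry(target, hostname, "redirect", sev)


def parse_hosts(text: str) -> List[HostsEntry]:
    """Parse raw hosts-file text or HijackThis O1 lines into entries."""
    entries: List[HostsEntry] = []
    for raw in text.splitlines():
        line = HJT_PREFIX.sub("", raw).split("#", 1)[0].strip()
        if not line:
            continue  # blank or comment-only line
        target, *names = line.split()
        if not names:
            entries.append(HostsEntry(target, "", "malformed", "info"))
            continue
        for name in names:  # one line may map several names
            entries.append(classify(target, name.lower()))
    return entries


def redirect_targets(entries: List[HostsEntry]) -> Dict[str, List[str]]:
    """Group redirected names by destination. Many names funnelled to one or
    two addresses is the signature of a hijack, not of a blocklist."""
    groups: Dict[str, List[str]] = defaultdict(list)
    for e in entries:
        if e.verdict == "redirect":
            groups[e.target].append(e.hostname)
    return dict(groups)


def summarize(entries: List[HostsEntry]) -> dict:
    counts: Dict[str, int] = defaultdict(int)
    for e in entries:
        counts[e.verdict] += 1
    high = [e.hostname for e in entries if e.severity == "high"]
    return {"counts": dict(counts), "high": high,
            "targets": redirect_targets(entries)}


# Constructed sample modelled on the HJT and DDS logs in this thread; the
# ads.example.com line stands in for a blocklist-style entry.
SAMPLE = """\
# hosts file excerpt (constructed)
127.0.0.1       localhost
0.0.0.0         ads.example.com
74.125.45.100 4-open-davinci.com
74.125.45.100 securitysoftwarepayments.com
74.125.45.100 safebrowsing-cache.google.com
74.125.45.100 urs.microsoft.com
93.174.89.12 google.nl
93.174.89.12 google.co.uk
O1 - Hosts: 93.174.89.12 google.de
"""

if __name__ == "__main__":
    report = summarize(parse_hosts(SAMPLE))
    for target, names in report["targets"].items():
        print(f"{len(names)} name(s) redirected to {target}: {', '.join(names)}")
    print("high-severity names:", report["high"])
```

Note that a "Cannot create file ... hosts" error like the one reported in this thread is itself a finding: a locked or access-denied hosts file should be checked for the read-only attribute and its ACL before trusting any audit of its contents.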

#8 EngravEER


Posted 15 December 2009 - 01:36 AM

dds.txt contents...


DDS (Ver_09-12-01.01) - NTFSx86
Run by Rick Rohn at 1:06:24.68 on Tue 12/15/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1501 [GMT -5:00]

AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
AV: Additional Guard *On-access scanning enabled* (Updated) {F31DD4F1-7C7B-466A-8ACD-1BA6EF903A58}
FW: Additional Guard *enabled* {975FD0D1-9183-45FA-8DD3-202E7420FA6D}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\WINDOWS\system32\CTXFIHLP.EXE
C:\Program Files\dvd43\dvd43_tray.exe
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Documents and Settings\Rick Rohn\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe
C:\Program Files\Spb Backup\SpbBackupSync.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Documents and Settings\Rick Rohn\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"
uRun: [SansaDispatch] c:\documents and settings\rick rohn\application data\sandisk\sansa updater\SansaDispatch.exe
mRun: [NvCplDaemon] "RUNDLL32.EXE" c:\windows\system32\NvCpl.dll,NvStartup
mRun: [CTHelper] CTHELPER.EXE
mRun: [CTxfiHlp] CTXFIHLP.EXE
mRun: [dvd43] c:\program files\dvd43\dvd43_tray.exe
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -startup
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\spbbac~1.lnk - c:\program files\spb backup\SpbBackupSync.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} - hxxp://www.stonyfield.com/coupons/scriptX/smsx.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} - hxxp://download.ewido.net/ewidoOnlineScan.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {2DEF4530-8CE6-41C9-84B6-A54536C90213} - hxxps://www.etoreports.com/viewer9/activeXViewer/activexviewer.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab
DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://download.bitdefender.com/resources/scan8/oscan8.cab
DPF: {62789780-B744-11D0-986B-00609731A21D} - hxxp://www.onlinegis.net/download/MgViewer6.0CAB/mgaxctrl.cab
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1183553476281
DPF: {8569D715-FF88-44BA-8D1D-AD3E59543DDE} - hxxps://trax.nfocus.com/AppSupport/arview2.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {8BC53B30-32E4-4ED3-BEF9-DB761DB77453} - hxxp://u3.sandisk.com/download/apps/LPInstaller.CAB
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {E36C5562-C4E0-4220-BCB2-1C671E3A5916} - hxxp://www.seagate.com/support/disc/asp/tools/en/bin/npseatools.cab
Handler: pure-go - {4746C79A-2042-4332-8650-48966E44ABA8} - c:\program files\common files\pure networks shared\puresp3.dll
Name-Space Handler: ftp\* - {419A0123-4312-1122-A0C0-434FDA6DA542} - c:\program files\coreftp\pftpns.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
IFEO: image file execution options - svchost.exe
IFEO: brastk.exe - svchost.exe
Hosts: 74.125.45.100 4-open-davinci.com
Hosts: 74.125.45.100 securitysoftwarepayments.com
Hosts: 74.125.45.100 privatesecuredpayments.com
Hosts: 74.125.45.100 secure.privatesecuredpayments.com
Hosts: 74.125.45.100 getantivirusplusnow.com

Note: multiple HOSTS entries found. Please refer to Attach.txt

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\rickro~1\applic~1\mozilla\firefox\profiles\ul0sxj74.default\
FF - prefs.js: browser.search.selectedEngine - search
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - plugin: c:\documents and settings\becca rohn\application data\move networks\plugins\npqmp071505000011.dll
FF - plugin: c:\documents and settings\rick rohn\application data\move networks\plugins\npqmp071500000347.dll
FF - plugin: c:\documents and settings\rick rohn\application data\move networks\plugins\npqmp071503000010.dll
FF - plugin: c:\documents and settings\rick rohn\application data\move networks\plugins\npqmp071505000010.dll
FF - plugin: c:\documents and settings\rick rohn\application data\move networks\plugins\npqmp071505000011.dll
FF - plugin: c:\documents and settings\rick rohn\application data\move networks\plugins\npqmp071701000002.dll
FF - plugin: c:\documents and settings\rick rohn\application data\mozilla\firefox\profiles\ul0sxj74.default\extensions\{9eb34849-81d3-4841-939d-666d522b889a}\plugins\npSlingPlayer.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-5-2 55656]
S1 avgio;avgio;\??\c:\program files\avira\antivir desktop\avgio.sys --> c:\program files\avira\antivir desktop\avgio.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-11-8 135664]
S4 AntiVirSchedulerService;Avira AntiVir Scheduler;"c:\program files\avira\antivir desktop\sched.exe" --> c:\program files\avira\antivir desktop\sched.exe [?]
S4 AntiVirService;Avira AntiVir Guard;"c:\program files\avira\antivir desktop\avguard.exe" --> c:\program files\avira\antivir desktop\avguard.exe [?]

=============== Created Last 30 ================

2009-12-07 02:57:26 0 d-----w- c:\docume~1\rickro~1\applic~1\Malwarebytes
2009-12-07 01:53:44 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-07 01:53:43 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-07 01:53:43 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-07 01:53:43 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-12-06 23:28:48 0 d-sh--w- c:\docume~1\alluse~1\applic~1\WIEASIOFLDNAG
2009-12-06 23:28:10 0 d-sh--w- c:\docume~1\alluse~1\applic~1\2224c41
2009-11-20 05:41:14 54156 ---ha-w- c:\windows\QTFont.qfn
2009-11-20 05:41:14 1409 ----a-w- c:\windows\QTFont.for

==================== Find3M ====================

2009-10-28 14:40:47 173056 ----a-w- c:\windows\system32\dllcache\ie4uinit.exe
2009-10-21 05:38:36 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38:36 75776 ------w- c:\windows\system32\dllcache\strmfilt.dll
2009-10-21 05:38:36 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-21 05:38:36 25088 ------w- c:\windows\system32\dllcache\httpapi.dll
2009-10-20 16:20:16 265728 ----a-w- c:\windows\system32\drivers\http.sys
2009-10-20 16:20:16 265728 ------w- c:\windows\system32\dllcache\http.sys
2009-10-13 10:30:16 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-13 10:30:16 270336 ------w- c:\windows\system32\dllcache\oakley.dll
2009-10-12 13:38:19 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38:19 149504 ------w- c:\windows\system32\dllcache\rastls.dll
2009-10-12 13:38:18 79872 ----a-w- c:\windows\system32\raschap.dll
2009-10-12 13:38:18 79872 ------w- c:\windows\system32\dllcache\raschap.dll
2009-10-11 09:17:27 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-08-13 01:56:08 848 --sha-w- c:\windows\system32\KGyGaAvL.sys
2008-05-13 05:26:54 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008051320080514\index.dat
2009-03-23 23:45:34 32768 --sha-w- c:\windows\temp\cookies\index.dat
2009-03-24 00:19:09 81920 --sha-w- c:\windows\temp\history\history.ie5\index.dat
2009-03-24 00:23:23 376832 --sha-w- c:\windows\temp\temporary internet files\content.ie5\index.dat

============= FINISH: 1:06:46.63 ===============

#9 EngravEER


Posted 15 December 2009 - 01:39 AM

attach.txt contents...


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-12-01.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume2
Install Date: 12/16/2006 9:52:22 AM
System Uptime: 12/15/2009 12:33:24 AM (1 hours ago)

Motherboard: Dell Inc. | | 0WG855
Processor: Intel® Core™2 CPU 6600 @ 2.40GHz | Microprocessor | 2394/1066mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 98 GiB total, 72.027 GiB free.
D: is CDROM ()
G: is Removable
H: is Removable
I: is FIXED (NTFS) - 36 GiB total, 33.119 GiB free.
J: is FIXED (NTFS) - 328 GiB total, 322.556 GiB free.
K: is FIXED (NTFS) - 47 GiB total, 46.012 GiB free.
L: is FIXED (NTFS) - 105 GiB total, 102.303 GiB free.
M: is FIXED (NTFS) - 314 GiB total, 310.706 GiB free.
N: is Removable
O: is Removable

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP450: 9/17/2009 8:59:58 PM - System Checkpoint
RP451: 9/21/2009 9:39:13 PM - System Checkpoint
RP452: 9/23/2009 7:04:46 AM - System Checkpoint
RP453: 9/26/2009 11:36:56 AM - System Checkpoint
RP454: 9/27/2009 12:17:13 PM - System Checkpoint
RP455: 9/28/2009 12:59:02 PM - System Checkpoint
RP456: 9/29/2009 10:06:19 PM - System Checkpoint
RP457: 10/1/2009 10:13:48 AM - System Checkpoint
RP458: 10/2/2009 8:59:23 PM - System Checkpoint
RP459: 10/3/2009 8:59:50 PM - System Checkpoint
RP460: 10/4/2009 10:13:11 PM - System Checkpoint
RP461: 10/6/2009 1:05:19 AM - System Checkpoint
RP462: 10/7/2009 1:47:47 AM - System Checkpoint
RP463: 10/8/2009 1:59:47 AM - System Checkpoint
RP464: 10/9/2009 2:59:47 AM - System Checkpoint
RP465: 10/10/2009 3:59:47 AM - System Checkpoint
RP466: 10/11/2009 4:24:42 AM - System Checkpoint
RP467: 10/12/2009 5:35:37 AM - System Checkpoint
RP468: 10/13/2009 10:56:23 PM - System Checkpoint
RP469: 10/16/2009 7:06:30 AM - System Checkpoint
RP470: 10/17/2009 12:32:25 PM - Software Distribution Service 3.0
RP471: 10/18/2009 2:03:34 PM - System Checkpoint
RP472: 10/21/2009 9:41:01 AM - System Checkpoint
RP473: 10/22/2009 11:28:32 AM - System Checkpoint
RP474: 10/23/2009 12:29:30 PM - System Checkpoint
RP475: 10/24/2009 1:56:34 PM - System Checkpoint
RP476: 10/25/2009 2:03:01 PM - System Checkpoint
RP477: 10/26/2009 3:01:19 PM - System Checkpoint
RP478: 10/27/2009 9:57:00 PM - System Checkpoint
RP479: 10/30/2009 4:37:36 PM - System Checkpoint
RP480: 10/31/2009 5:56:34 PM - System Checkpoint
RP481: 11/1/2009 6:27:48 PM - System Checkpoint
RP482: 11/5/2009 8:12:32 AM - System Checkpoint
RP483: 11/6/2009 4:00:15 AM - Software Distribution Service 3.0
RP484: 11/7/2009 4:37:13 AM - System Checkpoint
RP485: 11/9/2009 1:59:30 AM - System Checkpoint
RP486: 11/10/2009 7:06:36 AM - System Checkpoint
RP487: 11/11/2009 3:00:21 AM - Software Distribution Service 3.0
RP488: 11/14/2009 9:07:09 AM - System Checkpoint
RP489: 11/16/2009 2:36:32 AM - System Checkpoint
RP490: 11/17/2009 2:44:36 AM - System Checkpoint
RP491: 11/18/2009 3:44:44 AM - System Checkpoint
RP492: 11/19/2009 7:03:11 AM - System Checkpoint
RP493: 11/19/2009 11:10:06 PM - Installed Java™ 6 Update 17
RP494: 11/21/2009 11:27:06 AM - System Checkpoint
RP495: 11/22/2009 12:43:04 PM - System Checkpoint
RP496: 11/23/2009 9:36:09 PM - System Checkpoint
RP497: 11/24/2009 10:20:03 PM - System Checkpoint
RP498: 11/25/2009 3:00:14 AM - Software Distribution Service 3.0
RP499: 11/26/2009 3:12:11 AM - System Checkpoint
RP500: 11/27/2009 4:01:02 AM - System Checkpoint
RP501: 11/30/2009 7:33:54 PM - System Checkpoint
RP502: 12/1/2009 7:40:21 PM - System Checkpoint
RP503: 12/2/2009 7:44:29 PM - System Checkpoint
RP504: 12/3/2009 8:14:15 PM - System Checkpoint
RP505: 12/4/2009 8:54:24 PM - System Checkpoint
RP506: 12/5/2009 9:18:59 PM - System Checkpoint
RP507: 12/6/2009 10:41:32 PM - System Checkpoint
RP508: 12/8/2009 12:16:24 AM - System Checkpoint
RP509: 12/9/2009 8:48:40 AM - System Checkpoint
RP510: 12/14/2009 11:14:37 AM - Software Distribution Service 3.0

==== Hosts File Hijack ======================

Hosts: 74.125.45.100 4-open-davinci.com
Hosts: 74.125.45.100 securitysoftwarepayments.com
Hosts: 74.125.45.100 privatesecuredpayments.com
Hosts: 74.125.45.100 secure.privatesecuredpayments.com
Hosts: 74.125.45.100 getantivirusplusnow.com
Hosts: 74.125.45.100 secure-plus-payments.com
Hosts: 74.125.45.100 www.getantivirusplusnow.com
Hosts: 74.125.45.100 www.secure-plus-payments.com
Hosts: 74.125.45.100 www.getavplusnow.com
Hosts: 74.125.45.100 safebrowsing-cache.google.com
Hosts: 74.125.45.100 urs.microsoft.com
Hosts: 74.125.45.100 www.securesoftwarebill.com
Hosts: 74.125.45.100 secure.paysecuresystem.com
Hosts: 74.125.45.100 paysoftbillsolution.com
Hosts: 74.125.45.100 protected.maxisoftwaremart.com
Hosts: 93.174.89.12 google.ae
Hosts: 93.174.89.12 google.as
Hosts: 93.174.89.12 google.at
Hosts: 93.174.89.12 google.az
Hosts: 93.174.89.12 google.ba
Hosts: 93.174.89.12 google.be
Hosts: 93.174.89.12 google.bg
Hosts: 93.174.89.12 google.bs
Hosts: 93.174.89.12 google.ca
Hosts: 93.174.89.12 google.cd
Hosts: 93.174.89.12 google.com.gh
Hosts: 93.174.89.12 google.com.hk
Hosts: 93.174.89.12 google.com.jm
Hosts: 93.174.89.12 google.com.mx
Hosts: 93.174.89.12 google.com.my
Hosts: 93.174.89.12 google.com.na
Hosts: 93.174.89.12 google.com.nf
Hosts: 93.174.89.12 google.com.ng
Hosts: 93.174.89.12 google.ch
Hosts: 93.174.89.12 google.com.np
Hosts: 93.174.89.12 google.com.pr
Hosts: 93.174.89.12 google.com.qa
Hosts: 93.174.89.12 google.com.sg
Hosts: 93.174.89.12 google.com.tj
Hosts: 93.174.89.12 google.com.tw
Hosts: 93.174.89.12 google.dj
Hosts: 93.174.89.12 google.de
Hosts: 93.174.89.12 google.dk
Hosts: 93.174.89.12 google.dm
Hosts: 93.174.89.12 google.ee
Hosts: 93.174.89.12 google.fi
Hosts: 93.174.89.12 google.fm
Hosts: 93.174.89.12 google.fr
Hosts: 93.174.89.12 google.ge
Hosts: 93.174.89.12 google.gg
Hosts: 93.174.89.12 google.gm
Hosts: 93.174.89.12 google.gr
Hosts: 93.174.89.12 google.ht
Hosts: 93.174.89.12 google.ie
Hosts: 93.174.89.12 google.im
Hosts: 93.174.89.12 google.in
Hosts: 93.174.89.12 google.it
Hosts: 93.174.89.12 google.ki
Hosts: 93.174.89.12 google.la
Hosts: 93.174.89.12 google.li
Hosts: 93.174.89.12 google.lv
Hosts: 93.174.89.12 google.ma
Hosts: 93.174.89.12 google.ms
Hosts: 93.174.89.12 google.mu
Hosts: 93.174.89.12 google.mw
Hosts: 93.174.89.12 google.nl
Hosts: 93.174.89.12 google.no
Hosts: 93.174.89.12 google.nr
Hosts: 93.174.89.12 google.nu
Hosts: 93.174.89.12 google.pl
Hosts: 93.174.89.12 google.pn
Hosts: 93.174.89.12 google.pt
Hosts: 93.174.89.12 google.ro
Hosts: 93.174.89.12 google.ru
Hosts: 93.174.89.12 google.rw
Hosts: 93.174.89.12 google.sc
Hosts: 93.174.89.12 google.se
Hosts: 93.174.89.12 google.sh
Hosts: 93.174.89.12 google.si
Hosts: 93.174.89.12 google.sm
Hosts: 93.174.89.12 google.sn
Hosts: 93.174.89.12 google.st
Hosts: 93.174.89.12 google.tl
Hosts: 93.174.89.12 google.tm
Hosts: 93.174.89.12 google.tt
Hosts: 93.174.89.12 google.us
Hosts: 93.174.89.12 google.vu
Hosts: 93.174.89.12 google.ws
Hosts: 93.174.89.12 google.co.ck
Hosts: 93.174.89.12 google.co.id
Hosts: 93.174.89.12 google.co.il
Hosts: 93.174.89.12 google.co.in
Hosts: 93.174.89.12 google.co.jp
Hosts: 93.174.89.12 google.co.kr
Hosts: 93.174.89.12 google.co.ls
Hosts: 93.174.89.12 google.co.ma
Hosts: 93.174.89.12 google.co.nz
Hosts: 93.174.89.12 google.co.tz
Hosts: 93.174.89.12 google.co.ug
Hosts: 93.174.89.12 google.co.uk
Hosts: 93.174.89.12 google.co.za
Hosts: 93.174.89.12 google.co.zm
Hosts: 93.174.89.12 google.com
Hosts: 93.174.89.12 google.com.af
Hosts: 93.174.89.12 google.com.ag
Hosts: 93.174.89.12 google.com.ar
Hosts: 93.174.89.12 google.com.au
Hosts: 93.174.89.12 google.com.bn
Hosts: 93.174.89.12 google.com.br
Hosts: 93.174.89.12 google.com.by
Hosts: 93.174.89.12 google.com.bz
Hosts: 93.174.89.12 google.com.cu
Hosts: 93.174.89.12 google.com.ec
Hosts: 93.174.89.12 google.com.fj
Hosts: 93.174.89.12 www.google.ae
Hosts: 93.174.89.12 www.google.as
Hosts: 93.174.89.12 www.google.at
Hosts: 93.174.89.12 www.google.az
Hosts: 93.174.89.12 www.google.ba
Hosts: 93.174.89.12 www.google.be
Hosts: 93.174.89.12 www.google.bg
Hosts: 93.174.89.12 www.google.bs
Hosts: 93.174.89.12 www.google.ca
Hosts: 93.174.89.12 www.google.cd
Hosts: 93.174.89.12 www.google.com.gh
Hosts: 93.174.89.12 www.google.com.hk
Hosts: 93.174.89.12 www.google.com.jm
Hosts: 93.174.89.12 www.google.com.mx
Hosts: 93.174.89.12 www.google.com.my
Hosts: 93.174.89.12 www.google.com.na
Hosts: 93.174.89.12 www.google.com.nf
Hosts: 93.174.89.12 www.google.com.ng
Hosts: 93.174.89.12 www.google.ch
Hosts: 93.174.89.12 www.google.com.np
Hosts: 93.174.89.12 www.google.com.pr
Hosts: 93.174.89.12 www.google.com.qa
Hosts: 93.174.89.12 www.google.com.sg
Hosts: 93.174.89.12 www.google.com.tj
Hosts: 93.174.89.12 www.google.com.tw
Hosts: 93.174.89.12 www.google.dj
Hosts: 93.174.89.12 www.google.de
Hosts: 93.174.89.12 www.google.dk
Hosts: 93.174.89.12 www.google.dm
Hosts: 93.174.89.12 www.google.ee
Hosts: 93.174.89.12 www.google.fi
Hosts: 93.174.89.12 www.google.fm
Hosts: 93.174.89.12 www.google.fr
Hosts: 93.174.89.12 www.google.ge
Hosts: 93.174.89.12 www.google.gg
Hosts: 93.174.89.12 www.google.gm
Hosts: 93.174.89.12 www.google.gr
Hosts: 93.174.89.12 www.google.ht
Hosts: 93.174.89.12 www.google.ie
Hosts: 93.174.89.12 www.google.im
Hosts: 93.174.89.12 www.google.in
Hosts: 93.174.89.12 www.google.it
Hosts: 93.174.89.12 www.google.ki
Hosts: 93.174.89.12 www.google.la
Hosts: 93.174.89.12 www.google.li
Hosts: 93.174.89.12 www.google.lv
Hosts: 93.174.89.12 www.google.ma
Hosts: 93.174.89.12 www.google.ms
Hosts: 93.174.89.12 www.google.mu
Hosts: 93.174.89.12 www.google.mw
Hosts: 93.174.89.12 www.google.nl
Hosts: 93.174.89.12 www.google.no
Hosts: 93.174.89.12 www.google.nr
Hosts: 93.174.89.12 www.google.nu
Hosts: 93.174.89.12 www.google.pl
Hosts: 93.174.89.12 www.google.pn
Hosts: 93.174.89.12 www.google.pt
Hosts: 93.174.89.12 www.google.ro
Hosts: 93.174.89.12 www.google.ru
Hosts: 93.174.89.12 www.google.rw
Hosts: 93.174.89.12 www.google.sc
Hosts: 93.174.89.12 www.google.se
Hosts: 93.174.89.12 www.google.sh
Hosts: 93.174.89.12 www.google.si
Hosts: 93.174.89.12 www.google.sm
Hosts: 93.174.89.12 www.google.sn
Hosts: 93.174.89.12 www.google.st
Hosts: 93.174.89.12 www.google.tl
Hosts: 93.174.89.12 www.google.tm
Hosts: 93.174.89.12 www.google.tt
Hosts: 93.174.89.12 www.google.us
Hosts: 93.174.89.12 www.google.vu
Hosts: 93.174.89.12 www.google.ws
Hosts: 93.174.89.12 www.google.co.ck
Hosts: 93.174.89.12 www.google.co.id
Hosts: 93.174.89.12 www.google.co.il
Hosts: 93.174.89.12 www.google.co.in
Hosts: 93.174.89.12 www.google.co.jp
Hosts: 93.174.89.12 www.google.co.kr
Hosts: 93.174.89.12 www.google.co.ls
Hosts: 93.174.89.12 www.google.co.ma
Hosts: 93.174.89.12 www.google.co.nz
Hosts: 93.174.89.12 www.google.co.tz
Hosts: 93.174.89.12 www.google.co.ug
Hosts: 93.174.89.12 www.google.co.uk
Hosts: 93.174.89.12 www.google.co.za
Hosts: 93.174.89.12 www.google.co.zm
Hosts: 93.174.89.12 www.google.com
Hosts: 93.174.89.12 www.google.com.af
Hosts: 93.174.89.12 www.google.com.ag
Hosts: 93.174.89.12 www.google.com.ar
Hosts: 93.174.89.12 www.google.com.au
Hosts: 93.174.89.12 www.google.com.bn
Hosts: 93.174.89.12 www.google.com.br
Hosts: 93.174.89.12 www.google.com.by
Hosts: 93.174.89.12 www.google.com.bz
Hosts: 93.174.89.12 www.google.com.cu
Hosts: 93.174.89.12 www.google.com.ec
Hosts: 93.174.89.12 www.google.com.fj
Hosts: 93.174.89.12 google.com
Hosts: 93.174.89.12 www.google.com
Hosts: 93.174.89.12 bing.com
Hosts: 93.174.89.12 www.bing.com
Hosts: 93.174.89.12 search.yahoo.com
Hosts: 93.174.89.12 www.search.yahoo.com
Hosts: 93.174.89.12 search.live.com
Hosts: 93.174.89.12 search.msn.com

==== Installed Programs ======================

AC3Filter (remove only)
Acrobat.com
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 9.1.3
Adobe Shockwave Player 11
Advanced Decoder Patch
AOLIcon
Avira AntiVir Personal - Free Antivirus
BeeLineGPS
CinepPlayer 30 Update
Compatibility Pack for the 2007 Office system
Core FTP LE 2.1
CorelDRAW Graphics Suite X3
CorePlayer Mobile for PocketPC Version 1.3.0.6213 (remove only)
Coupon Printer for Windows
Creative MediaSource
Critical Update for Windows Media Player 11 (KB959772)
Dell CinePlayer
Dell Driver Reset Tool
Dell Media Experience
Dell Support 3.2.1
Dell System Restore
DivX Web Player
Documentation & Support Launcher
DVD Decrypter (Remove Only)
DVD43 v3.9.0
EN
FontNav
Google Earth
Google Update Helper
High Definition Audio Driver Package - KB835221
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB915800-v4)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
ImgBurn
Intel® Matrix Storage Manager
Intel® PRO Network Connections
J2SE Runtime Environment 5.0 Update 6
Java™ 6 Update 17
Java™ 6 Update 2
LG USB Modem Drivers
Malwarebytes' Anti-Malware
Microsoft .NET Compact Framework 3.5
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB953297)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft ActiveSync
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Small Business Edition 2003
Microsoft Silverlight
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Move Media Player
Mozilla Firefox (3.5.5)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 6.0 Parser (KB933579)
Network Magic
Norton PartitionMagic
Norton PartitionMagic 8.0
NVIDIA Drivers
Ots Studio 1.1.1
OtsAV Pro 1.77.001
palmOne
Phone Dashboard
Pocket-DVD Studio(remove only)
Pocket Informant 8.51
QuickBooks Pro 2006
QuickTime
Resco Explorer
Roxio DLA
Roxio MyDVD LE
Roxio RecordNow Audio
Roxio RecordNow Copy
Roxio RecordNow Data
Run.GPS 2.3.1
Sansa Updater
Seagate SeaTools English Online
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 8 (KB969897)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB972260)
Security Update for Windows Internet Explorer 8 (KB974455)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Search 4 - KB963093
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
SlingPlayer Mobile
Sonic Activation Module
Sonic Update Manager
Sound Blaster X-Fi
Spb Backup
Spb Backup 2.0
Spb Mobile DVD
Spectec SDIO WLAN-11g Card
Spelling Dictionaries Support For Adobe Reader 9
Sprint music manager
Spybot - Search & Destroy
TCPMP
Time Zone Data Update Tool for Microsoft Office Outlook
Treo 700wx User Guide
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 8 (KB968220)
Update for Windows Internet Explorer 8 (KB971930)
Update for Windows Internet Explorer 8 (KB972636)
Update for Windows Internet Explorer 8 (KB976749)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951618-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Update Manager
VBA
VC80CRTRedist - 8.0.50727.762
WebFldrs XP
Windows Driver Package - Pure Networks, Inc. Network Magic Device Discovery Driver (02/08/2007 4.1.7039.0)
Windows Driver Package - Pure Networks, Inc. Network Magic Wireless Driver (02/08/2007 4.1.7039.0)
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Imaging Component
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Media Format 11 runtime
Windows Media Format SDK Hotfix - KB891122
Windows Media Player 10
Windows Media Player 11
Windows Mobile Daylight Saving Time 2007 Updates
Windows Presentation Foundation
Windows Rights Management Client Backwards Compatibility SP2
Windows Rights Management Client with Service Pack 2
Windows Search 4.0
Windows XP Service Pack 3
WinRAR archiver
XML Paper Specification Shared Components Pack 1.0
XSitePro2
XviD MPEG-4 Video Codec
Yahoo! Install Manager

==== Event Viewer Messages From Past Week ========

12/15/2009 12:31:59 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD avgio avipbb Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss ssmdrv Tcpip
12/15/2009 12:31:59 AM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
12/15/2009 12:31:59 AM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
12/15/2009 12:31:59 AM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
12/15/2009 12:31:59 AM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
12/15/2009 12:30:52 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
12/15/2009 12:30:49 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
12/14/2009 11:19:38 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: avgio

==== End Of File ===========================
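
The "Hosts File Hijack" block in the DDS log above has a recognisable shape: none of the flagged entries point at a loopback or black-hole address, one routable IP collects well over a hundred google.* country domains plus Bing, Yahoo, Live and MSN search, and a second IP swallows the rogue-AV payment sites together with safebrowsing-cache.google.com and urs.microsoft.com. The script below is an added example, not part of DDS, HijackThis or any post in this thread: it parses a Windows hosts file and flags those three signals (mass redirect to one IP, search engines pinned, browser-protection hosts pinned). The sample hosts text is constructed and abbreviated from the log; treating safebrowsing-cache.google.com and urs.microsoft.com as "protection hosts" and the threshold of five names per IP are assumptions of the example.

```python
"""Triage a Windows hosts file for the redirect hijack seen in the DDS log.

Added example for this thread; not part of DDS, HijackThis or the original posts.
"""
import re
from collections import defaultdict

# Addresses that only black-hole a name (ad-blocking hosts files use these); not a redirect.
BLACKHOLE = {"127.0.0.1", "0.0.0.0", "::1"}

# Hosts consulted by browser phishing/malware filters; pinning them to a foreign IP
# silently disables the filter. Illustrative list (assumption), seeded from the log above.
PROTECTION_HOSTS = {"safebrowsing-cache.google.com", "urs.microsoft.com"}

# google.<tld>, google.<cc>.<tld> or google.co.<cc>, with optional leading www.
GOOGLE_RE = re.compile(r"^(www\.)?google\.[a-z]{2,3}(\.[a-z]{2})?$")
OTHER_SEARCH = {
    "bing.com", "www.bing.com", "search.yahoo.com", "www.search.yahoo.com",
    "search.live.com", "search.msn.com",
}

# Constructed sample, abbreviated from the "Hosts File Hijack" section above
# (the real file carried ~200 google.* names; a handful is enough to show the logic).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
74.125.45.100 securitysoftwarepayments.com
74.125.45.100 safebrowsing-cache.google.com
74.125.45.100 urs.microsoft.com
93.174.89.12 google.com
93.174.89.12 www.google.com
93.174.89.12 google.nl
93.174.89.12 bing.com
93.174.89.12 search.yahoo.com   # trailing comment, must be ignored
"""


def parse_hosts(text):
    """Return (ip, hostname) pairs; strips comments, tolerates tabs and several names per line."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        for name in fields[1:]:
            entries.append((fields[0], name.lower().rstrip(".")))
    return entries


def is_search_host(name):
    return bool(GOOGLE_RE.match(name)) or name in OTHER_SEARCH


def triage(text, mass_threshold=5):
    """Flag the three signals of a redirect hijack.

    A legitimate hosts file may map intranet names to routable IPs, so a redirected entry
    on its own is not a verdict; search engines, protection hosts, or one IP collecting
    many names are.
    """
    redirected = [(ip, n) for ip, n in parse_hosts(text) if ip not in BLACKHOLE]
    by_ip = defaultdict(list)
    for ip, name in redirected:
        by_ip[ip].append(name)
    findings = {
        "redirected": redirected,
        "redirected_ips": {ip: len(names) for ip, names in by_ip.items()},
        "mass_redirect_ips": sorted(ip for ip, names in by_ip.items() if len(names) >= mass_threshold),
        "search_hijacked": sorted(n for _, n in redirected if is_search_host(n)),
        "protection_blocked": sorted(n for _, n in redirected if n in PROTECTION_HOSTS),
    }
    findings["hijacked"] = bool(
        findings["mass_redirect_ips"] or findings["search_hijacked"] or findings["protection_blocked"]
    )
    return findings


def report(findings):
    """Human-readable summary in the spirit of the DDS 'Hosts File Hijack' block."""
    lines = ["verdict: HIJACKED" if findings["hijacked"] else "verdict: clean"]
    for ip, count in sorted(findings["redirected_ips"].items(), key=lambda kv: -kv[1]):
        lines.append(f"{ip}: {count} name(s) redirected")
    for name in findings["search_hijacked"]:
        lines.append(f"search engine pinned: {name}")
    for name in findings["protection_blocked"]:
        lines.append(f"protection host pinned: {name}")
    return "\n".join(lines)


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path, encoding="utf-8", errors="replace").read() if path else SAMPLE_HOSTS
    print(report(triage(text)))
```

Run it with no argument to see the verdict on the built-in sample, or pass the path of a hosts file (on XP, C:\WINDOWS\system32\drivers\etc\hosts). As the first post in this thread shows, the live infection may deny read access to that file; in that case copy it out from a clean boot environment, or work from the DDS output, which already prints the same entries.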

#10 TheJoker (Forum Deity, Boot Camp Mod, 14,325 posts)

Posted 15 December 2009 - 06:07 AM

Please use the reply button to reply. It's easier to read (it doesn't quote the entire previous post). Thanks.

Go to Start > Control Panel > Add or Remove Programs and remove the following program:
Java™ 6 Update 2

Your Adobe Reader is outdated and vulnerable. Start Adobe Reader, go to Help > Check for Updates, and install any update found.

Open HijackThis:
  • Click the 'Open the Misc Tools section' button.
  • Click the 'Delete a file on reboot...' button.
  • In the window that opens, copy and paste the text below in the 'File name' field:
    C:\Windows\System32\Drivers\etc\HOSTS
  • Click the 'Open' button.
  • HijackThis will tell you that this file will be deleted when the system restarts and ask if you want to restart your system now.
  • Click Yes.
  • Your system should reboot now.
  • If your system does not automatically reboot, restart your system manually.
Double-click on HostsXpert.exe on your Desktop to run it.
Click 'Restore MS Hosts file' and press 'OK'
Exit Program.
Note: if you were using a custom Hosts file you will need to replace any of those entries yourself.
If you receive an error, please let me know

Launch Notepad (Start > Run > notepad), and copy/paste the contents of the box below into a new text file. Select "all files" in the "save as type" field. Save it as look.bat and save it on your Desktop.

REM start with a fresh output file
if exist %systemdrive%\look.txt del %systemdrive%\look.txt
cd /d %systemdrive%\
REM /x shows the 8.3 short names as well, so oddly named files are visible
cd /d "%allusersprofile%\Application Data\WIEASIOFLDNAG"
dir /x >> %systemdrive%\look.txt
cd /d "%allusersprofile%\Application Data\2224c41"
dir /x >> %systemdrive%\look.txt
REM /a:h lists hidden entries in the scheduled tasks folder
dir "%Windir%\tasks" /a:h >> %systemdrive%\look.txt
start notepad %systemdrive%\look.txt
Locate look.bat on your Desktop and double-click on it. It will open Notepad with some text in it. Please post the text here and let me know if you are aware of what either folder is for (C:\Documents and Settings\All Users\Application Data\WIEASIOFLDNAG and C:\Documents and Settings\All Users\Application Data\2224c41).

In Internet Explorer, please run the BitDefender online scan at BitDefender.com
You will need to allow an ActiveX control to install for the scan to run.
Leave the scanning options at default and press "click here to scan"
When finished scanning, click on "click here to export the scan report"
Save it to your desktop, at "file name" type in "bdscan" then click save.
Please post the contents of the log in your next reply.

Download "SUPERAntiSpyware Free Edition" from this link:
http://www.superanti...m/download.html

Install and update the scanner.

Start the scanner, click "Scan your computer", mark the drives that you want to scan (in the left window, select all your drives). Select "Perform Complete Scan" (in the right window). Click "next"

The scanner will now start to scan. As soon as it has finished, you should mark everything that is found, and let the scanner fix it.

Restart your system.

Open the scanner again. Click "preferences" -> "statistics/logs". Mark the log. Click "View log", and copy the content of this log into your next reply.

Please post a new HijackThis log, the contents of C:\look.txt, the log from SUPERAntiSpyware, and in a second reply the log from BitDefender's online scan and note any errors encountered.

Free Tools for Fighting Malware
Anti-Virus: avast! Free Antivirus / Avira Free AntiVirus
OnLine Anti-Virus: ESET / BitDefender / F-Secure
Anti-Malware: Malwarebytes' Anti-Malware / Dr.Web CureIt
Spyware/Adware Tools: MVPS HOSTS File / SpywareBlaster
Firewall: Comodo Firewall Free / Privatefirewall
Tutorials: How did I get Infected? / Internet Explorer Privacy & Security Settings
If we have helped, please help us continue the fight by using the Donate button, or see this topic for other ways to donate.

MS MVP 2009-2010 and ASAP Member since 2005


#11 EngravEER (Full Member, 55 posts)

Posted 15 December 2009 - 08:10 PM

Joker:

Removed Java 6 Update 2

Updated Adobe Reader to current version

Ran HJT, set to delete HOSTS file on reboot

Rebooted

Ran HostsXpert.exe. Message IMMEDIATELY came up "Hosts file does not exist. Press 'OK' to create Hosts file, cancel to quit." Clicked "OK". THEN clicked "Restore MS Hosts file" and pressed "OK".

Ran your little Notepad *.bat file without problem. I do NOT know what either folder is for (C:\Documents and Settings\All Users\Application Data\WIEASIOFLDNAG and C:\Documents and Settings\All Users\Application Data\2224c41).

Ran BitDefender Online Scanner and "SUPERAntiSpyware Free Edition" as instructed and generated log files. Rebooted per SASFE after the scan found and fixed numerous entries.

Ran HJT, generating a log which is posted below. Other logs requested follow in this post. BitDefender results posted in second reply per your request.

Respectfully submitted,

EngravEER


******************************************************************************


HJT Log...

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:40:48 PM, on 12/15/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\WINDOWS\system32\CTXFIHLP.EXE
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\Program Files\dvd43\dvd43_tray.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Documents and Settings\Rick Rohn\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Spb Backup\SpbBackupSync.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=1061209
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [dvd43] C:\Program Files\dvd43\dvd43_tray.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [SansaDispatch] C:\Documents and Settings\Rick Rohn\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: Spb Backup Sync.lnk = C:\Program Files\Spb Backup\SpbBackupSync.exe
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX Advanced) - http://www.stonyfiel...criptX/smsx.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewid...oOnlineScan.cab
O16 - DPF: {2DEF4530-8CE6-41C9-84B6-A54536C90213} (Crystal Report Viewer Control 9) - https://www.etorepor...tivexviewer.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....ploader1006.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://www.onlinegis...AB/mgaxctrl.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx...owserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1183553476281
O16 - DPF: {8569D715-FF88-44BA-8D1D-AD3E59543DDE} (ActiveReports Viewer2) - https://trax.nfocus....ort/arview2.cab
O16 - DPF: {8BC53B30-32E4-4ED3-BEF9-DB761DB77453} (CInstallLPCtrl Object) - http://u3.sandisk.co...LPInstaller.CAB
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.ad...Plus/1.6/gp.cab
O16 - DPF: {E36C5562-C4E0-4220-BCB2-1C671E3A5916} (Seagate SeaTools English Online) - http://www.seagate.c.../npseatools.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Pure Networks Net2Go Service (nmraapache) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\WebServer\bin\nmraapache.exe
O23 - Service: Pure Networks Network Magic Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 8950 bytes


****************************************************


look.txt contents...

Volume in drive C is Win XP Pro OS & Programs
Volume Serial Number is B891-CE69

Directory of C:\Documents and Settings\All Users\Application Data\WIEASIOFLDNAG

Volume in drive C is Win XP Pro OS & Programs
Volume Serial Number is B891-CE69

Directory of C:\Documents and Settings\All Users\Application Data\2224c41

12/06/2009 06:28 PM 330 3527.mof
12/06/2009 06:28 PM <DIR> BackUp
11/06/2009 02:57 PM 722,392 mozcrt19.dll
12/06/2009 06:28 PM <DIR> QUARAN~1 Quarantine Items
11/06/2009 02:57 PM 457,688 sqlite3.dll
12/06/2009 06:28 PM 2,256,896 WI2224.exe
12/06/2009 06:28 PM 4,286 WINAG.ico
12/06/2009 06:28 PM <DIR> WINAGSys
5 File(s) 3,441,592 bytes
3 Dir(s) 77,319,520,256 bytes free
Volume in drive C is Win XP Pro OS & Programs
Volume Serial Number is B891-CE69

Directory of C:\WINDOWS\tasks

08/04/2004 06:00 AM 65 desktop.ini
12/15/2009 10:35 AM 6 SA.DAT
2 File(s) 71 bytes
0 Dir(s) 77,319,520,256 bytes free



****************************************************


SUPERAntiSpyware log...

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 12/15/2009 at 12:34 PM

Application Version : 4.31.1000

Core Rules Database Version : 4374
Trace Rules Database Version: 2214

Scan type : Complete Scan
Total Scan Time : 00:31:02

Memory items scanned : 481
Memory threats detected : 0
Registry items scanned : 6980
Registry threats detected : 0
File items scanned : 29290
File threats detected : 305

Adware.Tracking Cookie
C:\Documents and Settings\Rick Rohn\Cookies\rick_rohn@www.burstbeacon[1].txt
C:\Documents and Settings\Rick Rohn\Cookies\rick_rohn@ru4[1].txt
C:\Documents and Settings\Rick Rohn\Cookies\rick_rohn@ads.ireel[2].txt
C:\Documents and Settings\Rick Rohn\Cookies\rick_rohn@content.yieldmanager[3].txt
C:\Documents and Settings\Rick Rohn\Cookies\rick_rohn@lfstmedia[1].txt
C:\Documents and Settings\Rick Rohn\Cookies\rick_rohn@collective-media[1].txt
C:\Documents and Settings\Rick Rohn\Cookies\rick_rohn@track.singleedge[2].txt
C:\Documents and Settings\Rick Rohn\Cookies\rick_rohn@ads.bridgetrack[2].txt
C:\Documents and Settings\Rick Rohn\Cookies\rick_rohn@ww1.thefind[2].txt
C:\Documents and Settings\Rick Rohn\Cookies\rick_rohn@2o7[2].txt
C:\Documents and Settings\Rick Rohn\Cookies\rick_rohn@overture[1].txt
C:\Documents and Settings\Rick Rohn\Cookies\rick_rohn@kontera[2].txt
C:\Documents and Settings\Rick Rohn\Cookies\rick_rohn@media6degrees[2].txt
C:\Documents and Settings\Rick Rohn\Cookies\rick_rohn@trafficmp[2].txt
C:\Documents and Settings\Rick Rohn\Cookies\rick_rohn@ads.nba[1].txt
C:\Documents and Settings\Rick Rohn\Cookies\rick_rohn@specificclick[2].txt
C:\Documents and Settings\Rick Rohn\Cookies\rick_rohn@videoegg.adbureau[1].txt
C:\Documents and Settings\Rick Rohn\Cookies\rick_rohn@realmedia[2].txt
C:\Documents and Settings\Rick Rohn\Cookies\rick_rohn@serving-sys[2].txt
C:\Documents and Settings\Rick Rohn\Cookies\rick_rohn@burstbeacon[1].txt
C:\Documents and Settings\Rick Rohn\Cookies\rick_rohn@ads.widgetbucks[1].txt
C:\Documents and Settings\Rick Rohn\Cookies\rick_rohn@ads.realtechnetwork[2].txt
C:\Documents and Settings\Rick Rohn\Cookies\rick_rohn@ad.yieldmanager[1].txt
C:\Documents and Settings\Rick Rohn\Cookies\rick_rohn@cms.trafficmp[1].txt
C:\Documents and Settings\Rick Rohn\Cookies\rick_rohn@pointroll[2].txt
C:\Documents and Settings\Rick Rohn\Cookies\rick_rohn@a1.interclick[2].txt
C:\Documents and Settings\Rick Rohn\Cookies\rick_rohn@tracking.realtor[1].txt
C:\Documents and Settings\Rick Rohn\Cookies\rick_rohn@ad.wsod[2].txt
C:\Documents and Settings\Rick Rohn\Cookies\rick_rohn@ads.pointroll[2].txt
C:\Documents and Settings\Rick Rohn\Cookies\rick_rohn@server.cpmstar[2].txt
C:\Documents and Settings\Rick Rohn\Cookies\rick_rohn@click.bsftransmit1[1].txt
C:\Documents and Settings\Rick Rohn\Cookies\rick_rohn@edge.ru4[2].txt
C:\Documents and Settings\Rick Rohn\Cookies\rick_rohn@stat.blogorama[1].txt
C:\Documents and Settings\Rick Rohn\Cookies\rick_rohn@ads.ad4game[2].txt
C:\Documents and Settings\Rick Rohn\Cookies\rick_rohn@socialmedia[2].txt
C:\Documents and Settings\Rick Rohn\Cookies\rick_rohn@bs.serving-sys[1].txt
C:\Documents and Settings\Rick Rohn\Cookies\rick_rohn@oasn04.247realmedia[1].txt
C:\Documents and Settings\Rick Rohn\Cookies\rick_rohn@adlegend[2].txt
C:\Documents and Settings\Rick Rohn\Cookies\rick_rohn@specificmedia[3].txt
C:\Documents and Settings\Rick Rohn\Cookies\rick_rohn@azjmp[1].txt
C:\Documents and Settings\Rick Rohn\Cookies\rick_rohn@dominionenterprises.112.2o7[1].txt
C:\Documents and Settings\Rick Rohn\Cookies\rick_rohn@imrworldwide[2].txt
C:\Documents and Settings\Rick Rohn\Cookies\rick_rohn@content.yieldmanager[4].txt
C:\Documents and Settings\Rick Rohn\Cookies\rick_rohn@adsense11-web-officelive-com.sitereports.officelive[2].txt
C:\Documents and Settings\Rick Rohn\Cookies\rick_rohn@server.iad.liveperson[3].txt
C:\Documents and Settings\Rick Rohn\Cookies\rick_rohn@atdmt[1].txt
C:\Documents and Settings\Rick Rohn\Cookies\rick_rohn@invitemedia[2].txt
C:\Documents and Settings\Rick Rohn\Cookies\rick_rohn@adbrite[2].txt
C:\Documents and Settings\Rick Rohn\Cookies\rick_rohn@ads.undertone[2].txt
C:\Documents and Settings\Rick Rohn\Cookies\rick_rohn@richmedia.yahoo[2].txt
C:\Documents and Settings\Rick Rohn\Cookies\rick_rohn@timeinc.122.2o7[1].txt
C:\Documents and Settings\Rick Rohn\Cookies\rick_rohn@tacoda[2].txt
C:\Documents and Settings\Rick Rohn\Cookies\rick_rohn@tribalfusion[1].txt
C:\Documents and Settings\Rick Rohn\Cookies\rick_rohn@s.clickability[2].txt
C:\Documents and Settings\Rick Rohn\Cookies\rick_rohn@msnportal.112.2o7[1].txt
C:\Documents and Settings\Rick Rohn\Cookies\rick_rohn@247realmedia[1].txt
C:\Documents and Settings\Rick Rohn\Cookies\rick_rohn@adserver.adtechus[1].txt
C:\Documents and Settings\Rick Rohn\Cookies\rick_rohn@rotator.adjuggler[1].txt
C:\Documents and Settings\Rick Rohn\Cookies\rick_rohn@insightexpressai[1].txt
C:\Documents and Settings\Rick Rohn\Cookies\rick_rohn@citi.bridgetrack[1].txt
C:\Documents and Settings\Rick Rohn\Cookies\rick_rohn@interclick[1].txt
C:\Documents and Settings\Rick Rohn\Cookies\rick_rohn@revsci[1].txt
C:\Documents and Settings\Rick Rohn\Cookies\rick_rohn@questionmarket[2].txt
C:\Documents and Settings\Rick Rohn\Cookies\rick_rohn@iacas.adbureau[1].txt
C:\Documents and Settings\Rick Rohn\Cookies\rick_rohn@dc.tremormedia[2].txt
C:\Documents and Settings\Rick Rohn\Cookies\rick_rohn@advertising[2].txt
C:\Documents and Settings\Rick Rohn\Cookies\rick_rohn@cdn4.specificclick[2].txt
C:\Documents and Settings\Rick Rohn\Cookies\rick_rohn@marketlive.122.2o7[1].txt
C:\Documents and Settings\Rick Rohn\Cookies\rick_rohn@stats.washingtonpost[1].txt
C:\Documents and Settings\Rick Rohn\Cookies\rick_rohn@server.iad.liveperson[1].txt
C:\Documents and Settings\Rick Rohn\Cookies\rick_rohn@homestore.122.2o7[1].txt
C:\Documents and Settings\Rick Rohn\Cookies\rick_rohn@thefind[1].txt
C:\Documents and Settings\Rick Rohn\Cookies\rick_rohn@www.jartrack[1].txt
C:\Documents and Settings\Rick Rohn\Cookies\rick_rohn@adtech[1].txt
C:\Documents and Settings\Rick Rohn\Cookies\rick_rohn@stats2.clicktracks[2].txt
C:\Documents and Settings\Rick Rohn\Cookies\rick_rohn@network.realmedia[1].txt
C:\Documents and Settings\Rick Rohn\Cookies\rick_rohn@berkeleycountyschools[1].txt
C:\Documents and Settings\Rick Rohn\Cookies\rick_rohn@www.berkeleycountyschools[2].txt
C:\Documents and Settings\Rick Rohn\Cookies\rick_rohn@us.adserver.yahoo[1].txt
C:\Documents and Settings\Becca Rohn\Cookies\becca_rohn@questionmarket[2].txt
C:\Documents and Settings\Becca Rohn\Cookies\becca_rohn@clickbooth[2].txt
C:\Documents and Settings\Becca Rohn\Cookies\becca_rohn@gcc-00.googleadservices[1].txt
C:\Documents and Settings\Becca Rohn\Cookies\becca_rohn@content.yieldmanager[1].txt
C:\Documents and Settings\Becca Rohn\Cookies\becca_rohn@server.cpmstar[2].txt
C:\Documents and Settings\Becca Rohn\Cookies\becca_rohn@ads4.blastro[2].txt
C:\Documents and Settings\Becca Rohn\Cookies\becca_rohn@ads.us.e-planning[1].txt
C:\Documents and Settings\Becca Rohn\Cookies\becca_rohn@media303[2].txt
C:\Documents and Settings\Becca Rohn\Cookies\becca_rohn@media.ntsserve[1].txt
C:\Documents and Settings\Becca Rohn\Cookies\becca_rohn@www.advertyz[1].txt
C:\Documents and Settings\Becca Rohn\Cookies\becca_rohn@www.googleadservices[2].txt
C:\Documents and Settings\Becca Rohn\Cookies\becca_rohn@insightexpressai[2].txt
C:\Documents and Settings\Becca Rohn\Cookies\becca_rohn@kontera[2].txt
C:\Documents and Settings\Becca Rohn\Cookies\becca_rohn@videoegg.adbureau[2].txt
C:\Documents and Settings\Becca Rohn\Cookies\becca_rohn@adinterax[2].txt
C:\Documents and Settings\Becca Rohn\Cookies\becca_rohn@atdmt[1].txt
C:\Documents and Settings\Becca Rohn\Cookies\becca_rohn@atlas.entrepreneur[2].txt
C:\Documents and Settings\Becca Rohn\Cookies\becca_rohn@ads.widgetbucks[1].txt
C:\Documents and Settings\Becca Rohn\Cookies\becca_rohn@www.burstnet[2].txt
C:\Documents and Settings\Becca Rohn\Cookies\becca_rohn@ad.yieldmanager[2].txt
C:\Documents and Settings\Becca Rohn\Cookies\becca_rohn@ads.associatedcontent[1].txt
C:\Documents and Settings\Becca Rohn\Cookies\becca_rohn@mediatraffic[2].txt
C:\Documents and Settings\Becca Rohn\Cookies\becca_rohn@stats.crossmediaservices[1].txt
C:\Documents and Settings\Becca Rohn\Cookies\becca_rohn@interclick[2].txt
C:\Documents and Settings\Becca Rohn\Cookies\becca_rohn@adfi.adbureau[1].txt
C:\Documents and Settings\Becca Rohn\Cookies\becca_rohn@oasn04.247realmedia[1].txt
C:\Documents and Settings\Becca Rohn\Cookies\becca_rohn@dmtracker[1].txt
C:\Documents and Settings\Becca Rohn\Cookies\becca_rohn@prospect.adbureau[1].txt
C:\Documents and Settings\Becca Rohn\Cookies\becca_rohn@ads.trashypretty[2].txt
C:\Documents and Settings\Becca Rohn\Cookies\becca_rohn@server.koadserver[1].txt
C:\Documents and Settings\Becca Rohn\Cookies\becca_rohn@us.adserver.yahoo[1].txt
C:\Documents and Settings\Becca Rohn\Cookies\becca_rohn@trafficdashboard[1].txt
C:\Documents and Settings\Becca Rohn\Cookies\becca_rohn@tremor.adbureau[1].txt
C:\Documents and Settings\Becca Rohn\Cookies\becca_rohn@apmebf[1].txt
C:\Documents and Settings\Becca Rohn\Cookies\becca_rohn@trafficvenuedirect[2].txt
C:\Documents and Settings\Becca Rohn\Cookies\becca_rohn@adserver.adtechus[1].txt
C:\Documents and Settings\Becca Rohn\Cookies\becca_rohn@server2.bkvtrack[2].txt
C:\Documents and Settings\Becca Rohn\Cookies\becca_rohn@a.websponsors[2].txt
C:\Documents and Settings\Becca Rohn\Cookies\becca_rohn@chitika[1].txt
C:\Documents and Settings\Becca Rohn\Cookies\becca_rohn@adserving.contextualmarketplace[2].txt
C:\Documents and Settings\Becca Rohn\Cookies\becca_rohn@burstnet[2].txt
C:\Documents and Settings\Becca Rohn\Cookies\becca_rohn@crossmediaservices[2].txt
C:\Documents and Settings\Becca Rohn\Cookies\becca_rohn@zillow.adbureau[2].txt
C:\Documents and Settings\Becca Rohn\Cookies\becca_rohn@ads.cnn[1].txt
C:\Documents and Settings\Becca Rohn\Cookies\becca_rohn@media.photobucket[2].txt
C:\Documents and Settings\Becca Rohn\Cookies\becca_rohn@ads.tnt[1].txt
C:\Documents and Settings\Becca Rohn\Cookies\becca_rohn@adbrite[2].txt
C:\Documents and Settings\Becca Rohn\Cookies\becca_rohn@mediaplex[1].txt
C:\Documents and Settings\Becca Rohn\Cookies\becca_rohn@imrworldwide[2].txt
C:\Documents and Settings\Becca Rohn\Cookies\becca_rohn@microsoftwindows.112.2o7[1].txt
C:\Documents and Settings\Becca Rohn\Cookies\becca_rohn@viacom.adbureau[2].txt
C:\Documents and Settings\Becca Rohn\Cookies\becca_rohn@eyewonder[2].txt
C:\Documents and Settings\Becca Rohn\Cookies\becca_rohn@pgcom.adbureau[2].txt
C:\Documents and Settings\Becca Rohn\Cookies\becca_rohn@advertising[1].txt
C:\Documents and Settings\Becca Rohn\Cookies\becca_rohn@rocku.adbureau[2].txt
C:\Documents and Settings\Becca Rohn\Cookies\becca_rohn@htmlgear.tripod[2].txt
C:\Documents and Settings\Becca Rohn\Cookies\becca_rohn@partner2profit[1].txt
C:\Documents and Settings\Becca Rohn\Cookies\becca_rohn@doubleclick[2].txt
C:\Documents and Settings\Becca Rohn\Cookies\becca_rohn@ads.vlaze[1].txt
C:\Documents and Settings\Becca Rohn\Cookies\becca_rohn@247realmedia[1].txt
C:\Documents and Settings\Becca Rohn\Cookies\becca_rohn@ads.gmodules[2].txt
C:\Documents and Settings\Becca Rohn\Cookies\becca_rohn@mywebsearch[2].txt
C:\Documents and Settings\Becca Rohn\Cookies\becca_rohn@specificmedia[1].txt
C:\Documents and Settings\Becca Rohn\Cookies\becca_rohn@lstat.youku[2].txt
C:\Documents and Settings\Becca Rohn\Cookies\becca_rohn@ads.hightimes[1].txt
C:\Documents and Settings\Becca Rohn\Cookies\becca_rohn@collective-media[2].txt
C:\Documents and Settings\Becca Rohn\Cookies\becca_rohn@ads.diet[1].txt
C:\Documents and Settings\Becca Rohn\Cookies\becca_rohn@track.cbs[1].txt
C:\Documents and Settings\Becca Rohn\Cookies\becca_rohn@tracking.vindicosuite[1].txt
C:\Documents and Settings\Becca Rohn\Cookies\becca_rohn@socialmedia[2].txt
C:\Documents and Settings\Becca Rohn\Cookies\becca_rohn@ads.veoh[1].txt
C:\Documents and Settings\Becca Rohn\Cookies\becca_rohn@www.accountonline[1].txt
C:\Documents and Settings\Becca Rohn\Cookies\becca_rohn@stat.youku[1].txt
C:\Documents and Settings\Becca Rohn\Cookies\becca_rohn@media6degrees[2].txt
C:\Documents and Settings\Becca Rohn\Cookies\becca_rohn@network.realmedia[1].txt
C:\Documents and Settings\Becca Rohn\Cookies\becca_rohn@richmedia.yahoo[1].txt
C:\Documents and Settings\Becca Rohn\Cookies\becca_rohn@fastclick[2].txt
C:\Documents and Settings\Becca Rohn\Cookies\becca_rohn@realmedia[2].txt
C:\Documents and Settings\Becca Rohn\Cookies\becca_rohn@lotsofads.smilingtraffic[1].txt
C:\Documents and Settings\Becca Rohn\Cookies\becca_rohn@www.berkeleycountyschools[2].txt
C:\Documents and Settings\Becca Rohn\Cookies\becca_rohn@berkeleycountyschools[1].txt
C:\Documents and Settings\Becca Rohn\Cookies\becca_rohn@track.bestbuy[2].txt
C:\Documents and Settings\Becca Rohn\Cookies\becca_rohn@5.go.globaladsales[1].txt
C:\Documents and Settings\Becca Rohn\Cookies\becca_rohn@audit.median[1].txt
C:\Documents and Settings\Becca Rohn\Cookies\becca_rohn@media.mtvnservices[1].txt
C:\Documents and Settings\Becca Rohn\Cookies\becca_rohn@sixapart.adbureau[1].txt
C:\Documents and Settings\Becca Rohn\Cookies\becca_rohn@adnetserver[1].txt
C:\Documents and Settings\Becca Rohn\Cookies\becca_rohn@burstbeacon[2].txt
C:\Documents and Settings\Becca Rohn\Cookies\becca_rohn@cgm.adbureau[1].txt
C:\Documents and Settings\Becca Rohn\Cookies\becca_rohn@eb.adbureau[2].txt
C:\Documents and Settings\Becca Rohn\Cookies\becca_rohn@myroitracking[1].txt
C:\Documents and Settings\Becca Rohn\Cookies\becca_rohn@neoedge.adbureau[1].txt
C:\Documents and Settings\Becca Rohn\Cookies\becca_rohn@nextag[2].txt
C:\Documents and Settings\Becca Rohn\Cookies\becca_rohn@qnsr[1].txt
C:\Documents and Settings\Becca Rohn\Cookies\becca_rohn@www.burstbeacon[2].txt
C:\Documents and Settings\Rick Rohn\Cookies\rick_rohn@specificclick[1].txt
C:\Documents and Settings\Rick Rohn\Cookies\rick_rohn@specificmedia[2].txt
C:\Documents and Settings\Rick Rohn\Cookies\rick_rohn@ads.bootcampmedia[1].txt
C:\Documents and Settings\Rick Rohn\Cookies\rick_rohn@cdn4.specificclick[1].txt
C:\Documents and Settings\Rick Rohn\Cookies\rick_rohn@enhance[1].txt
C:\Documents and Settings\Rick Rohn\Cookies\rick_rohn@247realmedia[2].txt
C:\Documents and Settings\Rick Rohn\Cookies\rick_rohn@www.findstuff[2].txt
C:\Documents and Settings\Rick Rohn\Cookies\rick_rohn@ad.yieldmanager[2].txt
C:\Documents and Settings\Rick Rohn\Cookies\rick_rohn@insightexpressai[2].txt
C:\Documents and Settings\Rick Rohn\Cookies\rick_rohn@statcounter[1].txt
C:\Documents and Settings\Rick Rohn\Cookies\rick_rohn@bizrate[1].txt
C:\Documents and Settings\Rick Rohn\Cookies\rick_rohn@bridge2.admarketplace[1].txt
C:\Documents and Settings\Rick Rohn\Cookies\rick_rohn@bridge1.admarketplace[1].txt
C:\Documents and Settings\Rick Rohn\Cookies\rick_rohn@media6degrees[1].txt
C:\Documents and Settings\Rick Rohn\Cookies\rick_rohn@invitemedia[1].txt
C:\Documents and Settings\Rick Rohn\Cookies\rick_rohn@d.mediaforceads[1].txt
C:\Documents and Settings\Rick Rohn\Cookies\rick_rohn@trafficmp[1].txt
C:\Documents and Settings\Rick Rohn\Cookies\rick_rohn@dc.tremormedia[1].txt
C:\Documents and Settings\Rick Rohn\Cookies\rick_rohn@admarketplace[1].txt
C:\Documents and Settings\Rick Rohn\Cookies\rick_rohn@snip.www.findstuff[1].txt
C:\Documents and Settings\Rick Rohn\Cookies\rick_rohn@admarketplace[2].txt
C:\Documents and Settings\Rick Rohn\Cookies\rick_rohn@ad.zanox[1].txt
C:\Documents and Settings\Rick Rohn\Cookies\rick_rohn@adfarm1.adition[2].txt
C:\Documents and Settings\Rick Rohn\Cookies\rick_rohn@content.yieldmanager[2].txt
C:\Documents and Settings\Rick Rohn\Cookies\rick_rohn@overture[2].txt
C:\Documents and Settings\Rick Rohn\Cookies\rick_rohn@zedo[1].txt
C:\Documents and Settings\Stacie Rohn\Cookies\stacie_rohn@bs.serving-sys[1].txt
C:\Documents and Settings\Stacie Rohn\Cookies\stacie_rohn@richmedia.yahoo[2].txt
C:\Documents and Settings\Stacie Rohn\Cookies\stacie_rohn@serving-sys[2].txt
C:\Documents and Settings\Stacie Rohn\Cookies\stacie_rohn@edge.ru4[1].txt
C:\Documents and Settings\Stacie Rohn\Cookies\stacie_rohn@realmedia[1].txt
C:\Documents and Settings\Stacie Rohn\Cookies\stacie_rohn@fastclick[1].txt
C:\Documents and Settings\Stacie Rohn\Cookies\stacie_rohn@ads.newsforce[1].txt
C:\Documents and Settings\Stacie Rohn\Cookies\stacie_rohn@kontera[2].txt
C:\Documents and Settings\Stacie Rohn\Cookies\stacie_rohn@media.adrevolver[1].txt
C:\Documents and Settings\Stacie Rohn\Cookies\stacie_rohn@specificmedia[2].txt
C:\Documents and Settings\Stacie Rohn\Cookies\stacie_rohn@specificclick[1].txt
C:\Documents and Settings\Stacie Rohn\Cookies\stacie_rohn@collective-media[1].txt
C:\Documents and Settings\Stacie Rohn\Cookies\stacie_rohn@viacom.adbureau[1].txt
C:\Documents and Settings\Stacie Rohn\Cookies\stacie_rohn@microsoftwindows.112.2o7[1].txt
C:\Documents and Settings\Stacie Rohn\Cookies\stacie_rohn@www.burstnet[2].txt
C:\Documents and Settings\Stacie Rohn\Cookies\stacie_rohn@mediaplex[2].txt
C:\Documents and Settings\Stacie Rohn\Cookies\stacie_rohn@content.yieldmanager[1].txt
C:\Documents and Settings\Stacie Rohn\Cookies\stacie_rohn@questionmarket[2].txt
C:\Documents and Settings\Stacie Rohn\Cookies\stacie_rohn@kanoodle[1].txt
C:\Documents and Settings\Stacie Rohn\Cookies\stacie_rohn@socialmedia[2].txt
C:\Documents and Settings\Stacie Rohn\Cookies\stacie_rohn@focalex[2].txt
C:\Documents and Settings\Stacie Rohn\Cookies\stacie_rohn@ads.imarketservices[1].txt
C:\Documents and Settings\Stacie Rohn\Cookies\stacie_rohn@doubleclick[1].txt
C:\Documents and Settings\Stacie Rohn\Cookies\stacie_rohn@s.clickability[2].txt
C:\Documents and Settings\Stacie Rohn\Cookies\stacie_rohn@atdmt[1].txt
C:\Documents and Settings\Stacie Rohn\Cookies\stacie_rohn@clickbooth[1].txt
C:\Documents and Settings\Stacie Rohn\Cookies\stacie_rohn@interclick[1].txt
C:\Documents and Settings\Stacie Rohn\Cookies\stacie_rohn@ad.yieldmanager[2].txt
C:\Documents and Settings\Stacie Rohn\Cookies\stacie_rohn@ads.widgetbucks[1].txt
C:\Documents and Settings\Stacie Rohn\Cookies\stacie_rohn@ads.herald-mail[1].txt
C:\Documents and Settings\Stacie Rohn\Cookies\stacie_rohn@adinterax[2].txt
C:\Documents and Settings\Stacie Rohn\Cookies\stacie_rohn@pn1.adserver.yahoo[1].txt
C:\Documents and Settings\Stacie Rohn\Cookies\stacie_rohn@statcounter[1].txt
C:\Documents and Settings\Stacie Rohn\Cookies\stacie_rohn@iacas.adbureau[2].txt
C:\Documents and Settings\Stacie Rohn\Cookies\stacie_rohn@track.bestbuy[1].txt
C:\Documents and Settings\Stacie Rohn\Cookies\stacie_rohn@tribalfusion[2].txt
C:\Documents and Settings\Stacie Rohn\Cookies\stacie_rohn@adbureau[1].txt
C:\Documents and Settings\Stacie Rohn\Cookies\stacie_rohn@adserv.brandaffinity[2].txt
C:\Documents and Settings\Stacie Rohn\Cookies\stacie_rohn@berkeleycountyschools[1].txt
C:\Documents and Settings\Stacie Rohn\Cookies\stacie_rohn@chitika[1].txt
C:\Documents and Settings\Stacie Rohn\Cookies\stacie_rohn@tacoda[2].txt
C:\Documents and Settings\Stacie Rohn\Cookies\stacie_rohn@www.accountonline[1].txt
C:\Documents and Settings\Stacie Rohn\Cookies\stacie_rohn@ads.ovguide[1].txt
C:\Documents and Settings\Stacie Rohn\Cookies\stacie_rohn@zedo[2].txt
C:\Documents and Settings\Stacie Rohn\Cookies\stacie_rohn@a1.interclick[2].txt
C:\Documents and Settings\Stacie Rohn\Cookies\stacie_rohn@adopt.euroclick[1].txt
C:\Documents and Settings\Stacie Rohn\Cookies\stacie_rohn@adrevolver[2].txt
C:\Documents and Settings\Stacie Rohn\Cookies\stacie_rohn@ads.cnn[1].txt
C:\Documents and Settings\Stacie Rohn\Cookies\stacie_rohn@ads.nexstardigital[1].txt
C:\Documents and Settings\Stacie Rohn\Cookies\stacie_rohn@ads.pgatour[1].txt
C:\Documents and Settings\Stacie Rohn\Cookies\stacie_rohn@adserver.adtechus[1].txt
C:\Documents and Settings\Stacie Rohn\Cookies\stacie_rohn@advertising[2].txt
C:\Documents and Settings\Stacie Rohn\Cookies\stacie_rohn@apmebf[1].txt
C:\Documents and Settings\Stacie Rohn\Cookies\stacie_rohn@app.insightgrit[1].txt
C:\Documents and Settings\Stacie Rohn\Cookies\stacie_rohn@at.atwola[2].txt
C:\Documents and Settings\Stacie Rohn\Cookies\stacie_rohn@burstnet[1].txt
C:\Documents and Settings\Stacie Rohn\Cookies\stacie_rohn@cgm.adbureau[2].txt
C:\Documents and Settings\Stacie Rohn\Cookies\stacie_rohn@citi.bridgetrack[1].txt
C:\Documents and Settings\Stacie Rohn\Cookies\stacie_rohn@insightexpressai[2].txt
C:\Documents and Settings\Stacie Rohn\Cookies\stacie_rohn@media6degrees[1].txt
C:\Documents and Settings\Stacie Rohn\Cookies\stacie_rohn@partner2profit[2].txt
C:\Documents and Settings\Stacie Rohn\Cookies\stacie_rohn@revenue[2].txt
C:\Documents and Settings\Stacie Rohn\Cookies\stacie_rohn@revsci[2].txt
C:\Documents and Settings\Stacie Rohn\Cookies\stacie_rohn@rocku.adbureau[2].txt
C:\Documents and Settings\Stacie Rohn\Cookies\stacie_rohn@server.iad.liveperson[1].txt
C:\Documents and Settings\Stacie Rohn\Cookies\stacie_rohn@server.iad.liveperson[3].txt
C:\Documents and Settings\Stacie Rohn\Cookies\stacie_rohn@www.berkeleycountyschools[2].txt
C:\Documents and Settings\Stacie Rohn\Cookies\stacie_rohn@www.ecoretrack[1].txt
C:\Documents and Settings\Stacie Rohn\Cookies\stacie_rohn@www.googleadservices[2].txt
C:\WINDOWS\TEMP\Cookies\stacie_rohn@media6degrees[2].txt
C:\WINDOWS\TEMP\Cookies\stacie_rohn@overture[1].txt
C:\WINDOWS\TEMP\Cookies\stacie_rohn@media.adrevolver[1].txt
C:\WINDOWS\TEMP\Cookies\stacie_rohn@specificmedia[1].txt
C:\WINDOWS\TEMP\Cookies\stacie_rohn@mediaplex[1].txt
C:\WINDOWS\TEMP\Cookies\stacie_rohn@ad.yieldmanager[1].txt
C:\WINDOWS\TEMP\Cookies\stacie_rohn@interclick[2].txt
C:\WINDOWS\TEMP\Cookies\stacie_rohn@atdmt[2].txt
C:\WINDOWS\TEMP\Cookies\stacie_rohn@dynamic.media.adrevolver[1].txt
C:\WINDOWS\TEMP\Cookies\stacie_rohn@2o7[2].txt
C:\WINDOWS\TEMP\Cookies\stacie_rohn@a1.interclick[1].txt
C:\WINDOWS\TEMP\Cookies\stacie_rohn@adrevolver[2].txt
C:\WINDOWS\TEMP\Cookies\stacie_rohn@adserver.adtechus[1].txt
C:\WINDOWS\TEMP\Cookies\stacie_rohn@advertising[1].txt
C:\WINDOWS\TEMP\Cookies\stacie_rohn@apmebf[1].txt
C:\WINDOWS\TEMP\Cookies\stacie_rohn@cache.trafficmp[1].txt
C:\WINDOWS\TEMP\Cookies\stacie_rohn@doubleclick[1].txt
C:\WINDOWS\TEMP\Cookies\stacie_rohn@e-2dj6wfk4ugdzklp.stats.esomniture[2].txt
C:\WINDOWS\TEMP\Cookies\stacie_rohn@specificclick[2].txt
C:\WINDOWS\TEMP\Cookies\stacie_rohn@trafficmp[1].txt

Rogue.Agent/Gen
C:\Documents and Settings\All Users\Application Data\2224C41

Rogue.Agent/Gen-Multi[W]
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\2224C41\WI2224.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{46DE8921-1D39-44D2-A9E9-64119261F211}\RP506\A0044163.LNK
C:\SYSTEM VOLUME INFORMATION\_RESTORE{46DE8921-1D39-44D2-A9E9-64119261F211}\RP506\A0044164.LNK
C:\SYSTEM VOLUME INFORMATION\_RESTORE{46DE8921-1D39-44D2-A9E9-64119261F211}\RP506\A0044165.LNK
C:\SYSTEM VOLUME INFORMATION\_RESTORE{46DE8921-1D39-44D2-A9E9-64119261F211}\RP506\A0044166.LNK
C:\SYSTEM VOLUME INFORMATION\_RESTORE{46DE8921-1D39-44D2-A9E9-64119261F211}\RP506\A0045173.LNK
C:\SYSTEM VOLUME INFORMATION\_RESTORE{46DE8921-1D39-44D2-A9E9-64119261F211}\RP506\A0045174.LNK
C:\SYSTEM VOLUME INFORMATION\_RESTORE{46DE8921-1D39-44D2-A9E9-64119261F211}\RP506\A0045175.LNK
C:\SYSTEM VOLUME INFORMATION\_RESTORE{46DE8921-1D39-44D2-A9E9-64119261F211}\RP506\A0045176.LNK

Trojan.Agent/Gen-Nullo[Short]
C:\SYSTEM VOLUME INFORMATION\_RESTORE{46DE8921-1D39-44D2-A9E9-64119261F211}\RP506\A0045177.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{46DE8921-1D39-44D2-A9E9-64119261F211}\RP506\A0045178.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{46DE8921-1D39-44D2-A9E9-64119261F211}\RP506\A0045179.DLL
M:\SYSTEM VOLUME INFORMATION\_RESTORE{46DE8921-1D39-44D2-A9E9-64119261F211}\RP506\A0045181.EXE
M:\SYSTEM VOLUME INFORMATION\_RESTORE{46DE8921-1D39-44D2-A9E9-64119261F211}\RP506\A0045182.EXE
M:\SYSTEM VOLUME INFORMATION\_RESTORE{46DE8921-1D39-44D2-A9E9-64119261F211}\RP506\A0045183.EXE
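
A triage pass over HijackThis entries of the kinds shown in the log above, as an added example (this is not HijackThis code and not a tool used in this thread). It parses the O4 (autostart), O9 (extra IE buttons), O16 (DPF, ActiveX controls downloaded by IE), O20 (Winlogon Notify) and O23 (services) line formats and flags what a helper looks at first: entries whose file is gone, programs started from user-writable data or temp folders, remotely fetched ActiveX controls, and services with no publisher string. The sample input is copied from the log above plus two constructed lines (a `[WI2224]` Run entry and an "Unknown owner" service) that are illustrations, not lines from the poster's log; the rules are heuristics to prioritise review, not verdicts.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Sample input: lines copied from the HijackThis log posted above, plus two
# CONSTRUCTED lines for illustration (the [WI2224] Run entry and the
# "Unknown owner" service). Those two are not from the poster's log.
SAMPLE_LOG = r"""
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O4 - HKLM\..\Run: [WI2224] C:\Documents and Settings\All Users\Application Data\2224c41\WI2224.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....ploader1006.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Example Service (exsvc) - Unknown owner - C:\WINDOWS\Temp\exsvc.exe
"""

ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")

# User-writable locations nothing on a home XP box should autostart or run a
# service from. Heuristic: tune for the machine you are looking at.
SUSPECT_DIRS = ("\\application data\\", "\\local settings\\temp\\", "\\windows\\temp\\")


@dataclass
class Finding:
    severity: str   # "high", "medium" or "low"
    kind: str       # HijackThis section: O4, O9, O16, O20, O23 ...
    reason: str
    line: str


def target_of(kind: str, body: str) -> str:
    """Return the path or URL an entry points at, given the text after 'Onn - '."""
    if kind == "O4" and "] " in body:        # O4 - HKLM\..\Run: [Name] path
        return body.split("] ", 1)[1].strip()
    if kind == "O4" and " = " in body:       # O4 - Global Startup: x.lnk = path
        return body.rsplit(" = ", 1)[1].strip()
    if " - " in body:                        # O9/O16/O20/O23: ... - path-or-url
        return body.rsplit(" - ", 1)[1].strip()
    return body.strip()


def triage(log_text: str) -> List[Finding]:
    found: List[Finding] = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        kind, body = m.group(1), m.group(2)
        target = target_of(kind, body)
        low = target.lower()
        line = raw.strip()

        if target == "(no file)":
            # Orphan: the registry still names a file that no longer exists.
            found.append(Finding("low", kind, "orphaned entry, referenced file is gone", line))
            continue
        if kind in ("O4", "O20", "O23") and any(d in low for d in SUSPECT_DIRS):
            found.append(Finding("high", kind, "autostart or service running from a user-writable data/temp directory", line))
        if kind == "O16" and low.startswith(("http://", "https://")):
            # DPF = ActiveX control fetched from a remote URL (the forum truncated these URLs).
            found.append(Finding("medium", kind, "ActiveX control downloaded from a web site; confirm it is still wanted", line))
        if kind == "O23" and " - unknown owner - " in body.lower():
            found.append(Finding("medium", kind, "service binary carries no publisher string", line))
        if kind == "O20":
            # Winlogon Notify DLLs are loaded into winlogon.exe at every logon.
            found.append(Finding("low", kind, "Winlogon Notify DLL; verify the publisher", line))
    return found


def summarize(findings: List[Finding]) -> Dict[str, int]:
    counts = {"high": 0, "medium": 0, "low": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in sorted(results, key=lambda f: ("high", "medium", "low").index(f.severity)):
        print(f"[{f.severity:6}] {f.kind}: {f.reason}\n         {f.line}")
    print(summarize(results))
```

Paste a full HijackThis log into `SAMPLE_LOG` (or read it from a file) and the high findings are the ones to research first; on this thread's log the real signal is anything launched from `All Users\Application Data`, which is where the `2224c41` folder lives.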

#12 EngravEER (Member, 55 posts) - Posted 15 December 2009 - 08:17 PM

Joker:

BitDefender made me output the scan info as an HTML file. I thought that was somewhat strange so perhaps I did something wrong. Saved it as an HTML file, opened it in my browser and copied and pasted the contents to a text file as follows...



BitDefender Online Scanner

Scan report generated at: Tue, Dec 15, 2009 - 11:48:46
Scan path: C:\;D:\;G:\;H:\;I:\;J:\;K:\;L:\;M:\;N:\;O:\;

Statistics
  Time: 00:56:12
  Files: 352816
  Folders: 11098
  Boot Sectors: 0
  Archives: 5471
  Packed Files: 17964

Results
  Identified Viruses: 4
  Infected Files: 4
  Suspect Files: 0
  Warnings: 0
  Disinfected: 0
  Deleted Files: 4

Engines Info
  Virus Definitions: 4731111
  Engine build: AVCORE v2.1 Windows/i386 11.0.0.26 (Oct 20 2009)
  Scan plugins: 17
  Archive plugins: 44
  Unpack plugins: 8
  E-mail plugins: 6
  System plugins: 4

Scan Settings
  First Action: Disinfect
  Second Action: Delete
  Heuristics: Yes
  Enable Warnings: Yes
  Scanned Extensions: *;
  Exclude Extensions:
  Scan Emails: Yes
  Scan Archives: Yes
  Scan Packed: Yes
  Scan Files: Yes
  Scan Boot: Yes

Scanned File / Status
  C:\Documents and Settings\Rick Rohn\Application Data\Sun\Java\Deployment\cache\6.0\32\1ad04aa0-6f3fc2d8=>myf/y/AppletX.class
    Infected with: Trojan.Generic.IS.614610
    Deleted
  C:\Documents and Settings\Rick Rohn\Application Data\Sun\Java\Deployment\cache\6.0\32\1ad04aa0-6f3fc2d8
    Updated
  C:\Documents and Settings\Rick Rohn\Application Data\Sun\Java\Deployment\cache\6.0\32\1ad04aa0-6f3fc2d8=>myf/y/LoaderX.class
    Infected with: Trojan.Generic.IS.617631
    Deleted
  C:\Documents and Settings\Rick Rohn\Application Data\Sun\Java\Deployment\cache\6.0\32\1ad04aa0-6f3fc2d8
    Updated
  C:\Documents and Settings\Rick Rohn\Application Data\Sun\Java\Deployment\cache\6.0\32\1ad04aa0-6f3fc2d8=>myf/y/PayloadX.class
    Infected with: Trojan.Generic.IS.616012
    Deleted
  C:\Documents and Settings\Rick Rohn\Application Data\Sun\Java\Deployment\cache\6.0\32\1ad04aa0-6f3fc2d8
    Updated
  C:\WINDOWS\CouponPrinter.ocx
    Detected with: Adware.Generic.53752
    Deleted

#13 TheJoker (Forum Deity, Boot Camp Mod, 14,325 posts) - Posted 15 December 2009 - 08:51 PM

It looks like everything went fine. :D

Reconfigure Windows to show hidden files:
Click Start. Open My Computer.
Select the Tools menu and click Folder Options. Select the View Tab.
Under the Hidden files and folders heading select "Show hidden files and folders".
Uncheck the "Hide protected operating system files (recommended)" option.
Uncheck the "Hide file extensions for known file types" option.
Click Yes to confirm. Click OK.

Using Windows Explorer, delete the following folders if still there:
C:\Documents and Settings\All Users\Application Data\WIEASIOFLDNAG
C:\Documents and Settings\All Users\Application Data\2224C41

Now you need to hide the files you un-hid earlier:
Click Start. Open My Computer.
Select the Tools menu and click Folder Options. Select the View Tab.
Under the Hidden files and folders heading unselect "Show hidden files and folders".
Check the "Hide protected operating system files (recommended)" option.
Click Yes to confirm. Click OK.

BitDefender made me output the scan info as an HTML file. I thought that was somewhat strange so perhaps I did something wrong.

You didn't make an error, it creates the log as an HTML file for formatting, but it pastes just fine. I see it found and deleted some malware in your Java cache, and deleted an adware related file.

Your scan showed one or more viruses in your Sun Java Runtime Environment (JRE) cache. Delete those by clearing the JRE cache.
To clear the Java Runtime Environment (JRE) cache:
  • Click Start > Control Panel.
  • Double-click the Java icon in the control panel.
    -The Java Control Panel appears.
  • Click Settings under Temporary Internet Files.
    -The Temporary Files Settings dialog box appears.
  • Click Delete Files.
    -The Delete Temporary Files dialog box appears.
    -There are two options on this window to clear the cache.
    • Applications and Applets
    • Trace and Log File.
  • Click OK on Delete Temporary Files window.
    -Note: This deletes all the Downloaded Applications and Applets from the cache.
  • Click OK on Temporary Files Settings window.
  • Close the Java Control Panel
How is the system running now, are you still being redirected?

Free Tools for Fighting Malware
Anti-Virus: avast! Free Antivirus / Avira Free AntiVirus
OnLine Anti-Virus: ESET / BitDefender / F-Secure
Anti-Malware: Malwarebytes' Anti-Malware / Dr.Web CureIt
Spyware/Adware Tools: MVPS HOSTS File / SpywareBlaster
Firewall: Comodo Firewall Free / Privatefirewall
Tutorials: How did I get Infected? / Internet Explorer Privacy & Security Settings
If we have helped, please help us continue the fight by using the Donate button, or see this topic for other ways to donate.

MS MVP 2009-2010 and ASAP Member since 2005


#14 EngravEER

EngravEER

    Member

  • Full Member
  • Pip
  • 55 posts

Posted 15 December 2009 - 10:54 PM

Joker:

C:\Documents and Settings\All Users\Application Data\WIEASIOFLDNAG was still there. Contained one file which "appeared" to be a Microsoft Office Configuration file... it was dated from 12/6/09 however. Axed it and the folder. There was no sign of C:\Documents and Settings\All Users\Application Data\2224C41.

Java Runtime Environment (JRE) cache cleared per your instructions.

Everything seems back to normal browser-wise. Entering "google" now takes you to the main Google home page... no more redirects to the Google Netherlands site. Wife can also now get into her gmail account without problems.

Whatever "it" was appears to have done a job on my Avira AntiVirus though. Killed the Avira desktop icon on the Avira AntiVirus Control Center. I can still open the Control Center. However, when I go to do a program update I get the message, "The following error occurred when trying to start the update: Scheduler not loaded." Also, the AntiVir Guard says "Service Stopped" and I can't get it going again in the sys tray. It could perhaps be conflicting with the SUPERAntiSpyware Free Edition that we installed and whose icon I now see down in my sys tray. Of course, it seems Avira let-in whatever it was so perhaps it's time to dump ole Avira for that new, good-looking SUPER blond who just moved-in downstairs LOL!

As we're obviously close to putting the wraps on this, any other thoughts, suggestions, etc. going forward? Oh, and I know we have to do a "clean-up" on some of the tools we used throughout the process. Will wait to hear back. Thanks!!

#15 TheJoker

TheJoker

    Forum Deity

  • Boot Camp Mod
  • PipPipPipPipPip
  • 14,325 posts

Posted 15 December 2009 - 11:29 PM

Everything seems back to normal browser-wise.

Excellent!

SUPERAntiSpyware would not be a replacement for Avira. It's along the lines of MBAM or Windows Defender as an anti-malware utility.

For the problems with Avira, I'd reinstall it.
  • Be certain you have a copy of the current installer
  • I would uninstall SUPERAntiSpyware (you can reinstall it later if you want).
  • Be certain you have a current copy of the Avira AntiVir Personal installer.
  • Disconnect from the Internet by pulling the connection cable.
  • Uninstall Avira AntiVir Personal - Free Antivirus from Control Panel's Add or Remove Programs.
  • Reboot.
  • Reinstall Avira and restart if requested.
  • Reconnect to the Internet and update the program.
If you were to try another antivirus program rather than Avira, I'd try Avast!.

To help keep malware off your system:
  • Keep Windows updated at Windows Update or Microsoft Update.
  • Keep your other applications updated, there are vulnerabilities that rely on exploits through other programs like Java, Microsoft Office, Adobe Reader, Flash, and others.
  • Run a program like Secunia Software Inspector Scan to see what programs need to be updated.
  • Be careful with flash drives, as they can spread infections. See this post on USB/flash drive safety.
  • Stay away from P2P software; even with a clean P2P program, their networks are often riddled with malware.
  • Don't click on attachments or links in e-mail, and read your e-mail in text-only mode for the highest safety.
  • Don't click on links received in instant message programs.
  • In place of Internet Explorer, browse with Firefox with the NoScript and AdBlock Plus add-ons.
  • A HOSTS file will prevent Internet Explorer from communicating with sites known to be associated with adware or spyware. A good regularly updated HOSTS file is MVPS HOSTS File, available at http://www.mvps.org/...2002/hosts.htm.
  • A free non-resident utility to prevent the installation of ActiveX-based malware is JavaCool's SpywareBlaster. For real-time protection, there is SpywareGuard. Both are available at http://www.javacools.../products.html.
  • I recommend reading Tony Klein's article So How did I get Infected in the First Place? at http://www.spywarein...showtopic=60955
Does your problem appear resolved?


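The HOSTS-file advice in the post above is the other side of what this thread was about: a hijacked hosts file sends google.com and gmail to an address the attacker controls (or blackholes the antivirus update servers, which is consistent with Avira refusing to update), while a protective file such as the MVPS one only points known ad and spyware hosts at a sinkhole address. The following Python script is added here as an illustration; it is not part of the original thread and not code from MVPS, Spybot, HijackThis or any other tool named in it. It parses a hosts file and separates the two cases. The watch-list of domains, the sample hosts content and the 203.0.113.10 address are constructed for the example.

```python
"""Triage a Windows hosts file (added example, not from the thread).

Separates protective blocklist lines (MVPS-style: a domain pointed at
0.0.0.0 or 127.0.0.1) from hijack lines that redirect a real service
somewhere else or blackhole a vendor you need to reach.
"""
import ipaddress
from typing import Dict, List, Tuple

# Addresses that only *block* a name; a line pointing here is a sinkhole.
SINKHOLE_ADDRESSES = {"0.0.0.0", "127.0.0.1", "::1"}
LOCALHOST_NAMES = {"localhost", "localhost.localdomain"}

# Domains a hijacker typically tampers with (search, webmail, AV/OS updates).
# This watch-list is an assumption for the example, not from the thread.
WATCHED_SUFFIXES = (
    "google.com", "gmail.com", "avira.com", "malwarebytes.org",
    "microsoft.com", "windowsupdate.com", "safer-networking.org",
)

# Constructed sample: stock line, two MVPS-style blocks, then hijack lines.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
# MVPS-style blocklist lines: harmless, they only blackhole ad servers
0.0.0.0 ad.doubleclick.net
0.0.0.0 adserver.example   # constructed
# Lines a hijacker appends: redirect search/mail, block AV updates
203.0.113.10 google.com www.google.com
203.0.113.10 gmail.com mail.google.com
127.0.0.1 dl.avira.com
203.0.113.10 intranet.example   # unknown redirect: review, not automatic hijack
"""

Entry = Tuple[int, str, str]   # (line number, ip, hostname)


def parse_hosts(text: str) -> List[Entry]:
    """Return one (line_no, ip, hostname) per mapping, ignoring comments.

    Malformed lines are skipped, which is also what the resolver does.
    """
    entries: List[Entry] = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()     # drop trailing comments
        if not line:
            continue
        fields = line.split()
        ip, names = fields[0], fields[1:]
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue
        for name in names:
            entries.append((line_no, ip, name.lower()))
    return entries


def is_watched(hostname: str) -> bool:
    """True if hostname is, or is under, one of the watched domains."""
    return any(hostname == s or hostname.endswith("." + s)
               for s in WATCHED_SUFFIXES)


def triage(text: str) -> Dict[str, List[Entry]]:
    """Classify every mapping as 'blocklist', 'redirect' or 'hijack'.

    - hijack:    a watched domain, whether redirected or sinkholed
    - blocklist: any other name pointed at a sinkhole address
    - redirect:  any other name pointed at a routable address (review it)
    The stock 'localhost' line is ignored.
    """
    findings: Dict[str, List[Entry]] = {"blocklist": [], "redirect": [], "hijack": []}
    for entry in parse_hosts(text):
        _, ip, name = entry
        if name in LOCALHOST_NAMES and ip in SINKHOLE_ADDRESSES:
            continue
        if is_watched(name):
            findings["hijack"].append(entry)
        elif ip in SINKHOLE_ADDRESSES:
            findings["blocklist"].append(entry)
        else:
            findings["redirect"].append(entry)
    return findings


if __name__ == "__main__":
    # On XP the live file is %SystemRoot%\system32\drivers\etc\hosts;
    # here the constructed sample is used so the script runs anywhere.
    for kind, items in triage(SAMPLE_HOSTS).items():
        print(f"{kind}: {len(items)}")
        for line_no, ip, name in items:
            print(f"  line {line_no}: {ip} -> {name}")
```

Two caveats when running this against a real machine. The resolver reads the hosts file from the directory named in the registry value HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DataBasePath, so check that value still points at %SystemRoot%\system32\drivers\etc rather than a copy the malware placed elsewhere. And a hosts file that Spybot and HijackThis cannot open, as in this thread, has usually had the read-only/hidden/system attributes set or its ACL changed; `attrib` and `cacls` on the file show which, and both need to be restored before the file can be cleaned.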

#16 EngravEER

EngravEER

    Member

  • Full Member
  • Pip
  • 55 posts

Posted 16 December 2009 - 01:53 AM

Joker:

I'll uninstall SUPERAntiSpyware, re-install Avira Personal and then re-install SUPERAntiSpyware. Figure I'll have Avira running continuously in the background and then just try to scan my system regularly with both MalwareBytes and SUPERAntiSpyware. Hopefully that will go a long way in keeping the Gremlins at bay.

I appreciate -- and will heed -- your other suggestions for keeping the Gremlins at bay as well :thumbup:

Problem appears solved and we should be good-to-go! Let's consider this case closed and relegated to the archives.

I have just made a Paypal donation of $50.00 to recognize and thank you for all of your help. Wish I could do more (because the good work you folks do here is certainly worth much more), but the Holidays and the two ladies in my household are taking care of any and all excess funding :D

Thank you again for all of your help!!

EngravEER

#17 TheJoker

TheJoker

    Forum Deity

  • Boot Camp Mod
  • PipPipPipPipPip
  • 14,325 posts

Posted 16 December 2009 - 06:30 AM

We thank you very much for the extremely generous donation. Donations like that allow us to keep up the fight against malware and continue to provide assistance to those that need it.



#18 TheJoker

TheJoker

    Forum Deity

  • Boot Camp Mod
  • PipPipPipPipPip
  • 14,325 posts

Posted 19 December 2009 - 10:45 PM

Glad we could help. :)

If you need this topic reopened, please tell the moderating team by replying here with the address of the thread. This applies only to the original topic starter. Everyone else please begin a New Topic.


