Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Latest News: RansSIRIA Ransomware Takes Advantage of the Syrian Refugee Crisis

Featured Deal: Get 92% off a Microsoft Azure Mastery Bundle Deal

01 hosts

Started by Rodasm , Aug 26 2009 03:09 PM

This topic is locked

25 replies to this topic

#1 Rodasm

Members
34 posts
OFFLINE

Gender:Male
Location:Norfolk UK
Local time:07:05 PM

Posted 26 August 2009 - 03:09 PM

I inadvertantly let Windows Protection Suite in this morning. Thought I had rid of it, it doesn’t show on any virus scans but I’ve had nothing but probs since.

Starting Hijackthis I get the following
For some reason your system denied access to the hosts file etc
Then
You have a particlarly large ammount of hijacked domains etc

C:\ WINDOWS\SYSTEM32\DRIVERS\ETC
hosts.bak
hosts.ics
hosts.new
Imhosts - SAM file
networks
protocol
services

Cannot get rid of 01 Hosts. Tried everything I can find on the net, no luck.
Tick and flick in hjt but they all come back.

Please go easy, I’m past sellby date and can only understand words of one sylable. No offence, hope you understand
Thanks

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:16:40, on 26/08/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Belkin\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\System32\dmadmin.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\apps\ABoard\ABoard.exe
C:\apps\ABoard\AOSD.exe
C:\Program Files\Creative\Creative ZEN\ZEN Media Explorer\CTCheck.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\WINDOWS\system32\dllhost.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\Program Files\Belkin\Bluetooth Software\BTTray.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.virginmedia.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.virgin.net/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O1 - Hosts: 74.125.45.100 4-open-davinci.com
O1 - Hosts: 74.125.45.100 securitysoftwarepayments.com
O1 - Hosts: 74.125.45.100 privatesecuredpayments.com
O1 - Hosts: 74.125.45.100 secure.privatesecuredpayments.com
O1 - Hosts: 74.125.45.100 getantivirusplusnow.com
O1 - Hosts: 74.125.45.100 secure-plus-payments.com
O1 - Hosts: 74.125.45.100 www.getantivirusplusnow.com
O1 - Hosts: 74.125.45.100 www.secure-plus-payments.com
O1 - Hosts: 74.125.45.100 www.getavplusnow.com
O1 - Hosts: 74.125.45.100 www.securesoftwarebill.com
O1 - Hosts: 74.125.45.100 secure.paysecuresystem.com
O1 - Hosts: 64.86.17.56 google.ae
O1 - Hosts: 64.86.17.56 google.as
O1 - Hosts: 64.86.17.56 google.at
O1 - Hosts: 64.86.17.56 google.az
O1 - Hosts: 64.86.17.56 google.ba
O1 - Hosts: 64.86.17.56 google.be
O1 - Hosts: 64.86.17.56 google.bg
O1 - Hosts: 64.86.17.56 google.bs
O1 - Hosts: 64.86.17.56 google.ca
O1 - Hosts: 64.86.17.56 google.cd
O1 - Hosts: 64.86.17.56 google.com.gh
O1 - Hosts: 64.86.17.56 google.com.hk
O1 - Hosts: 64.86.17.56 google.com.jm
O1 - Hosts: 64.86.17.56 google.com.mx
O1 - Hosts: 64.86.17.56 google.com.my
O1 - Hosts: 64.86.17.56 google.com.na
O1 - Hosts: 64.86.17.56 google.com.nf
O1 - Hosts: 64.86.17.56 google.com.ng
O1 - Hosts: 64.86.17.56 google.ch
O1 - Hosts: 64.86.17.56 google.com.np
O1 - Hosts: 64.86.17.56 google.com.pr
O1 - Hosts: 64.86.17.56 google.com.qa
O1 - Hosts: 64.86.17.56 google.com.sg
O1 - Hosts: 64.86.17.56 google.com.tj
O1 - Hosts: 64.86.17.56 google.com.tw
O1 - Hosts: 64.86.17.56 google.dj
O1 - Hosts: 64.86.17.56 google.de
O1 - Hosts: 64.86.17.56 google.dk
O1 - Hosts: 64.86.17.56 google.dm
O1 - Hosts: 64.86.17.56 google.ee
O1 - Hosts: 64.86.17.56 google.fi
O1 - Hosts: 64.86.17.56 google.fm
O1 - Hosts: 64.86.17.56 google.fr
O1 - Hosts: 64.86.17.56 google.ge
O1 - Hosts: 64.86.17.56 google.gg
O1 - Hosts: 64.86.17.56 google.gm
O1 - Hosts: 64.86.17.56 google.gr
O1 - Hosts: 64.86.17.56 google.ht
O1 - Hosts: 64.86.17.56 google.ie
O1 - Hosts: 64.86.17.56 google.im
O1 - Hosts: 64.86.17.56 google.in
O1 - Hosts: 64.86.17.56 google.it
O1 - Hosts: 64.86.17.56 google.ki
O1 - Hosts: 64.86.17.56 google.la
O1 - Hosts: 64.86.17.56 google.li
O1 - Hosts: 64.86.17.56 google.lv
O1 - Hosts: 64.86.17.56 google.ma
O1 - Hosts: 64.86.17.56 google.ms
O1 - Hosts: 64.86.17.56 google.mu
O1 - Hosts: 64.86.17.56 google.mw
O1 - Hosts: 64.86.17.56 google.nl
O1 - Hosts: 64.86.17.56 google.no
O1 - Hosts: 64.86.17.56 google.nr
O1 - Hosts: 64.86.17.56 google.nu
O1 - Hosts: 64.86.17.56 google.pl
O1 - Hosts: 64.86.17.56 google.pn
O1 - Hosts: 64.86.17.56 google.pt
O1 - Hosts: 64.86.17.56 google.ro
O1 - Hosts: 64.86.17.56 google.ru
O1 - Hosts: 64.86.17.56 google.rw
O1 - Hosts: 64.86.17.56 google.sc
O1 - Hosts: 64.86.17.56 google.se
O1 - Hosts: 64.86.17.56 google.sh
O1 - Hosts: 64.86.17.56 google.si
O1 - Hosts: 64.86.17.56 google.sm
O1 - Hosts: 64.86.17.56 google.sn
O1 - Hosts: 64.86.17.56 google.st
O1 - Hosts: 64.86.17.56 google.tl
O1 - Hosts: 64.86.17.56 google.tm
O1 - Hosts: 64.86.17.56 google.tt
O1 - Hosts: 64.86.17.56 google.us
O1 - Hosts: 64.86.17.56 google.vu
O1 - Hosts: 64.86.17.56 google.ws
O1 - Hosts: 64.86.17.56 google.co.ck
O1 - Hosts: 64.86.17.56 google.co.id
O1 - Hosts: 64.86.17.56 google.co.il
O1 - Hosts: 64.86.17.56 google.co.in
O1 - Hosts: 64.86.17.56 google.co.jp
O1 - Hosts: 64.86.17.56 google.co.kr
O1 - Hosts: 64.86.17.56 google.co.ls
O1 - Hosts: 64.86.17.56 google.co.ma
O1 - Hosts: 64.86.17.56 google.co.nz
O1 - Hosts: 64.86.17.56 google.co.tz
O1 - Hosts: 64.86.17.56 google.co.ug
O1 - Hosts: 64.86.17.56 google.co.uk
O1 - Hosts: 64.86.17.56 google.co.za
O1 - Hosts: 64.86.17.56 google.co.zm
O1 - Hosts: 64.86.17.56 google.com
O1 - Hosts: 64.86.17.56 google.com.af
O1 - Hosts: 64.86.17.56 google.com.ag
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [ACTIVBOARD] c:\apps\ABoard\ABoard.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [CTCheck] C:\Program Files\Creative\Creative ZEN\ZEN Media Explorer\CTCheck.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - Global Startup: BTTray.lnk = ?
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase1140.cab
O16 - DPF: {6C269571-C6D7-4818-BCA4-32A035E8C884} (Creative Software AutoUpdate) - http://ccfiles.creative.com/Web/softwareup...101/CTSUEng.cab
O16 - DPF: {E862C832-3A5F-4CEB-BFAA-167B22010A71} (InfosFinder2.InfosFinder) - http://support.packardbell.com/files/activ...nfosFinder2.CAB
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation - C:\Program Files\Belkin\Bluetooth Software\bin\btwdins.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Google Update Service (gupdate1c990222eb63270) (gupdate1c990222eb63270) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe

--
End of file - 11325 bytes

BC AdBot (Login to Remove)

BleepingComputer.com
Register to remove ads

#2 SifuMike

malware expert

Staff Emeritus
15,385 posts
OFFLINE

Gender:Male
Location:Vancouver (not BC) WA (Not DC) USA
Local time:05:05 PM

Posted 27 August 2009 - 01:04 PM

Hello Rodasm,

Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

Download Security Check by screen317 from here or here.
Save it to your Desktop.
Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
A Notepad document should open automatically called checkup.txt.
Please post the contents of that document.

**********************

Note: If you already have Malwarebytes' Anti-Malware, then update, run it, then do a "Perform Full Scan"
Please download Malwarebytes' Anti-Malware from one of these places:
http://download.cnet.com/Malwarebytes-Anti...&tag=button
http://www.majorgeeks.com/Malwarebytes_Ant...ware_d5756.html
http://www.besttechie.net/mbam/mbam-setup.exe

Double Click mbam-setup.exe to install the application.

* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select "Perform Full Scan", then click Scan.
* The scan may take some time to finish,so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy&Paste the entire MBAM report (even if it does not find anything) in your next reply along with a fresh HijackThis log.

Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 Rodasm

Topic Starter

Members
34 posts
OFFLINE

Gender:Male
Location:Norfolk UK
Local time:07:05 PM

Posted 28 August 2009 - 04:31 PM

Hi SifuMike'
I have run malwarebytes and nothing found,
I ran Housecall, live onecare, avg, Perhaps I shouldn't have but nothing found
Tried HijackThis hosts files manager. It said "the hosts file is locked for reading and cannot be edited" Hosts file in sys 32 does not show read only
Here's the Security Check if I aint b*****ed it all up

Results of screen317's Security Check version 0.98.9
Windows XP Service Pack 3
``````````````````````````````
Antivirus/Firewall Check:
Windows Firewall Enabled!
AVG Free 8.5
Windows Live OneCare safety scanner
Windows Live OneCare safety scanner

Antivirus up to date!
``````````````````````````````
Anti-malware/Other Utilities Check:
Malwarebytes' Anti-Malware
HijackThis 2.0.2
CCleaner (remove only)
Java™ 6 Update 15
Adobe Flash Player 10
Adobe Reader 9
``````````````````````````````
Process Check:
objlist.exe by Laurent
AVG avgwdsvc.exe
AVG avgtray.exe
AVG avgrsx.exe
AVG avgnsx.exe
AVG avgemc.exe

Trend Micro HijackThis HijackThis.exe

``````````````````````````````
DNS Vulnerability Check:
Request Timed Out (Wireless Internet connection/Disconnected Internet/Proxy?)

`````````End of Log```````````

#4 SifuMike

malware expert

Staff Emeritus
15,385 posts
OFFLINE

Gender:Male
Location:Vancouver (not BC) WA (Not DC) USA
Local time:05:05 PM

Posted 28 August 2009 - 04:45 PM

Hi Rodasm,

Download SDFix and save it to your Desktop.

Double click SDFix.exe and choose Install to extract it to its own folder on the Desktop. Please then reboot your computer in Safe Mode by doing the following :

Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, the Advanced Options Menu should appear;
Select the first option, to run Windows in Safe Mode, then press Enter.
Choose your usual account.

Open the extracted SDFix folder and double click RunThis.bat to start the script.
Type Y to begin the cleanup process.
It will remove any Trojan Services or Registry Entries found then prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt.
Finally copy and paste the contents of the results file Report.txt back onto the forum with a new HijackThis log

-- If this error message is displayed when running SDFix: "The command prompt has been disabled by your administrator. Press any key to continue..."
Please go to Start Menu > Run > and copy/paste the following line:
%systemdrive%\SDFix\apps\swreg IMPORT %systemdrive%\SDFix\apps\Enable_Command_Prompt.reg
Press Ok and then run SDFix again.

-- If the Command Prompt window flashes on then off again on XP or Win 2000, please go to Start Menu > Run > and copy/paste the following line:
%systemdrive%\SDFix\apps\FixPath.exe /Q
Reboot and then run SDFix again.

-- If SDFix still does not run, check the %comspec% variable. Right-click My Computer > click Properties > Advanced > Environment Variables and check that the ComSpec variable points to cmd.exe.
%SystemRoot%\system32\cmd.exe

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#5 Rodasm

Topic Starter

Members
34 posts
OFFLINE

Gender:Male
Location:Norfolk UK
Local time:07:05 PM

Posted 29 August 2009 - 05:11 AM

Hi SifuMike, hope this is what you wanted. Glad that someone can make sense of all this.
Still getting messages as below when starting HiJack scan
“For some reason your system denied access to the hosts file” etc
“You have a particlarly large ammount of hijacked domains” etc

Copy of Malware log run on 26th
Malwarebytes' Anti-Malware 1.40
Database version: 2697
Windows 5.1.2600 Service Pack 3

26/08/2009 12:25:46
mbam-log-2009-08-26 (12-25-46).txt

Scan type: Quick Scan
Objects scanned: 99568
Time elapsed: 9 minute(s), 15 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 1
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Registry Helper (Rogue.RegistryHelper) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\WINDOWS\system32\wsnpoem (Trojan.Agent) -> Quarantined and deleted successfully.

Files Infected:
(No malicious items detected)

SDFix: Version 1.240
Run by Ron on 28/08/2009 at 23:13

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :

Restoring Default Security Values
Restoring Default Hosts File

Rebooting

Checking Files :

No Trojan Files Found

Removing Temp Files

ADS Check :

Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-28 23:24:09
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\BTHPORT\Parameters\Keys\000a3a62f34c]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\000a3a62f34c]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\000a3a62f34c]

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

Remaining Services :

Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\WINDOWS\\system32\\sessmgr.exe"="C:\\WINDOWS\\system32\\sessmgr.exe:*:Disabled:@xpsp2res.dll,-22019"
"C:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"="C:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe:*:Disabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\UBISOFT\\Splinter Cell Pandora Tomorrow\\pandora.exe"="C:\\Program Files\\UBISOFT\\Splinter Cell Pandora Tomorrow\\pandora.exe:*:Disabled:PANDORA"
"C:\\Program Files\\UBISOFT\\Splinter Cell Pandora Tomorrow\\logo_ubi.exe"="C:\\Program Files\\UBISOFT\\Splinter Cell Pandora Tomorrow\\logo_ubi.exe:*:Disabled:SPLINTER CELL PANDORA"
"C:\\Program Files\\Kontiki\\KService.exe"="C:\\Program Files\\Kontiki\\KService.exe:*:Enabled:Delivery Manager Service"
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"="C:\\Program Files\\Grisoft\\AVG7\\avginet.exe:*:Enabled:avginet.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe:*:Enabled:avgamsvr.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe:*:Enabled:avgcc.exe"
"C:\\Program Files\\Internet Explorer\\iexplore.exe"="C:\\Program Files\\Internet Explorer\\iexplore.exe:*:Enabled:Internet Explorer"
"%ProgramFiles%\\UBISOFT\\Splinter Cell Pandora Tomorrow\\logo_ubi.exe"="%ProgramFiles%\\UBISOFT\\Splinter Cell Pandora Tomorrow\\logo_ubi.exe:*:Enabled:SPLINTER CELL PANDORA"
"%ProgramFiles%\\UBISOFT\\Splinter Cell Pandora Tomorrow\\pandora.exe"="%ProgramFiles%\\UBISOFT\\Splinter Cell Pandora Tomorrow\\pandora.exe:*:Enabled:PANDORA"
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Spotify\\spotify.exe"="C:\\Program Files\\Spotify\\spotify.exe:*:Enabled:Spotify"
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"="C:\\Program Files\\AVG\\AVG8\\avgupd.exe:*:Enabled:avgupd.exe"
"C:\\Program Files\\AVG\\AVG8\\avgnsx.exe"="C:\\Program Files\\AVG\\AVG8\\avgnsx.exe:*:Enabled:avgnsx.exe"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Disabled:Skype"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

Remaining Files :

Files with Hidden Attributes :

Tue 14 Jun 2005 208 A.SHR --- "C:\BOOT.BAK"
Mon 14 Apr 2008 1,695,232 ..SH. --- "C:\Program Files\Messenger\msmsgs.exe"
Sun 9 Mar 2008 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Fri 22 Dec 2006 14,050,304 ...H. --- "C:\Documents and Settings\Ron\My Documents\~WRL0002.tmp"
Thu 6 Aug 2009 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv02.tmp"
Wed 26 Aug 2009 35,840 ...H. --- "C:\Documents and Settings\Ron\My Documents\Comp and other\~WRL1497.tmp"
Wed 26 Aug 2009 39,936 ...H. --- "C:\Documents and Settings\Ron\My Documents\Comp and other\~WRL3257.tmp"
Wed 26 Aug 2009 1,075,200 ...H. --- "C:\Documents and Settings\Ron\My Documents\Comp and other\~WRL3837.tmp"
Wed 26 Aug 2009 41,984 ...H. --- "C:\Documents and Settings\Ron\My Documents\Comp and other\~WRL3957.tmp"
Wed 26 Aug 2009 6,948 A.SHR --- "C:\WINDOWS\system32\drivers\etc\hosts.bak"
Sun 9 Mar 2008 400 A.SH. --- "C:\Documents and Settings\Ron\My Documents\My Music\License Backup\drmv2key.bak"
Thu 19 Oct 2006 201 A..H. --- "C:\Documents and Settings\Ron\My Documents\Unzipped\DVINBOT.709\CCONTROL.SYS"
Fri 28 Aug 2009 5,690 A.SH. --- "C:\Documents and Settings\All Users\Documents\Recorded TV\TempRec\TempSBE\SBE1.tmp"

Finished!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:32:17, on 28/08/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Belkin\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\dmadmin.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\WINDOWS\system32\dllhost.exe
C:\apps\ABoard\ABoard.exe
C:\WINDOWS\system32\rundll32.exe
C:\apps\ABoard\AOSD.exe
C:\Program Files\Creative\Creative ZEN\ZEN Media Explorer\CTCheck.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Belkin\Bluetooth Software\BTTray.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.virgin.net/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O1 - Hosts: 74.125.45.100 4-open-davinci.com
O1 - Hosts: 74.125.45.100 securitysoftwarepayments.com
O1 - Hosts: 74.125.45.100 privatesecuredpayments.com
O1 - Hosts: 74.125.45.100 secure.privatesecuredpayments.com
O1 - Hosts: 74.125.45.100 getantivirusplusnow.com
O1 - Hosts: 74.125.45.100 secure-plus-payments.com
O1 - Hosts: 74.125.45.100 www.getantivirusplusnow.com
O1 - Hosts: 74.125.45.100 www.secure-plus-payments.com
O1 - Hosts: 74.125.45.100 www.getavplusnow.com
O1 - Hosts: 74.125.45.100 www.securesoftwarebill.com
O1 - Hosts: 74.125.45.100 secure.paysecuresystem.com
O1 - Hosts: 64.86.17.56 google.ae
O1 - Hosts: 64.86.17.56 google.as
O1 - Hosts: 64.86.17.56 google.at
O1 - Hosts: 64.86.17.56 google.az
O1 - Hosts: 64.86.17.56 google.ba
O1 - Hosts: 64.86.17.56 google.be
O1 - Hosts: 64.86.17.56 google.bg
O1 - Hosts: 64.86.17.56 google.bs
O1 - Hosts: 64.86.17.56 google.ca
O1 - Hosts: 64.86.17.56 google.cd
O1 - Hosts: 64.86.17.56 google.com.gh
O1 - Hosts: 64.86.17.56 google.com.hk
O1 - Hosts: 64.86.17.56 google.com.jm
O1 - Hosts: 64.86.17.56 google.com.mx
O1 - Hosts: 64.86.17.56 google.com.my
O1 - Hosts: 64.86.17.56 google.com.na
O1 - Hosts: 64.86.17.56 google.com.nf
O1 - Hosts: 64.86.17.56 google.com.ng
O1 - Hosts: 64.86.17.56 google.ch
O1 - Hosts: 64.86.17.56 google.com.np
O1 - Hosts: 64.86.17.56 google.com.pr
O1 - Hosts: 64.86.17.56 google.com.qa
O1 - Hosts: 64.86.17.56 google.com.sg
O1 - Hosts: 64.86.17.56 google.com.tj
O1 - Hosts: 64.86.17.56 google.com.tw
O1 - Hosts: 64.86.17.56 google.dj
O1 - Hosts: 64.86.17.56 google.de
O1 - Hosts: 64.86.17.56 google.dk
O1 - Hosts: 64.86.17.56 google.dm
O1 - Hosts: 64.86.17.56 google.ee
O1 - Hosts: 64.86.17.56 google.fi
O1 - Hosts: 64.86.17.56 google.fm
O1 - Hosts: 64.86.17.56 google.fr
O1 - Hosts: 64.86.17.56 google.ge
O1 - Hosts: 64.86.17.56 google.gg
O1 - Hosts: 64.86.17.56 google.gm
O1 - Hosts: 64.86.17.56 google.gr
O1 - Hosts: 64.86.17.56 google.ht
O1 - Hosts: 64.86.17.56 google.ie
O1 - Hosts: 64.86.17.56 google.im
O1 - Hosts: 64.86.17.56 google.in
O1 - Hosts: 64.86.17.56 google.it
O1 - Hosts: 64.86.17.56 google.ki
O1 - Hosts: 64.86.17.56 google.la
O1 - Hosts: 64.86.17.56 google.li
O1 - Hosts: 64.86.17.56 google.lv
O1 - Hosts: 64.86.17.56 google.ma
O1 - Hosts: 64.86.17.56 google.ms
O1 - Hosts: 64.86.17.56 google.mu
O1 - Hosts: 64.86.17.56 google.mw
O1 - Hosts: 64.86.17.56 google.nl
O1 - Hosts: 64.86.17.56 google.no
O1 - Hosts: 64.86.17.56 google.nr
O1 - Hosts: 64.86.17.56 google.nu
O1 - Hosts: 64.86.17.56 google.pl
O1 - Hosts: 64.86.17.56 google.pn
O1 - Hosts: 64.86.17.56 google.pt
O1 - Hosts: 64.86.17.56 google.ro
O1 - Hosts: 64.86.17.56 google.ru
O1 - Hosts: 64.86.17.56 google.rw
O1 - Hosts: 64.86.17.56 google.sc
O1 - Hosts: 64.86.17.56 google.se
O1 - Hosts: 64.86.17.56 google.sh
O1 - Hosts: 64.86.17.56 google.si
O1 - Hosts: 64.86.17.56 google.sm
O1 - Hosts: 64.86.17.56 google.sn
O1 - Hosts: 64.86.17.56 google.st
O1 - Hosts: 64.86.17.56 google.tl
O1 - Hosts: 64.86.17.56 google.tm
O1 - Hosts: 64.86.17.56 google.tt
O1 - Hosts: 64.86.17.56 google.us
O1 - Hosts: 64.86.17.56 google.vu
O1 - Hosts: 64.86.17.56 google.ws
O1 - Hosts: 64.86.17.56 google.co.ck
O1 - Hosts: 64.86.17.56 google.co.id
O1 - Hosts: 64.86.17.56 google.co.il
O1 - Hosts: 64.86.17.56 google.co.in
O1 - Hosts: 64.86.17.56 google.co.jp
O1 - Hosts: 64.86.17.56 google.co.kr
O1 - Hosts: 64.86.17.56 google.co.ls
O1 - Hosts: 64.86.17.56 google.co.ma
O1 - Hosts: 64.86.17.56 google.co.nz
O1 - Hosts: 64.86.17.56 google.co.tz
O1 - Hosts: 64.86.17.56 google.co.ug
O1 - Hosts: 64.86.17.56 google.co.uk
O1 - Hosts: 64.86.17.56 google.co.za
O1 - Hosts: 64.86.17.56 google.co.zm
O1 - Hosts: 64.86.17.56 google.com
O1 - Hosts: 64.86.17.56 google.com.af
O1 - Hosts: 64.86.17.56 google.com.ag
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O4 - HKLM\..\Run: [ACTIVBOARD] c:\apps\ABoard\ABoard.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [CTCheck] C:\Program Files\Creative\Creative ZEN\ZEN Media Explorer\CTCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - Global Startup: BTTray.lnk = ?
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase1140.cab
O16 - DPF: {6C269571-C6D7-4818-BCA4-32A035E8C884} (Creative Software AutoUpdate) - http://ccfiles.creative.com/Web/softwareup...101/CTSUEng.cab
O16 - DPF: {E862C832-3A5F-4CEB-BFAA-167B22010A71} (InfosFinder2.InfosFinder) - http://support.packardbell.com/files/activ...nfosFinder2.CAB
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation - C:\Program Files\Belkin\Bluetooth Software\bin\btwdins.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Google Update Service (gupdate1c990222eb63270) (gupdate1c990222eb63270) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe

--
End of file - 11648 bytes

#6 SifuMike

malware expert

Staff Emeritus
15,385 posts
OFFLINE

Gender:Male
Location:Vancouver (not BC) WA (Not DC) USA
Local time:05:05 PM

Posted 29 August 2009 - 09:52 AM

Hi Rodasm,

All right....so next thing to do is this :

Download and scan with Spybot S&D
http://www.safer-networking.org/en/download/index.html

1. Install Spybot. Be sure to UNCHECK TeaTimer when presented with the option to install.
2. Run Spybot, go to the Menu Bar at the top choose Mode and make certain that "Default mode" has a check mark beside it.
3. Click the button "Search for Updates".
4. If any updates are found, install them by placing a checkmark next to each one and clicking "Download Updates".If you encounter any error messages while downloading the updates, manually download them from here.
5. Click on "Immunize". When it detects what has or has not been blocked, block all remaining items by clicking the green plus sign next to immunize at the top.
6. Click the button "Check for Problems".
7. When Spybot is complete, it will be showing RED entries, bold BLACK entries and GREEN entries in the window.
8. Make certain there is a check mark beside all of the RED entries ONLY.
9. Choose "Fix Selected Problems" and allow Spybot to fix the RED entries.
10. REBOOT to complete the scan and clear memory.

Then, as always, have a scan with HijackThis to see if those pests are gone

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#7 Rodasm

Topic Starter

Members
34 posts
OFFLINE

Gender:Male
Location:Norfolk UK
Local time:07:05 PM

Posted 29 August 2009 - 10:29 AM

hi SifuMike
I know I shouldn't mess about but I can't help being nosy.

I haven't changed anything, just looked

I opened C drive tools clicked "show hidden files and folders"

unticked "Hide extensions for known file types"

unticked "Hide protected operating system files"

There is a system file - hosts - created 10 Sep 2004 - modified 26 Sep 2009, the day it all went wrong. It shows all the 01hosts

The file is marked read only, cannot change this as "access is denied"

Gone back to C drive tools and reset default settings.

Don't know if this means anything to you.

Will carry out your latest suggestion

thanks

#8 SifuMike

malware expert

Staff Emeritus
15,385 posts
OFFLINE

Gender:Male
Location:Vancouver (not BC) WA (Not DC) USA
Local time:05:05 PM

Posted 29 August 2009 - 11:02 AM

Just means that something is blocking access to Hosts file.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#9 Rodasm

Topic Starter

Members
34 posts
OFFLINE

Gender:Male
Location:Norfolk UK
Local time:07:05 PM

Posted 29 August 2009 - 11:25 AM

I'm running Spybot but when I click Immunize I get message "immunisation incomplete...there are 11176 items still unprotected"
Should I continue nevertheless?
Turned off Zone Alarm but still getting message

#10 SifuMike

malware expert

Staff Emeritus
15,385 posts
OFFLINE

Gender:Male
Location:Vancouver (not BC) WA (Not DC) USA
Local time:05:05 PM

Posted 29 August 2009 - 11:49 AM

but when I click Immunize I get message "immunisation incomplete...there are 11176 items still unprotected

Let it complete. If it Immunization does not work the first time then do the imminization again.

It must complete to be effective.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#11 Rodasm

Topic Starter

Members
34 posts
OFFLINE

Gender:Male
Location:Norfolk UK
Local time:07:05 PM

Posted 29 August 2009 - 11:58 AM

Thanks SifuMike
It did complete after va few tries. Now running

#12 SifuMike

malware expert

Staff Emeritus
15,385 posts
OFFLINE

Gender:Male
Location:Vancouver (not BC) WA (Not DC) USA
Local time:05:05 PM

Posted 29 August 2009 - 12:03 PM

Hi Rodasm,

After it completes the Immunizaiton, run Spybot to remove malware,
then reboot your computer and post a fresh Hijackthis log.

Edited by SifuMike, 29 August 2009 - 12:04 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#13 Rodasm

Topic Starter

Members
34 posts
OFFLINE

Gender:Male
Location:Norfolk UK
Local time:07:05 PM

Posted 29 August 2009 - 12:48 PM

Hello SifuMike

Spybot found RegistryHelper HKLM\software\diskcleaner

Removed and rebooted

Sorry about this

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:39:46, on 29/08/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Belkin\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\dmadmin.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\apps\ABoard\ABoard.exe
C:\WINDOWS\system32\rundll32.exe
C:\apps\ABoard\AOSD.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Creative\Creative ZEN\ZEN Media Explorer\CTCheck.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Belkin\Bluetooth Software\BTTray.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.virgin.net/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program

Files\AVG\AVG8\Toolbar\IEToolbar.dll
R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O1 - Hosts: 74.125.45.100 4-open-davinci.com
O1 - Hosts: 74.125.45.100 securitysoftwarepayments.com
O1 - Hosts: 74.125.45.100 privatesecuredpayments.com
O1 - Hosts: 74.125.45.100 secure.privatesecuredpayments.com
O1 - Hosts: 74.125.45.100 getantivirusplusnow.com
O1 - Hosts: 74.125.45.100 secure-plus-payments.com
O1 - Hosts: 74.125.45.100 www.getantivirusplusnow.com
O1 - Hosts: 74.125.45.100 www.secure-plus-payments.com
O1 - Hosts: 74.125.45.100 www.getavplusnow.com
O1 - Hosts: 74.125.45.100 www.securesoftwarebill.com
O1 - Hosts: 74.125.45.100 secure.paysecuresystem.com
O1 - Hosts: 64.86.17.56 google.ae
O1 - Hosts: 64.86.17.56 google.as
O1 - Hosts: 64.86.17.56 google.at
O1 - Hosts: 64.86.17.56 google.az
O1 - Hosts: 64.86.17.56 google.ba
O1 - Hosts: 64.86.17.56 google.be
O1 - Hosts: 64.86.17.56 google.bg
O1 - Hosts: 64.86.17.56 google.bs
O1 - Hosts: 64.86.17.56 google.ca
O1 - Hosts: 64.86.17.56 google.cd
O1 - Hosts: 64.86.17.56 google.com.gh
O1 - Hosts: 64.86.17.56 google.com.hk
O1 - Hosts: 64.86.17.56 google.com.jm
O1 - Hosts: 64.86.17.56 google.com.mx
O1 - Hosts: 64.86.17.56 google.com.my
O1 - Hosts: 64.86.17.56 google.com.na
O1 - Hosts: 64.86.17.56 google.com.nf
O1 - Hosts: 64.86.17.56 google.com.ng
O1 - Hosts: 64.86.17.56 google.ch
O1 - Hosts: 64.86.17.56 google.com.np
O1 - Hosts: 64.86.17.56 google.com.pr
O1 - Hosts: 64.86.17.56 google.com.qa
O1 - Hosts: 64.86.17.56 google.com.sg
O1 - Hosts: 64.86.17.56 google.com.tj
O1 - Hosts: 64.86.17.56 google.com.tw
O1 - Hosts: 64.86.17.56 google.dj
O1 - Hosts: 64.86.17.56 google.de
O1 - Hosts: 64.86.17.56 google.dk
O1 - Hosts: 64.86.17.56 google.dm
O1 - Hosts: 64.86.17.56 google.ee
O1 - Hosts: 64.86.17.56 google.fi
O1 - Hosts: 64.86.17.56 google.fm
O1 - Hosts: 64.86.17.56 google.fr
O1 - Hosts: 64.86.17.56 google.ge
O1 - Hosts: 64.86.17.56 google.gg
O1 - Hosts: 64.86.17.56 google.gm
O1 - Hosts: 64.86.17.56 google.gr
O1 - Hosts: 64.86.17.56 google.ht
O1 - Hosts: 64.86.17.56 google.ie
O1 - Hosts: 64.86.17.56 google.im
O1 - Hosts: 64.86.17.56 google.in
O1 - Hosts: 64.86.17.56 google.it
O1 - Hosts: 64.86.17.56 google.ki
O1 - Hosts: 64.86.17.56 google.la
O1 - Hosts: 64.86.17.56 google.li
O1 - Hosts: 64.86.17.56 google.lv
O1 - Hosts: 64.86.17.56 google.ma
O1 - Hosts: 64.86.17.56 google.ms
O1 - Hosts: 64.86.17.56 google.mu
O1 - Hosts: 64.86.17.56 google.mw
O1 - Hosts: 64.86.17.56 google.nl
O1 - Hosts: 64.86.17.56 google.no
O1 - Hosts: 64.86.17.56 google.nr
O1 - Hosts: 64.86.17.56 google.nu
O1 - Hosts: 64.86.17.56 google.pl
O1 - Hosts: 64.86.17.56 google.pn
O1 - Hosts: 64.86.17.56 google.pt
O1 - Hosts: 64.86.17.56 google.ro
O1 - Hosts: 64.86.17.56 google.ru
O1 - Hosts: 64.86.17.56 google.rw
O1 - Hosts: 64.86.17.56 google.sc
O1 - Hosts: 64.86.17.56 google.se
O1 - Hosts: 64.86.17.56 google.sh
O1 - Hosts: 64.86.17.56 google.si
O1 - Hosts: 64.86.17.56 google.sm
O1 - Hosts: 64.86.17.56 google.sn
O1 - Hosts: 64.86.17.56 google.st
O1 - Hosts: 64.86.17.56 google.tl
O1 - Hosts: 64.86.17.56 google.tm
O1 - Hosts: 64.86.17.56 google.tt
O1 - Hosts: 64.86.17.56 google.us
O1 - Hosts: 64.86.17.56 google.vu
O1 - Hosts: 64.86.17.56 google.ws
O1 - Hosts: 64.86.17.56 google.co.ck
O1 - Hosts: 64.86.17.56 google.co.id
O1 - Hosts: 64.86.17.56 google.co.il
O1 - Hosts: 64.86.17.56 google.co.in
O1 - Hosts: 64.86.17.56 google.co.jp
O1 - Hosts: 64.86.17.56 google.co.kr
O1 - Hosts: 64.86.17.56 google.co.ls
O1 - Hosts: 64.86.17.56 google.co.ma
O1 - Hosts: 64.86.17.56 google.co.nz
O1 - Hosts: 64.86.17.56 google.co.tz
O1 - Hosts: 64.86.17.56 google.co.ug
O1 - Hosts: 64.86.17.56 google.co.uk
O1 - Hosts: 64.86.17.56 google.co.za
O1 - Hosts: 64.86.17.56 google.co.zm
O1 - Hosts: 64.86.17.56 google.com
O1 - Hosts: 64.86.17.56 google.com.af
O1 - Hosts: 64.86.17.56 google.com.ag
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common

Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program

Files\AVG\AVG8\avgssie.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program

Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O4 - HKLM\..\Run: [ACTIVBOARD] c:\apps\ABoard\ABoard.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [CTCheck] C:\Program Files\Creative\Creative ZEN\ZEN Media Explorer\CTCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - Global Startup: BTTray.lnk = ?
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Belkin\Bluetooth

Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Belkin\Bluetooth

Software\btsendto_ie.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network

Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) -

http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) -

http://cdn.scan.onecare.live.com/resource/...lscbase1140.cab
O16 - DPF: {6C269571-C6D7-4818-BCA4-32A035E8C884} (Creative Software AutoUpdate) -

http://ccfiles.creative.com/Web/softwareup...101/CTSUEng.cab
O16 - DPF: {E862C832-3A5F-4CEB-BFAA-167B22010A71} (InfosFinder2.InfosFinder) -

http://support.packardbell.com/files/activ...nfosFinder2.CAB
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation - C:\Program Files\Belkin\Bluetooth Software\bin\btwdins.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Google Update Service (gupdate1c990222eb63270) (gupdate1c990222eb63270) - Google Inc. - C:\Program

Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

(file missing)
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe

--
End of file - 11681 bytes

#14 Rodasm

Topic Starter

Members
34 posts
OFFLINE

Gender:Male
Location:Norfolk UK
Local time:07:05 PM

Posted 29 August 2009 - 01:57 PM

Hi SifuMike
I'm totally lacking in finesse, my favourite tool for all probs is a big hammer or a kick lol
I was wondering if there is a way the blocked hosts file I referred, to can be blasted out of the water and a new hosts systems file put in its place which can be edited.
Don't worry about telling me I'm nuts if that's what you think

#15 SifuMike

malware expert

Staff Emeritus
15,385 posts
OFFLINE

Gender:Male
Location:Vancouver (not BC) WA (Not DC) USA
Local time:05:05 PM

Posted 29 August 2009 - 02:13 PM

Hi Rodasm,

Don't worry about telling me I'm nuts if that's what you think

It wont work, we have seen this infection before.

Please make sure that Word Wrap is turned OFF in Notepad before you copy and paste the HijackThis log here.

Take a look at the log you just posted. It's an eye killer :thumbup2:

Please post a fresh Hijackthis log.

Edited by SifuMike, 29 August 2009 - 02:44 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.