Hosts file hijacked


This topic is locked
14 replies to this topic

#1 ddenise

  • Members
  • 9 posts

Posted 24 April 2010 - 04:55 PM

This is a post after a request from my previous post located here: Host Hijacked. I've pasted the dds.txt info below and attached the Attach.txt and ark.txt files as requested.

Thanks much for the help.

SYMPTOMS:
I believe these are the related symptoms:

* When I do a Google search, some results are redirected to other sites.
* I cannot browse to certain websites - update.microsoft.com is one of them. Not sure if this is related but it is happening.

Things that are Suspicious:
I believe these are the related symptoms:

* The crazy "ketzkkzv.ako" file located in my \etc\ directory - it is a copy of my hosts file with a bunch of added lines that point lots of sites all to 74.125.45.100.
* The "ketzkkzv.ako" file is hidden and marked as read only.
* If I am able to delete this file (using some file utilities) a new file is created in seconds with a different, but also crazy name and extension. The contents of this file are the same as were in the previous file I deleted.

What I have done:

* I read in detail the steps defined in "Google being redirected - HOSTS file locked" article and it doesn't seem to be EXACTLY the same issue - my plain hosts file is available and editable and has
* Tried to delete the file - using some of the utilities listed there. I was able to get it deleted, but a new file immediately shows up (as I described above).
* I have tried using various utilities to modify that file and its properties with no success.
* I tried modifying the attributes of the file from the command line in safe mode with no success.

Here's what my C:\WINDOWS\system32\drivers\etc\ looks like (these are the files and extensions in the directory):
ketzkkzv.ako
networks
protocol
hosts


The "ketzkkzv.ako" file has these entries in it, at the end of the file:
74.125.45.100 4-open-davinci.com
74.125.45.100 securitysoftwarepayments.com
74.125.45.100 privatesecuredpayments.com
74.125.45.100 secure.privatesecuredpayments.com
74.125.45.100 getantivirusplusnow.com
74.125.45.100 secure-plus-payments.com
74.125.45.100 www.getantivirusplusnow.com
74.125.45.100 www.secure-plus-payments.com
74.125.45.100 www.getavplusnow.com
74.125.45.100 safebrowsing-cache.google.com
74.125.45.100 urs.microsoft.com
74.125.45.100 www.securesoftwarebill.com
74.125.45.100 secure.paysecuresystem.com
74.125.45.100 paysoftbillsolution.com
74.125.45.100 protected.maxisoftwaremart.com

DDS log:


DDS (Ver_10-03-17.01) - NTFSx86
Run by David at 13:35:35.55 on Sat 04/24/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_05
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.506 [GMT -5:00]


============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Carbonite\Carbonite Backup\carboniteservice.exe
C:\WINDOWS\System32\GEARSec.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Documents and Settings\David\Programs\x86\RaMaint.exe
C:\Documents and Settings\David\Programs\x86\LogMeIn.exe
C:\Documents and Settings\David\Programs\x86\LMIGuardian.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Dell Photo AIO Printer 924\dlccmon.exe
C:\Program Files\Carbonite\Carbonite Backup\CarboniteUI.exe
C:\Documents and Settings\David\Programs\x86\LogMeInSystray.exe
C:\WINDOWS\V0510Mon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\David\Programs\x86\LMIGuardian.exe
C:\DOCUME~1\David\LOCALS~1\Temp\clclean.0001
C:\WINDOWS\system32\dlcccoms.exe
C:\Documents and Settings\David\Local Settings\Application Data\Google\Update\1.2.183.23\GoogleCrashHandler.exe
C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Mozilla Firefox3\firefox.exe
C:\WINDOWS\System32\vssvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\Documents and Settings\David\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride =
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\3.1.807.1746\swg.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
TB: {981FE6A8-260C-4930-960F-C3BC82746CB0} - No File
TB: {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - No File
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
uRun: [SetDefaultMIDI] MIDIDef.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [IntelMeM] c:\program files\intel\modem event monitor\IntelMEM.exe
mRun: [CTSysVol] c:\program files\creative\sbaudigy\surround mixer\CTSysVol.exe /r
mRun: [MBMon] Rundll32 CTMBHA.DLL,MBMon
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [dlccmon.exe] "c:\program files\dell photo aio printer 924\dlccmon.exe"
mRun: [DLCCCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\DLCCtime.dll,_RunDLLEntry@16
mRun: [Carbonite Backup] c:\program files\carbonite\carbonite backup\CarboniteUI.exe
mRun: [LogMeIn GUI] "c:\documents and settings\david\programs\x86\LogMeInSystray.exe"
mRun: [V0510Mon.exe] c:\windows\V0510Mon.exe
mRun: [MSKDetectorExe] c:\program files\mcafee\spamkiller\MSKDetct.exe /uninstall
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
Trusted Zone: intuit.com
Trusted Zone: intuit.com\ttlc
Trusted Zone: turbotax.com
DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} - hxxp://www.creative.com/su/ocx/15026/CTSUEng.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/3/9/8/398422c0-8d3e-40e1-a617-af65a72a0465/LegitCheckControl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {9732FB42-C321-11D1-836F-00A0C993F125} - hxxp://pcpitstop.com/mhLbl.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_03-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - hxxp://www.creative.com/su/ocx/15028/CTPID.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: LMIinit - LMIinit.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
Hosts: 127.0.0.1 www.spywareinfo.com
Hosts: 127.0.0.2 10sek.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\david\applic~1\mozilla\firefox\profiles\yagq45h0.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.startup.homepage - mail.google.com
FF - plugin: c:\documents and settings\david\local settings\application data\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\mozilla firefox3\plugins\npnul32.dll
FF - plugin: c:\program files\mozilla firefox3\plugins\npqtplugin.dll
FF - plugin: c:\program files\mozilla firefox3\plugins\npqtplugin2.dll
FF - plugin: c:\program files\mozilla firefox3\plugins\npqtplugin3.dll
FF - plugin: c:\program files\mozilla firefox3\plugins\npqtplugin4.dll
FF - plugin: c:\program files\mozilla firefox3\plugins\npqtplugin5.dll
FF - plugin: c:\program files\mozilla firefox3\plugins\npqtplugin6.dll
FF - plugin: c:\program files\mozilla firefox3\plugins\npqtplugin7.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: general.useragent.extra.zencast - Creative ZENcast v1.02.08);user_pref(general.useragent.extra.zencast, c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 Ramdisk;Ramdisk [ QSoft ];c:\windows\system32\drivers\ramdisk.sys [2009-10-6 8192]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\CCEVTMGR.EXE [2004-12-13 198256]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\CCSETMGR.EXE [2004-12-13 165488]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\documents and settings\david\programs\x86\rainfo.sys [2008-7-24 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2009-6-30 47640]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2006-2-21 822424]
R3 radpms;Driver for RADPMS Device;c:\windows\system32\drivers\radpms.sys [2008-7-24 12192]
R3 V0510Dev;Rocketfish Webcam VF0510 Driver;c:\windows\system32\drivers\V0510Vid.sys [2009-9-10 254080]
R3 V0510Vfx;Rocketfish Webcam VF0510 Video VFX Driver;c:\windows\system32\drivers\V0510Vfx.sys [2009-9-10 7424]
S2 DVDRIVER;DVdriver;c:\windows\system32\drivers\dvdriver.sys [2008-6-20 34376]
S3 ccPwdSvc;Symantec Password Validation;c:\program files\common files\symantec shared\CCPWDSVC.EXE [2004-12-13 79472]
S3 vsdatant;vsdatant;\??\c:\windows\system32\vsdatant.sys --> c:\windows\system32\vsdatant.sys [?]
S3 yeddef;YEDDEF driver;c:\windows\system32\drivers\yeddef.sys --> c:\windows\system32\drivers\yeddef.sys [?]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]

=============== Created Last 30 ================

2010-04-24 18:33:04 0 ----a-w- c:\documents and settings\david\defogger_reenable
2010-04-21 01:46:30 7537 ----a-w- c:\documents and settings\david\.recently-used.xbel
2010-04-21 01:09:21 0 d-----w- c:\docume~1\david\applic~1\wsInspector
2010-04-21 01:01:27 0 d-----w- c:\program files\Startup Inspector for Windows
2010-04-20 04:45:37 417136 ----a-w- c:\windows\handle.exe
2010-04-20 01:29:55 0 d-----w- c:\docume~1\david\applic~1\Malwarebytes
2010-04-20 01:16:48 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-20 01:16:46 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-04-20 01:16:44 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-20 01:16:44 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-19 22:47:20 0 d-----w- C:\TEMP
2010-04-19 00:59:26 0 d-----w- c:\docume~1\david\applic~1\Safer Networking
2010-04-19 00:57:20 0 d-----w- c:\program files\Safer Networking
2010-04-18 15:09:18 0 d-----w- c:\docume~1\alluse~1\applic~1\avG
2010-04-16 16:40:02 0 d-----w- c:\windows\system32\NtmsData
2010-04-16 01:25:42 1594 ----a-w- c:\windows\VPNUnInstall.MIF
2010-04-16 01:12:53 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-04-16 01:12:44 0 d-----w- c:\docume~1\alluse~1\applic~1\Hitman Pro
2010-04-16 01:12:43 0 d-----w- c:\program files\Hitman Pro 3.5
2010-04-15 23:53:01 0 d-sha-r- C:\cmdcons
2010-04-15 23:51:44 77312 ----a-w- c:\windows\MBR.exe
2010-04-15 23:51:44 261632 ----a-w- c:\windows\PEV.exe
2010-04-15 23:51:44 161792 ----a-w- c:\windows\SWREG.exe
2010-04-15 23:19:10 0 d-----w- c:\windows\system32\wbem\Repository
2010-04-15 23:15:39 0 d-----w- c:\program files\Viewpoint

==================== Find3M ====================

2010-04-17 15:52:56 36352 ----a-w- c:\windows\system32\drivers\intelppm.sys
2010-04-17 15:52:56 36352 ----a-w- c:\windows\system32\dllcache\intelppm.sys
2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\dllcache\vbscript.dll
2010-02-25 16:54:36 11070976 ----a-w- c:\windows\system32\dllcache\ieframe.dll
2010-02-24 13:11:07 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-24 13:11:07 455680 ------w- c:\windows\system32\dllcache\mrxsmb.sys
2010-02-24 09:54:25 173056 ----a-w- c:\windows\system32\dllcache\ie4uinit.exe
2010-02-19 23:47:50 3604480 ----a-w- c:\windows\system32\GPhotos.scr
2010-02-17 14:10:28 2189952 ------w- c:\windows\system32\dllcache\ntoskrnl.exe
2010-02-16 14:08:49 2146304 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 14:08:49 2146304 ------w- c:\windows\system32\dllcache\ntkrnlmp.exe
2010-02-16 13:25:04 2066816 ------w- c:\windows\system32\dllcache\ntkrnlpa.exe
2010-02-16 13:25:04 2024448 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-16 13:25:04 2024448 ------w- c:\windows\system32\dllcache\ntkrpamp.exe
2010-02-12 04:33:11 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-12 04:33:11 100864 ------w- c:\windows\system32\dllcache\6to4svc.dll
2010-02-11 12:02:15 226880 ------w- c:\windows\system32\dllcache\tcpip6.sys
2009-12-25 15:18:06 2684321 ----a-w- c:\program files\uninstall.exe
2009-03-05 14:51:46 104 -csh--r- c:\windows\system32\D340B8DC64.sys
2009-03-05 14:51:47 5852 -csha-w- c:\windows\system32\KGyGaAvL.sys
2008-09-19 14:32:24 32768 -csha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008091920080920\index.dat

============= FINISH: 13:37:23.90 ===============

Attach.txt is attached.
Ark.txt is attached.

Edited by ddenise, 24 April 2010 - 04:56 PM.
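The pattern described in this post (a hosts-format file pointing many domains, including update and safe-browsing hosts, at one routable address, sitting beside the real hosts file under drivers\etc) can be checked mechanically. The following Python script is an added triage example, not code from the original post or from BleepingComputer: it parses hosts-format text, flags any non-loopback address collecting many hostnames, flags redirection of update/safe-browsing domains, and compares a drivers\etc listing against the files Windows normally keeps there. The sample hosts content is constructed from entries quoted above; the MANY_HOSTS threshold, the EXPECTED_ETC_FILES set, and the WATCHED_DOMAINS entries other than the names appearing in the post are assumptions made here.

```python
"""Triage helper for a hosts-file hijack of the kind described in the post.

Two checks, both run offline on constructed input:
  1. parse hosts-format text and flag entries that send many hostnames to one
     non-loopback address, or that redirect security/update domains;
  2. compare a drivers\\etc directory listing against the files Windows
     normally ships there, to surface a rogue copy such as ketzkkzv.ako.
"""
import ipaddress
from collections import defaultdict

# Assumption: files normally present in %SystemRoot%\system32\drivers\etc.
EXPECTED_ETC_FILES = {"hosts", "lmhosts.sam", "networks", "protocol", "services"}

# Domains whose redirection blocks AV/updates. urs.microsoft.com,
# safebrowsing-cache.google.com and update.microsoft.com appear in the post;
# windowsupdate.microsoft.com is an assumption added for illustration.
WATCHED_DOMAINS = {
    "urs.microsoft.com",
    "safebrowsing-cache.google.com",
    "update.microsoft.com",
    "windowsupdate.microsoft.com",
}

# Assumed threshold: one non-loopback IP collecting this many hostnames is flagged.
MANY_HOSTS = 5


def parse_hosts(text):
    """Return (ip, hostname) pairs from hosts-format text.

    Comment text after '#' and blank lines are skipped; one line may list
    several hostnames after the address, as the hosts format allows.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # first token is not an address: skip malformed line
        for host in parts[1:]:
            entries.append((str(ip), host.lower()))
    return entries


def analyse_hosts(text):
    """Group entries by address and return the findings a responder would act on."""
    by_ip = defaultdict(list)
    for ip, host in parse_hosts(text):
        by_ip[ip].append(host)

    findings = {"sinkholed_ips": {}, "watched_redirects": []}
    for ip, hosts in by_ip.items():
        addr = ipaddress.ip_address(ip)
        # Loopback entries (127.x.x.x, ::1) are the usual benign ad-blocking
        # pattern; many hostnames aimed at one routable address is the hijack.
        if not addr.is_loopback and len(hosts) >= MANY_HOSTS:
            findings["sinkholed_ips"][ip] = sorted(hosts)
        for host in hosts:
            if host in WATCHED_DOMAINS:
                findings["watched_redirects"].append((host, ip))
    findings["watched_redirects"].sort()
    return findings


def unexpected_etc_files(listing):
    """Return names in a drivers\\etc listing that Windows does not normally place there."""
    return sorted(name for name in listing if name.lower() not in EXPECTED_ETC_FILES)


# Constructed sample: a subset of the rogue file's entries quoted in the post,
# the two loopback lines the DDS log reported, and one comment line.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1 localhost
127.0.0.1 www.spywareinfo.com
127.0.0.2 10sek.com
74.125.45.100 4-open-davinci.com
74.125.45.100 securitysoftwarepayments.com
74.125.45.100 getantivirusplusnow.com www.getantivirusplusnow.com
74.125.45.100 safebrowsing-cache.google.com
74.125.45.100 urs.microsoft.com
74.125.45.100 protected.maxisoftwaremart.com
"""

# Constructed directory listing matching the one the poster gave.
SAMPLE_ETC_LISTING = ["ketzkkzv.ako", "networks", "protocol", "hosts"]

if __name__ == "__main__":
    result = analyse_hosts(SAMPLE_HOSTS)
    for ip, hosts in result["sinkholed_ips"].items():
        print(f"{ip} collects {len(hosts)} hostnames: {', '.join(hosts)}")
    for host, ip in result["watched_redirects"]:
        print(f"watched domain {host} redirected to {ip}")
    for name in unexpected_etc_files(SAMPLE_ETC_LISTING):
        print(f"unexpected file in drivers\\etc: {name}")
```

On a live machine the same two functions would be fed the contents of every file in drivers\etc (not only the one named hosts, since the rogue copy here carried a random name) and the directory listing itself; the loopback exemption keeps ordinary ad-blocking hosts files from being flagged.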



#2 m0le

    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Location:London, UK

Posted 29 April 2010 - 06:45 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks
m0le is a proud member of UNITE

#3 ddenise
  • Topic Starter

  • Members
  • 9 posts

Posted 29 April 2010 - 07:24 PM

I have already subscribed and yes, I am here. thanks for the help.

#4 m0le

    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Location:London, UK

Posted 30 April 2010 - 02:17 PM

There's a classic hijack here where the hosts file has been edited.


Let's run Combofix to clear the probable cause of the editing.

Please download ComboFix from one of these locations:

* IMPORTANT !!! Save ComboFix.exe to your Desktop making sure you rename it comfix.exe
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Comfix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
m0le is a proud member of UNITE

#5 ddenise
  • Topic Starter

  • Members
  • 9 posts

Posted 01 May 2010 - 09:13 AM

OK, here is the ComboFix.txt:

ComboFix 10-04-30.01 - David 04/30/2010 19:41:21.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.583 [GMT -5:00]
Running from: c:\documents and settings\David\My Documents\Downloads\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

Infected copy of c:\windows\system32\drivers\intelppm.sys was found and disinfected
Restored copy from - Kitty had a snack :p
.
((((((((((((((((((((((((( Files Created from 2010-04-01 to 2010-05-01 )))))))))))))))))))))))))))))))
.

2010-04-27 21:44 . 2010-04-27 21:44 -------- d-sh--w- c:\documents and settings\Mary\IECompatCache
2010-04-21 01:09 . 2010-04-21 01:13 -------- d-----w- c:\documents and settings\David\Application Data\wsInspector
2010-04-21 01:01 . 2010-04-21 01:02 -------- d-----w- c:\program files\Startup Inspector for Windows
2010-04-20 05:06 . 2010-04-20 05:06 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2010-04-20 04:45 . 2008-11-18 18:15 417136 ----a-w- c:\windows\handle.exe
2010-04-20 01:29 . 2010-04-20 01:29 -------- d-----w- c:\documents and settings\David\Application Data\Malwarebytes
2010-04-20 01:16 . 2010-03-30 05:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-20 01:16 . 2010-04-20 01:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-04-20 01:16 . 2010-04-20 01:20 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-20 01:16 . 2010-03-30 05:45 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-19 22:47 . 2010-04-27 22:20 -------- d-----w- C:\TEMP
2010-04-19 21:38 . 2010-04-19 21:38 -------- d-sh--w- c:\documents and settings\NetworkService\PrivacIE
2010-04-19 17:00 . 2010-04-20 02:37 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\mcesgnvhy
2010-04-19 00:59 . 2010-04-19 00:59 -------- d-----w- c:\documents and settings\David\Application Data\Safer Networking
2010-04-19 00:57 . 2010-04-19 00:57 -------- d-----w- c:\program files\Safer Networking
2010-04-19 00:53 . 2010-04-19 00:53 -------- d-----w- c:\documents and settings\David\Local Settings\Application Data\avG
2010-04-18 16:50 . 2010-04-18 16:52 -------- d-----w- c:\documents and settings\Mary\.gimp-2.6
2010-04-18 16:50 . 2010-04-18 16:50 -------- d-----w- c:\documents and settings\Mary\.gegl-0.0
2010-04-18 15:09 . 2010-04-18 15:09 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\avG
2010-04-18 15:09 . 2010-04-18 15:09 -------- d-----w- c:\documents and settings\All Users\Application Data\avG
2010-04-16 16:40 . 2010-04-27 01:39 -------- d-----w- c:\windows\system32\NtmsData
2010-04-16 01:12 . 2010-04-16 01:21 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-04-16 01:12 . 2010-04-16 01:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
2010-04-16 01:12 . 2010-04-16 01:12 -------- d-----w- c:\program files\Hitman Pro 3.5
2010-04-15 23:19 . 2010-04-15 23:19 -------- d-----w- c:\windows\system32\wbem\Repository
2010-04-15 23:15 . 2010-04-15 23:15 -------- d-----w- c:\program files\Viewpoint
2010-04-15 22:51 . 2010-04-15 22:51 56496 ------w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-04-15 22:51 . 2010-04-15 22:51 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2010-04-15 21:43 . 2010-04-15 21:43 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Identities
2010-04-13 22:13 . 2010-04-13 22:13 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-28 00:24 . 2008-07-23 02:08 -------- d-----w- c:\program files\Mozilla Firefox3
2010-04-27 21:58 . 2006-02-21 09:41 -------- d-----w- c:\program files\Google
2010-04-24 22:13 . 2004-08-04 04:59 36352 ----a-w- c:\windows\system32\drivers\intelppm.sys
2010-04-23 21:02 . 2006-03-22 19:39 -------- d-----w- c:\documents and settings\David\Application Data\OpenOffice.org2
2010-04-21 01:46 . 2007-01-27 22:13 -------- d-----w- c:\documents and settings\David\Application Data\gtk-2.0
2010-04-20 22:32 . 2006-06-02 22:41 -------- d-----w- c:\program files\PeerGuardian2
2010-04-20 04:05 . 2006-02-21 09:26 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-04-20 04:04 . 2006-06-05 01:46 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-04-20 04:04 . 2006-06-05 01:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-04-20 03:59 . 2009-08-29 02:12 -------- d-----w- c:\documents and settings\David\Application Data\SUPERAntiSpyware.com
2010-04-20 03:59 . 2009-08-29 02:12 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-04-16 01:16 . 2006-03-20 00:03 -------- d-----w- c:\program files\Common Files\AnswerWorks 4.0
2010-04-15 18:24 . 2005-08-17 02:58 -------- d-----w- c:\program files\RGB
2010-03-14 19:04 . 2009-12-25 15:12 -------- d-----w- c:\program files\win
2010-03-10 06:15 . 2005-08-16 10:18 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-06 16:22 . 2008-04-29 00:36 -------- d-----w- c:\documents and settings\Mary\Application Data\OpenOffice.org2
2010-02-25 09:16 . 2009-12-10 03:16 251520 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-02-25 06:24 . 2005-08-16 10:18 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-24 13:11 . 2006-02-21 09:00 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-19 23:47 . 2010-02-19 23:47 3604480 ----a-w- c:\windows\system32\GPhotos.scr
2010-02-16 14:08 . 2005-08-16 10:18 2146304 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25 . 2004-08-04 04:59 2024448 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-15 17:54 . 2010-02-15 17:54 6 ----a-w- c:\windows\Fonts\wfonts.key
2010-02-12 04:33 . 2005-08-16 10:18 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-11 12:02 . 2005-08-16 10:18 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys
2009-12-25 15:18 . 2009-12-25 15:13 2684321 ----a-w- c:\program files\uninstall.exe
2006-11-11 23:16 . 2006-07-20 22:33 135680 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
2007-02-13 18:16 . 2007-04-08 17:55 8784 ----a-w- c:\program files\mozilla firefox\plugins\ractrlkeyhook.dll
2007-02-13 18:22 . 2007-04-08 17:55 245408 ----a-w- c:\program files\mozilla firefox\plugins\unicows.dll
2009-03-05 14:51 . 2006-02-24 03:48 104 -csh--r- c:\windows\system32\D340B8DC64.sys
2009-03-05 14:51 . 2006-07-23 13:33 5852 -csha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( SnapShot@2010-04-16_00.33.51 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-05-01 00:41 . 2010-05-01 00:41 16384 c:\windows\Temp\Perflib_Perfdata_7dc.dat
- 2005-08-16 10:18 . 2010-04-15 23:25 71732 c:\windows\system32\perfc009.dat
+ 2005-08-16 10:18 . 2010-04-16 00:37 71732 c:\windows\system32\perfc009.dat
+ 2006-11-08 03:03 . 2010-02-25 06:24 55296 c:\windows\system32\msfeedsbs.dll
- 2006-11-08 03:03 . 2009-12-21 19:14 55296 c:\windows\system32\msfeedsbs.dll
+ 2005-08-16 10:18 . 2010-02-25 06:24 25600 c:\windows\system32\jsproxy.dll
- 2005-08-16 10:18 . 2009-12-21 19:14 25600 c:\windows\system32\jsproxy.dll
+ 2009-06-11 22:54 . 2010-02-25 06:24 12800 c:\windows\system32\dllcache\xpshims.dll
- 2009-06-11 22:54 . 2009-12-21 19:14 12800 c:\windows\system32\dllcache\xpshims.dll
- 2007-05-09 03:32 . 2009-12-21 19:14 55296 c:\windows\system32\dllcache\msfeedsbs.dll
+ 2007-05-09 03:32 . 2010-02-25 06:24 55296 c:\windows\system32\dllcache\msfeedsbs.dll
+ 2006-05-10 05:25 . 2010-02-25 06:24 25600 c:\windows\system32\dllcache\jsproxy.dll
- 2006-05-10 05:25 . 2009-12-21 19:14 25600 c:\windows\system32\dllcache\jsproxy.dll
+ 2004-08-04 04:59 . 2010-04-24 22:13 36352 c:\windows\system32\dllcache\intelppm.sys
+ 2010-01-13 14:01 . 2010-01-13 14:01 86016 c:\windows\system32\dllcache\cabview.dll
+ 2005-08-16 10:18 . 2010-01-13 14:01 86016 c:\windows\system32\cabview.dll
+ 2001-05-22 06:00 . 2001-05-22 06:00 22016 c:\windows\system32\borlndmm.dll
+ 2010-04-16 01:45 . 2009-12-21 19:14 12800 c:\windows\ie8updates\KB980182-IE8\xpshims.dll
+ 2010-04-16 01:45 . 2009-12-21 19:14 55296 c:\windows\ie8updates\KB980182-IE8\msfeedsbs.dll
+ 2010-04-16 01:45 . 2009-12-21 19:14 25600 c:\windows\ie8updates\KB980182-IE8\jsproxy.dll
+ 2010-04-16 01:45 . 2009-05-26 11:40 26488 c:\windows\$hf_mig$\KB980182-IE8\update\spcustom.dll
+ 2010-04-16 01:45 . 2009-05-26 11:40 17272 c:\windows\$hf_mig$\KB980182-IE8\spmsg.dll
+ 2010-04-16 01:43 . 2010-02-25 06:19 12800 c:\windows\$hf_mig$\KB980182-IE8\SP3QFE\xpshims.dll
+ 2010-04-16 01:43 . 2010-02-25 06:19 55296 c:\windows\$hf_mig$\KB980182-IE8\SP3QFE\msfeedsbs.dll
+ 2010-04-16 01:43 . 2010-02-25 06:19 25600 c:\windows\$hf_mig$\KB980182-IE8\SP3QFE\jsproxy.dll
+ 2004-07-10 23:55 . 2004-07-10 23:55 252416 c:\windows\system32\wsiShared.dll
+ 2005-08-16 10:18 . 2009-12-24 06:59 177664 c:\windows\system32\wintrust.dll
+ 2005-08-16 10:18 . 2010-04-16 00:37 442466 c:\windows\system32\perfh009.dat
- 2005-08-16 10:18 . 2010-04-15 23:25 442466 c:\windows\system32\perfh009.dat
+ 2005-08-16 10:18 . 2010-02-25 06:24 206848 c:\windows\system32\occache.dll
- 2005-08-16 10:18 . 2009-12-21 19:14 206848 c:\windows\system32\occache.dll
+ 2005-08-16 10:18 . 2010-02-25 06:24 611840 c:\windows\system32\mstime.dll
- 2005-08-16 10:18 . 2009-03-08 09:32 611840 c:\windows\system32\mstime.dll
+ 2006-11-08 03:03 . 2010-02-25 06:24 594432 c:\windows\system32\msfeeds.dll
- 2006-11-08 03:03 . 2009-12-21 19:14 594432 c:\windows\system32\msfeeds.dll
- 2005-08-16 10:18 . 2009-12-21 19:14 184320 c:\windows\system32\iepeers.dll
+ 2005-08-16 10:18 . 2010-02-25 06:24 184320 c:\windows\system32\iepeers.dll
+ 2005-08-16 10:18 . 2010-02-25 06:24 387584 c:\windows\system32\iedkcs32.dll
- 2005-08-16 10:18 . 2009-12-21 19:14 387584 c:\windows\system32\iedkcs32.dll
- 2005-08-16 10:18 . 2009-12-21 13:19 173056 c:\windows\system32\ie4uinit.exe
+ 2005-08-16 10:18 . 2010-02-24 09:54 173056 c:\windows\system32\ie4uinit.exe
+ 2005-08-16 10:27 . 2010-04-20 04:27 204920 c:\windows\system32\FNTCACHE.DAT
+ 2009-12-24 06:59 . 2009-12-24 06:59 177664 c:\windows\system32\dllcache\wintrust.dll
- 2006-05-10 05:25 . 2009-12-21 19:14 916480 c:\windows\system32\dllcache\wininet.dll
+ 2006-05-10 05:25 . 2010-02-25 06:24 916480 c:\windows\system32\dllcache\wininet.dll
- 2008-05-09 10:53 . 2009-03-08 09:33 420352 c:\windows\system32\dllcache\vbscript.dll
+ 2008-05-09 10:53 . 2010-03-10 06:15 420352 c:\windows\system32\dllcache\vbscript.dll
+ 2008-06-20 11:08 . 2010-02-11 12:02 226880 c:\windows\system32\dllcache\tcpip6.sys
- 2006-10-17 18:04 . 2009-12-21 19:14 206848 c:\windows\system32\dllcache\occache.dll
+ 2006-10-17 18:04 . 2010-02-25 06:24 206848 c:\windows\system32\dllcache\occache.dll
+ 2006-05-10 05:25 . 2010-02-25 06:24 611840 c:\windows\system32\dllcache\mstime.dll
- 2006-05-10 05:25 . 2009-03-08 09:32 611840 c:\windows\system32\dllcache\mstime.dll
+ 2007-05-09 03:32 . 2010-02-25 06:24 594432 c:\windows\system32\dllcache\msfeeds.dll
- 2007-05-09 03:32 . 2009-12-21 19:14 594432 c:\windows\system32\dllcache\msfeeds.dll
+ 2008-11-11 23:00 . 2010-02-24 13:11 455680 c:\windows\system32\dllcache\mrxsmb.sys
+ 2009-06-11 22:54 . 2010-02-25 06:24 247808 c:\windows\system32\dllcache\ieproxy.dll
- 2006-05-10 05:25 . 2009-12-21 19:14 184320 c:\windows\system32\dllcache\iepeers.dll
+ 2006-05-10 05:25 . 2010-02-25 06:24 184320 c:\windows\system32\dllcache\iepeers.dll
+ 2006-11-07 09:27 . 2010-02-25 06:24 387584 c:\windows\system32\dllcache\iedkcs32.dll
- 2006-11-07 09:27 . 2009-12-21 19:14 387584 c:\windows\system32\dllcache\iedkcs32.dll
- 2006-11-07 09:26 . 2009-12-21 13:19 173056 c:\windows\system32\dllcache\ie4uinit.exe
+ 2006-11-07 09:26 . 2010-02-24 09:54 173056 c:\windows\system32\dllcache\ie4uinit.exe
+ 2010-02-12 04:33 . 2010-02-12 04:33 100864 c:\windows\system32\dllcache\6to4svc.dll
+ 2010-04-16 01:45 . 2009-03-08 09:33 420352 c:\windows\ie8updates\KB981332-IE8\vbscript.dll
+ 2010-04-16 01:45 . 2009-05-26 11:40 382840 c:\windows\ie8updates\KB981332-IE8\spuninst\updspapi.dll
+ 2010-04-16 01:45 . 2009-05-26 11:40 231288 c:\windows\ie8updates\KB981332-IE8\spuninst\spuninst.exe
+ 2010-04-16 01:45 . 2009-12-21 19:14 916480 c:\windows\ie8updates\KB980182-IE8\wininet.dll
+ 2010-04-16 01:45 . 2009-05-26 11:40 382840 c:\windows\ie8updates\KB980182-IE8\spuninst\updspapi.dll
+ 2010-04-16 01:45 . 2009-05-26 11:40 231288 c:\windows\ie8updates\KB980182-IE8\spuninst\spuninst.exe
+ 2010-04-16 01:45 . 2009-12-21 19:14 206848 c:\windows\ie8updates\KB980182-IE8\occache.dll
+ 2010-04-16 01:45 . 2009-03-08 09:32 611840 c:\windows\ie8updates\KB980182-IE8\mstime.dll
+ 2010-04-16 01:45 . 2009-12-21 19:14 594432 c:\windows\ie8updates\KB980182-IE8\msfeeds.dll
+ 2010-04-16 01:45 . 2009-12-21 19:14 246272 c:\windows\ie8updates\KB980182-IE8\ieproxy.dll
+ 2010-04-16 01:45 . 2009-12-21 19:14 184320 c:\windows\ie8updates\KB980182-IE8\iepeers.dll
+ 2010-04-16 01:45 . 2009-12-21 19:14 387584 c:\windows\ie8updates\KB980182-IE8\iedkcs32.dll
+ 2010-04-16 01:45 . 2009-12-21 13:19 173056 c:\windows\ie8updates\KB980182-IE8\ie4uinit.exe
+ 2008-11-11 23:00 . 2010-02-24 13:11 455680 c:\windows\Driver Cache\i386\mrxsmb.sys
+ 2010-04-16 01:45 . 2009-05-26 11:40 382840 c:\windows\$hf_mig$\KB980182-IE8\update\updspapi.dll
+ 2010-04-16 01:45 . 2009-05-26 11:40 755576 c:\windows\$hf_mig$\KB980182-IE8\update\update.exe
+ 2010-04-16 01:45 . 2009-05-26 11:40 231288 c:\windows\$hf_mig$\KB980182-IE8\spuninst.exe
+ 2010-04-16 01:43 . 2010-02-25 06:19 919040 c:\windows\$hf_mig$\KB980182-IE8\SP3QFE\wininet.dll
+ 2010-04-16 01:43 . 2010-02-25 06:19 206848 c:\windows\$hf_mig$\KB980182-IE8\SP3QFE\occache.dll
+ 2010-04-16 01:43 . 2010-02-25 06:19 611840 c:\windows\$hf_mig$\KB980182-IE8\SP3QFE\mstime.dll
+ 2010-04-16 01:43 . 2010-02-25 06:19 594432 c:\windows\$hf_mig$\KB980182-IE8\SP3QFE\msfeeds.dll
+ 2010-04-16 01:43 . 2010-02-25 06:19 247808 c:\windows\$hf_mig$\KB980182-IE8\SP3QFE\ieproxy.dll
+ 2010-04-16 01:43 . 2010-02-25 06:19 184320 c:\windows\$hf_mig$\KB980182-IE8\SP3QFE\iepeers.dll
+ 2010-04-16 01:43 . 2010-02-25 06:19 387584 c:\windows\$hf_mig$\KB980182-IE8\SP3QFE\iedkcs32.dll
+ 2010-04-16 01:43 . 2010-02-24 09:34 173056 c:\windows\$hf_mig$\KB980182-IE8\SP3QFE\ie4uinit.exe
+ 2005-08-16 10:18 . 2010-02-25 06:24 1209344 c:\windows\system32\urlmon.dll
+ 2005-08-16 10:18 . 2010-02-25 06:24 5944832 c:\windows\system32\mshtml.dll
- 2006-10-17 17:57 . 2009-12-21 19:14 1985536 c:\windows\system32\iertutil.dll
+ 2006-10-17 17:57 . 2010-02-25 06:24 1985536 c:\windows\system32\iertutil.dll
+ 2006-05-10 05:25 . 2010-02-25 06:24 1209344 c:\windows\system32\dllcache\urlmon.dll
+ 2008-10-16 07:12 . 2010-02-17 14:10 2189952 c:\windows\system32\dllcache\ntoskrnl.exe
+ 2008-10-16 07:12 . 2010-02-16 13:25 2024448 c:\windows\system32\dllcache\ntkrpamp.exe
+ 2008-10-16 07:12 . 2010-02-16 13:25 2066816 c:\windows\system32\dllcache\ntkrnlpa.exe
+ 2008-10-16 07:12 . 2010-02-16 14:08 2146304 c:\windows\system32\dllcache\ntkrnlmp.exe
+ 2006-05-19 15:06 . 2010-02-25 06:24 5944832 c:\windows\system32\dllcache\mshtml.dll
- 2007-05-09 03:32 . 2009-12-21 19:14 1985536 c:\windows\system32\dllcache\iertutil.dll
+ 2007-05-09 03:32 . 2010-02-25 06:24 1985536 c:\windows\system32\dllcache\iertutil.dll
+ 2010-04-16 01:45 . 2009-12-21 19:14 1208832 c:\windows\ie8updates\KB980182-IE8\urlmon.dll
+ 2010-04-16 01:45 . 2009-12-21 19:14 5942784 c:\windows\ie8updates\KB980182-IE8\mshtml.dll
+ 2010-04-16 01:45 . 2009-12-21 19:14 1985536 c:\windows\ie8updates\KB980182-IE8\iertutil.dll
+ 2008-10-16 07:12 . 2010-02-17 14:10 2189952 c:\windows\Driver Cache\i386\ntoskrnl.exe
+ 2008-10-16 07:12 . 2010-02-16 13:25 2024448 c:\windows\Driver Cache\i386\ntkrpamp.exe
+ 2008-10-16 07:12 . 2010-02-16 13:25 2066816 c:\windows\Driver Cache\i386\ntkrnlpa.exe
+ 2008-10-16 07:12 . 2010-02-16 14:08 2146304 c:\windows\Driver Cache\i386\ntkrnlmp.exe
+ 2010-04-16 01:43 . 2010-02-25 06:19 1209856 c:\windows\$hf_mig$\KB980182-IE8\SP3QFE\urlmon.dll
+ 2010-04-16 01:43 . 2010-02-25 06:19 5946880 c:\windows\$hf_mig$\KB980182-IE8\SP3QFE\mshtml.dll
+ 2010-04-16 01:43 . 2010-02-25 06:19 1986048 c:\windows\$hf_mig$\KB980182-IE8\SP3QFE\iertutil.dll
+ 2006-02-24 03:37 . 2010-04-06 17:52 31971272 c:\windows\system32\MRT.exe
+ 2006-11-08 03:03 . 2010-02-25 16:54 11070976 c:\windows\system32\ieframe.dll
+ 2007-05-09 03:32 . 2010-02-25 16:54 11070976 c:\windows\system32\dllcache\ieframe.dll
+ 2010-04-16 01:45 . 2009-12-21 19:14 11070464 c:\windows\ie8updates\KB980182-IE8\ieframe.dll
+ 2010-04-16 01:43 . 2010-02-25 06:19 11073024 c:\windows\$hf_mig$\KB980182-IE8\SP3QFE\ieframe.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Green]
@="{95A27763-F62A-4114-9072-E81D87DE3B68}"
[HKEY_CLASSES_ROOT\CLSID\{95A27763-F62A-4114-9072-E81D87DE3B68}]
2009-04-29 22:19 583312 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Partial]
@="{E300CD91-100F-4E67-9AF3-1384A6124015}"
[HKEY_CLASSES_ROOT\CLSID\{E300CD91-100F-4E67-9AF3-1384A6124015}]
2009-04-29 22:19 583312 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Yellow]
@="{5E529433-B50E-4bef-A63B-16A6B71B071A}"
[HKEY_CLASSES_ROOT\CLSID\{5E529433-B50E-4bef-A63B-16A6B71B071A}]
2009-04-29 22:19 583312 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SetDefaultMIDI"="MIDIDef.exe" [2004-12-22 24576]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-23 339968]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-06-17 139264]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-06 344064]
"IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-04 221184]
"CTSysVol"="c:\program files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" [2005-09-15 57344]
"MBMon"="CTMBHA.DLL" [2005-05-19 1345520]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2005-03-23 58992]
"dlccmon.exe"="c:\program files\Dell Photo AIO Printer 924\dlccmon.exe" [2005-10-21 430080]
"DLCCCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll" [2005-09-14 73728]
"Carbonite Backup"="c:\program files\Carbonite\Carbonite Backup\CarboniteUI.exe" [2009-04-29 669840]
"LogMeIn GUI"="c:\documents and settings\David\Programs\x86\LogMeInSystray.exe" [2008-07-24 63048]
"V0510Mon.exe"="c:\windows\V0510Mon.exe" [2007-12-07 32768]
"MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2005-08-12 1121792]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-10-29 141600]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2009-10-03 12:15 87352 ----a-w- c:\windows\system32\LMIinit.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"SpybotSD TeaTimer"=c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"ehTray"=c:\windows\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\dlcccoms.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\dlccPSWX.EXE"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe"=
"c:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"c:\\Program Files\\Curse\\CurseClient.exe"=
"c:\\Documents and Settings\\David\\My Documents\\Program Files\\World of Warcraft\\Wow.exe"=
"c:\\Documents and Settings\\David\\My Documents\\Program Files\\World of Warcraft\\Launcher.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Macromedia\\Dreamweaver MX\\Dreamweaver.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Documents and Settings\\David\\My Documents\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=
"c:\\Program Files\\GIMP-2.0\\lib\\gimp\\2.0\\plug-ins\\script-fu.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"135:TCP"= 135:TCP:TCP Port 135
"5000:TCP"= 5000:TCP:TCP Port 5000
"5001:TCP"= 5001:TCP:TCP Port 5001
"5002:TCP"= 5002:TCP:TCP Port 5002
"5003:TCP"= 5003:TCP:TCP Port 5003
"5004:TCP"= 5004:TCP:TCP Port 5004
"5005:TCP"= 5005:TCP:TCP Port 5005
"5006:TCP"= 5006:TCP:TCP Port 5006
"5007:TCP"= 5007:TCP:TCP Port 5007
"5008:TCP"= 5008:TCP:TCP Port 5008
"5009:TCP"= 5009:TCP:TCP Port 5009
"5010:TCP"= 5010:TCP:TCP Port 5010
"5011:TCP"= 5011:TCP:TCP Port 5011
"5012:TCP"= 5012:TCP:TCP Port 5012
"5013:TCP"= 5013:TCP:TCP Port 5013
"5014:TCP"= 5014:TCP:TCP Port 5014
"5015:TCP"= 5015:TCP:TCP Port 5015
"5016:TCP"= 5016:TCP:TCP Port 5016
"5017:TCP"= 5017:TCP:TCP Port 5017
"5018:TCP"= 5018:TCP:TCP Port 5018
"5019:TCP"= 5019:TCP:TCP Port 5019
"5020:TCP"= 5020:TCP:TCP Port 5020
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"1119:TCP"= 1119:TCP:warcraft port
"3724:TCP"= 3724:TCP:warcraft port
"6112:TCP"= 6112:TCP:Warcraft Patcher

R0 Ramdisk;Ramdisk [ QSoft ];c:\windows\system32\drivers\ramdisk.sys [10/6/2009 1:47 PM 8192]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\documents and settings\David\Programs\x86\rainfo.sys [7/24/2008 6:46 PM 12856]
R3 radpms;Driver for RADPMS Device;c:\windows\system32\drivers\radpms.sys [7/24/2008 6:45 PM 12192]
R3 V0510Dev;Rocketfish Webcam VF0510 Driver;c:\windows\system32\drivers\V0510Vid.sys [9/10/2009 5:00 PM 254080]
R3 V0510Vfx;Rocketfish Webcam VF0510 Video VFX Driver;c:\windows\system32\drivers\V0510Vfx.sys [9/10/2009 5:00 PM 7424]
S2 DVDRIVER;DVdriver;c:\windows\system32\drivers\dvdriver.sys [6/20/2008 10:51 PM 34376]
S3 yeddef;YEDDEF driver;c:\windows\system32\Drivers\yeddef.sys --> c:\windows\system32\Drivers\yeddef.sys [?]
.
Contents of the 'Scheduled Tasks' folder

2010-04-26 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2010-04-30 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1574864579-1790160026-419449890-1005Core.job
- c:\documents and settings\David\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-01-18 15:02]

2010-04-30 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1574864579-1790160026-419449890-1005UA.job
- c:\documents and settings\David\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-01-18 15:02]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
Trusted Zone: intuit.com
Trusted Zone: intuit.com\ttlc
Trusted Zone: turbotax.com
FF - ProfilePath - c:\documents and settings\David\Application Data\Mozilla\Firefox\Profiles\yagq45h0.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.startup.homepage - mail.google.com
FF - plugin: c:\documents and settings\David\Local Settings\Application Data\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Mozilla Firefox3\plugins\npnul32.dll
FF - plugin: c:\program files\Mozilla Firefox3\plugins\npqtplugin.dll
FF - plugin: c:\program files\Mozilla Firefox3\plugins\npqtplugin2.dll
FF - plugin: c:\program files\Mozilla Firefox3\plugins\npqtplugin3.dll
FF - plugin: c:\program files\Mozilla Firefox3\plugins\npqtplugin4.dll
FF - plugin: c:\program files\Mozilla Firefox3\plugins\npqtplugin5.dll
FF - plugin: c:\program files\Mozilla Firefox3\plugins\npqtplugin6.dll
FF - plugin: c:\program files\Mozilla Firefox3\plugins\npqtplugin7.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: general.useragent.extra.zencast - Creative ZENcast v1.02.08);user_pref(general.useragent.extra.zencast, c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - ORPHANS REMOVED - - - -

AddRemove-TightVNC_is1 - c:\documents and settings\David\Programs\TightVNC\unins000.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-30 19:47
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(784)
c:\windows\system32\LMIinit.dll
.
Completion time: 2010-04-30 19:50:41
ComboFix-quarantined-files.txt 2010-05-01 00:50
ComboFix2.txt 2010-04-16 00:39

Pre-Run: 13,673,271,296 bytes free
Post-Run: 13,721,669,632 bytes free

- - End Of File - - D97B4CAAAE71F0053E90D592578CDD81


#6 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 01 May 2010 - 11:41 AM

There was a rootkit which Combofix has removed.

Please download HostsXpert 4.3
  • Extract (unzip) HostsXpert.zip to a permanent folder on your hard drive such as C:\HostsXpert
  • Double-click HostsXpert.exe to run the program.
  • Click "Restore MS Hosts File".
  • Click OK at the confirmation box.
  • Click "Make Read Only".
  • Click the X to exit the program.
-- Note: If you were using a custom Hosts file you will need to replace any of those entries yourself.

Please let me know if the redirects have now gone.
m0le is a proud member of UNITE
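Checking a hosts file for the kind of tampering the restore step above undoes, as an added example in Python (not code from the thread, HostsXpert or ComboFix; the protected-domain list and the sample file are constructed, the IP 74.125.45.100 and the file name ketzkkzv.ako come from the thread):

```python
"""Audit a Windows hosts file for the hijack pattern described in this thread.

Added example, not part of the thread or any tool it names. It parses
hosts-file syntax, flags a non-loopback address that many hostnames are all
mapped to (the thread's copy pointed "lots of sites" at 74.125.45.100), flags
entries that override update / security-vendor hostnames, and lists files in
drivers\\etc that a stock Windows install does not have.
"""
import ipaddress
from collections import defaultdict

# Hostname suffixes a legitimate hosts file has no business redirecting.
# Constructed list, seeded by update.microsoft.com being unreachable above.
PROTECTED_SUFFIXES = (
    "microsoft.com", "windowsupdate.com", "symantec.com",
    "mcafee.com", "superantispyware.com",
)

# Files a stock Windows drivers\etc directory contains.
EXPECTED_ETC_FILES = {"hosts", "lmhosts.sam", "networks", "protocol", "services"}

# Constructed sample of a hijacked hosts file, modelled on the symptoms above.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
74.125.45.100   www.google.com
74.125.45.100   google.com  # tabs or spaces, trailing comment
74.125.45.100   update.microsoft.com
74.125.45.100   windowsupdate.microsoft.com
74.125.45.100   www.symantec.com
74.125.45.100   www.mcafee.com
not-an-ip       junk.example
"""


def parse_hosts(text):
    """Return a list of (ip, hostname) pairs; comments, blank lines and
    lines whose first field is not an IP address are skipped, which is
    also how the Windows resolver treats them."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        for name in fields[1:]:
            entries.append((str(ip), name.lower()))
    return entries


def is_protected(name):
    """True if name equals, or is a subdomain of, a protected suffix."""
    return any(name == s or name.endswith("." + s) for s in PROTECTED_SUFFIXES)


def find_hijack(entries, threshold=5):
    """Return (sinkholes, overridden).

    sinkholes:  {ip: [hostnames]} for every non-loopback address that at
                least `threshold` hostnames are mapped to.
    overridden: [(hostname, ip)] for protected names sent anywhere but
                loopback (blocking via 127.0.0.1 is a normal ad-block use).
    """
    by_ip = defaultdict(list)
    for ip, name in entries:
        by_ip[ip].append(name)
    sinkholes, overridden = {}, []
    for ip, names in by_ip.items():
        if ipaddress.ip_address(ip).is_loopback:
            continue
        if len(names) >= threshold:
            sinkholes[ip] = names
        overridden.extend((n, ip) for n in names if is_protected(n))
    return sinkholes, overridden


def unexpected_etc_files(names):
    """Return directory entries (case-insensitive) outside the stock set,
    e.g. the random-named read-only copy this thread is about."""
    return sorted(n for n in names if n.lower() not in EXPECTED_ETC_FILES)


if __name__ == "__main__":
    found = parse_hosts(SAMPLE_HOSTS)
    sinks, overrides = find_hijack(found)
    for ip, names in sinks.items():
        print(f"{ip} collects {len(names)} hostnames: {', '.join(names)}")
    for name, ip in overrides:
        print(f"protected host {name} is redirected to {ip}")
    print("unexpected files:", unexpected_etc_files(["hosts", "ketzkkzv.ako", "services"]))
```

On a live machine, read C:\Windows\System32\drivers\etc\hosts into `parse_hosts` and pass `os.listdir` of that directory to `unexpected_etc_files`.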

#7 ddenise

ddenise
  • Topic Starter

  • Members
  • 9 posts

Posted 01 May 2010 - 12:51 PM

Restored the hosts file.
Restarted comp just for measure.

Tested Google links - things look like they are working fine but I still have that crazy file in my \etc\ directory. See the attached image.

I tried to paste the contents of that file, but it is too long. I have attached it.

I still cannot delete or modify that file.


Edited by m0le, 01 May 2010 - 03:23 PM.


#8 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 01 May 2010 - 03:27 PM

We need to execute an OTM script
  1. Please download OTM by OldTimer and save it to your desktop.
  2. Double click the icon on your desktop.
  3. Paste the following code under the area. Do not include the word "Code".
    CODE
    :Files
    C:\WINDOWS\system32\drivers\etc\ketzkkzv.ako
  4. Push the large button.
  5. OTM may ask to reboot the machine. Please do so if asked.
  6. Copy/Paste the contents under the line here in your next reply.
  7. If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.
Post the OTM log.
m0le is a proud member of UNITE

#9 ddenise

ddenise
  • Topic Starter

  • Members
  • 9 posts

Posted 01 May 2010 - 04:30 PM

I get this message:

Error: Unable to interpret <C:\WINDOWS\system32\drivers\etc\ketzkkzv.ako> in the current context!

OTM by OldTimer - Version 3.1.11.0 log created on 05012010_161932


#10 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 01 May 2010 - 04:41 PM

Yes, I thought that might happen.

Okay, let's remove the hosts file that's there.

We need to execute an OTM script
  1. Please download OTM by OldTimer and save it to your desktop.
  2. Double click the icon on your desktop.
  3. Paste the following code under the area. Do not include the word "Code".
    CODE
    :Processes
    explorer.exe

    :Files
    C:\Windows\System32\DRIVERS\ETC\hosts
  4. Push the large button.
  5. OTM may ask to reboot the machine. Please do so if asked.
  6. Copy/Paste the contents under the line here in your next reply.
  7. If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.
Post the OTM log.

When that's been moved successfully then run HostsXpert again.

Finally, let me know if that .ako file has been removed.
m0le is a proud member of UNITE

#11 ddenise

ddenise
  • Topic Starter

  • Members
  • 9 posts

Posted 01 May 2010 - 05:54 PM

Hosts file removed OK:
========== PROCESSES ==========
Process explorer.exe killed successfully!
========== FILES ==========
C:\Windows\System32\DRIVERS\ETC\hosts moved successfully.

OTM by OldTimer - Version 3.1.11.0 log created on 05012010_174921

HostsXpert ran with no errors. Rebooting to see how things are.




#12 ddenise

ddenise
  • Topic Starter

  • Members
  • 9 posts

Posted 01 May 2010 - 09:42 PM

I think you must have meant:

:Processes
explorer.exe

:Files
C:\Windows\System32\DRIVERS\ETC\ketzkkzv.ako

I ran this and that file looks to be gone, no other file was created to replace it.

Will post after another reboot to confirm.



#13 ddenise

ddenise
  • Topic Starter

  • Members
  • 9 posts

Posted 05 May 2010 - 09:00 AM

Hi,

After checking for a few days (call me skeptical...) it looks like everything is cleared up. That crazy file is gone and no more redirects. I can also now access Windows Updates.


THANKS MUCH for the help!

#14 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 05 May 2010 - 01:56 PM

QUOTE
(call me skeptical...)


You're skeptical - but that's the name of the game in malwareland.


You're clean. Good stuff!

Let's do some clearing up

Download and Run OTC

We will now remove the tools we used during this fix using OTC.
  • Download OTC by OldTimer and save it to your desktop.
  • Double click the icon to start the program. If you are using Vista, please right-click and choose "Run as administrator".
  • Then Click the big button.
  • You will get a prompt saying "Begin Cleanup Process". Please select Yes.
  • Restart your computer when prompted.

Now you should Set a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since System Restore is a protected directory, your tools cannot access it to delete these bad files, which sometimes can reinfect your system. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then go to Start > Run and type: Cleanmgr
  • Click "OK".
  • Click the "More Options" Tab.
  • Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.

------------------------------------------------------------------------------------------------------------------------

Here's some advice on how you can keep your PC clean


Update your AntiVirus Software

It is imperative that you update your Antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out. If you use a commercial antivirus program you must make sure you keep renewing your subscription. Otherwise, once your subscription runs out, you may not be able to update the program's virus definitions.


Make sure your applications have all of their updates

It is also possible for other programs on your computer to have security vulnerabilities that can allow malware to infect you. Therefore, it is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector and Calendar of Updates.


Install an AntiSpyware Program

A highly recommended AntiSpyware program is SuperAntiSpyware. You can download the free Home Version or the Pro version for a 15 day trial period.

Installing this or another recommended program will provide spyware & hijacker protection on your computer alongside your virus protection. You should scan your computer with an AntiSpyware program on a regular basis just as you would with antivirus software.


Finally, here's a treasure trove of antivirus, antimalware and antispyware resources


That's it ddenise, happy surfing!

Cheers.

m0le

m0le is a proud member of UNITE

#15 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 10 May 2010 - 03:09 PM

Since this issue appears to be resolved ... this topic has been closed. Glad we could help.

If you're the topic starter, and need this topic reopened, please contact me via pm with the address of the thread.

Everyone else please begin a New Topic.
m0le is a proud member of UNITE



