Redirect issues

Discussion in 'Computer Security' started by linux992, Apr 26, 2011.

  1. linux992

    linux992 New Member

    Messages:
    205
    Hello I have this redirecting virus or what not on my one XP desktop. I followed what JohnB said in another similar thread but I still have the problem I have inclueded the Rkill, Combofix, and hijackthis logs.
    Rkill log:
    This log file is located at C:\rkill.log.
    Please post this only if requested to by the person helping you.
    Otherwise you can close this log when you wish.
    Rkill was run on 04/25/2011 at 21:09:22.
    Operating System: Microsoft Windows XP
    Processes terminated by Rkill or while it was running:
    C:\WINDOWS\system32\verclsid.exe
    Rkill completed on 04/25/2011 at 21:09:27.

    Combofix log:
    ComboFix 11-04-25.02 - Administrator 04/25/2011 21:15:37.1.1 - x86 NETWORK

    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.767.593 [GMT -5:00]

    Running from: F:\ComboFix.exe
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    c:\documents and settings\All Users\Application Data\.wtav
    c:\documents and settings\User\WINDOWS
    c:\windows\system32\rnaph.dll
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

    -------\Legacy_USERINIT

    ((((((((((((((((((((((((( Files Created from 2011-03-26 to 2011-04-26 )))))))))))))))))))))))))))))))

    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

    2011-03-07 05:33 . 2006-06-01 15:38 692736 ----a-w- c:\windows\system32\inetcomm.dll
    2011-03-04 06:37 . 2004-08-04 12:00 420864 ----a-w- c:\windows\system32\vbscript.dll
    2011-03-03 13:21 . 2004-08-04 12:00 1857920 ----a-w- c:\windows\system32\win32k.sys
    2011-02-22 23:06 . 2004-08-04 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
    2011-02-22 23:06 . 2004-08-04 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2011-02-22 23:06 . 2004-08-04 12:00 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
    2011-02-22 11:41 . 2004-08-04 12:00 385024 ----a-w- c:\windows\system32\html.iec
    2011-02-17 13:18 . 2004-08-04 12:00 455936 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
    2011-02-17 13:18 . 2004-08-04 12:00 357888 ----a-w- c:\windows\system32\drivers\srv.sys
    2011-02-17 12:32 . 2009-04-15 22:45 5120 ----a-w- c:\windows\system32\xpsp4res.dll
    2011-02-15 12:56 . 2004-08-04 12:00 290432 ----a-w- c:\windows\system32\atmfd.dll
    2011-02-09 13:53 . 2004-08-04 12:00 270848 ----a-w- c:\windows\system32\sbe.dll
    2011-02-09 13:53 . 2004-08-04 12:00 186880 ----a-w- c:\windows\system32\encdec.dll
    2011-02-08 13:33 . 2004-08-04 12:00 978944 ----a-w- c:\windows\system32\mfc42.dll
    2011-02-08 13:33 . 2004-08-04 12:00 974848 ----a-w- c:\windows\system32\mfc42u.dll
    2011-02-02 07:58 . 2006-06-01 15:36 2067456 ----a-w- c:\windows\system32\mstscax.dll
    2011-01-27 11:57 . 2006-06-01 15:36 677888 ----a-w- c:\windows\system32\mstsc.exe


    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

    *Note* empty entries & legit default entries are not shown

    REGEDIT4

    .

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "RunNarrator"="Narrator.exe" [2008-04-14 53760]
    "tscuninstall"="c:\windows\system32\tscupgrd.exe" [2004-08-04 44544]
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
    @="Service"
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WDDMStatus.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\WDDMStatus.lnk
    backup=c:\windows\pss\WDDMStatus.lnkCommon Startup
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WDSmartWare.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\WDSmartWare.lnk
    backup=c:\windows\pss\WDSmartWare.lnkCommon Startup
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^User^Start Menu^Programs^Startup^wkcalrem.LNK]
    path=c:\documents and settings\User\Start Menu\Programs\Startup\wkcalrem.LNK
    backup=c:\windows\pss\wkcalrem.LNKStartup

    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\!AVG Anti-Spyware
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICCC
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SecurDisc
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ad-Watch]
    2010-04-17 17:53 524632 ----a-w- c:\program files\Lavasoft\Ad-Aware\AAWTray.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
    2009-08-13 20:51 177440 ----a-w- c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AtariBanner]
    2001-05-22 23:17 49152 -c--a-w- c:\program files\Infogrames\Atari Anniversary Edition\Volume 2\Banner.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CreativeMouse ]
    2004-06-27 20:54 503808 ----a-w- c:\program files\Mouse Driver\MouseDrv.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
    2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
    2003-12-22 13:38 241664 -c--a-w- c:\program files\HP\hpcoretech\hpcmpmgr.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    2009-09-21 21:36 305440 ----a-w- c:\program files\iTunes\iTunesHelper.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LightScribe Control Panel]
    2008-08-22 19:13 2363392 -c--a-w- c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2009-09-05 06:54 417792 ----a-w- c:\program files\QuickTime\QTTask.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SiSUSBRG]
    2002-07-12 10:15 106496 ----a-w- c:\windows\SiSUSBrg.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
    2004-07-27 09:01 68096 ----a-w- c:\windows\SOUNDMAN.EXE
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    2010-05-14 16:44 248552 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UVS10 Preload]
    2006-08-09 13:27 36864 ----a-w- c:\program files\Ulead Systems\Ulead VideoStudio SE\uvPL.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "Apple Mobile Device"=2 (0x2)
    "WDSmartWareBackgroundService"=2 (0x2)
    "WDDMService"=2 (0x2)
    "UleadBurningHelper"=2 (0x2)
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "c:\\Documents and Settings\\User\\My Documents\\Lyman's folder\\Messenger\\msmsgs.exe"=
    "c:\\Program Files\\NetMeeting\\conf.exe"=
    "c:\\WINDOWS\\system32\\rtcshare.exe"=
    "c:\\Documents and Settings\\User\\My Documents\\Lyman's folder\\Gaim\\gaim.exe"=
    "c:\\Program Files\\LimeWire\\LimeWire.exe"=
    "c:\\Program Files\\Windows Media Player\\wmplayer.exe"=
    "c:\\Documents and Settings\\User\\Local Settings\\Application Data\\Abacast\\Abaclient.exe"=
    "c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
    "c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Java\\jre6\\bin\\java.exe"=

    .

    R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [1/22/2009 12:57 PM 64160]
    R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [1/18/2009 4:34 PM 1029456]
    S3 KLSIENET;Driver for USB Ethernet Adapter;c:\windows\system32\drivers\usb101et.sys [1/31/2007 4:22 PM 32384]
    S3 mvb35316;mvb35316; [x]
    S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [12/24/2009 10:32 PM 11520]
    S4 WDDMService;WD SmartWare Drive Manager;c:\program files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe [8/17/2009 11:52 AM 98304]
    S4 WDSmartWareBackgroundService;WD SmartWare Background Service;c:\program files\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe [6/16/2009 10:58 AM 20480]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
    2008-08-22 19:11 451872 ----a-w- c:\program files\CommonFiles\LightScribe\LSRunOnce.exe
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-02-07 c:\windows\Tasks\Ad-Aware Update (Weekly).job
    - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-04-17 17:53]

    ------- Supplementary Scan -------
    mSearchURL = hxxp://www.google.com/
    FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\xbrtymau.default\
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
    FF - Ext: Java Quick Starter: [email protected] - c:\program files\Java\jre6\lib\deploy\jqs\ff

    .

    - - - - ORPHANS REMOVED - - - -
    .
    Toolbar-Locked - (no file)
    MSConfigStartUp-AVG_TRAY - c:\program files\AVG\AVG10\avgtray.exe

    .

    .

    .

    **************************************************************************

    .

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-04-25 21:22
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully

    hidden files: 0

    .

    **************************************************************************

    .

    --------------------- LOCKED REGISTRY KEYS ---------------------

    .

    [HKEY_USERS\S-1-5-21-1659004503-1965331169-725345543-500\Software\Microsoft\Internet Explorer\User Preferences]

    @Denied: (2) (Administrator)

    "88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,

    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,42,31,18,7a,20,41,31,4d,9d,8a,44,\

    "2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,

    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,42,31,18,7a,20,41,31,4d,9d,8a,44,\

    .

    --------------------- DLLs Loaded Under Running Processes ---------------------

    .

    - - - - - - - > 'winlogon.exe'(348)
    c:\windows\system32\Ati2evxx.dll
    c:\windows\system32\l3codeca.acm
    c:\windows\system32\sirenacm.dll
    c:\windows\system32\ac3acm.acm
    c:\windows\system32\lameACM.acm
    c:\windows\system32\IEFRAME.dll
    c:\progra~1\COMMON~1\ULEADS~1\Vio\Dvacm.acm
    c:\progra~1\COMMON~1\ULEADS~1\MPEG\MPEGacm.acm
    c:\progra~1\COMMON~1\ULEADS~1\MPEG\ulmp3acm.acm

    .

    - - - - - - - > 'explorer.exe'(1644)

    c:\windows\system32\WININET.dll

    .

    ------------------------ Other Running Processes ------------------------

    .

    c:\windows\system32\wbem\unsecapp.exe

    .

    **************************************************************************

    .

    Completion time: 2011-04-25 21:34:33 - machine was rebooted
    ComboFix-quarantined-files.txt 2011-04-26 02:34

    .

    Pre-Run: 46,227,062,784 bytes free
    Post-Run: 46,483,513,344 bytes free

    .

    WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    UnsupportedDebug="do not select this" /debug
    multi(0)disk(0)rdisHijackthis logk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

    .

    - - End Of File - - 7A984D88E1EAAB66A18BFC33A816FBF9

    Hijackthis log
    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 9:49:25 PM, on 4/25/2011
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:

    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\system32\msiexec.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
    C:\Program Files\hijackthis\Trend Micro\HiJackThis\HiJackThis.exe



    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:25413
    O1 - Hosts: 74.125.45.100 4-open-davinci.com
    O1 - Hosts: 74.125.45.100 securitysoftwarepayments.com
    O1 - Hosts: 74.125.45.100 privatesecuredpayments.com
    O1 - Hosts: 74.125.45.100 secure.privatesecuredpayments.com
    O1 - Hosts: 74.125.45.100 getantivirusplusnow.com
    O1 - Hosts: 74.125.45.100 secure-plus-payments.com
    O1 - Hosts: 74.125.45.100 www.getantivirusplusnow.com
    O1 - Hosts: 74.125.45.100 www.secure-plus-payments.com
    O1 - Hosts: 74.125.45.100 www.getavplusnow.com
    O1 - Hosts: 74.125.45.100 safebrowsing-cache.google.com
    O1 - Hosts: 74.125.45.100 urs.microsoft.com
    O1 - Hosts: 74.125.45.100 www.securesoftwarebill.com
    O1 - Hosts: 74.125.45.100 secure.paysecuresystem.com
    O1 - Hosts: 74.125.45.100 paysoftbillsolution.com
    O1 - Hosts: 74.125.45.100 protected.maxisoftwaremart.com
    O1 - Hosts: 65.98.95.68 www.google.com
    O1 - Hosts: 65.98.95.68 google.com
    O1 - Hosts: 65.98.95.68 google.com.au
    O1 - Hosts: 65.98.95.68 www.google.com.au
    O1 - Hosts: 65.98.95.68 google.be
    O1 - Hosts: 65.98.95.68 www.google.be
    O1 - Hosts: 65.98.95.68 google.com.br
    O1 - Hosts: 65.98.95.68 www.google.com.br
    O1 - Hosts: 65.98.95.68 google.ca
    O1 - Hosts: 65.98.95.68 www.google.ca
    O1 - Hosts: 65.98.95.68 google.ch
    O1 - Hosts: 65.98.95.68 www.google.ch
    O1 - Hosts: 65.98.95.68 google.de
    O1 - Hosts: 65.98.95.68 www.google.de
    O1 - Hosts: 65.98.95.68 google.dk
    O1 - Hosts: 65.98.95.68 www.google.dk
    O1 - Hosts: 65.98.95.68 google.fr
    O1 - Hosts: 65.98.95.68 www.google.fr
    O1 - Hosts: 65.98.95.68 google.ie
    O1 - Hosts: 65.98.95.68 www.google.ie
    O1 - Hosts: 65.98.95.68 google.it
    O1 - Hosts: 65.98.95.68 www.google.it
    O1 - Hosts: 65.98.95.68 google.co.jp
    O1 - Hosts: 65.98.95.68 www.google.co.jp
    O1 - Hosts: 65.98.95.68 google.nl
    O1 - Hosts: 65.98.95.68 www.google.nl
    O1 - Hosts: 65.98.95.68 google.no
    O1 - Hosts: 65.98.95.68 www.google.no
    O1 - Hosts: 65.98.95.68 google.co.nz
    O1 - Hosts: 65.98.95.68 www.google.co.nz
    O1 - Hosts: 65.98.95.68 google.pl
    O1 - Hosts: 65.98.95.68 www.google.pl
    O1 - Hosts: 65.98.95.68 google.se
    O1 - Hosts: 65.98.95.68 www.google.se
    O1 - Hosts: 65.98.95.68 google.co.uk
    O1 - Hosts: 65.98.95.68 www.google.co.uk
    O1 - Hosts: 65.98.95.68 google.co.za
    O1 - Hosts: 65.98.95.68 www.google.co.za
    O1 - Hosts: 65.98.95.68 www.google-analytics.com
    O1 - Hosts: 65.98.95.68 www.bing.com
    O1 - Hosts: 65.98.95.68 search.yahoo.com
    O1 - Hosts: 65.98.95.68 www.search.yahoo.com
    O1 - Hosts: 65.98.95.68 uk.search.yahoo.com
    O1 - Hosts: 65.98.95.68 ca.search.yahoo.com
    O1 - Hosts: 65.98.95.68 de.search.yahoo.com
    O1 - Hosts: 65.98.95.68 fr.search.yahoo.com
    O1 - Hosts: 65.98.95.68 au.search.yahoo.com
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: HP Smart Web Printing 1.0 - {AE84A6AA-A333-4B92-B276-C11E2212E4FE} - C:\Program Files\HP\Smart Web Printing\SmartWebPrinting.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: (no name) - {8B79EE88-E62D-4AA8-B530-CC357BA112B7} - (no file)
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab
    O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-_UNO/GAME_UNO1.cab
    O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6770.cab
    O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} (Microsoft RDP Client Control (redist)) - http://servicehonda.com/TSWeb/msrdp.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
    O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 93.188.162.65,93.188.161.205
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: NMIndexingService - Unknown owner - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe (file missing)
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe



    --

    End of file - 8321 bytes
     
    Last edited: Apr 27, 2011
  2. voyagerfan99

    voyagerfan99 The Chicken Master Staff Member

    Messages:
    19,826
    Your host file is infected. That's why you're getting redirected. I'm not going to give you a solution though because I'm not trained to do so. However I will watch this thread to see John's response.
     
  3. johnb35

    johnb35 Administrator Staff Member

    Messages:
    33,320
    Yes, your hosts file is infected but you haven't ran malwarebytes yet so lets go ahead and run it and afterwards post a fresh hijackthis log.

    Please download Malwarebytes' Anti-Malware from here or here and save it to your desktop.
    • Double-click mbam-setup.exe and follow the prompts to install the program.
    • At the end, be sure a checkmark is placed next to
      • Update Malwarebytes' Anti-Malware
      • and Launch Malwarebytes' Anti-Malware
    • then click Finish.
    • If an update is found, it will download and install the latest version. Please keep updating until it says you have the latest version.
    • Once the program has loaded, select Perform quick scan, then click Scan.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Be sure that everything is checked, and click Remove Selected.
    • A log will be saved automatically which you can access by clicking on the Logs tab within Malwarebytes' Anti-Malware

    If for some reason Malwarebytes will not install or run please download and run Rkill.scr, Rkill.exe, or Rkill.com but DO NOT reboot the system and then try installing or running Malwarebytes. If Rkill (which is a black box) appears and then disappears right away or you get a message saying rkill is infected, keep trying to run rkill until it over powers the infection and temporarily kills it. Once a log appears on the screen, you can try running malwarebytes or downloading other programs.
     
  4. linux992

    linux992 New Member

    Messages:
    205
    Alright I went ahead and scanned it with mbam and it didn't find anything. I did it in regular mode I ran rkill 1st to make sure nothing was running then I restarted in safe and scanned without running rkill and it still said no infections were found. I just updated mbam before I scanned tonight.
     
  5. johnb35

    johnb35 Administrator Staff Member

    Messages:
    33,320
    Ok, lets see if hijackthis can fix your hosts entries. We may have to do it manually.

    Rerun hijackthis and place checks next to the following entries.

    O1 - Hosts: 74.125.45.100 4-open-davinci.com
    O1 - Hosts: 74.125.45.100 securitysoftwarepayments.com
    O1 - Hosts: 74.125.45.100 privatesecuredpayments.com
    O1 - Hosts: 74.125.45.100 secure.privatesecuredpayments.com
    O1 - Hosts: 74.125.45.100 getantivirusplusnow.com
    O1 - Hosts: 74.125.45.100 secure-plus-payments.com
    O1 - Hosts: 74.125.45.100 www.getantivirusplusnow.com
    O1 - Hosts: 74.125.45.100 www.secure-plus-payments.com
    O1 - Hosts: 74.125.45.100 www.getavplusnow.com
    O1 - Hosts: 74.125.45.100 safebrowsing-cache.google.com
    O1 - Hosts: 74.125.45.100 urs.microsoft.com
    O1 - Hosts: 74.125.45.100 www.securesoftwarebill.com
    O1 - Hosts: 74.125.45.100 secure.paysecuresystem.com
    O1 - Hosts: 74.125.45.100 paysoftbillsolution.com
    O1 - Hosts: 74.125.45.100 protected.maxisoftwaremart.com
    O1 - Hosts: 65.98.95.68 www.google.com
    O1 - Hosts: 65.98.95.68 google.com
    O1 - Hosts: 65.98.95.68 google.com.au
    O1 - Hosts: 65.98.95.68 www.google.com.au
    O1 - Hosts: 65.98.95.68 google.be
    O1 - Hosts: 65.98.95.68 www.google.be
    O1 - Hosts: 65.98.95.68 google.com.br
    O1 - Hosts: 65.98.95.68 www.google.com.br
    O1 - Hosts: 65.98.95.68 google.ca
    O1 - Hosts: 65.98.95.68 www.google.ca
    O1 - Hosts: 65.98.95.68 google.ch
    O1 - Hosts: 65.98.95.68 www.google.ch
    O1 - Hosts: 65.98.95.68 google.de
    O1 - Hosts: 65.98.95.68 www.google.de
    O1 - Hosts: 65.98.95.68 google.dk
    O1 - Hosts: 65.98.95.68 www.google.dk
    O1 - Hosts: 65.98.95.68 google.fr
    O1 - Hosts: 65.98.95.68 www.google.fr
    O1 - Hosts: 65.98.95.68 google.ie
    O1 - Hosts: 65.98.95.68 www.google.ie
    O1 - Hosts: 65.98.95.68 google.it
    O1 - Hosts: 65.98.95.68 www.google.it
    O1 - Hosts: 65.98.95.68 google.co.jp
    O1 - Hosts: 65.98.95.68 www.google.co.jp
    O1 - Hosts: 65.98.95.68 google.nl
    O1 - Hosts: 65.98.95.68 www.google.nl
    O1 - Hosts: 65.98.95.68 google.no
    O1 - Hosts: 65.98.95.68 www.google.no
    O1 - Hosts: 65.98.95.68 google.co.nz
    O1 - Hosts: 65.98.95.68 www.google.co.nz
    O1 - Hosts: 65.98.95.68 google.pl
    O1 - Hosts: 65.98.95.68 www.google.pl
    O1 - Hosts: 65.98.95.68 google.se
    O1 - Hosts: 65.98.95.68 www.google.se
    O1 - Hosts: 65.98.95.68 google.co.uk
    O1 - Hosts: 65.98.95.68 www.google.co.uk
    O1 - Hosts: 65.98.95.68 google.co.za
    O1 - Hosts: 65.98.95.68 www.google.co.za
    O1 - Hosts: 65.98.95.68 www.google-analytics.com
    O1 - Hosts: 65.98.95.68 www.bing.com
    O1 - Hosts: 65.98.95.68 search.yahoo.com
    O1 - Hosts: 65.98.95.68 www.search.yahoo.com
    O1 - Hosts: 65.98.95.68 uk.search.yahoo.com
    O1 - Hosts: 65.98.95.68 ca.search.yahoo.com
    O1 - Hosts: 65.98.95.68 de.search.yahoo.com
    O1 - Hosts: 65.98.95.68 fr.search.yahoo.com
    O1 - Hosts: 65.98.95.68 au.search.yahoo.com
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
    O3 - Toolbar: (no name) - {8B79EE88-E62D-4AA8-B530-CC357BA112B7} - (no file)
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 93.188.162.65,93.188.161.205

    Then click on fix checked. Reboot your system and rerun a hijackthis scan and post the new log.

    i also need you to post an uninstall list using hijackthis, you are running old software that needs to be removed.

    Open hijackthis. cllick on open misc tools section, click on open uninstall manager, click on save list and save it. Then copy and paste that log back here.
     
  6. linux992

    linux992 New Member

    Messages:
    205
    Alright I did what you said here are the log files you requested.
    Logfile of Trend Micro HijackThis v2.0.4

    Scan saved at 9:56:30 PM, on 4/26/2011

    Platform: Windows XP SP3 (WinNT 5.01.2600)

    MSIE: Internet Explorer v8.00 (8.00.6001.18702)

    Boot mode: Normal
    Running processes:

    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\msiexec.exe
    C:\WINDOWS\system32\MsiExec.exe
    C:\Program Files\hijackthis\Trend Micro\HiJackThis\HiJackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:25413
    O1 - Hosts: 74.125.45.100 4-open-davinci.com
    O1 - Hosts: 74.125.45.100 securitysoftwarepayments.com
    O1 - Hosts: 74.125.45.100 privatesecuredpayments.com
    O1 - Hosts: 74.125.45.100 secure.privatesecuredpayments.com
    O1 - Hosts: 74.125.45.100 getantivirusplusnow.com
    O1 - Hosts: 74.125.45.100 secure-plus-payments.com
    O1 - Hosts: 74.125.45.100 www.getantivirusplusnow.com
    O1 - Hosts: 74.125.45.100 www.secure-plus-payments.com
    O1 - Hosts: 74.125.45.100 www.getavplusnow.com
    O1 - Hosts: 74.125.45.100 safebrowsing-cache.google.com
    O1 - Hosts: 74.125.45.100 urs.microsoft.com
    O1 - Hosts: 74.125.45.100 www.securesoftwarebill.com
    O1 - Hosts: 74.125.45.100 secure.paysecuresystem.com
    O1 - Hosts: 74.125.45.100 paysoftbillsolution.com
    O1 - Hosts: 74.125.45.100 protected.maxisoftwaremart.com
    O1 - Hosts: 65.98.95.68 www.google.com
    O1 - Hosts: 65.98.95.68 google.com
    O1 - Hosts: 65.98.95.68 google.com.au
    O1 - Hosts: 65.98.95.68 www.google.com.au
    O1 - Hosts: 65.98.95.68 google.be
    O1 - Hosts: 65.98.95.68 www.google.be
    O1 - Hosts: 65.98.95.68 google.com.br
    O1 - Hosts: 65.98.95.68 www.google.com.br
    O1 - Hosts: 65.98.95.68 google.ca
    O1 - Hosts: 65.98.95.68 www.google.ca
    O1 - Hosts: 65.98.95.68 google.ch
    O1 - Hosts: 65.98.95.68 www.google.ch
    O1 - Hosts: 65.98.95.68 google.de
    O1 - Hosts: 65.98.95.68 www.google.de
    O1 - Hosts: 65.98.95.68 google.dk
    O1 - Hosts: 65.98.95.68 www.google.dk
    O1 - Hosts: 65.98.95.68 google.fr
    O1 - Hosts: 65.98.95.68 www.google.fr
    O1 - Hosts: 65.98.95.68 google.ie
    O1 - Hosts: 65.98.95.68 www.google.ie
    O1 - Hosts: 65.98.95.68 google.it
    O1 - Hosts: 65.98.95.68 www.google.it
    O1 - Hosts: 65.98.95.68 google.co.jp
    O1 - Hosts: 65.98.95.68 www.google.co.jp
    O1 - Hosts: 65.98.95.68 google.nl
    O1 - Hosts: 65.98.95.68 www.google.nl
    O1 - Hosts: 65.98.95.68 google.no
    O1 - Hosts: 65.98.95.68 www.google.no
    O1 - Hosts: 65.98.95.68 google.co.nz
    O1 - Hosts: 65.98.95.68 www.google.co.nz
    O1 - Hosts: 65.98.95.68 google.pl
    O1 - Hosts: 65.98.95.68 www.google.pl
    O1 - Hosts: 65.98.95.68 google.se
    O1 - Hosts: 65.98.95.68 www.google.se
    O1 - Hosts: 65.98.95.68 google.co.uk
    O1 - Hosts: 65.98.95.68 www.google.co.uk
    O1 - Hosts: 65.98.95.68 google.co.za
    O1 - Hosts: 65.98.95.68 www.google.co.za
    O1 - Hosts: 65.98.95.68 www.google-analytics.com
    O1 - Hosts: 65.98.95.68 www.bing.com
    O1 - Hosts: 65.98.95.68 search.yahoo.com
    O1 - Hosts: 65.98.95.68 www.search.yahoo.com
    O1 - Hosts: 65.98.95.68 uk.search.yahoo.com
    O1 - Hosts: 65.98.95.68 ca.search.yahoo.com
    O1 - Hosts: 65.98.95.68 de.search.yahoo.com
    O1 - Hosts: 65.98.95.68 fr.search.yahoo.com
    O1 - Hosts: 65.98.95.68 au.search.yahoo.com
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: HP Smart Web Printing 1.0 - {AE84A6AA-A333-4B92-B276-C11E2212E4FE} - C:\Program Files\HP\Smart Web Printing\SmartWebPrinting.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab
    O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-_UNO/GAME_UNO1.cab
    O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6770.cab
    O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} (Microsoft RDP Client Control (redist)) - http://servicehonda.com/TSWeb/msrdp.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
    O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: NMIndexingService - Unknown owner - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe (file missing)
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    --
    End of file - 7570 bytes

    Uninstall list
    Ad-Aware
    Ad-Aware
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Reader 7.1.0
    Adobe Shockwave Player 11.5
    Apple Application Support
    Apple Mobile Device Support
    Apple Software Update
    Atari Anniversary Edition
    ATI - Software Uninstall Utility
    ATI Display Driver
    Card Games
    CCleaner
    Cisco Connect
    Deer's Revenge
    Deer's Revenge XP Sp2 Fix
    Dirt Track Racing - Sprint Cars
    DivX Content Uploader
    DivX Web Player
    DVD Flick
    Hard Truck 18 Wheels of Steel
    HiJackThis
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hotfix for Windows XP (KB2443685)
    Hotfix for Windows XP (KB952287)
    Hotfix for Windows XP (KB961118)
    HP Customer Participation Program 8.0
    HP Deskjet 8.0 Software
    HP Image Zone 3.5
    HP Imaging Device Functions 8.0
    HP Photosmart Essential
    HP PSC & OfficeJet 3.5
    HP Smart Web Printing 1.0
    HP Solution Center 8.0
    HP Update
    HPSSupply
    Hunting Unlimited
    iPod for Windows 2006-03-23
    iTunes
    J2SE Runtime Environment 5.0 Update 11
    Java(TM) 6 Update 2
    Java(TM) 6 Update 23
    Java(TM) 6 Update 3
    Java(TM) 6 Update 5
    Java(TM) 6 Update 7
    Junk Mail filter update
    K-Lite Codec Pack 4.2.5 (Full)
    LG USB Drivers
    LightScribe System Software 1.14.25.1
    LightScribeTemplateLabeler
    LimeWire 5.5.8
    Logitech Gaming Software
    Malwarebytes' Anti-Malware
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Security Update (KB2416447)
    Microsoft .NET Framework 1.1 Security Update (KB979906)
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft .NET Framework 3.5 SP1
    Microsoft Access 2000 SR-1
    Microsoft Choice Guard
    Microsoft Excel 2000 SR-1
    Microsoft FrontPage 2000 SR-1
    Microsoft PowerPoint 2000 SR-1
    Microsoft Silverlight
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Microsoft Word 2000 SR-1
    Microsoft Works
    MobileMe Control Panel
    Mouse Driver
    Mozilla Firefox (3.6.6)
    MSVCRT
    MSXML 4.0 SP2 (KB927978)
    MSXML 4.0 SP2 (KB936181)
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    MSXML 6 Service Pack 2 (KB973686)
    neroxml
    QuickLink Mobile
    QuickTime
    RaidApplication
    Realtek AC'97 Audio
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
    Security Update for Windows Internet Explorer 8 (KB2416400)
    Security Update for Windows Internet Explorer 8 (KB2482017)
    Security Update for Windows Internet Explorer 8 (KB2497640)
    Security Update for Windows Internet Explorer 8 (KB2510531)
    Security Update for Windows Internet Explorer 8 (KB971961)
    Security Update for Windows Internet Explorer 8 (KB981332)
    Security Update for Windows Internet Explorer 8 (KB982381)
    Security Update for Windows Media Player (KB2378111)
    Security Update for Windows Media Player (KB975558)
    Security Update for Windows XP (KB2079403)
    Security Update for Windows XP (KB2115168)
    Security Update for Windows XP (KB2121546)
    Security Update for Windows XP (KB2229593)
    Security Update for Windows XP (KB2259922)
    Security Update for Windows XP (KB2286198)
    Security Update for Windows XP (KB2296011)
    Security Update for Windows XP (KB2296199)
    Security Update for Windows XP (KB2347290)
    Security Update for Windows XP (KB2360937)
    Security Update for Windows XP (KB2387149)
    Security Update for Windows XP (KB2393802)
    Security Update for Windows XP (KB2412687)
    Security Update for Windows XP (KB2419632)
    Security Update for Windows XP (KB2423089)
    Security Update for Windows XP (KB2436673)
    Security Update for Windows XP (KB2440591)
    Security Update for Windows XP (KB2443105)
    Security Update for Windows XP (KB2476687)
    Security Update for Windows XP (KB2478960)
    Security Update for Windows XP (KB2478971)
    Security Update for Windows XP (KB2479628)
    Security Update for Windows XP (KB2479943)
    Security Update for Windows XP (KB2481109)
    Security Update for Windows XP (KB2483185)
    Security Update for Windows XP (KB2485376)
    Security Update for Windows XP (KB2485663)
    Security Update for Windows XP (KB2503658)
    Security Update for Windows XP (KB2506212)
    Security Update for Windows XP (KB2506223)
    Security Update for Windows XP (KB2507618)
    Security Update for Windows XP (KB2508272)
    Security Update for Windows XP (KB2508429)
    Security Update for Windows XP (KB2509553)
    Security Update for Windows XP (KB2511455)
    Security Update for Windows XP (KB2524375)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB938464)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB953155)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956744)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956844)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958869)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB960859)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB969059)
    Security Update for Windows XP (KB970238)
    Security Update for Windows XP (KB970430)
    Security Update for Windows XP (KB971468)
    Security Update for Windows XP (KB971657)
    Security Update for Windows XP (KB972270)
    Security Update for Windows XP (KB973507)
    Security Update for Windows XP (KB973869)
    Security Update for Windows XP (KB973904)
    Security Update for Windows XP (KB974112)
    Security Update for Windows XP (KB974318)
    Security Update for Windows XP (KB974392)
    Security Update for Windows XP (KB974571)
    Security Update for Windows XP (KB975025)
    Security Update for Windows XP (KB975467)
    Security Update for Windows XP (KB975560)
    Security Update for Windows XP (KB975561)
    Security Update for Windows XP (KB975562)
    Security Update for Windows XP (KB975713)
    Security Update for Windows XP (KB977816)
    Security Update for Windows XP (KB977914)
    Security Update for Windows XP (KB978037)
    Security Update for Windows XP (KB978338)
    Security Update for Windows XP (KB978542)
    Security Update for Windows XP (KB978601)
    Security Update for Windows XP (KB978706)
    Security Update for Windows XP (KB979309)
    Security Update for Windows XP (KB979482)
    Security Update for Windows XP (KB979559)
    Security Update for Windows XP (KB979683)
    Security Update for Windows XP (KB979687)
    Security Update for Windows XP (KB980218)
    Security Update for Windows XP (KB980232)
    Security Update for Windows XP (KB980436)
    Security Update for Windows XP (KB981322)
    Security Update for Windows XP (KB981852)
    Security Update for Windows XP (KB981997)
    Security Update for Windows XP (KB982132)
    Security Update for Windows XP (KB982665)
    Segoe UI
    SiS 900 PCI Fast Ethernet Adapter Driver
    SpywareBlaster 4.3
    Ulead VideoStudio SE
    Ultra MPEG-4 Converter 4.2.1021
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Windows Internet Explorer 8 (KB976662)
    Update for Windows XP (KB2141007)
    Update for Windows XP (KB2345886)
    Update for Windows XP (KB2467659)
    Update for Windows XP (KB951978)
    Update for Windows XP (KB955759)
    Update for Windows XP (KB961503)
    Update for Windows XP (KB967715)
    Update for Windows XP (KB968389)
    Update for Windows XP (KB971029)
    Update for Windows XP (KB971737)
    Update for Windows XP (KB973687)
    Update for Windows XP (KB973815)
    Visual C++ 2008 x86 Runtime - (v9.0.30729)
    Visual C++ 2008 x86 Runtime - v9.0.30729.01
    WD SmartWare
    Windows Backup Utility
    Windows Live Call
    Windows Live Communications Platform
    Windows Live Essentials
    Windows Live Essentials
    Windows Live Mail
    Windows Live Messenger
    Windows Live OneCare safety scanner
    Windows Live Sign-in Assistant
    Windows Live Upload Tool
    Windows Media Connect
    Windows Media Format Runtime
    Windows Media Player 10
    Windows XP Service Pack 3
     
    Last edited: Apr 27, 2011
  7. johnb35

    johnb35 Administrator Staff Member

    Messages:
    33,320
    Please uninstall the following entries in add/remove programs.


    J2SE Runtime Environment 5.0 Update 11
    Java(TM) 6 Update 2
    Java(TM) 6 Update 23
    Java(TM) 6 Update 3
    Java(TM) 6 Update 5
    Java(TM) 6 Update 7
    Adobe Reader 7.1.0


    Then go here to download the latest version of java.

    http://www.java.com/en/download/index.jsp

    Please follow the directions on this page to reset your hosts file.

    http://support.microsoft.com/kb/972034

    You can run the automatic fix or you can do it manually. After running it please post a fresh hijackthis log.
     
  8. linux992

    linux992 New Member

    Messages:
    205
    Alright I did that here is the hijack this log file. Now since I uninstalled AVG to run combo fix which antivirus would you recommend me putting back on the computer?

    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 10:43:24 PM, on 4/26/2011
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\system32\msiexec.exe
    C:\WINDOWS\system32\WgaTray.exe
    C:\WINDOWS\system32\MsiExec.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\hijackthis\Trend Micro\HiJackThis\HiJackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:25413
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: HP Smart Web Printing 1.0 - {AE84A6AA-A333-4B92-B276-C11E2212E4FE} - C:\Program Files\HP\Smart Web Printing\SmartWebPrinting.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab
    O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-_UNO/GAME_UNO1.cab
    O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6770.cab
    O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} (Microsoft RDP Client Control (redist)) - http://servicehonda.com/TSWeb/msrdp.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
    O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: NMIndexingService - Unknown owner - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe (file missing)
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

    End of file - 4981 bytes
     
    Last edited: Apr 27, 2011
  9. johnb35

    johnb35 Administrator Staff Member

    Messages:
    33,320
    good job. its all clear now. How's the system running now?
     
  10. linux992

    linux992 New Member

    Messages:
    205
    Thank you very much! Its running better no redirecting. In installed avast free, people have said good things about it on this site. Its an older computer so it's kinda slow. I'm hoping to upgrade the ram its only got 768 mb :(
     
    Last edited: Apr 27, 2011
  11. johnb35

    johnb35 Administrator Staff Member

    Messages:
    33,320
    Yes, I was gonna suggest either Avast or Microsoft Security Essentials since you didnt have an antivirus program installed. If you didn't pay for the adaware program then I would uninstall that and just use malwarebytes as your on demand scanner.
     
  12. linux992

    linux992 New Member

    Messages:
    205
    Alright thank you for your help. I got avast free.
     

Share This Page