dinthead's "completetala"


Post by dinthead » November 2nd, 2008, 1:20 pm

This is my log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:05:42, on 02/11/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Program Files\Windows Live\installer\WLSetupSvc.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Documents and Settings\Darren Denton\Local Settings\Temporary Internet Files\Content.IE5\O20FTKVE\WinRAR[1].exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Darren Denton\Desktop\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O1 - Hosts: 204.16.197.121 http://www.yahoo.com
O1 - Hosts: 204.16.197.121 http://www.google.com
O1 - Hosts: 204.16.197.121 http://www.myspace.com
O1 - Hosts: 204.16.197.121 http://www.youtube.com
O1 - Hosts: 204.16.197.121 http://www.facebook.com
O1 - Hosts: 204.16.197.121 http://www.live.com
O1 - Hosts: 204.16.197.121 http://www.msn.com
O1 - Hosts: 204.16.197.121 http://www.wikipedia.org
O1 - Hosts: 204.16.197.121 http://www.ebay.com
O1 - Hosts: 204.16.197.121 http://www.aol.com
O1 - Hosts: 204.16.197.121 http://www.craigslist.org
O1 - Hosts: 204.16.197.121 http://www.blogger.com
O1 - Hosts: 204.16.197.121 http://www.go.com
O1 - Hosts: 204.16.197.121 http://www.amazon.com
O1 - Hosts: 204.16.197.121 http://www.cnn.com
O1 - Hosts: 204.16.197.121 espn.go.com
O1 - Hosts: 204.16.197.121 http://www.espn.com
O1 - Hosts: 204.16.197.121 http://www.photobucket.com
O1 - Hosts: 204.16.197.121 http://www.microsoft.com
O1 - Hosts: 204.16.197.121 http://www.comcast.net
O1 - Hosts: 204.16.197.121 http://www.imdb.com
O1 - Hosts: 204.16.197.121 http://www.wordpress.com
O1 - Hosts: 204.16.197.121 http://www.nytimes.com
O1 - Hosts: 204.16.197.121 http://www.weather.com
O1 - Hosts: 204.16.197.121 http://www.ask.com
O1 - Hosts: 204.16.197.121 http://www.aim.com
O1 - Hosts: 204.16.197.121 http://www.apple.com
O1 - Hosts: 204.16.197.121 http://www.mapquest.com
O1 - Hosts: 204.16.197.121 http://www.youporn.com
O1 - Hosts: 204.16.197.121 http://www.fastclick.com
O1 - Hosts: 204.16.197.121 http://www.pornhub.com
O1 - Hosts: 204.16.197.121 http://www.rapidshare.com
O1 - Hosts: 204.16.197.121 http://www.pogo.com
O1 - Hosts: 204.16.197.121 http://www.redtube.com
O1 - Hosts: 204.16.197.121 http://www.doubleclick.com
O1 - Hosts: 204.16.197.121 http://www.att.com
O1 - Hosts: 204.16.197.121 http://www.adobe.com
O1 - Hosts: 204.16.197.121 http://www.vnn.com
O1 - Hosts: 204.16.197.121 http://www.sportsline.com
O1 - Hosts: 204.16.197.121 http://www.netflix.com
O1 - Hosts: 204.16.197.121 http://www.dell.com
O1 - Hosts: 204.16.197.121 http://www.google.co.uk
O1 - Hosts: 204.16.197.121 http://www.bbc.co.uk
O1 - Hosts: 204.16.197.121 http://www.ebay.co.uk
O1 - Hosts: 204.16.197.121 http://www.bebo.com
O1 - Hosts: 204.16.197.121 http://www.amazon.co.uk
O1 - Hosts: 204.16.197.121 http://www.sky.com
O1 - Hosts: 204.16.197.121 http://www.virginmedia.com
O1 - Hosts: 204.16.197.121 http://www.aol.co.uk
O1 - Hosts: 204.16.197.121 http://www.hsbc.co.uk
O1 - Hosts: 204.16.197.121 http://www.antispyware.com
O1 - Hosts: 204.16.197.121 http://www.antispy.com
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [explore] C:\WINDOWS\system32\explore.exe
O4 - HKLM\..\RunOnce: [wextract_cleanup0] rundll32.exe C:\WINDOWS\system32\advpack.dll,DelNodeRunDLL32 "C:\DOCUME~1\DARREN~1\LOCALS~1\Temp\IXP000.TMP\"
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microso ... 5633434751
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 6440 bytes


Sum1 please help me i am in need of it

edit.
i follow ur little guide thingy and i have the internet pages back where they used to say that i had to pay 40$ to download sumats to get rid of completetala. But the checkbox saying 'hehehehehehehehh' still comes up.
and i have also noticed that whenever i restart my laptop then the internet shows the 40$ pages again

plz help me again
edit/Shaba: Created own topic. Please DON'T post to someone else's topic.
dinthead
Active Member
 
Posts: 1
Joined: November 2nd, 2008, 1:09 pm

Re: dinthead's "completetala"

Post by askey127 » November 5th, 2008, 1:04 pm

dinthead,
If you would like to receive help here, please proceed as follows:
(You got that crummy infection from downloading Winrar)

Please Note Our Policy on the Use of P2P (Person to Person / Peer to Peer) file sharing programs
It is posted here: http://malwareremoval.com/forum/viewtopic.php?f=11&t=33112
You have the following P-2-P program(s) installed: utorrent
This is how you uninstall it/them:
  • Click Start
  • Go to Control Panel
  • Go to Add/Remove Programs
  • Find and click Remove for the following (if present):
    utorrent
NOTE: Take care when answering any questions posed by an uninstaller. Some questions may be worded to deceive you into keeping the program.
-----------------------------------------------------------
IT APPEARS YOU HAVE NO ANTI-VIRUS PROGRAM
Download just one of these free anti-virus programs, update it and run a full scan. Have it fix anything it finds.
Consider this an Emergency until you complete it!
-----------------------------------------------------------
Run MalwareBytes' Anti-Malware
Please download the Installer and save to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to both Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • If necessary, start Malwarebytes Anti-Malware again.
  • Once the program has loaded, select Perform Quick Scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location, and post the contents in your reply.
  • The log can also be found here if you need it : Start, All Programs, Malwarebytes' Anti-Malware, Logs
    The logs are named by date stamp
-----------------------------------------------------------
Remove log items with HijackThis. Start HijackThis.
Click Do System Scan Only. When the Scan is complete, Check the following entries:
(Some of these lines may be missing)
O1 - Hosts: 204.16.197.121 http://www.yahoo.com
O1 - Hosts: 204.16.197.121 http://www.google.com
O1 - Hosts: 204.16.197.121 http://www.myspace.com
O1 - Hosts: 204.16.197.121 http://www.youtube.com
O1 - Hosts: 204.16.197.121 http://www.facebook.com
O1 - Hosts: 204.16.197.121 http://www.live.com
O1 - Hosts: 204.16.197.121 http://www.msn.com
O1 - Hosts: 204.16.197.121 http://www.wikipedia.org
O1 - Hosts: 204.16.197.121 http://www.ebay.com
O1 - Hosts: 204.16.197.121 http://www.aol.com
O1 - Hosts: 204.16.197.121 http://www.craigslist.org
O1 - Hosts: 204.16.197.121 http://www.blogger.com
O1 - Hosts: 204.16.197.121 http://www.go.com
O1 - Hosts: 204.16.197.121 http://www.amazon.com
O1 - Hosts: 204.16.197.121 http://www.cnn.com
O1 - Hosts: 204.16.197.121 espn.go.com
O1 - Hosts: 204.16.197.121 http://www.espn.com
O1 - Hosts: 204.16.197.121 http://www.photobucket.com
O1 - Hosts: 204.16.197.121 http://www.microsoft.com
O1 - Hosts: 204.16.197.121 http://www.comcast.net
O1 - Hosts: 204.16.197.121 http://www.imdb.com
O1 - Hosts: 204.16.197.121 http://www.wordpress.com
O1 - Hosts: 204.16.197.121 http://www.nytimes.com
O1 - Hosts: 204.16.197.121 http://www.weather.com
O1 - Hosts: 204.16.197.121 http://www.ask.com
O1 - Hosts: 204.16.197.121 http://www.aim.com
O1 - Hosts: 204.16.197.121 http://www.apple.com
O1 - Hosts: 204.16.197.121 http://www.mapquest.com
O1 - Hosts: 204.16.197.121 http://www.youporn.com
O1 - Hosts: 204.16.197.121 http://www.fastclick.com
O1 - Hosts: 204.16.197.121 http://www.pornhub.com
O1 - Hosts: 204.16.197.121 http://www.rapidshare.com
O1 - Hosts: 204.16.197.121 http://www.pogo.com
O1 - Hosts: 204.16.197.121 http://www.redtube.com
O1 - Hosts: 204.16.197.121 http://www.doubleclick.com
O1 - Hosts: 204.16.197.121 http://www.att.com
O1 - Hosts: 204.16.197.121 http://www.adobe.com
O1 - Hosts: 204.16.197.121 http://www.vnn.com
O1 - Hosts: 204.16.197.121 http://www.sportsline.com
O1 - Hosts: 204.16.197.121 http://www.netflix.com
O1 - Hosts: 204.16.197.121 http://www.dell.com
O1 - Hosts: 204.16.197.121 http://www.google.co.uk
O1 - Hosts: 204.16.197.121 http://www.bbc.co.uk
O1 - Hosts: 204.16.197.121 http://www.ebay.co.uk
O1 - Hosts: 204.16.197.121 http://www.bebo.com
O1 - Hosts: 204.16.197.121 http://www.amazon.co.uk
O1 - Hosts: 204.16.197.121 http://www.sky.com
O1 - Hosts: 204.16.197.121 http://www.virginmedia.com
O1 - Hosts: 204.16.197.121 http://www.aol.co.uk
O1 - Hosts: 204.16.197.121 http://www.hsbc.co.uk
O1 - Hosts: 204.16.197.121 http://www.antispyware.com
O1 - Hosts: 204.16.197.121 http://www.antispy.com

Make sure Every other window except HJT is closed (No other tabs showing in the bottom tray), and Click Fix Checked
Click the "X" in the upper right corner of the HiJackThis window to close it.

Please post the log from malwarebytes-AntiMalware and a fresh HiJackThis log.
askey127
Admin/Teacher
 
Posts: 14025
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA
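
The O1 entries listed for fixing above all point well-known sites at one address, 204.16.197.121. The following Python code is an added example, not part of the original thread or of HijackThis: it parses O1 lines from a HijackThis log and reports any non-loopback address that several hostnames are redirected to. The function names, the `min_names` threshold and the sample log are constructed for illustration.

```python
import re
from collections import defaultdict
from ipaddress import ip_address

# Constructed sample in the format of the log posted above (not the full log).
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O1 - Hosts: 204.16.197.121 http://www.google.com
O1 - Hosts: 204.16.197.121 espn.go.com
O1 - Hosts: 204.16.197.121 http://www.antispyware.com
O1 - Hosts: 127.0.0.1 localhost
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

O1_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)")

def parse_o1(log_text):
    """Return {ip: [hostname, ...]} for every O1 line in a HijackThis log."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        m = O1_RE.match(line.strip())
        if not m:
            continue  # R0/R1, O2, O4 ... lines are not hosts-file entries
        ip, name = m.groups()
        # Some names in the posted log carry an http:// prefix; strip it.
        name = re.sub(r"^[a-z]+://", "", name, flags=re.I).rstrip("/").lower()
        by_ip[ip].append(name)
    return dict(by_ip)

def suspicious_redirects(log_text, min_names=2):
    """Flag non-loopback, non-null addresses that several hostnames map to."""
    findings = {}
    for ip, names in parse_o1(log_text).items():
        try:
            addr = ip_address(ip)
        except ValueError:
            continue  # malformed entry, not an IP literal
        if addr.is_loopback or addr.is_unspecified:
            continue  # 127.0.0.1 / 0.0.0.0 lines are ordinary blocklist entries
        unique = sorted(set(names))
        if len(unique) >= min_names:  # assumption: 2+ names on one IP is worth review
            findings[ip] = unique
    return findings

if __name__ == "__main__":
    for ip, names in suspicious_redirects(SAMPLE_LOG).items():
        print(f"{ip}: {len(names)} hostnames redirected, e.g. {names[0]}")
```

A hit that includes security-vendor or search-engine names, as in this log, is a strong sign the hosts file was rewritten rather than used as a blocklist.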

Re: dinthead's "completetala"

Post by NonSuch » November 14th, 2008, 11:19 pm

Due to lack of response, this topic is now closed.

If you still require help, please open a new thread in the Infected? Virus, malware, adware, ransomware, oh my! forum, include a fresh FRST log, and wait for a new helper.
NonSuch
Administrator
 
Posts: 28747
Joined: February 23rd, 2005, 7:08 am
Location: California

