Hijacked hosts file

Re: Hijacked hosts file

Post by jefftallica » March 12th, 2011, 7:24 am

Hi, I may be doing this wrong but I cannot get that file/path into the white box. I tried to copy and paste c:\docume~1\Jeff\LOCALS~1\Temp\irasl2tp.sys but when I paste it into the white box it takes me straight to the browse window and it can't find that file. Please advise.
jefftallica
Regular Member
 
Posts: 19
Joined: March 8th, 2011, 8:39 pm

Re: Hijacked hosts file

Post by Cypher » March 12th, 2011, 7:50 am

Hi.
In this case just use browse to navigate to the file using the file path as a reference.
Cypher
Admin/Teacher
 
Posts: 14959
Joined: October 29th, 2008, 12:49 pm
Location: Land Of The Leprechauns

Re: Hijacked hosts file

Post by jefftallica » March 12th, 2011, 10:23 am

Hi, I tried that already and can't find such a path to that file. I've searched C Drive and can't find a file with that name or even one similar. I searched for a file named irasl2tp.sys and found nothing. Am I missing something obvious here??

Re: Hijacked hosts file

Post by Cypher » March 12th, 2011, 11:47 am

Hi jefftallica.
Those temp files may no longer be there, please continue with the instructions below.

Back Up registry with ERUNT

  • Please download ERUNT and save it to your desktop.
  • Alternate Download
  • Double-click on erunt_setup.exe to install the program
  • Untick the NTREGOPT desktop shortcut option
  • Click No when you get the option to run Erunt at Windows startup.
  • During the installation, tick Launch Erunt.
  • Accept the default options for running a backup.
  • Erunt will then backup your registry.
  • Click OK to finish.
  • If you are unable to back up your Registry with ERUNT ....
    • Let me know.
    • Do not follow any further instructions until I tell you to.

Next.

Download and run OTM

Download OTM.exe by Old Timer and save it to your Desktop.
  • Double-click OTM.exe to run it.
  • Right-click, then copy the following code. Do not include the word Code.
    :Services
    dtcpip
    irasl2tp
    nwanarp
    pusbd
    shttp
    
    :Reg
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
    "E:\Store&Save\Software\utorrent.exe"=-
    "G:\Store&Save\Software\utorrent.exe"=-
    "C:\Documents and Settings\All Users\Application Data\e6474a\IAe64_2089.exe"=-
    
    :Files
    C:\WINDOWS\tasks\RegCure Program Check.job
    C:\WINDOWS\tasks\RegCure.job
    E:\Store&Save\Software\utorrent.exe
    G:\Store&Save\Software\utorrent.exe
    C:\Documents and Settings\All Users\Application Data\e6474a
    ipconfig /flushdns /c
    
    :Commands
    [EmptyFlash]
    [emptytemp]
    [start explorer]
    [Reboot]
    

  • Return to OTM, right-click, then paste the code into the blank box below [image].
  • Next click on the large [image] button.
  • OTM may ask to reboot the machine. Please do so if asked.
  • Copy everything in the Results window (under the green bar), and paste it in your next reply.

NOTE: If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

Next.

Malwarebytes Anti-Malware

  • Launch the application, Check for Updates >> Perform Quick Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Check all items except items in the C:\System Volume Information folder... and click Remove Selected.
    Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.
  • When completed, a log will open in Notepad. please copy and paste the log into your next reply.
  • The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Next.

Re-run - RSIT (Random's System Information Tool)

You should still have this program on your desktop.
  • Double click on RSIT.exe to run it.
  • Please read the disclaimer... click on Continue.
  • RSIT will start running. When done... ONLY the "C:\RSIT\log.txt"...will be reproduced. (it will be maximized)
  • Please post ONLY the "log.txt", file contents in your next reply.
    (This log can be lengthy, so a separate post may be needed.)

Logs/Information to Post in your Next Reply

  • OTM log.
  • Malwarebytes log.
  • RSIT\log.txt
  • Please give me an update on how your computer is performing.

Re: Hijacked hosts file

Post by jefftallica » March 12th, 2011, 4:41 pm

Next one....

All processes killed
========== SERVICES/DRIVERS ==========
Service dtcpip stopped successfully!
Service dtcpip deleted successfully!
Service irasl2tp stopped successfully!
Service irasl2tp deleted successfully!
Service nwanarp stopped successfully!
Service nwanarp deleted successfully!
Service pusbd stopped successfully!
Service pusbd deleted successfully!
Service shttp stopped successfully!
Service shttp deleted successfully!
========== REGISTRY ==========
Registry value HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list\\E:\Store&Save\Software\utorrent.exe not found.
Registry value HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list\\G:\Store&Save\Software\utorrent.exe not found.
Registry value HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list\\C:\Documents and Settings\All Users\Application Data\e6474a\IAe64_2089.exe not found.
========== FILES ==========
File/Folder C:\WINDOWS\tasks\RegCure Program Check.job not found.
File/Folder C:\WINDOWS\tasks\RegCure.job not found.
File/Folder E:\Store&Save\Software\utorrent.exe not found.
File/Folder G:\Store&Save\Software\utorrent.exe not found.
File/Folder C:\Documents and Settings\All Users\Application Data\e6474a not found.
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Documents and Settings\Jeff\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\Jeff\Desktop\cmd.txt deleted successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Jeff
->Temp folder emptied: 587898 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 99719925 bytes
->Flash cache emptied: 5405 bytes

User: LocalService
->Temp folder emptied: 65748 bytes
->Temporary Internet Files folder emptied: 32902 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: user
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 2151589 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 98.00 mb


OTM by OldTimer - Version 3.1.17.2 log created on 03122011_203304

Files moved on Reboot...
File move failed. C:\WINDOWS\temp\_avast5_\Webshlock.txt scheduled to be moved on reboot.
File C:\WINDOWS\temp\Perflib_Perfdata_674.dat not found!

Registry entries deleted on Reboot...
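When a helper reads an OTM results log like the one above, the question is whether every item in the fix script came back with a terminal outcome: each service both stopped and deleted, each registry value deleted or reported not found, each file moved or reported not found, each /c command actually run, and nothing left only "scheduled to be moved on reboot". The script below is an added example, not part of this thread and not part of OTM itself; it parses an OTM fix script and an OTM log and lists any requested item the log does not account for. The script and log texts are constructed from the two posts above (trimmed, and with the line "Service irasl2tp deleted successfully!" deliberately left out so the check has something to flag); the function names are my own, and a real run would read the pasted script and the newest C:\_OTM\MovedFiles\*.log instead of the embedded strings.

```python
"""Reconcile an OTM fix script with the OTM results log it produced."""
import re
from collections import defaultdict

# Firewall AuthorizedApplications key targeted by the script in the thread.
FW_LIST = (r"HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess"
           r"\parameters\firewallpolicy\standardprofile\authorizedapplications\list")

# Constructed sample input (not a real capture): the script as pasted into OTM.
OTM_SCRIPT = rf"""
:Services
dtcpip
irasl2tp

:Reg
[{FW_LIST}]
"E:\Store&Save\Software\utorrent.exe"=-
"C:\Documents and Settings\All Users\Application Data\e6474a\IAe64_2089.exe"=-

:Files
C:\WINDOWS\tasks\RegCure.job
C:\Documents and Settings\All Users\Application Data\e6474a
ipconfig /flushdns /c

:Commands
[emptytemp]
[Reboot]
"""

# Constructed sample log.  "Service irasl2tp deleted successfully!" is left
# out on purpose so that irasl2tp shows up as not fully handled.
OTM_LOG = rf"""
All processes killed
========== SERVICES/DRIVERS ==========
Service dtcpip stopped successfully!
Service dtcpip deleted successfully!
Service irasl2tp stopped successfully!
========== REGISTRY ==========
Registry value {FW_LIST}\\E:\Store&Save\Software\utorrent.exe not found.
Registry value {FW_LIST}\\C:\Documents and Settings\All Users\Application Data\e6474a\IAe64_2089.exe not found.
========== FILES ==========
File/Folder C:\WINDOWS\tasks\RegCure.job not found.
File/Folder C:\Documents and Settings\All Users\Application Data\e6474a not found.
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
========== COMMANDS ==========
Files moved on Reboot...
File move failed. C:\WINDOWS\temp\_avast5_\Webshlock.txt scheduled to be moved on reboot.
"""

SECTION_RE = re.compile(r"^:(\w+)$")


def parse_script(text):
    """Split an OTM script into {section: [items]}.
    :Reg deletions ("value"=-) become 'KEY\\\\value', the form OTM logs them in;
    :Files lines ending in ' /c' are commands and go under 'commands_run'."""
    sections, current, reg_key = defaultdict(list), None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1).lower()
            continue
        if current == "reg":
            if line.startswith("[") and line.endswith("]"):
                reg_key = line[1:-1]
            elif line.endswith("=-") and reg_key:
                sections["reg"].append(f"{reg_key}\\\\{line[:-2].strip(chr(34))}")
            continue
        if current == "files" and line.endswith(" /c"):
            sections["commands_run"].append(line)
            continue
        if current:
            sections[current].append(line)
    return sections


def parse_log(text):
    """Map every item OTM reported on to its outcome (keys lower-cased)."""
    out = {"services": defaultdict(set), "reg": {}, "files": {},
           "commands_run": {}, "pending_reboot": []}
    for line in (l.strip() for l in text.splitlines()):
        if m := re.match(r"^Service (\S+) (stopped|deleted) successfully!$", line):
            out["services"][m.group(1).lower()].add(m.group(2))
        elif m := re.match(r"^Registry value (.+) (not found|deleted successfully)\.$", line):
            out["reg"][m.group(1).lower()] = m.group(2)
        elif m := re.match(r"^File move failed\. (.+) scheduled to be moved on reboot\.$", line):
            out["pending_reboot"].append(m.group(1))
        elif m := re.match(r"^(?:File/Folder |File )?(.+?) (not found|moved successfully|deleted successfully)[.!]$", line):
            out["files"][m.group(1).lower()] = m.group(2)
        elif m := re.match(r"^< (.+) >$", line):
            out["commands_run"][m.group(1).lower()] = "ran"
    return out


def reconcile(script, log):
    """Return (section, item, status) for each item the script asked about.
    'UNACCOUNTED' / 'stopped only' mean the log shows no terminal outcome."""
    report = []
    for name in script.get("services", []):
        acts = log["services"].get(name.lower(), set())
        report.append(("services", name,
                       "deleted" if "deleted" in acts else "stopped only" if acts else "UNACCOUNTED"))
    for item in script.get("reg", []):
        report.append(("reg", item, log["reg"].get(item.lower(), "UNACCOUNTED")))
    pending = {p.lower() for p in log["pending_reboot"]}
    for path in script.get("files", []):
        status = log["files"].get(path.lower())
        if status is None:
            status = "pending reboot" if path.lower() in pending else "UNACCOUNTED"
        report.append(("files", path, status))
    for cmd in script.get("commands_run", []):
        report.append(("commands_run", cmd, log["commands_run"].get(cmd.lower(), "UNACCOUNTED")))
    return report


def unaccounted(report):
    """Items the helper must follow up on in the next fix."""
    return [(s, i) for s, i, st in report if st in ("UNACCOUNTED", "stopped only", "pending reboot")]


if __name__ == "__main__":
    result = reconcile(parse_script(OTM_SCRIPT), parse_log(OTM_LOG))
    for section, item, status in result:
        print(f"{status:14} {section:13} {item}")
    print("follow up:", unaccounted(result))
```

The two parsers are deliberately separate so the same reconcile step can be pointed at a script and a log copied straight out of a thread; anything in the log that the script did not ask for (OTM's own temp-file cleanup, for example) is parsed but ignored, and only script items without a matching "deleted", "not found" or "moved" line are surfaced.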

Re: Hijacked hosts file

Post by jefftallica » March 12th, 2011, 4:52 pm

More...looking good so far. System running as well as ever.

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6037

Windows 5.1.2600 Service Pack 2
Internet Explorer 8.0.6001.18702

12/03/2011 20:49:56
mbam-log-2011-03-12 (20-49-56).txt

Scan type: Quick scan
Objects scanned: 165044
Time elapsed: 3 minute(s), 47 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Re: Hijacked hosts file

Post by jefftallica » March 12th, 2011, 4:55 pm

RSIT log......

Logfile of random's system information tool 1.08 (written by random/random)
Run by Jeff at 2011-03-12 20:53:21
Microsoft Windows XP Professional Service Pack 2
System drive C: has 9 GB (6%) free of 153 GB
Total RAM: 1790 MB (71% free)

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 20:53:30, on 12/03/2011
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\WINDOWS\system32\lxedcoms.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
C:\Program Files\Lexmark S600 Series\lxedmon.exe
C:\Program Files\Lexmark S600 Series\ezprint.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Jeff\Desktop\RSIT.exe
C:\Program Files\trend micro\Jeff.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Lexmark Printable Web - {D2C5E510-BE6D-42CC-9F61-E4F939078474} - C:\Program Files\Lexmark Printable Web\bho.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
O4 - HKLM\..\Run: [lxedmon.exe] "C:\Program Files\Lexmark S600 Series\lxedmon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark S600 Series\ezprint.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 1884176078
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: lxedCATSCustConnectService - Lexmark International, Inc. - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxedserv.exe
O23 - Service: lxed_device - - C:\WINDOWS\system32\lxedcoms.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 5746 bytes

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
Adobe PDF Reader Link Helper - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [2006-12-18 59032]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1017A80C-6F09-4548-A84D-EDD6AC9525F0}]
Lexmark Toolbar - C:\Program Files\Lexmark Toolbar\toolband.dll [2009-05-06 372736]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}]
Groove GFS Browser Helper - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll [2009-02-12 2217848]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9030D464-4C02-4ABF-8ECC-5164760863C6}]
Windows Live Sign-in Helper - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2009-02-17 408440]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D2C5E510-BE6D-42CC-9F61-E4F939078474}]
Lexmark Printable Web - C:\Program Files\Lexmark Printable Web\bho.dll [2008-05-22 180224]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java(tm) Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2011-02-09 41760]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
JQSIEStartDetectorImpl Class - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2011-02-09 79648]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{1017A80C-6F09-4548-A84D-EDD6AC9525F0} - Lexmark Toolbar - C:\Program Files\Lexmark Toolbar\toolband.dll [2009-05-06 372736]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"=C:\WINDOWS\system32\NvCpl.dll [2007-10-04 8491008]
"nwiz"=nwiz.exe /install []
"RTHDCPL"=C:\WINDOWS\RTHDCPL.EXE [2007-11-20 16858112]
"GrooveMonitor"=C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe [2008-10-25 31072]
"avast5"=C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe [2011-01-13 3396624]
"lxedmon.exe"=C:\Program Files\Lexmark S600 Series\lxedmon.exe [2010-05-17 770728]
"EzPrint"=C:\Program Files\Lexmark S600 Series\ezprint.exe [2010-05-17 148280]
"SunJavaUpdateSched"=C:\Program Files\Common Files\Java\Java Update\jusched.exe [2010-10-29 249064]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2008-09-05 241704]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{B5A7F190-DDA6-4420-B3BA-52453494E6CD}"=C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll [2009-02-12 2217848]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\{1a3e09be-1e45-494b-9174-d7385b45bbf5}]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=323
"NoResolveTrack"=1
"NoThumbnailCache"=1
"link"=0x00000000
"NoDriveAutoRun"=67108863
"NoDrives"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=1
"NoResolveTrack"=1
"NoDriveAutoRun"=67108863
"NoDriveTypeAutoRun"=323
"NoDrives"=0

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Messenger\msmsgs.exe"="C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\Program Files\Windows Live\Messenger\wlcsdk.exe"="C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call"
"C:\Program Files\Eidos Interactive\CM4\cm4.exe"="C:\Program Files\Eidos Interactive\CM4\cm4.exe:*:Disabled:cm4"
"C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE"="C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"
"C:\Program Files\Microsoft Office\Office12\GROOVE.EXE"="C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:*:Enabled:Microsoft Office Groove"
"C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE"="C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote"
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\Program Files\Skype\Plugin Manager\skypePM.exe"="C:\Program Files\Skype\Plugin Manager\skypePM.exe:*:Enabled:Skype Extras Manager"
"C:\Program Files\Skype\Phone\Skype.exe"="C:\Program Files\Skype\Phone\Skype.exe:*:Enabled:Skype"
"C:\WINDOWS\system32\lxedcoms.exe"="C:\WINDOWS\system32\lxedcoms.exe:*:Enabled:Lexmark Communications System"
"C:\Program Files\Abbyy FineReader 6.0 Sprint\Scan\ScanMan6.exe"="C:\Program Files\Abbyy FineReader 6.0 Sprint\Scan\ScanMan6.exe:*:Enabled:ABBYY FineReader"
"C:\Program Files\Mozilla Firefox\firefox.exe"="C:\Program Files\Mozilla Firefox\firefox.exe:*:Enabled:Mozilla Firefox"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Windows Live\Messenger\wlcsdk.exe"="C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call"
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\Program Files\Pando Networks\Media Booster\PMB.exe"="C:\Program Files\Pando Networks\Media Booster\PMB.exe:*:Enabled:Pando Media Booster"

======List of files/folders created in the last 1 months======

2011-03-12 20:33:24 ----SHD---- C:\RECYCLER
2011-03-12 02:20:27 ----A---- C:\ComboFix.txt
2011-03-12 02:13:30 ----A---- C:\Boot.bak
2011-03-12 02:13:25 ----RASHD---- C:\cmdcons
2011-03-12 01:46:41 ----A---- C:\WINDOWS\zip.exe
2011-03-12 01:46:41 ----A---- C:\WINDOWS\SWXCACLS.exe
2011-03-12 01:46:41 ----A---- C:\WINDOWS\SWSC.exe
2011-03-12 01:46:41 ----A---- C:\WINDOWS\SWREG.exe
2011-03-12 01:46:41 ----A---- C:\WINDOWS\sed.exe
2011-03-12 01:46:41 ----A---- C:\WINDOWS\PEV.exe
2011-03-12 01:46:41 ----A---- C:\WINDOWS\NIRCMD.exe
2011-03-12 01:46:41 ----A---- C:\WINDOWS\MBR.exe
2011-03-12 01:46:41 ----A---- C:\WINDOWS\grep.exe
2011-03-12 01:45:49 ----D---- C:\Qoobox
2011-03-11 01:22:09 ----D---- C:\rsit
2011-03-11 00:57:21 ----D---- C:\Documents and Settings\Jeff\Application Data\Malwarebytes
2011-03-11 00:57:09 ----A---- C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2011-03-11 00:57:08 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2011-03-11 00:57:05 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2011-03-11 00:57:05 ----A---- C:\WINDOWS\system32\drivers\mbam.sys
2011-03-10 12:30:03 ----D---- C:\_OTM
2011-03-10 12:21:51 ----D---- C:\WINDOWS\ERDNT
2011-03-10 12:19:46 ----D---- C:\Program Files\ERUNT
2011-03-08 23:56:25 ----D---- C:\Program Files\Trend Micro
2011-03-01 18:40:34 ----D---- C:\Program Files\Common Files\Java
2011-03-01 18:40:03 ----A---- C:\WINDOWS\system32\javaws.exe
2011-03-01 18:40:03 ----A---- C:\WINDOWS\system32\javaw.exe
2011-03-01 18:40:03 ----A---- C:\WINDOWS\system32\java.exe
2011-03-01 18:39:17 ----D---- C:\Documents and Settings\All Users\Application Data\McAfee
2011-03-01 17:51:33 ----D---- C:\Program Files\Mozilla Firefox3
2011-02-20 18:39:45 ----A---- C:\WINDOWS\system32\lxedvs.dll
2011-02-20 18:39:42 ----A---- C:\WINDOWS\system32\lxedcoin.dll
2011-02-20 18:39:35 ----A---- C:\WINDOWS\system32\lxk_gf.dll
2011-02-20 18:39:35 ----A---- C:\WINDOWS\system32\lxedgcfg.dll
2011-02-20 18:39:34 ----A---- C:\WINDOWS\system32\lxedcuir.dll
2011-02-20 18:39:33 ----A---- C:\WINDOWS\system32\lxedcui.dll
2011-02-20 18:39:20 ----A---- C:\WINDOWS\system32\wiafbdrv.dll
2011-02-20 18:39:19 ----A---- C:\WINDOWS\system32\drivers\usbscan.sys
2011-02-20 18:38:36 ----D---- C:\Program Files\Abbyy FineReader 6.0 Sprint
2011-02-20 18:38:20 ----D---- C:\Program Files\Lexmark Tools for Office
2011-02-20 18:38:07 ----A---- C:\WINDOWS\system32\LXEDwupd.exe
2011-02-20 18:38:07 ----A---- C:\WINDOWS\system32\LXEDwupd.dll
2011-02-20 18:37:18 ----D---- C:\Program Files\Lexmark Toolbar
2011-02-20 18:37:13 ----D---- C:\Program Files\Lexmark Fax Solutions
2011-02-20 18:37:10 ----D---- C:\Program Files\Lexmark Printable Web
2011-02-20 18:36:50 ----AH---- C:\WINDOWS\system32\lxedrwrd.ini
2011-02-20 18:36:49 ----D---- C:\Program Files\Lexmark
2011-02-20 18:36:49 ----A---- C:\WINDOWS\system32\NativeCall.dll
2011-02-20 18:36:36 ----A---- C:\WINDOWS\system32\LXEDinst.dll
2011-02-20 18:36:36 ----A---- C:\WINDOWS\system32\LXEDhcp.dll
2011-02-20 18:36:35 ----A---- C:\WINDOWS\system32\lxedusb1.dll
2011-02-20 18:36:35 ----A---- C:\WINDOWS\system32\lxedserv.dll
2011-02-20 18:36:35 ----A---- C:\WINDOWS\system32\lxedpmui.dll
2011-02-20 18:36:35 ----A---- C:\WINDOWS\system32\lxedinpa.dll
2011-02-20 18:36:35 ----A---- C:\WINDOWS\system32\lxediesc.dll
2011-02-20 18:36:34 ----A---- C:\WINDOWS\system32\lxedlmpm.dll
2011-02-20 18:36:34 ----A---- C:\WINDOWS\system32\lxedjswr.dll
2011-02-20 18:36:34 ----A---- C:\WINDOWS\system32\lxedinsr.dll
2011-02-20 18:36:34 ----A---- C:\WINDOWS\system32\lxedinsb.dll
2011-02-20 18:36:33 ----A---- C:\WINDOWS\system32\lxedins.dll
2011-02-20 18:36:33 ----A---- C:\WINDOWS\system32\lxedih.exe
2011-02-20 18:36:33 ----A---- C:\WINDOWS\system32\lxedhbn3.dll
2011-02-20 18:36:33 ----A---- C:\WINDOWS\system32\lxedgrd.dll
2011-02-20 18:36:33 ----A---- C:\WINDOWS\system32\lxedcub.dll
2011-02-20 18:36:32 ----A---- C:\WINDOWS\system32\lxedcur.dll
2011-02-20 18:36:32 ----A---- C:\WINDOWS\system32\lxedcu.dll
2011-02-20 18:36:32 ----A---- C:\WINDOWS\system32\lxedcoms.exe
2011-02-20 18:36:32 ----A---- C:\WINDOWS\system32\lxedcomm.dll
2011-02-20 18:36:32 ----A---- C:\WINDOWS\system32\lxedcomc.dll
2011-02-20 18:36:32 ----A---- C:\WINDOWS\system32\lxedcfg.exe
2011-02-20 18:36:31 ----A---- C:\WINDOWS\system32\LXEDcfg.dll
2011-02-20 18:33:47 ----D---- C:\Program Files\Lexmark S600 Series
2011-02-20 18:33:47 ----A---- C:\WINDOWS\system32\LXEDsmr.dll
2011-02-20 18:33:46 ----A---- C:\WINDOWS\system32\LXEDsm.dll

======List of files/folders modified in the last 1 months======

2011-03-12 20:53:23 ----D---- C:\WINDOWS\Prefetch
2011-03-12 20:52:53 ----D---- C:\WINDOWS\Temp
2011-03-12 20:38:14 ----D---- C:\Program Files\Common Files\Akamai
2011-03-12 20:37:11 ----D---- C:\Program Files\Microsoft Silverlight
2011-03-12 20:33:36 ----A---- C:\WINDOWS\SchedLgU.Txt
2011-03-12 09:11:01 ----SHD---- C:\WINDOWS\Installer
2011-03-12 02:34:00 ----D---- C:\WINDOWS\system32\CatRoot2
2011-03-12 02:19:47 ----SD---- C:\WINDOWS\Tasks
2011-03-12 02:18:52 ----D---- C:\WINDOWS
2011-03-12 02:18:52 ----A---- C:\WINDOWS\system.ini
2011-03-12 02:18:42 ----D---- C:\WINDOWS\system32\drivers\etc
2011-03-12 02:16:46 ----D---- C:\WINDOWS\system32\drivers
2011-03-12 02:16:46 ----D---- C:\WINDOWS\system32
2011-03-12 02:16:46 ----D---- C:\WINDOWS\AppPatch
2011-03-12 02:16:42 ----D---- C:\Program Files\Common Files
2011-03-12 02:13:30 ----RASH---- C:\boot.ini
2011-03-11 01:16:33 ----HDC---- C:\WINDOWS\$NtUninstallKB953838$
2011-03-11 00:57:05 ----RD---- C:\Program Files
2011-03-10 12:32:43 ----SHD---- C:\System Volume Information
2011-03-10 12:32:43 ----D---- C:\WINDOWS\system32\Restore
2011-03-10 01:33:58 ----A---- C:\WINDOWS\system32\MRT.exe
2011-03-10 01:33:53 ----D---- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2011-03-08 23:56:25 ----SD---- C:\Documents and Settings\Jeff\Application Data\Microsoft
2011-03-05 01:33:40 ----D---- C:\Program Files\Mozilla Firefox
2011-03-04 23:11:32 ----A---- C:\WINDOWS\NeroDigital.ini
2011-03-01 18:39:59 ----D---- C:\Program Files\Java
2011-02-20 19:17:24 ----HD---- C:\WINDOWS\inf
2011-02-20 18:39:30 ----RSHD---- C:\WINDOWS\system32\dllcache
2011-02-20 18:39:25 ----D---- C:\WINDOWS\twain_32
2011-02-13 15:22:59 ----D---- C:\Documents and Settings\Jeff\Application Data\Skype
2011-02-13 14:08:35 ----D---- C:\Documents and Settings\Jeff\Application Data\skypePM

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R0 agp440;Intel AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\agp440.sys [2004-08-03 42368]
R0 amdagp;AMD AGP Bus Filter Driver; C:\WINDOWS\system32\DRIVERS\amdagp.sys [2004-08-03 43008]
R0 PxHelp20;PxHelp20; C:\WINDOWS\System32\Drivers\PxHelp20.sys [2009-09-25 43528]
R0 sisagp;SIS AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\sisagp.sys [2004-08-03 41088]
R0 viaagp;VIA AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\viaagp.sys [2004-08-03 42240]
R1 Aavmker4;avast! Asynchronous Virus Monitor; C:\WINDOWS\system32\drivers\Aavmker4.sys [2011-01-13 29392]
R1 aswRdr;aswRdr; C:\WINDOWS\system32\drivers\aswRdr.sys [2011-01-13 23632]
R1 aswSP;aswSP; C:\WINDOWS\system32\drivers\aswSP.sys [2011-01-13 294608]
R1 aswTdi;avast! Network Shield Support; C:\WINDOWS\system32\drivers\aswTdi.sys [2011-01-13 47440]
R1 InCDPass;InCDPass; C:\WINDOWS\System32\DRIVERS\InCDPass.sys [2004-02-27 27440]
R1 incdrm;InCD EasyWrite Reader; C:\WINDOWS\system32\drivers\incdrm.sys [2003-12-30 28080]
R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2004-08-04 36096]
R1 kbdhid;Keyboard HID Driver; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2004-08-03 14848]
R2 aswFsBlk;aswFsBlk; C:\WINDOWS\system32\drivers\aswFsBlk.sys [2011-01-13 17744]
R2 aswMon2;avast! Standard Shield Support; C:\WINDOWS\system32\drivers\aswMon2.sys [2011-01-13 100176]
R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2005-01-07 138752]
R3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2001-08-17 9600]
R3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); C:\WINDOWS\system32\drivers\RtkHDAud.sys [2007-11-20 4627456]
R3 LVPr2Mon;LVPr2Mon Driver; C:\WINDOWS\system32\Drivers\LVPr2Mon.sys [2008-12-16 25624]
R3 LVRS;Logitech RightSound Filter Driver; C:\WINDOWS\system32\DRIVERS\lvrs.sys [2008-12-17 768024]
R3 LVUSBSta;Logitech USB Monitor Filter; C:\WINDOWS\system32\drivers\LVUSBSta.sys [2008-12-17 41752]
R3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-08-17 12160]
R3 nv;nv; C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2007-10-04 6854464]
R3 NVENETFD;NVIDIA nForce Networking Controller Driver; C:\WINDOWS\system32\DRIVERS\NVENETFD.sys [2007-09-20 53632]
R3 nvnetbus;NVIDIA Network Bus Enumerator; C:\WINDOWS\system32\DRIVERS\nvnetbus.sys [2007-09-20 22016]
R3 pepifilter;Volume Adapter; C:\WINDOWS\system32\DRIVERS\lv302af.sys [2008-12-17 13848]
R3 PID_PEPI;Logitech QuickCam IM(PID_PEPI); C:\WINDOWS\system32\DRIVERS\LV302V32.SYS [2008-12-17 2686104]
R3 usbaudio;USB Audio Driver (WDM); C:\WINDOWS\system32\drivers\usbaudio.sys [2004-08-03 59264]
R3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2004-08-03 31616]
R4 InCDfs;InCD File System; C:\WINDOWS\system32\drivers\InCDfs.sys [2004-02-27 94320]
S0 adpu320;adpu320; C:\WINDOWS\system32\DRIVERS\adpu320.sys [2004-02-17 132608]
S1 P3;Intel PentiumIII Processor Driver; C:\WINDOWS\system32\DRIVERS\p3.sys [2004-08-04 42496]
S3 catchme;catchme; \??\C:\DOCUME~1\Jeff\LOCALS~1\Temp\catchme.sys []
S3 CCDECODE;Closed Caption Decoder; C:\WINDOWS\system32\DRIVERS\CCDECODE.sys [2004-08-03 17024]
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\WINDOWS\system32\drivers\MSTEE.sys [2004-08-03 5504]
S3 NABTSFEC;NABTS/FEC VBI Codec; C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys [2004-08-03 85376]
S3 NdisIP;Microsoft TV/Video Connection; C:\WINDOWS\system32\DRIVERS\NdisIP.sys [2004-08-03 10880]
S3 SLIP;BDA Slip De-Framer; C:\WINDOWS\system32\DRIVERS\SLIP.sys [2004-08-03 11136]
S3 streamip;BDA IPSink; C:\WINDOWS\system32\DRIVERS\StreamIP.sys [2004-08-03 15360]
S3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2004-08-03 25856]
S3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2004-08-03 15104]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-03 26496]
S3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2004-08-04 20480]
S3 WSTCODEC;World Standard Teletext Codec; C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS [2004-08-03 19328]
S3 WudfPf;Windows Driver Foundation - User-mode Driver Framework Platform Driver; C:\WINDOWS\system32\DRIVERS\WudfPf.sys [2006-09-28 77568]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]
S4 agpCPQ;Compaq AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\agpCPQ.sys [2004-08-03 44928]
S4 alim1541;ALI AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\alim1541.sys [2004-08-03 42752]
S4 cbidf;cbidf; C:\WINDOWS\system32\DRIVERS\cbidf2k.sys [2001-08-17 13952]
S4 iaStor;Intel RAID Controller; C:\WINDOWS\system32\DRIVERS\iaStor.sys [2007-07-12 305176]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 Akamai;Akamai NetSession Interface; C:\WINDOWS\System32\svchost.exe [2004-08-04 14336]
R2 avast! Antivirus;avast! Antivirus; C:\Program Files\Alwil Software\Avast5\AvastSvc.exe [2011-01-13 40384]
R2 InCDsrv;InCD Helper; C:\Program Files\Ahead\InCD\InCDsrv.exe [2004-02-27 847984]
R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2011-02-02 153376]
R2 LVPrcSrv;Process Monitor; C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe [2008-12-16 150040]
R2 lxed_device;lxed_device; C:\WINDOWS\system32\lxedcoms.exe [2010-04-14 598696]
R2 NVSvc;NVIDIA Display Driver Service; C:\WINDOWS\system32\nvsvc32.exe [2007-10-04 155716]
S2 lxedCATSCustConnectService;lxedCATSCustConnectService; C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxedserv.exe [2010-04-14 193192]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2008-07-25 34312]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2008-07-25 69632]
S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0; c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe [2008-07-29 46104]
S3 idsvc;Windows CardSpace; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [2008-07-29 881664]
S3 Microsoft Office Groove Audit Service;Microsoft Office Groove Audit Service; C:\Program Files\Microsoft Office\Office12\GrooveAuditService.exe [2008-10-25 65888]
S3 odserv;Microsoft Office Diagnostics Service; C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE [2008-11-04 441712]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2006-10-26 145184]
S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]
S3 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2004-08-04 14336]
S4 NetTcpPortSharing;Net.Tcp Port Sharing Service; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe [2008-07-29 132096]

-----------------EOF-----------------
jefftallica
Regular Member
 
Posts: 19
Joined: March 8th, 2011, 8:39 pm

Re: Hijacked hosts file

Unread postby Cypher » March 13th, 2011, 6:42 am

Hi jefftallica.
Your logs look good now but we need to run another scan to check for leftovers.
You have an outdated version of Adobe Reader, so let's update that too.

Update Adobe Reader

  • You should download and install the newest version of Adobe Reader for reading PDF files.
  • Older versions may have vulnerabilities that malware can use to infect your system.
  • Go Here to download and install Adobe Reader X (10.0.1).
  • Note: remember to Uncheck Free McAfee® Security Scan Plus (optional)

Next.

Please download ATF Cleaner to your desktop.

  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.
If you use Firefox browser
  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

Next.

Disable Avast
  • Right click on the avast! icon in system tray (looks like this: Image) and choose (Avast shield control)
  • Choose disable permanently.
  • Note: Don't forget to re-enable it after the below scan.

Next.

ESET online scanner

Note: You can use either Internet Explorer or Mozilla FireFox for this scan.

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

  • Hold down Control then click on the following link to open a new window to ESET online scanner
  • Then click on: Image
    Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install.
    All of the below instructions are compatible with either Internet Explorer or Mozilla FireFox.
  • Select the option YES, I accept the Terms of Use then click on: Image
  • When prompted allow the Add-On/Active X to install.
  • Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Now click on: Image
  • The virus signature database... will begin to download. Be patient; this may take some time depending on the speed of your Internet connection.
  • When completed the Online Scan will begin automatically.
  • Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
  • When completed select Uninstall application on close if you so wish, make sure you copy the logfile first!
  • Now click on: Image
  • Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
  • Copy and paste that log as a reply to this topic.


Logs/Information to Post in your Next Reply

  • ESET log.
  • Please give me an update on how your computer is performing.
Cypher
Admin/Teacher
 
Posts: 14959
Joined: October 29th, 2008, 12:49 pm
Location: Land Of The Leprechauns

Re: Hijacked hosts file

Unread postby jefftallica » March 13th, 2011, 2:24 pm

Next log. Having trouble with browser after installing Adobe Reader. Some parts function normally and others do not load up fully.

ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6425
# api_version=3.0.2
# EOSSerial=0d5b55a4a5093143b4cf45801b5ae25d
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2011-03-13 04:06:46
# local_time=2011-03-13 04:06:46 (+0000, GMT Standard Time)
# country="United Kingdom"
# lang=1033
# osver=5.1.2600 NT Service Pack 2
# compatibility_mode=512 16777215 100 0 68216 68216 0 0
# compatibility_mode=768 16777215 100 0 17385304 17385304 0 0
# compatibility_mode=8192 67108863 100 0 4729 4729 0 0
# scanned=74575
# found=8
# cleaned=0
# scan_time=4580
C:\Documents and Settings\Jeff\Desktop\xhd\Store&Save\Software\MSN Messenger\msimg32.dll Win32/Toolbar.MyWebSearch application (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\Jeff\Desktop\xhd\Store&Save\Software\Nero 7 Premium Reloaded 7.10.1.0_eng (+keygen)\Keygen.exe Win32/Keygen.AJ application (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\Jeff\Desktop\xhd\Store&Save\Software\Nero 7.5.9.0A Complete Package & Keygen\Nero-7.5.9.0A_eng.exe Win32/Toolbar.AskSBar application (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\Jeff\My Documents\Downloads\registryeasy_lite.exe a variant of Win32/Adware.RegistryEasy application (unable to clean) 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\e6474a\782.mof.vir Win32/RogueAV.A trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{96B3C7FC-998C-4A30-BBC6-0A87EC69C48F}\RP2\A0000386.mof Win32/RogueAV.A trojan (unable to clean) 00000000000000000000000000000000 I
C:\WINDOWS\system32\drivers\etc\hosts.new Win32/Qhost trojan (unable to clean) 00000000000000000000000000000000 I
C:\_OTM\MovedFiles\03102011_123003\C_WINDOWS\system32\drivers\etc\hosts Win32/Qhost trojan (unable to clean) 00000000000000000000000000000000 I
jefftallica
Regular Member
 
Posts: 19
Joined: March 8th, 2011, 8:39 pm
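Reading a log like the one above by hand means separating hits that are still live on the disk from ones already sitting in a cleanup tool's quarantine folder or a System Restore point. The following Python parser is an added example, not part of this thread or of ESET's tools; the sample log is constructed from the lines posted above, and the quarantine prefixes are assumptions about common cleanup-tool folders.

```python
"""Parse an ESET Online Scanner log and separate live detections from files
already quarantined or stored in a restore point.  Added example, not from
this thread or ESET; the inert-location prefixes below are assumptions."""
import re
from collections import namedtuple

# Constructed sample: header and finding lines copied from the log in this thread.
SAMPLE_LOG = r"""ESETSmartInstaller@High as downloader log:
all ok
# remove_checked=false
# found=8
# cleaned=0
C:\Documents and Settings\Jeff\Desktop\xhd\Store&Save\Software\MSN Messenger\msimg32.dll Win32/Toolbar.MyWebSearch application (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\Jeff\Desktop\xhd\Store&Save\Software\Nero 7 Premium Reloaded 7.10.1.0_eng (+keygen)\Keygen.exe Win32/Keygen.AJ application (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\Jeff\Desktop\xhd\Store&Save\Software\Nero 7.5.9.0A Complete Package & Keygen\Nero-7.5.9.0A_eng.exe Win32/Toolbar.AskSBar application (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\Jeff\My Documents\Downloads\registryeasy_lite.exe a variant of Win32/Adware.RegistryEasy application (unable to clean) 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\e6474a\782.mof.vir Win32/RogueAV.A trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{96B3C7FC-998C-4A30-BBC6-0A87EC69C48F}\RP2\A0000386.mof Win32/RogueAV.A trojan (unable to clean) 00000000000000000000000000000000 I
C:\WINDOWS\system32\drivers\etc\hosts.new Win32/Qhost trojan (unable to clean) 00000000000000000000000000000000 I
C:\_OTM\MovedFiles\03102011_123003\C_WINDOWS\system32\drivers\etc\hosts Win32/Qhost trojan (unable to clean) 00000000000000000000000000000000 I
"""

# Assumed locations where a hit is no longer live: cleanup-tool quarantine
# folders (ComboFix's C:\Qoobox, OTM's C:\_OTM) and System Restore points.
INERT_PREFIXES = {"quarantine": (r"c:\qoobox\quarantine", r"c:\_otm\movedfiles"),
                  "restore_point": (r"c:\system volume information",)}

# <path> <detection name> <kind> (<action>) <32-hex hash> <flag>; the path may contain
# spaces and parentheses, so the fixed-format trailing fields anchor the match.
FINDING_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?)\s+(?P<name>(?:a variant of )?\S+)\s+(?P<kind>\S+)"
                        r"\s+\((?P<action>[^)]*)\)\s+(?P<hash>[0-9a-fA-F]{32})\s+(?P<flag>\S+)$")

Finding = namedtuple("Finding", "path name kind action location")

def classify(path):
    """Return 'live', 'quarantine' or 'restore_point' for a detected path."""
    low = path.lower()
    for location, prefixes in INERT_PREFIXES.items():
        if low.startswith(prefixes):
            return location
    return "live"

def parse_eset_log(text):
    """Split the log into its '# key=value' header and a list of Finding records."""
    header, findings = {}, []
    for line in text.splitlines():
        if line.startswith("# ") and "=" in line:
            key, _, value = line[2:].partition("=")
            header[key] = value
        elif (m := FINDING_RE.match(line)):
            findings.append(Finding(m["path"], m["name"], m["kind"], m["action"], classify(m["path"])))
    return header, findings

def summarize(text):
    """Cross-check the declared 'found' count and list what still needs attention."""
    header, findings = parse_eset_log(text)
    return {"declared_found": int(header.get("found", 0)), "parsed": len(findings),
            "live": [f.path for f in findings if f.location == "live"],
            "hosts_hits": [f.path for f in findings if f.name.startswith("Win32/Qhost")]}
```

Running `summarize(SAMPLE_LOG)` on the posted log reports five live hits, of which only `hosts.new` relates to the hosts-file hijack; the other Qhost hit is a copy OTM already moved out of place.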

Re: Hijacked hosts file

Unread postby Cypher » March 13th, 2011, 2:28 pm

Hi.

Run CKScanner

  • Please download CKScanner from Here
  • Important: - Save it to your desktop.
  • Double-click CKScanner.exe and click Search For Files.
  • After a very short time, when the cursor hourglass disappears, click Save List To File.
  • A message box will verify the file saved.
  • Double-click the CKFiles.txt icon on your desktop and copy/paste the contents in your next reply.
Cypher
Admin/Teacher
 
Posts: 14959
Joined: October 29th, 2008, 12:49 pm
Location: Land Of The Leprechauns

Re: Hijacked hosts file

Unread postby jefftallica » March 13th, 2011, 2:36 pm

CKScanner - Additional Security Risks - These are not necessarily bad
c:\documents and settings\jeff\desktop\xhd\store&save\software\apollo divx to dvd creator v3.5.0\crack\arn.nfo
c:\documents and settings\jeff\desktop\xhd\store&save\software\easy.cd.and.dvd.cover.creator.v4.05.cracked-induct\easy.cd.and.dvd.cover.creator.v4.05.cracked-induct.rar
c:\documents and settings\jeff\desktop\xhd\store&save\software\easy.cd.and.dvd.cover.creator.v4.05.cracked-induct\easy.cd.and.dvd.cover.creator.v4.05.cracked-induct\ezcdsetup.exe
c:\documents and settings\jeff\desktop\xhd\store&save\software\easy.cd.and.dvd.cover.creator.v4.05.cracked-induct\easy.cd.and.dvd.cover.creator.v4.05.cracked-induct\induct.nfo
c:\documents and settings\jeff\desktop\xhd\store&save\software\easy.cd.and.dvd.cover.creator.v4.05.cracked-induct\easy.cd.and.dvd.cover.creator.v4.05.cracked-induct\crack\easy cd cover creator.exe
c:\documents and settings\jeff\desktop\xhd\store&save\software\nero 7 premium reloaded 7.10.1.0_eng (+keygen)\keygen.exe
c:\documents and settings\jeff\desktop\xhd\store&save\software\nero 7 premium reloaded 7.10.1.0_eng (+keygen)\nero-7.10.1.0_eng_trial_wch.exe
c:\documents and settings\jeff\desktop\xhd\store&save\software\nero 7 premium reloaded 7.10.1.0_eng (+keygen)\nero-7.10.1.0_eng_trial_wch.exe.part
c:\documents and settings\jeff\desktop\xhd\store&save\software\nero 7 premium reloaded 7.10.1.0_eng (+keygen)\torrent downloaded from demonoid.com.txt
c:\documents and settings\jeff\desktop\xhd\store&save\software\nero 7.5.9.0a complete package & keygen\installation.txt
c:\documents and settings\jeff\desktop\xhd\store&save\software\nero 7.5.9.0a complete package & keygen\nero 7.5.9.0a ultra keygen.zip
c:\documents and settings\jeff\desktop\xhd\store&save\software\nero 7.5.9.0a complete package & keygen\nero ultra 7.5.9.0a (k).exe
c:\documents and settings\jeff\desktop\xhd\store&save\software\nero 7.5.9.0a complete package & keygen\nero-7.5.9.0a_eng.exe
c:\documents and settings\jeff\desktop\xhd\store&save\software\nero 7.5.9.0a complete package & keygen\nerosdk-1.08.zip
c:\documents and settings\jeff\desktop\xhd\store&save\software\nero 7.5.9.0a complete package & keygen\nerosipps-2.1.6.27.exe
c:\documents and settings\jeff\desktop\xhd\store&save\software\nero 7.5.9.0a complete package & keygen\nero_photoshow_express_4_us_row.exe
c:\documents and settings\jeff\desktop\xhd\store&save\software\nero 7.5.9.0a complete package & keygen\nv4content.exe
c:\program files\ahead\nero photoshow\data\app\simplestar\data\shared\music\jazz\noonisthecrackofdawn_image.swf
c:\program files\ahead\nero photoshow\data\app\simplestar\data\shared\music\jazz\noon_is_the_crack_of_dawn.swf
scanner sequence 3.HK.11
----- EOF -----
jefftallica
Regular Member
 
Posts: 19
Joined: March 8th, 2011, 8:39 pm

Re: Hijacked hosts file

Unread postby Cypher » March 13th, 2011, 2:39 pm

Hi.

Cracked/Keygen related software detected!!!

While going through your logs I found out that you have downloaded various keygen/cracked software and that you are actively using it.
Our forum policy Here says we will not help people who use cracked or pirated software.
You likely got infected by using cracked software or visiting crack sites.
Hence, I would like you to remove all the crack/keygen applications that are present on your system, then run CKScanner again and post the new log.

NOTE: If you give me advice that the software/Keygens have been removed & I find it has not (the tools we use can & will detect it) then I will have no choice but to have this thread closed.
Cypher
Admin/Teacher
 
Posts: 14959
Joined: October 29th, 2008, 12:49 pm
Location: Land Of The Leprechauns

Re: Hijacked hosts file

Unread postby jefftallica » March 13th, 2011, 2:49 pm

Sorry. Please tell me what is cracked. I see Nero in the list as well as easy cd and apollodivx, I have paid for Nero and so don't know which programs/parts of programs need removing. I will remove all of the software you request. I need to know what has to be removed as I don't wish to accidentally leave anything that should not be there.

Thanks.
jefftallica
Regular Member
 
Posts: 19
Joined: March 8th, 2011, 8:39 pm

Re: Hijacked hosts file

Unread postby Cypher » March 13th, 2011, 3:06 pm

Hi.
I have paid for Nero and so don't know which programs/parts of programs need removing.

The log shows clearly that your version of Nero 7 Premium is cracked, so I would like you to remove it.
c:\documents and settings\jeff\desktop\xhd\store&save\software\nero 7 premium reloaded 7.10.1.0_eng (+keygen)\torrent downloaded from demonoid.com.txt

I also need you to remove easy.cd.and.dvd.cover.creator and apollo divx to dvd creator.
Cypher
Admin/Teacher
 
Posts: 14959
Joined: October 29th, 2008, 12:49 pm
Location: Land Of The Leprechauns

Re: Hijacked hosts file

Unread postby jefftallica » March 13th, 2011, 4:14 pm

I hope that's everything deleted. If I have missed anything please let me know and I will delete it straight away.


CKScanner - Additional Security Risks - These are not necessarily bad
scanner sequence 3.MN.11
----- EOF -----
jefftallica
Regular Member
 
Posts: 19
Joined: March 8th, 2011, 8:39 pm