Posted

Hi, a few weeks ago we found that we were unable to access certain sites, in particular anything related to Google and YouTube, and that the PC had slowed down considerably, especially on startup. I ran a scan using Malwarebytes and it came up empty; it was only after running a scan with Spybot that it found malware under the headings 'microsoft windows redirected hosts' and 'fraud windows protection suite', but it was unable to remove this as it could not access the hosts file. If anyone has any suggestions on how to fix this it would be greatly appreciated, thank you. This is what the hosts file looks like:

 

 

# Copyright © 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host

127.0.0.1 localhost
127.0.0.1 http://www.covenworldwide.org
74.125.45.100 4-open-davinci.com
74.125.45.100 securitysoftwarepayments.com
74.125.45.100 privatesecuredpayments.com
74.125.45.100 secure.privatesecuredpayments.com
74.125.45.100 getantivirusplusnow.com
74.125.45.100 secure-plus-payments.com
74.125.45.100 http://www.getantivirusplusnow.com
74.125.45.100 http://www.secure-plus-payments.com
74.125.45.100 http://www.getavplusnow.com
74.125.45.100 safebrowsing-cache.google.com
74.125.45.100 urs.microsoft.com
74.125.45.100 http://www.securesoftwarebill.com
74.125.45.100 secure.paysecuresystem.com
74.125.45.100 paysoftbillsolution.com
74.125.45.100 protected.maxisoftwaremart.com
64.46.38.209 http://www.google.com
64.46.38.209 google.com
64.46.38.209 google.com.au
64.46.38.209 http://www.google.com.au
64.46.38.209 google.be
64.46.38.209 http://www.google.be
64.46.38.209 google.com.br
64.46.38.209 http://www.google.com.br
64.46.38.209 google.ca
64.46.38.209 http://www.google.ca
64.46.38.209 google.ch
64.46.38.209 http://www.google.ch
64.46.38.209 google.de
64.46.38.209 http://www.google.de
64.46.38.209 google.dk
64.46.38.209 http://www.google.dk
64.46.38.209 google.fr
64.46.38.209 http://www.google.fr
64.46.38.209 google.ie
64.46.38.209 http://www.google.ie
64.46.38.209 google.it
64.46.38.209 http://www.google.it
64.46.38.209 google.co.jp
64.46.38.209 http://www.google.co.jp
64.46.38.209 google.nl
64.46.38.209 http://www.google.nl
64.46.38.209 google.no
64.46.38.209 http://www.google.no
64.46.38.209 google.co.nz
64.46.38.209 http://www.google.co.nz
64.46.38.209 google.pl
64.46.38.209 http://www.google.pl
64.46.38.209 google.se
64.46.38.209 http://www.google.se
64.46.38.209 google.co.uk
64.46.38.209 http://www.google.co.uk
64.46.38.209 google.co.za
64.46.38.209 http://www.google.co.za
64.46.38.209 http://www.google-analytics.com
64.46.38.209 http://www.bing.com
64.46.38.209 search.yahoo.com
64.46.38.209 http://www.search.yahoo.com
64.46.38.209 uk.search.yahoo.com
64.46.38.209 ca.search.yahoo.com
64.46.38.209 de.search.yahoo.com
64.46.38.209 fr.search.yahoo.com
64.46.38.209 au.search.yahoo.com
64.46.38.209 http://www.youtube.com
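As an added example (not code from this thread, from Spybot or from OTL), the following Python script performs the check Spybot reported as "redirected hosts": it parses hosts-file text, flags well-known domains mapped to a non-loopback address, groups hostnames by target IP (many unrelated names pointing at one external address, as in the listing above, is the hijack fingerprint), and can produce a cleaned copy that keeps only comments and the localhost entry. The watch-list and the sample input are constructed for the example.

```python
"""Audit a Windows hosts file for redirect hijacks (added example)."""
import ipaddress
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed watch-list: domains that rogue-AV / search-redirect malware
# commonly hijacks. Extend it for your own environment.
WATCHED_SUFFIXES = (
    "google.com", "google.co.uk", "google.com.au", "google.de",
    "youtube.com", "bing.com", "yahoo.com", "microsoft.com",
    "google-analytics.com",
)


@dataclass(frozen=True)
class Finding:
    line: int
    host: str
    target: str
    reason: str


def parse_hosts(text):
    """Return (line_no, ip, [hostnames]) for each valid mapping line."""
    entries = []
    for no, raw in enumerate(text.splitlines(), 1):
        body = raw.split("#", 1)[0].strip()      # drop trailing comments
        parts = body.split()
        if len(parts) < 2:
            continue                              # blank, comment, malformed
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue                              # first field is not an IP
        # Forum copy/paste turns www.x.com into http://www.x.com (see the
        # listing above); strip a scheme so names still compare correctly.
        names = [re.sub(r"^https?://", "", n.lower()) for n in parts[1:]]
        entries.append((no, ip, names))
    return entries


def is_watched(host):
    return any(host == s or host.endswith("." + s) for s in WATCHED_SUFFIXES)


def audit_hosts(text, cluster_threshold=3):
    """Flag suspect mappings; many hostnames -> one external IP is the
    fingerprint of a redirect hijack rather than a deliberate override."""
    findings, by_target = [], defaultdict(set)
    for no, ip, names in parse_hosts(text):
        for host in names:
            if ip.is_loopback or ip.is_unspecified:
                # Sinkholing is how ad-block hosts lists work, so this is
                # low severity; only plain 'localhost' is silently accepted.
                if host != "localhost":
                    findings.append(Finding(no, host, str(ip), "sinkholed"))
                continue
            by_target[str(ip)].add(host)
            reason = ("watched domain redirected" if is_watched(host)
                      else "external mapping")
            findings.append(Finding(no, host, str(ip), reason))
    clusters = {ip: sorted(hosts) for ip, hosts in by_target.items()
                if len(hosts) >= cluster_threshold}
    return findings, clusters


def clean_hosts(text):
    """Rebuild the file keeping comments, blank lines and localhost only."""
    keep = {no for no, ip, names in parse_hosts(text)
            if ip.is_loopback and names == ["localhost"]}
    out = [raw for no, raw in enumerate(text.splitlines(), 1)
           if no in keep or not raw.split("#", 1)[0].strip()]
    if not keep:                                  # restore the stock entry
        out.append("127.0.0.1 localhost")
    return "\n".join(out) + "\n"


# Constructed sample modelled on the hosts file posted in this thread.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.

127.0.0.1 localhost
0.0.0.0 ads.example.invalid   # constructed ad-block style entry
74.125.45.100 securitysoftwarepayments.com
74.125.45.100 safebrowsing-cache.google.com
64.46.38.209 google.com
64.46.38.209 http://www.google.co.uk
64.46.38.209 search.yahoo.com
64.46.38.209 http://www.youtube.com
"""

if __name__ == "__main__":
    findings, clusters = audit_hosts(SAMPLE_HOSTS)
    for f in findings:
        print(f"line {f.line}: {f.host} -> {f.target} ({f.reason})")
    for ip, hosts in clusters.items():
        print(f"{ip} receives {len(hosts)} hostnames: {', '.join(hosts)}")
    print(clean_hosts(SAMPLE_HOSTS), end="")
```

On a live machine, read C:\WINDOWS\system32\drivers\etc\hosts into `audit_hosts` first and only write the output of `clean_hosts` back after keeping a backup, since a legitimate ad-block list is also reported as "sinkholed".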

Posted

Hi and welcome to ExTS

 

If this is your Hosts file it is little wonder you are having problems.

Chances are there are other underlying problems too.

 

One of our Security Experts should be along soon to advise.

 

If you don't hear from them within 24 hours either send me a PM or simply add a second post to this thread to remind me.

There is an email going around offering processed pork - gelatin - and salt in a can ......this is simply SPAM !!

 

MiniToolBox

Network Test

Wireless Test

  • ExTS Admin
Posted

Hi nightcrawler

 

If anyone has any suggestions on how to fix this it would be greatly appreciated,

Resetting this hosts file is an easy task, but we should look into why this has happened.

Not much use in fixing it if it just gets reverted back.

 

Please follow these steps and we'll get things sorted in no time.

 

Step 1

Please update MBAM and run another scan:

Let's make sure you have the new version.

 

Start MBAM

Click on the Update tab

 

http://img.photobucket.com/albums/v708/starbuck50/new/mbamnew.png

 

Click Check for Updates

 

The latest Database Version is: 7756

 

If it says that MBAM needs to close to update it... let it close and then restart.

Make sure it downloads the latest definitions after installing the new version.

 

Then click the Scan button.

 

Don't forget:

  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

 

 

Step 2

  • Download OTL to your desktop.
    Right click on the link and select 'Save Link/Target As'.
    If you have problems, try this download link: OTL
  • Double click on the icon to run it. Make sure all other windows are closed and let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Check the boxes beside LOP Check and Purity Check.
    http://img.photobucket.com/albums/v708/starbuck50/new/Otllatest.png
  • Now copy the lines in bold below.

    netsvcs
    msconfig
    %SYSTEMDRIVE%\*.*
    %systemroot%\system32\Spool\prtprocs\w32x86\*.dll
    %systemroot%\*. /mp /s
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\system32\drivers\*.sys /lockedfiles
    %systemroot%\system32\*.exe /lockedfiles
    %systemroot%\System32\config\*.sav
    %PROGRAMFILES%\*
    %USERPROFILE%\..|smtmp;true;true;true /FP
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    hklm\software\clients\startmenuinternet|command /rs
    hklm\software\clients\startmenuinternet|command /64 /rs
    CREATERESTOREPOINT

  • Right click in the Custom Scans/Fixes window (under the blue bar) and choose Paste.
    http://img.photobucket.com/albums/v708/starbuck50/new%20forum/scan-fix.png
  • Click the Run Scan button.
    http://img.photobucket.com/albums/v708/starbuck50/runscan.png
  • Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two Notepad windows: OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them with your next reply.

 

 

In your next reply, please submit:

new MBAM report

both reports from OTL

 

 

Thanks.

Member of:

UNITE

Posted

Sorry for the delay, but here are the results of the Malwarebytes scan. Also, as this is the missus' PC, could you tell me what the other software I have to download (OTL) does? Thanks.

Malwarebytes' Anti-Malware 1.51.2.1300

http://www.malwarebytes.org

 

Database version: 7790

 

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

 

24/09/2011 18:58:54

mbam-log-2011-09-24 (18-58-54).txt

 

Scan type: Full scan (C:\|D:\|)

Objects scanned: 220707

Time elapsed: 1 hour(s), 20 minute(s), 11 second(s)

 

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

 

Memory Processes Infected:

(No malicious items detected)

 

Memory Modules Infected:

(No malicious items detected)

 

Registry Keys Infected:

(No malicious items detected)

 

Registry Values Infected:

(No malicious items detected)

 

Registry Data Items Infected:

(No malicious items detected)

 

Folders Infected:

(No malicious items detected)

 

Files Infected:

(No malicious items detected)

  • ExTS Admin
Posted

Hi nightcrawler

 

Thanks for the MBAM report; that shows clear.

 

could you tell me what the other software does that i have to download (OTL) thanks.

Yes of course.

OTL won't remove anything at the scan stage.

But it scans the system and gives us a report that tells us what OS, RAM, hard drives etc. are installed.

It also tells us what files have been added to the system recently and a whole load of other things.

We can then use it to run a fix to delete or reset a lot of registry entries and also reset the Hosts file.

You can look at some of the other threads in the Malware Removal forum to see what OTL does and what it can do.

If you want more detailed info on OTL, take a look here:

http://www.smokey-services.eu/forums/index.php/topic,68251.0.html

Member of:

UNITE

  • 2 weeks later...
Posted
Hi, sorry about the delay. I've been really ill over the last week, so I'm going to take a further look at the info on OTL you gave and then I should be able to get back to you with the scan results.
  • ExTS Admin
Posted
Sorry about the delay, I've been really ill over the last week

That's not a problem.

Hope you are feeling better now.

 

Like I said, resetting the hosts file is very easy and can be done without OTL.

But OTL will maybe tell us why this happened and if it's likely to get set back if we reset it.

Once I have the OTL report I'll have a better idea of what caused this and can use the report to set up a fix for the system.

Member of:

UNITE

Posted
Hi, I am about to run the OTL scan (finally!!) but I can't find the text that you need to copy and paste into OTL before the scan is started. Is this no longer necessary?
Posted

I ran the OTL scan and this is the first report:

 

OTL logfile created on: 13/10/2011 15:43:18 - Run 1

OTL by OldTimer - Version 3.2.29.1 Folder = C:\Documents and Settings\user\My Documents\Downloads

Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation

Internet Explorer (Version = 8.0.6001.18702)

Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

 

511.33 Mb Total Physical Memory | 200.73 Mb Available Physical Memory | 39.26% Memory free

1.64 Gb Paging File | 1.12 Gb Available in Paging File | 68.44% Paging File free

Paging file location(s): C:\pagefile.sys 1200 1536 [binary data]

 

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files

Drive C: | 37.25 Gb Total Space | 22.50 Gb Free Space | 60.39% Space Free | Partition Type: NTFS

 

Computer Name: USER-CC143CCFDF | User Name: user | Logged in as Administrator.

Boot Mode: Normal | Scan Mode: Current user

Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

 

========== Processes (SafeList) ==========

 

PRC - C:\Documents and Settings\user\My Documents\Downloads\OTL (4).exe (OldTimer Tools)

PRC - C:\Documents and Settings\user\Local Settings\Application Data\Google\Chrome\Application\chrome.exe (Google Inc.)

PRC - C:\Program Files\AVG\AVG10\avgtray.exe (AVG Technologies CZ, s.r.o.)

PRC - C:\Program Files\AVG\AVG10\avgnsx.exe (AVG Technologies CZ, s.r.o.)

PRC - C:\Documents and Settings\user\Local Settings\Application Data\Google\Update\1.3.21.69\GoogleCrashHandler.exe (Google Inc.)

PRC - C:\Program Files\AVG\AVG10\avgrsx.exe (AVG Technologies CZ, s.r.o.)

PRC - C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe (AVG Technologies CZ, s.r.o.)

PRC - C:\Program Files\AVG\AVG10\avgchsvx.exe (AVG Technologies CZ, s.r.o.)

PRC - C:\Program Files\AVG\AVG10\avgcsrvx.exe (AVG Technologies CZ, s.r.o.)

PRC - C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSMonitor.exe ()

PRC - C:\Program Files\AVG\AVG10\avgwdsvc.exe (AVG Technologies CZ, s.r.o.)

PRC - C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)

PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)

 

 

========== Modules (No Company Name) ==========

 

MOD - C:\Documents and Settings\user\Local Settings\Application Data\Google\Chrome\Application\14.0.835.202\ppgooglenaclpluginchrome.dll ()

MOD - C:\Documents and Settings\user\Local Settings\Application Data\Google\Chrome\Application\14.0.835.202\pdf.dll ()

MOD - C:\Documents and Settings\user\Local Settings\Application Data\Google\Chrome\Application\14.0.835.202\Locales\en-GB.dll ()

MOD - C:\Documents and Settings\user\Local Settings\Application Data\Google\Chrome\Application\14.0.835.202\avutil-51.dll ()

MOD - C:\Documents and Settings\user\Local Settings\Application Data\Google\Chrome\Application\14.0.835.202\avformat-53.dll ()

MOD - C:\Documents and Settings\user\Local Settings\Application Data\Google\Chrome\Application\14.0.835.202\avcodec-53.dll ()

MOD - C:\Documents and Settings\user\Local Settings\Application Data\Google\Chrome\Application\14.0.835.202\gcswf32.dll ()

MOD - C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSMonitor.exe ()

 

 

========== Win32 Services (SafeList) ==========

 

SRV - (HidServ) -- File not found

SRV - (AVGIDSAgent) -- C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe (AVG Technologies CZ, s.r.o.)

SRV - (AVG Security Toolbar Service) -- C:\Program Files\AVG\AVG10\Toolbar\ToolbarBroker.exe ()

SRV - (avgwd) -- C:\Program Files\AVG\AVG10\avgwdsvc.exe (AVG Technologies CZ, s.r.o.)

 

 

========== Driver Services (SafeList) ==========

 

DRV - (AVGIDSDriver) -- C:\WINDOWS\system32\drivers\AVGIDSDriver.sys (AVG Technologies CZ, s.r.o. )

DRV - (Avgtdix) -- C:\WINDOWS\system32\drivers\avgtdix.sys (AVG Technologies CZ, s.r.o.)

DRV - (Avgrkx86) -- C:\WINDOWS\system32\DRIVERS\avgrkx86.sys (AVG Technologies CZ, s.r.o.)

DRV - (Avgmfx86) -- C:\WINDOWS\system32\drivers\avgmfx86.sys (AVG Technologies CZ, s.r.o.)

DRV - (AVGIDSEH) -- C:\WINDOWS\system32\DRIVERS\AVGIDSEH.Sys (AVG Technologies CZ, s.r.o. )

DRV - (AVGIDSShim) -- C:\WINDOWS\system32\drivers\AVGIDSShim.sys (AVG Technologies CZ, s.r.o. )

DRV - (AVGIDSFilter) -- C:\WINDOWS\system32\drivers\AVGIDSFilter.sys (AVG Technologies CZ, s.r.o. )

DRV - (Avgldx86) -- C:\WINDOWS\system32\drivers\avgldx86.sys (AVG Technologies CZ, s.r.o.)

DRV - (STAC97) Audio Driver (WDM) -- C:\WINDOWS\system32\drivers\stac97.sys (SigmaTel, Inc.)

DRV - (BCMModem) -- C:\WINDOWS\system32\drivers\BCMSM.sys (Broadcom Corporation)

DRV - (ati2mtag) -- C:\WINDOWS\system32\drivers\ati2mtag.sys (ATI Technologies Inc.)

DRV - (bcm4sbxp) -- C:\WINDOWS\system32\drivers\bcm4sbxp.sys (Broadcom Corporation)

 

 

========== Standard Registry (SafeList) ==========

 

 

========== Internet Explorer ==========

 

 

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://uk.yahoo.com/

IE - HKCU\..\URLSearchHook: - No CLSID value found

IE - HKCU\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG10\Toolbar\IEToolbar.dll ()

IE - HKCU\..\URLSearchHook: {ada2ac0d-15c6-4611-ba5d-5b0a8b52fd6d} - C:\Program Files\Nectar Search Toolbar\Helper.dll ()

IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:25569

 

========== FireFox ==========

 

FF - prefs.js..browser.startup.homepage: "http://uk.yahoo.com/"

FF - prefs.js..extensions.enabledItems: {3f963a5b-e555-4543-90e2-c3908898db71}:10.0.0.1178

FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0

FF - prefs.js..network.proxy.http: "127.0.0.1"

FF - prefs.js..network.proxy.http_port: 25569

FF - prefs.js..network.proxy.type: 0

 

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()

FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)

FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\4.0.60831.0\npctrl.dll ( Microsoft Corporation)

FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)

FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.69\npGoogleUpdate3.dll (Google Inc.)

FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.69\npGoogleUpdate3.dll (Google Inc.)

FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)

FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Documents and Settings\user\Local Settings\Application Data\Google\Update\1.3.21.69\npGoogleUpdate3.dll (Google Inc.)

FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Documents and Settings\user\Local Settings\Application Data\Google\Update\1.3.21.69\npGoogleUpdate3.dll (Google Inc.)

 

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\extensions\\avg@igeared: C:\Program Files\AVG\AVG10\Toolbar\Firefox\avg@igeared [2011/05/12 17:59:58 | 000,000,000 | ---D | M]

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\extensions\\{1E73965B-8B48-48be-9C8D-68B920ABC1C4}: C:\Program Files\AVG\AVG10\Firefox4\ [2011/09/15 14:04:46 | 000,000,000 | ---D | M]

FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 6.0.2\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/09/09 22:45:54 | 000,000,000 | ---D | M]

FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 6.0.2\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/08/27 13:14:47 | 000,000,000 | ---D | M]

 

[2011/02/19 01:40:57 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\user\Application Data\Mozilla\Extensions

[2011/02/21 14:10:22 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\55mhbkg5.default\extensions

[2011/02/19 01:46:26 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\55mhbkg5.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}

[2011/08/27 13:14:46 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions

[2011/03/02 21:49:41 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}

[2011/08/27 13:00:03 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}

[2011/08/27 12:51:40 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}(2)

[2010/05/11 23:41:46 | 000,000,000 | ---D | M] (Java Quick Starter) -- C:\PROGRAM FILES\JAVA\JRE6\LIB\DEPLOY\JQS\FF

[2011/09/03 07:18:14 | 000,134,104 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll

[2011/05/04 04:52:23 | 000,476,904 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npdeployJava1.dll

[2011/09/03 01:25:08 | 000,001,538 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazon-en-GB.xml

[2011/09/03 01:13:56 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml

[2011/09/03 01:25:08 | 000,000,947 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\chambers-en-GB.xml

[2011/09/03 01:25:08 | 000,001,180 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay-en-GB.xml

[2011/09/03 01:25:08 | 000,001,135 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo-en-GB.xml

 

========== Chrome ==========

 

CHR - default_search_provider: Yahoo! UK & Ireland (Enabled)

CHR - default_search_provider: search_url = http://uk.search.yahoo.com/search?ei={inputEncoding}&fr=crmas&p={searchTerms}

CHR - default_search_provider: suggest_url = http://uk-sayt.ff.search.yahoo.com/gossip-uk-sayt?output=fxjson&command={searchTerms}

CHR - plugin: Shockwave Flash (Enabled) = C:\Documents and Settings\user\Local Settings\Application Data\Google\Chrome\Application\14.0.835.202\gcswf32.dll

CHR - plugin: Shockwave Flash (Enabled) = C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll

CHR - plugin: Java Deployment Toolkit 6.0.260.3 (Enabled) = C:\Program Files\Java\jre6\bin\new_plugin\npdeployJava1.dll

CHR - plugin: Java Platform SE 6 U26 (Enabled) = C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll

CHR - plugin: Adobe Acrobat (Disabled) = C:\Program Files\Adobe\Reader 9.0\Reader\Browser\nppdf32.dll

CHR - plugin: Silverlight Plug-In (Enabled) = c:\Program Files\Microsoft Silverlight\4.0.60531.0\npctrl.dll

CHR - plugin: Windows Media Player Plug-in Dynamic Link Library (Enabled) = C:\Program Files\Windows Media Player\npdsplay.dll

CHR - plugin: Remoting Viewer (Enabled) = internal-remoting-viewer

CHR - plugin: Native Client (Enabled) = C:\Documents and Settings\user\Local Settings\Application Data\Google\Chrome\Application\14.0.835.202\ppGoogleNaClPluginChrome.dll

CHR - plugin: Chrome PDF Viewer (Enabled) = C:\Documents and Settings\user\Local Settings\Application Data\Google\Chrome\Application\14.0.835.202\pdf.dll

CHR - plugin: AVG Internet Security (Enabled) = C:\Documents and Settings\user\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\jmfkcklnlgedgbglfkkgedjfmejoahla\10.0.0.1409_0\plugins/avgnpss.dll

CHR - plugin: Microsoft\u00AE DRM (Enabled) = C:\Program Files\Windows Media Player\npdrmv2.dll

CHR - plugin: Microsoft\u00AE DRM (Enabled) = C:\Program Files\Windows Media Player\npwmsdrm.dll

CHR - plugin: Google Update (Enabled) = C:\Documents and Settings\user\Local Settings\Application Data\Google\Update\1.3.21.69\npGoogleUpdate3.dll

CHR - plugin: Windows Presentation Foundation (Enabled) = c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll

CHR - plugin: Default Plug-in (Enabled) = default_plugin

CHR - Extension: AVG Safe Search = C:\Documents and Settings\user\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\jmfkcklnlgedgbglfkkgedjfmejoahla\10.0.0.1409_0\

 

O1 HOSTS File: ([2010/11/23 19:04:33 | 000,002,775 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts

O1 - Hosts: 127.0.0.1 localhost

O1 - Hosts: 127.0.0.1 http://www.covenworldwide.org

O1 - Hosts: 74.125.45.100 4-open-davinci.com

O1 - Hosts: 74.125.45.100 securitysoftwarepayments.com

O1 - Hosts: 74.125.45.100 privatesecuredpayments.com

O1 - Hosts: 74.125.45.100 secure.privatesecuredpayments.com

O1 - Hosts: 74.125.45.100 getantivirusplusnow.com

O1 - Hosts: 74.125.45.100 secure-plus-payments.com

O1 - Hosts: 74.125.45.100 http://www.getantivirusplusnow.com

O1 - Hosts: 74.125.45.100 http://www.secure-plus-payments.com

O1 - Hosts: 74.125.45.100 http://www.getavplusnow.com

O1 - Hosts: 74.125.45.100 safebrowsing-cache.google.com

O1 - Hosts: 74.125.45.100 urs.microsoft.com

O1 - Hosts: 74.125.45.100 http://www.securesoftwarebill.com

O1 - Hosts: 74.125.45.100 secure.paysecuresystem.com

O1 - Hosts: 74.125.45.100 paysoftbillsolution.com

O1 - Hosts: 74.125.45.100 protected.maxisoftwaremart.com

O1 - Hosts: 64.46.38.209 http://www.google.com

O1 - Hosts: 64.46.38.209 google.com

O1 - Hosts: 64.46.38.209 google.com.au

O1 - Hosts: 64.46.38.209 http://www.google.com.au

O1 - Hosts: 64.46.38.209 google.be

O1 - Hosts: 64.46.38.209 http://www.google.be

O1 - Hosts: 64.46.38.209 google.com.br

O1 - Hosts: 64.46.38.209 http://www.google.com.br

O1 - Hosts: 40 more lines...

O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG10\avgssie.dll (AVG Technologies CZ, s.r.o.)

O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)

O2 - BHO: (AVG Security Toolbar BHO) - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG10\Toolbar\IEToolbar.dll ()

O2 - BHO: (Nectar Search Toolbar BHO) - {B7C2F0D8-2209-4693-A15D-5A537211D48B} - C:\Program Files\Nectar Search Toolbar\Toolbar.dll ()

O3 - HKLM\..\Toolbar: (Nectar Search Toolbar) - {8020143D-5926-4394-A04D-DD0B649DA121} - C:\Program Files\Nectar Search Toolbar\Toolbar.dll ()

O3 - HKLM\..\Toolbar: (AVG Security Toolbar) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG10\Toolbar\IEToolbar.dll ()

O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.

O3 - HKCU\..\Toolbar\WebBrowser: (Nectar Search Toolbar) - {8020143D-5926-4394-A04D-DD0B649DA121} - C:\Program Files\Nectar Search Toolbar\Toolbar.dll ()

O3 - HKCU\..\Toolbar\WebBrowser: (AVG Security Toolbar) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG10\Toolbar\IEToolbar.dll ()

O4 - HKLM..\Run: [ATIModeChange] C:\WINDOWS\System32\Ati2mdxx.exe (ATI Technologies, Inc.)

O4 - HKLM..\Run: [AVG_TRAY] C:\Program Files\AVG\AVG10\avgtray.exe (AVG Technologies CZ, s.r.o.)

O4 - HKCU..\Run: [DriverUpdaterPro] C:\Program Files\XPC Tools\Driver Updater Pro\DriverUpdaterPro.exe -t File not found

O4 - HKCU..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1

O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: DisallowRun = 1

O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html File not found

O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)

O15 - HKCU\..Trusted Domains: crowdstar.com ([www] http in Trusted sites)

O15 - HKCU\..Trusted Domains: facebook.com ([apps] http in Trusted sites)

O15 - HKCU\..Trusted Domains: facebook.com ([www] * in Trusted sites)

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1214857502447 (WUWebControl Class)

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1215197312243 (MUWebControl Class)

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 1.6.0_26)

O16 - DPF: {A3256902-51FA-45A0-8A97-FC1143C169D9} http://support.microsoft.com/mats/DiagWebControl.cab (Diagnostics ActiveX WebControl)

O16 - DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 1.6.0_26)

O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 1.6.0_26)

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab (Shockwave Flash Object)

O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 194.168.4.100 194.168.8.100

O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{251DAF15-1F55-4ED9-924C-8DC5C85EC56D}: DhcpNameServer = 194.168.4.100 194.168.8.100

O18 - Protocol\Handler\avgsecuritytoolbar {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - C:\Program Files\AVG\AVG10\Toolbar\IEToolbar.dll ()

O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG10\avgpp.dll (AVG Technologies CZ, s.r.o.)

O20 - HKLM Winlogon: Shell - (Explorer.exe) -C:\WINDOWS\explorer.exe (Microsoft Corporation)

O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) -C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)

O24 - Desktop WallPaper: C:\Documents and Settings\user\Application Data\Microsoft\Internet Explorer\Internet Explorer Wallpaper.bmp

O24 - Desktop BackupWallPaper: C:\Documents and Settings\user\Application Data\Microsoft\Internet Explorer\Internet Explorer Wallpaper.bmp

O32 - HKLM CDRom: AutoRun - 1

O32 - AutoRun File - [2008/06/30 13:17:09 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]

O34 - HKLM BootExecute: (autocheck autochk *)

O34 - HKLM BootExecute: (C:\PROGRA~1\AVG\AVG10\avgchsvx.exe /sync)

O34 - HKLM BootExecute: (C:\PROGRA~1\AVG\AVG10\avgrsx.exe /sync /restart)

O35 - HKLM\..comfile [open] -- "%1" %*

O35 - HKLM\..exefile [open] -- "%1" %*

O37 - HKLM\...com [@ = comfile] -- "%1" %*

O37 - HKLM\...exe [@ = exefile] -- "%1" %*

 

========== Files/Folders - Created Within 30 Days ==========

 

[2011/09/29 13:19:04 | 000,000,000 | ---D | C] -- C:\9fdb6c76333d07d3234827f4962d3695

[9 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

 

========== Files - Modified Within 30 Days ==========

 

[2011/10/13 15:40:02 | 000,000,974 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-854245398-2111687655-1060284298-1003UA.job

[2011/10/13 15:36:01 | 000,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job

[2011/10/13 14:46:43 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl

[2011/10/13 14:44:32 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job

[2011/10/13 14:44:30 | 000,000,236 | ---- | M] () -- C:\WINDOWS\tasks\OGALogon.job

[2011/10/13 14:44:14 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat

[2011/10/13 14:37:17 | 000,466,512 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat

[2011/10/13 14:37:17 | 000,081,536 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat

[2011/10/13 14:27:52 | 000,001,393 | ---- | M] () -- C:\WINDOWS\imsins.BAK

[2011/10/12 16:30:56 | 134,726,287 | ---- | M] () -- C:\WINDOWS\System32\drivers\AVG\incavi.avm

[2011/10/12 01:40:03 | 000,000,922 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-854245398-2111687655-1060284298-1003Core.job

[2011/10/11 18:58:40 | 000,237,312 | ---- | M] () -- C:\WINDOWS\System32\drivers\AVG\iavichjg.avm

[2011/10/08 16:24:39 | 000,002,255 | ---- | M] () -- C:\Documents and Settings\user\Application Data\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk

[2011/10/08 16:24:36 | 000,002,277 | ---- | M] () -- C:\Documents and Settings\user\Desktop\Google Chrome.lnk

[2011/10/03 09:35:11 | 005,971,456 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mshtml.dll

[2011/09/26 11:41:20 | 000,611,328 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\uiautomationcore.dll

[2011/09/26 11:41:20 | 000,220,160 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\oleacc.dll

[2011/09/26 11:41:14 | 000,020,480 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\oleaccrc.dll

[2011/09/26 11:41:14 | 000,020,480 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\oleaccrc.dll

[2011/09/24 17:37:20 | 000,000,784 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk

[2011/09/22 15:26:21 | 000,006,144 | ---- | M] () -- C:\Documents and Settings\user\My Documents\dummy tma a200.wps

[2011/09/16 12:22:56 | 000,001,729 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader 9.lnk

[2011/09/15 14:04:59 | 000,000,690 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\AVG 2011.lnk

[9 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

 

========== Files Created - No Company Name ==========

 

[2011/10/04 17:13:10 | 000,015,461 | ---- | C] () -- C:\Documents and Settings\user\My Documents\edinburgh2t.jpg

[2011/09/22 15:26:20 | 000,006,144 | ---- | C] () -- C:\Documents and Settings\user\My Documents\dummy tma a200.wps

[2010/10/20 17:06:12 | 000,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat

[2009/08/03 15:07:42 | 000,403,816 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.dll

[2009/08/03 15:07:42 | 000,230,768 | ---- | C] () -- C:\WINDOWS\System32\OGAEXEC.exe

[2008/12/30 16:31:57 | 000,003,484 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat

[2008/11/20 23:01:00 | 000,000,552 | ---- | C] () -- C:\WINDOWS\System32\d3d8caps.dat

[2008/07/04 19:43:02 | 000,000,010 | ---- | C] () -- C:\WINDOWS\WININIT.INI

[2008/06/30 22:23:09 | 000,323,584 | ---- | C] () -- C:\WINDOWS\System32\ati2evxx.exe

[2008/06/30 22:23:09 | 000,086,016 | ---- | C] () -- C:\WINDOWS\System32\ati2evxx.dll

[2008/06/30 20:15:48 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI

[2008/06/30 13:20:57 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat

[2008/06/30 13:13:05 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat

[2008/06/29 16:24:45 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI

[2008/06/29 16:23:15 | 000,201,736 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT

[2006/02/28 13:00:00 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin

[2006/02/28 13:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat

[2006/02/28 13:00:00 | 000,466,512 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat

[2006/02/28 13:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat

[2006/02/28 13:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat

[2006/02/28 13:00:00 | 000,081,536 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat

[2006/02/28 13:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin

[2006/02/28 13:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat

[2006/02/28 13:00:00 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat

[2006/02/28 13:00:00 | 000,004,463 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat

[2006/02/28 13:00:00 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin

[2006/02/28 13:00:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat

[2003/01/07 15:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI

 

========== LOP Check ==========

 

[2010/11/23 13:45:06 | 000,000,000 | -HSD | M] -- C:\Documents and Settings\All Users\Application Data\1ef34b

[2010/12/23 23:36:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AVG Security Toolbar

[2011/08/27 12:56:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AVG10

[2010/12/13 01:26:24 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\Common Files

[2010/11/23 13:36:56 | 000,000,000 | -HSD | M] -- C:\Documents and Settings\All Users\Application Data\ISCOVRS

[2011/04/14 19:25:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\MFAData

[2010/02/02 16:17:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\WinZip

[2010/12/13 01:29:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\user\Application Data\AVG10

[2010/06/25 15:34:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\user\Application Data\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1

[2009/12/29 14:57:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\user\Application Data\ElevatedDiagnostics

[2010/08/05 13:57:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\user\Application Data\FCTB000061465

[2010/11/23 13:45:02 | 000,000,000 | -HSD | M] -- C:\Documents and Settings\user\Application Data\Internet Security Suite

[2008/08/14 15:21:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\user\Application Data\Template

[2011/10/13 14:44:30 | 000,000,236 | ---- | M] () -- C:\WINDOWS\Tasks\OGALogon.job

 

========== Purity Check ==========

 

 

 

 

< End of report >

Posted

Here is the second report.

 

OTL Extras logfile created on: 13/10/2011 15:43:18 - Run 1

OTL by OldTimer - Version 3.2.29.1 Folder = C:\Documents and Settings\user\My Documents\Downloads

Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation

Internet Explorer (Version = 8.0.6001.18702)

Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

 

511.33 Mb Total Physical Memory | 200.73 Mb Available Physical Memory | 39.26% Memory free

1.64 Gb Paging File | 1.12 Gb Available in Paging File | 68.44% Paging File free

Paging file location(s): C:\pagefile.sys 1200 1536 [binary data]

 

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files

Drive C: | 37.25 Gb Total Space | 22.50 Gb Free Space | 60.39% Space Free | Partition Type: NTFS

 

Computer Name: USER-CC143CCFDF | User Name: user | Logged in as Administrator.

Boot Mode: Normal | Scan Mode: Current user

Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

 

========== Extra Registry (SafeList) ==========

 

 

========== File Associations ==========

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*

 

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]

.html [@ = ChromeHTML] -- Reg Error: Key error. File not found

 

========== Shell Spawning ==========

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]

batfile [open] -- "%1" %*

cmdfile [open] -- "%1" %*

comfile [open] -- "%1" %*

cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*

exefile [open] -- "%1" %*

piffile [open] -- "%1" %*

regfile [merge] -- Reg Error: Key error.

scrfile [config] -- "%1"

scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l

scrfile [open] -- "%1" /S

txtfile [edit] -- Reg Error: Key error.

Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1

Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)

Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)

Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

 

========== Security Center Settings ==========

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]

"FirstRunDisabled" = 1

"AntiVirusDisableNotify" = 0

"FirewallDisableNotify" = 0

"UpdatesDisableNotify" = 0

"AntiVirusOverride" = 0

"FirewallOverride" = 0

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

 

========== System Restore Settings ==========

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]

"DisableSR" = 0

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]

"Start" = 0

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]

"Start" = 2

 

========== Firewall Settings ==========

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]

"EnableFirewall" = 1

"DoNotAllowExceptions" = 0

 

========== Authorized Applications List ==========

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]

"C:\Program Files\AVG\AVG10\avgdiagex.exe" = C:\Program Files\AVG\AVG10\avgdiagex.exe:*:Enabled:AVG Diagnostics 2011 -- (AVG Technologies CZ, s.r.o.)

"C:\Program Files\AVG\AVG10\avgnsx.exe" = C:\Program Files\AVG\AVG10\avgnsx.exe:*:Enabled:Online Shield -- (AVG Technologies CZ, s.r.o.)

"C:\Program Files\AVG\AVG10\avgemcx.exe" = C:\Program Files\AVG\AVG10\avgemcx.exe:*:Enabled:Personal E-mail Scanner -- (AVG Technologies CZ, s.r.o.)

 

 

========== HKEY_LOCAL_MACHINE Uninstall List ==========

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

"{0BEDBD4E-2D34-47B5-9973-57E62B29307C}" = ATI Control Panel

"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148

"{26A24AE4-039D-4CA4-87B4-2F83216020FF}" = Java 6 Update 26

"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP

"{4192EAC0-6B36-4723-B216-D0E86E7757AC}" = Jasc Paint Shop Photo Album 5

"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater

"{52504CE6-E909-4113-B232-4AFEC6543A61}" = B44Inst

"{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable

"{727DAFCB-E3AF-46E3-8A38-EB9C3EAA0A88}" = AVG 2011

"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable

"{764D06D8-D8DE-411E-A1C8-D9E9380F8A84}" = Microsoft Works 7.0

"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053

"{86CE85E6-DBAC-3FFD-B977-E4B79F83C909}" = Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570

"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight

"{90110409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003

"{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161

"{9E0EC833-C05C-4385-9AE2-AA26A89B098B}" = AVG 2011

"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2

"{A462213D-EED4-42C2-9A60-7BDD4D4B0B17}" = C-Major Audio

"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper

"{AC76BA86-7AD7-1033-7B44-A94000000001}" = Adobe Reader 9.4.6

"{B194272D-1F92-46DF-99EB-8D5CE91CB4EC}" = Adobe AIR

"{B2544A03-10D0-4E5E-BA69-0362FFC20D18}" = OGA Notifier 2.0.0048.0

"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy

"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2

"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1

"{E7C97E98-4C2D-BEAF-5D2F-CC45A2F95D90}" = Acrobat.com

"Adobe AIR" = Adobe AIR

"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX

"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin

"All ATI Software" = ATI - Software Uninstall Utility

"ATI Display Driver" = ATI Display Driver

"AVG" = AVG 2011

"BCM V.92 56K Modem" = BCM V.92 56K Modem

"com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Acrobat.com

"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs

"ie8" = Windows Internet Explorer 8

"InstallShield_{52504CE6-E909-4113-B232-4AFEC6543A61}" = Broadcom 440x Driver Installer

"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware version 1.51.2.1300

"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1

"Mozilla Firefox 6.0.2 (x86 en-GB)" = Mozilla Firefox 6.0.2 (x86 en-GB)

"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP

"Nectar Search Toolbar" = Nectar Search Toolbar

"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs

"Windows Media Format Runtime" = Windows Media Format 11 runtime

"Windows Media Player" = Windows Media Player 11

"Windows XP Service Pack" = Windows XP Service Pack 3

"WMFDist11" = Windows Media Format 11 runtime

"wmp11" = Windows Media Player 11

"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0

 

========== HKEY_CURRENT_USER Uninstall List ==========

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

"309a46b1dc89b774" = Dell Driver Download Manager

"Google Chrome" = Google Chrome

 

========== Last 10 Event Log Errors ==========

 

[ Application Events ]

Error - 22/09/2011 08:08:00 | Computer Name = USER-CC143CCFDF | Source = crypt32 | ID = 131080

Description = Failed auto update retrieval of third-party root list sequence number

from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>

with error: The specified server cannot perform the requested operation.

 

Error - 22/09/2011 08:08:01 | Computer Name = USER-CC143CCFDF | Source = crypt32 | ID = 131080

Description = Failed auto update retrieval of third-party root list sequence number

from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>

with error: The specified server cannot perform the requested operation.

 

Error - 22/09/2011 08:08:01 | Computer Name = USER-CC143CCFDF | Source = crypt32 | ID = 131080

Description = Failed auto update retrieval of third-party root list sequence number

from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>

with error: The specified server cannot perform the requested operation.

 

Error - 29/09/2011 08:18:07 | Computer Name = USER-CC143CCFDF | Source = crypt32 | ID = 131080

Description = Failed auto update retrieval of third-party root list sequence number

from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>

with error: This operation returned because the timeout period expired.

 

Error - 06/10/2011 07:26:03 | Computer Name = USER-CC143CCFDF | Source = crypt32 | ID = 131080

Description = Failed auto update retrieval of third-party root list sequence number

from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>

with error: This operation returned because the timeout period expired.

 

Error - 06/10/2011 07:26:05 | Computer Name = USER-CC143CCFDF | Source = crypt32 | ID = 131080

Description = Failed auto update retrieval of third-party root list sequence number

from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>

with error: The specified server cannot perform the requested operation.

 

Error - 06/10/2011 07:26:27 | Computer Name = USER-CC143CCFDF | Source = crypt32 | ID = 131080

Description = Failed auto update retrieval of third-party root list sequence number

from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>

with error: The specified server cannot perform the requested operation.

 

Error - 06/10/2011 07:26:27 | Computer Name = USER-CC143CCFDF | Source = crypt32 | ID = 131080

Description = Failed auto update retrieval of third-party root list sequence number

from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>

with error: The specified server cannot perform the requested operation.

 

Error - 06/10/2011 07:27:30 | Computer Name = USER-CC143CCFDF | Source = crypt32 | ID = 131080

Description = Failed auto update retrieval of third-party root list sequence number

from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>

with error: This network connection does not exist.

 

Error - 06/10/2011 07:27:30 | Computer Name = USER-CC143CCFDF | Source = crypt32 | ID = 131080

Description = Failed auto update retrieval of third-party root list sequence number

from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>

with error: This network connection does not exist.

 

[ System Events ]

Error - 07/10/2011 17:47:35 | Computer Name = USER-CC143CCFDF | Source = Service Control Manager | ID = 7026

Description = The following boot-start or system-start driver(s) failed to load:

SASDIFSV SASKUTIL

 

Error - 08/10/2011 10:07:34 | Computer Name = USER-CC143CCFDF | Source = Service Control Manager | ID = 7026

Description = The following boot-start or system-start driver(s) failed to load:

SASDIFSV SASKUTIL

 

Error - 09/10/2011 09:28:09 | Computer Name = USER-CC143CCFDF | Source = Service Control Manager | ID = 7026

Description = The following boot-start or system-start driver(s) failed to load:

SASDIFSV SASKUTIL

 

Error - 10/10/2011 08:18:25 | Computer Name = USER-CC143CCFDF | Source = Service Control Manager | ID = 7026

Description = The following boot-start or system-start driver(s) failed to load:

SASDIFSV SASKUTIL

 

Error - 11/10/2011 10:13:00 | Computer Name = USER-CC143CCFDF | Source = Service Control Manager | ID = 7026

Description = The following boot-start or system-start driver(s) failed to load:

SASDIFSV SASKUTIL

 

Error - 12/10/2011 11:03:12 | Computer Name = USER-CC143CCFDF | Source = Service Control Manager | ID = 7026

Description = The following boot-start or system-start driver(s) failed to load:

SASDIFSV SASKUTIL

 

Error - 12/10/2011 13:16:52 | Computer Name = USER-CC143CCFDF | Source = Service Control Manager | ID = 7026

Description = The following boot-start or system-start driver(s) failed to load:

SASDIFSV SASKUTIL

 

Error - 13/10/2011 04:30:57 | Computer Name = USER-CC143CCFDF | Source = Service Control Manager | ID = 7026

Description = The following boot-start or system-start driver(s) failed to load:

SASDIFSV SASKUTIL

 

Error - 13/10/2011 09:09:44 | Computer Name = USER-CC143CCFDF | Source = Service Control Manager | ID = 7026

Description = The following boot-start or system-start driver(s) failed to load:

SASDIFSV SASKUTIL

 

Error - 13/10/2011 09:45:51 | Computer Name = USER-CC143CCFDF | Source = Service Control Manager | ID = 7026

Description = The following boot-start or system-start driver(s) failed to load:

SASDIFSV SASKUTIL

 

 

< End of report >

  • ExTS Admin
Posted

Hi nightcrawler,

 

I've removed some duplicate posts from this thread.

 

But I can't find the text that you need to copy and paste into OTL before the scan is started; is this no longer necessary?

I know the board software was upgraded a few days ago; maybe some things have gotten deleted in the changeover.

It was there when I originally posted, but as you say it's now missing.

The extra scans would have given us more info, but I can see what we needed to know from the report you posted.

 

Also, OTL just opened up the scan page when I clicked Run Program without appearing to download it to my desktop; is this normal as well?

If you clicked Run from the download page instead of Download, then this would have happened.

 

It seems the cause of the malware problem was a rogue AV program; we'll remove the leftovers.

I've also included the Nectar Search Toolbar in the list for this reason:

 

Nectar Search Toolbar - a Softomate/Besttoolbars Toolbar variant - Softomate customizes toolbars to customers' needs. The dll files for their toolbars can contain some spyware/adware functionality, although not all of the toolbars use this.

I added it to the fix to be on the safe side.

 

Step 1

Please disable Spybot S&D’s TeaTimer protection, because it is known to interfere with our fixes.

  • Open Spybot and click on 'Mode' then click 'Advanced Mode'.
  • Click on 'Tools' in bottom left hand corner.
  • Click on the 'System Startup' icon.
    Uncheck 'Teatimer' box and/or uncheck 'Resident'.
  • Then, check next to the computer clock to see if the icon for Spybot is still there.
    If it is, right click it and choose 'exit Spybot-S&D Resident'.

 

Reboot the computer.

 

It can be re-enabled once we are finished.

 

 

Step 2

Double click on OTL to run it.

Copy the lines in the codebox below (make sure that :otl is on the first line).

:otl
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:25569
FF - prefs.js..network.proxy.http: "127.0.0.1"
FF - prefs.js..network.proxy.http_port: 25569
O3 - HKLM\..\Toolbar: (Nectar Search Toolbar) - {8020143D-5926-4394-A04D-DD0B649DA121} - C:\Program Files\Nectar Search Toolbar\Toolbar.dll ()
O3 - HKCU\..\Toolbar\WebBrowser: (Nectar Search Toolbar) - {8020143D-5926-4394-A04D-DD0B649DA121} - C:\Program Files\Nectar Search Toolbar\Toolbar.dll ()
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O4 - HKCU..\Run: [DriverUpdaterPro] C:\Program Files\XPC Tools\Driver Updater Pro\DriverUpdaterPro.exe -t File not found
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html File not found
O15 - HKCU\..Trusted Domains: crowdstar.com ([www] http in Trusted sites)
O15 - HKCU\..Trusted Domains: facebook.com ([apps] http in Trusted sites)
O15 - HKCU\..Trusted Domains: facebook.com ([www] * in Trusted sites)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
[2010/11/23 13:45:02 | 000,000,000 | -HSD | M] -- C:\Documents and Settings\user\Application Data\Internet Security Suite
[2010/11/23 13:45:06 | 000,000,000 | -HSD | M] -- C:\Documents and Settings\All Users\Application Data\1ef34b
[2010/11/23 13:36:56 | 000,000,000 | -HSD | M] -- C:\Documents and Settings\All Users\Application Data\ISCOVRS

:Files
ipconfig /flushdns /c

:commands
[emptytemp]
[purity]
[RESETHOSTS]
[EMPTYFLASH]

  • Return to OTL,
  • right click in the Custom Scans/Fixes window (under the blue bar) and choose Paste.
     
    http://img.photobucket.com/albums/v708/starbuck50/new%20forum/scan-fix.png
     
  • Click the red Run Fix button.
     
    http://img.photobucket.com/albums/v708/starbuck50/runfixbutton.png
     
  • OTL will reboot your system once the fix has completed.
  • After the reboot, you may need to double click OTL to launch the program and retrieve the log.

 

Copy and paste the contents of the OTL log that comes up after the fix in your next reply.

 

If you lose the report, there will be a copy here:

C:\_OTL\MovedFiles

 

 

 

Step 3

Let's double check something:

 

  • Download TDSSKiller and save it to your Desktop.
     
  • Doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
  • Vista/Win7 users should right-click and select Run As Administrator.
     
    http://img.photobucket.com/albums/v708/starbuck50/new/tdss1.png
     
  • If an infected file is detected, the default action will be Cure, click on Continue.
     
    http://img.photobucket.com/albums/v708/starbuck50/new/tdss2.png
     
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
     
    http://img.photobucket.com/albums/v708/starbuck50/new/tdss3.png
     
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
     
    http://img.photobucket.com/albums/v708/starbuck50/new/tdss4.png
     
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file in your next reply.
     

 

In your next reply, please submit:

OTL fix report

TDSSKiller report

 

Note:

The OTL fix will reset your hosts file for you.

 

 

Thanks.

Member of:

UNITE
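
As an added illustration of what the fix above undoes (this script is not part of the thread and is not OTL's code), here is a small Python audit that parses a hosts file and classifies each mapping as a sinkhole (a name pointed at loopback), a redirect (a name forced to a routable address) or malformed (a URL where a hostname belongs), and checks an Internet Explorer ProxyServer value for a loopback proxy like the one the fix removes. The hosts path is the standard Windows location; the sample hosts content, the .example names and the function names are constructed for this example.

```python
"""Audit a Windows hosts file and an IE ProxyServer value for redirection.

Added example, not part of the thread or of OTL. The sample hosts text
below is constructed; the only value taken from the thread is the
loopback proxy string used in the usage section.
"""
import ipaddress
import re
from pathlib import Path
from typing import Dict, List, Tuple

HOSTS_PATH = Path(r"C:\WINDOWS\System32\drivers\etc\hosts")  # standard location

# Names that a stock hosts file legitimately maps to loopback.
DEFAULT_LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}
HOSTNAME_RE = re.compile(r"^[a-z0-9][a-z0-9.-]*$")
# ProxyServer values look like "host:port" or "http=host:port;https=host:port".
PROXY_RE = re.compile(r"(?:(?P<scheme>[a-z]+)=)?(?P<host>[^:;\s=]+)(?::(?P<port>\d+))?")

Entry = Tuple[str, str, int]  # (ip, hostname, line number)


def parse_hosts(text: str) -> List[Entry]:
    """Return one (ip, name, line_no) per active mapping, comments stripped."""
    entries: List[Entry] = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            entries.append((ip, name.lower(), line_no))
    return entries


def audit_hosts(text: str) -> Dict[str, List[Entry]]:
    """Classify every mapping.

    sinkhole  - a non-default name pointed at loopback/0.0.0.0 (blocks it,
                e.g. an AV vendor's update host)
    redirect  - a name forced to a routable address, bypassing DNS
    malformed - an unparseable IP, or a URL where a hostname belongs;
                machine-written malware entries often look like this
    """
    findings: Dict[str, List[Entry]] = {"sinkhole": [], "redirect": [], "malformed": []}
    for ip, name, line_no in parse_hosts(text):
        entry = (ip, name, line_no)
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings["malformed"].append(entry)
            continue
        if not HOSTNAME_RE.match(name):
            findings["malformed"].append(entry)
        elif addr.is_loopback or addr.is_unspecified:
            if name not in DEFAULT_LOOPBACK_NAMES:
                findings["sinkhole"].append(entry)
        else:
            findings["redirect"].append(entry)
    return findings


def audit_proxy(proxy_server: str) -> List[str]:
    """Flag ProxyServer entries that point at the local machine.

    A browser proxy on 127.0.0.1 means some local process sits between the
    browser and the network; a real corporate proxy is a remote host.
    """
    issues: List[str] = []
    for item in filter(None, (p.strip() for p in proxy_server.split(";"))):
        m = PROXY_RE.fullmatch(item)
        if m is None:
            issues.append(f"unparseable proxy entry: {item!r}")
            continue
        host = m.group("host")
        try:
            local = ipaddress.ip_address(host).is_loopback
        except ValueError:
            local = host.lower() == "localhost"
        if local:
            scheme = m.group("scheme") or "all"
            issues.append(f"{scheme} traffic proxied through {host}:{m.group('port')}")
    return issues


# Constructed sample; the names use reserved .example labels and TEST-NET-3.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
127.0.0.1       update.av-vendor.example      # sinkhole: AV updates blocked
203.0.113.10    www.search-engine.example     # redirect: search traffic hijacked
203.0.113.10    http://www.payments.example   # malformed: a URL, not a hostname
"""

if __name__ == "__main__":
    text = HOSTS_PATH.read_text(errors="replace") if HOSTS_PATH.exists() else SAMPLE_HOSTS
    for kind, entries in audit_hosts(text).items():
        for ip, name, line_no in entries:
            print(f"{kind:9} line {line_no}: {ip} -> {name}")
    # The proxy string is the one the OTL fix in this thread removes.
    for issue in audit_proxy("http=127.0.0.1:25569"):
        print("proxy    ", issue)
```

Run on the machine itself, the script reads the real hosts file when it exists and falls back to the constructed sample otherwise; the ProxyServer string would normally be read from the registry key named in the OTL fix, but here it is passed in as a literal so the check runs offline.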

Posted

Hi, I tried to run the fix with OTL but it just seemed to freeze straight after starting it. I left it for approximately 25 mins before it came up with "not responding", and at this point the only way I could get out of OTL was to crash the PC completely. I had noticed by the PC clock the Spybot symbol occasionally appear with a padlock over it, and the AVG logo with a yellow exclamation mark over it as well; I'm not sure if that is significant or not.

 

Thanks

  • ExTS Admin
Posted

Hi nightcrawler,

 

Did you disable Spybot as asked?

I had noticed by the PC clock the Spybot symbol occasionally appear with a padlock over it, and the AVG logo with a yellow exclamation mark over it as well; I'm not sure if that is significant or not.

When the fix is run it should disable any running processes (meaning you should lose everything on your desktop), so these items shouldn't appear.

 

Try again and let me know if things are still the same.

Member of:

UNITE
