TechSpot

Google redirect virus help please!

By beauty
Dec 19, 2010
  1. Hi Everyone:

    I have a problem that it looks like others have had. I was tempted to just follow the directions posted for others since my problem is so similar, but I read the warnings and created a new thread instead.

    When I use google, if I click on a link to a result, I get redirected to a random site. For a brief second, I see on the screen that this document has moved. This hasn't happened using bing, just google and it doesn't happen every time I use google.

    I have run Norton, Malwarebytes and Spybot S&D numerous times and they find nothing except for a while Malwarebytes seemed to indicate that there was a problem with a system file but I haven't gotten that message lately. Recently Norton started blocking the redirects saying something about an intruder, but I think whatever I have is some rootkit malware.

    What do I do? Should I post the Malwarebytes, GMER, etc log files?

    Thanks so much for your help!
     
  2. beauty

    beauty TS Rookie Topic Starter Posts: 64

    GMER log

    See below, thanks.
     
  3. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Welcome to TechSpot!
    If you would like us to check the system for malware, please follow the steps in the Preliminary Virus and Malware Removal thread HERE.

When you have finished, leave the logs for review in your next reply.
    NOTE: Logs must be pasted in the replies. Attached logs will not be reviewed.

    Please do not use any other cleaning programs or scans while I'm helping you, unless I direct you to. Do not use a Registry cleaner or make any changes in the Registry.

    Are you by chance seeing this:
[IMG]

    If you are, click on the Stop Notifying Me button!
     
  4. beauty

    beauty TS Rookie Topic Starter Posts: 64

    Thanks for the welcome!

I posted the GMER log and it said an administrator would have to review it so I didn't post the other logs. I guess my GMER log post hasn't been reviewed yet, since I don't see it posted. I am at another computer right now and as soon as I get back to the affected computer I will post the other logs. Do they have to be reviewed by an administrator for some reason?

The Symantec message I received did say something about an intrusion attempt, but I don't think it was the same as the one you posted and it happened right after I clicked a google result link and briefly saw the "This document has moved" message that I usually see when I get redirected. Norton aborted the redirection which I thought was a good thing.

    Oh, and I was incorrect in what I posted before about malwarebytes - it wasn't malwarebytes that ever said I had a problem with a system file, it was another program I downloaded called HitmanPro. HitmanPro said there was a problem with I think Nvmini.sys or it was suspicious, something like that, but it never could solve the problem so I uninstalled HitmanPro.

    Thanks again for all your help! I usually am able to fix these things on my own by reading and following the advice given to others, but this seems like a rootkit and it is a tough little sucker to remove. I think I probably need TDSSKiller.exe but thought I should ask here first.
     
  5. beauty

    beauty TS Rookie Topic Starter Posts: 64

    See below. Thanks.
     
  6. beauty

    beauty TS Rookie Topic Starter Posts: 64

    I just posted all the logs but it said an admin had to review them.
     
  7. beauty

    beauty TS Rookie Topic Starter Posts: 64

    GMER Log

    GMER 1.0.15.15530 - http://www.gmer.net
    Rootkit quick scan 2010-12-19 17:01:49
    Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 Maxtor_6Y120L0 rev.YAR41BW0
    Running: xtzsw781.exe; Driver: C:\DOCUME~1\LOCALS~1\Temp\pxtdqpow.sys


    ---- Devices - GMER 1.0.15 ----

    Device Ntfs.sys (NT File System Driver/Microsoft Corporation)

    AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
    AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
    AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
    AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

    ---- EOF - GMER 1.0.15 ----



    Malwarebytes Log

    Malwarebytes' Anti-Malware 1.50
    www.malwarebytes.org

    Database version: 5353

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    12/19/2010 10:12:37 PM
    mbam-log-2010-12-19 (22-12-36).txt

    Scan type: Full scan (C:\|)
    Objects scanned: 325151
    Time elapsed: 3 hour(s), 41 minute(s), 59 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)



    Attach

    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_10-12-12.02)

    Microsoft Windows XP Home Edition
    Boot Device: \Device\HarddiskVolume1
    Install Date: 1/3/2005 4:48:53 PM
    System Uptime: 12/19/2010 4:54:57 PM (1 hours ago)

    Motherboard: Intel Corporation | | D865GLC
    Processor: Intel(R) Pentium(R) 4 CPU 3.00GHz | J2E1 | 2992/200mhz

    ==== Disk Partitions =========================

    A: is Removable
    C: is FIXED (NTFS) - 114 GiB total, 49.622 GiB free.
    E: is CDROM ()

    ==== Disabled Device Manager Items =============

    ==== System Restore Points ===================

    RP1745: 9/21/2010 12:55:37 PM - System Checkpoint
    RP1746: 9/22/2010 2:07:30 PM - System Checkpoint
    RP1747: 9/23/2010 3:41:20 PM - System Checkpoint
    RP1748: 9/24/2010 4:31:43 PM - System Checkpoint
    RP1749: 9/25/2010 5:55:49 PM - System Checkpoint
    RP1750: 9/26/2010 6:19:43 PM - System Checkpoint
    RP1751: 9/27/2010 7:02:33 PM - System Checkpoint
    RP1752: 9/28/2010 8:40:04 PM - System Checkpoint
    RP1753: 9/29/2010 9:00:24 AM - Software Distribution Service 3.0
    RP1754: 9/30/2010 10:26:32 AM - System Checkpoint
    RP1755: 10/1/2010 10:50:56 AM - System Checkpoint
    RP1756: 10/2/2010 3:05:39 PM - System Checkpoint
    RP1757: 10/3/2010 4:26:32 PM - System Checkpoint
    RP1758: 10/4/2010 4:38:27 PM - System Checkpoint
    RP1759: 10/5/2010 5:02:27 PM - System Checkpoint
    RP1760: 10/6/2010 5:14:27 PM - System Checkpoint
    RP1761: 10/7/2010 5:50:29 PM - System Checkpoint
    RP1762: 10/10/2010 12:44:45 AM - System Checkpoint
    RP1763: 10/11/2010 2:19:43 AM - System Checkpoint
    RP1764: 10/12/2010 2:43:43 AM - System Checkpoint
    RP1765: 10/13/2010 3:40:09 AM - System Checkpoint
    RP1766: 10/13/2010 9:00:29 AM - Software Distribution Service 3.0
    RP1767: 10/14/2010 10:08:09 AM - System Checkpoint
    RP1768: 10/15/2010 10:44:10 AM - System Checkpoint
    RP1769: 10/16/2010 11:44:12 AM - System Checkpoint
    RP1770: 10/17/2010 12:56:12 PM - System Checkpoint
    RP1771: 10/18/2010 1:47:54 PM - System Checkpoint
    RP1772: 10/19/2010 1:59:53 PM - System Checkpoint
    RP1773: 10/20/2010 4:24:25 PM - System Checkpoint
    RP1774: 10/21/2010 5:26:29 PM - System Checkpoint
    RP1775: 10/22/2010 6:14:26 PM - System Checkpoint
    RP1776: 10/23/2010 6:26:27 PM - System Checkpoint
    RP1777: 10/25/2010 12:02:26 AM - System Checkpoint
    RP1778: 10/26/2010 9:01:38 PM - System Checkpoint
    RP1779: 10/27/2010 9:13:27 PM - System Checkpoint
    RP1780: 10/28/2010 10:33:03 PM - System Checkpoint
    RP1781: 10/29/2010 11:29:32 PM - System Checkpoint
    RP1782: 10/31/2010 10:14:54 AM - System Checkpoint
    RP1783: 11/1/2010 11:26:12 AM - System Checkpoint
    RP1784: 11/2/2010 12:14:13 PM - System Checkpoint
    RP1785: 11/3/2010 12:38:21 PM - System Checkpoint
    RP1786: 11/4/2010 1:24:44 PM - System Checkpoint
    RP1787: 11/5/2010 2:51:35 PM - System Checkpoint
    RP1788: 11/6/2010 3:35:41 PM - System Checkpoint
    RP1789: 11/7/2010 4:48:37 PM - System Checkpoint
    RP1790: 11/8/2010 9:00:10 PM - System Checkpoint
    RP1791: 11/9/2010 9:42:25 PM - System Checkpoint
    RP1792: 11/10/2010 2:04:24 PM - Software Distribution Service 3.0
    RP1793: 11/11/2010 4:01:29 PM - System Checkpoint
    RP1794: 11/12/2010 4:36:28 PM - System Checkpoint
    RP1795: 11/13/2010 4:50:24 PM - System Checkpoint
    RP1796: 11/14/2010 5:14:24 PM - System Checkpoint
    RP1797: 11/15/2010 6:26:22 PM - System Checkpoint
    RP1798: 11/16/2010 7:14:24 PM - System Checkpoint
    RP1799: 11/17/2010 8:18:24 PM - Installed Java(TM) 6 Update 22
    RP1800: 11/17/2010 8:21:32 PM - Installed MSN Toolbar Setup
    RP1801: 11/18/2010 11:41:01 PM - System Checkpoint
    RP1802: 11/20/2010 12:16:57 AM - System Checkpoint
    RP1803: 11/21/2010 1:37:13 AM - System Checkpoint
    RP1804: 11/22/2010 2:37:10 AM - System Checkpoint
    RP1805: 11/23/2010 3:38:42 AM - System Checkpoint
    RP1806: 11/24/2010 3:39:42 AM - System Checkpoint
    RP1807: 11/25/2010 5:12:58 AM - System Checkpoint
    RP1808: 11/26/2010 5:24:57 AM - System Checkpoint
    RP1809: 11/27/2010 6:12:56 AM - System Checkpoint
    RP1810: 11/28/2010 7:07:12 AM - System Checkpoint
    RP1811: 11/29/2010 8:07:10 AM - System Checkpoint
    RP1812: 11/30/2010 8:55:10 AM - System Checkpoint
    RP1813: 12/1/2010 5:41:20 PM - System Checkpoint
    RP1814: 12/2/2010 6:04:27 PM - System Checkpoint
    RP1815: 12/3/2010 6:07:55 PM - System Checkpoint
    RP1816: 12/4/2010 7:51:23 PM - System Checkpoint
    RP1817: 12/5/2010 8:42:33 PM - System Checkpoint
    RP1818: 12/6/2010 9:56:56 PM - System Checkpoint
    RP1819: 12/7/2010 11:18:34 PM - System Checkpoint
    RP1820: 12/9/2010 3:01:45 PM - System Checkpoint
    RP1821: 12/10/2010 5:03:11 PM - System Checkpoint
    RP1822: 12/11/2010 5:49:39 PM - System Checkpoint
    RP1823: 12/12/2010 6:01:12 PM - System Checkpoint
    RP1824: 12/13/2010 6:01:38 PM - System Checkpoint
    RP1825: 12/14/2010 7:14:41 PM - System Checkpoint
    RP1826: 12/15/2010 8:01:41 PM - System Checkpoint
    RP1827: 12/16/2010 9:00:28 AM - Software Distribution Service 3.0
    RP1828: 12/17/2010 9:12:38 AM - System Checkpoint
    RP1829: 12/18/2010 9:48:36 AM - System Checkpoint
    RP1830: 12/19/2010 10:00:57 AM - System Checkpoint

    ==== Hosts File Hijack ======================

    Hosts: 127.0.0.1 www.spywareinfo.com
    Hosts: 173.232.149.92 www.google.com
    Hosts: 173.232.149.92 google.com
    Hosts: 173.232.149.92 google.com.au
    Hosts: 173.232.149.92 www.google.com.au
    Hosts: 173.232.149.92 google.be
    Hosts: 173.232.149.92 www.google.be
    Hosts: 173.232.149.92 google.com.br
    Hosts: 173.232.149.92 www.google.com.br
    Hosts: 173.232.149.92 google.ca
    Hosts: 173.232.149.92 www.google.ca
    Hosts: 173.232.149.92 google.ch
    Hosts: 173.232.149.92 www.google.ch
    Hosts: 173.232.149.92 google.de
    Hosts: 173.232.149.92 www.google.de

    ==== Installed Programs ======================

    Adobe Flash Player 10 ActiveX
    Adobe Reader 8.2.5
    Adobe® Photoshop® Album Starter Edition 3.2
    AOL Coach Version 1.0(Build:20030807.3)
    AOL Instant Messenger
    AOL Uninstaller (Choose which Products to Remove)
    Apple Application Support
    Apple Mobile Device Support
    Apple Software Update
    ATX / Kleinrock Tax Products (Remove Only)
    ATX / Kleinrock Tax Products 2006 (Remove Only)
    ATX XML Printer
    Avery DesignPro
    Avery Wizard 3.0
    Bonjour
    ComcastSUPPORT
    Creative Driver
    Critical Update for Windows Media Player 11 (KB959772)
    Download Updater (AOL LLC)
    Draft Analyzer
    Gateway Drivers and Applications Recovery
    GoToMeeting 4.5.0.457
    Hotfix for Windows Internet Explorer 7 (KB947864)
    Hotfix for Windows Media Format 11 SDK (KB929399)
    Hotfix for Windows Media Player 11 (KB939683)
    Hotfix for Windows XP (KB2158563)
    Hotfix for Windows XP (KB2443685)
    Hotfix for Windows XP (KB952287)
    Hotfix for Windows XP (KB970653-v3)
    Hotfix for Windows XP (KB976098-v2)
    Hotfix for Windows XP (KB979306)
    Hotfix for Windows XP (KB981793)
    Intel(R) PRO Network Adapters and Drivers
    Intel(R) PROSet
    iPod for Windows 2006-03-23
    iTunes
    J2SE Runtime Environment 5.0 Update 10
    J2SE Runtime Environment 5.0 Update 7
    J2SE Runtime Environment 5.0 Update 8
    J2SE Runtime Environment 5.0 Update 9
    Java 2 Runtime Environment, SE v1.4.2
    Java Auto Updater
    Java(TM) 6 Update 22
    Learn2 Player (Uninstall Only)
    Lernout & Hauspie TruVoice American English TTS Engine
    LimeWire 4.18.8
    Logitech Desktop Messenger
    Logitech MouseWare 9.79
    Macromedia Shockwave Player
    Malwarebytes' Anti-Malware
    MetaFrame Presentation Server Web Client for Win32
    Microsoft Compression Client Pack 1.0 for Windows XP
    Microsoft Internationalized Domain Names Mitigation APIs
    Microsoft National Language Support Downlevel APIs
    Microsoft Office Small Business Edition 2003
    Microsoft Office Visio Professional 2003
    Microsoft User-Mode Driver Framework Feature Pack 1.0
    Microsoft VC9 runtime libraries
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Windows User State Migration Tool version 2.6
    Microsoft Works
    Microsoft Works 2004 Setup Launcher
    Microsoft Works Suite Add-in for Microsoft Word
    MobileMe Control Panel
    MSN Music Assistant
    MSXML 4.0 SP2 (KB927978)
    MSXML 4.0 SP2 (KB936181)
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    Nero OEM
    Norton Internet Security 2006
    Norton Security Suite
    NVIDIA Windows 2000/XP Display Drivers
    pdfFactory
    Picasa 2
    Picture Package
    QuickTime
    RealPlayer Basic
    RitzPix E-Z Print & Share
    Rummi 6.0.34
    Safari
    Security Update for Windows Internet Explorer 7 (KB938127)
    Security Update for Windows Internet Explorer 7 (KB939653)
    Security Update for Windows Internet Explorer 7 (KB942615)
    Security Update for Windows Internet Explorer 7 (KB944533)
    Security Update for Windows Internet Explorer 7 (KB950759)
    Security Update for Windows Internet Explorer 7 (KB953838)
    Security Update for Windows Internet Explorer 7 (KB956390)
    Security Update for Windows Internet Explorer 7 (KB958215)
    Security Update for Windows Internet Explorer 7 (KB960714)
    Security Update for Windows Internet Explorer 7 (KB961260)
    Security Update for Windows Internet Explorer 7 (KB963027)
    Security Update for Windows Internet Explorer 8 (KB2183461)
    Security Update for Windows Internet Explorer 8 (KB2360131)
    Security Update for Windows Internet Explorer 8 (KB2416400)
    Security Update for Windows Internet Explorer 8 (KB969897)
    Security Update for Windows Internet Explorer 8 (KB971961)
    Security Update for Windows Internet Explorer 8 (KB972260)
    Security Update for Windows Internet Explorer 8 (KB974455)
    Security Update for Windows Internet Explorer 8 (KB976325)
    Security Update for Windows Internet Explorer 8 (KB978207)
    Security Update for Windows Internet Explorer 8 (KB981332)
    Security Update for Windows Internet Explorer 8 (KB982381)
    Security Update for Windows Media Player (KB2378111)
    Security Update for Windows Media Player (KB911564)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player (KB954155)
    Security Update for Windows Media Player (KB968816)
    Security Update for Windows Media Player (KB973540)
    Security Update for Windows Media Player (KB975558)
    Security Update for Windows Media Player (KB978695)
    Security Update for Windows Media Player 10 (KB917734)
    Security Update for Windows Media Player 10 (KB936782)
    Security Update for Windows Media Player 11 (KB936782)
    Security Update for Windows Media Player 11 (KB954154)
    Security Update for Windows Media Player 6.4 (KB925398)
    Security Update for Windows Media Player 9 (KB917734)
    Security Update for Windows XP (KB2079403)
    Security Update for Windows XP (KB2115168)
    Security Update for Windows XP (KB2121546)
    Security Update for Windows XP (KB2160329)
    Security Update for Windows XP (KB2229593)
    Security Update for Windows XP (KB2259922)
    Security Update for Windows XP (KB2279986)
    Security Update for Windows XP (KB2286198)
    Security Update for Windows XP (KB2296011)
    Security Update for Windows XP (KB2296199)
    Security Update for Windows XP (KB2347290)
    Security Update for Windows XP (KB2360937)
    Security Update for Windows XP (KB2387149)
    Security Update for Windows XP (KB2423089)
    Security Update for Windows XP (KB2436673)
    Security Update for Windows XP (KB2440591)
    Security Update for Windows XP (KB2443105)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB923689)
    Security Update for Windows XP (KB938464)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950760)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951376)
    Security Update for Windows XP (KB951698)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB953839)
    Security Update for Windows XP (KB954211)
    Security Update for Windows XP (KB954459)
    Security Update for Windows XP (KB954600)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956391)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956744)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956841)
    Security Update for Windows XP (KB956844)
    Security Update for Windows XP (KB957095)
    Security Update for Windows XP (KB957097)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958687)
    Security Update for Windows XP (KB958690)
    Security Update for Windows XP (KB958869)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960715)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB960859)
    Security Update for Windows XP (KB961371)
    Security Update for Windows XP (KB961373)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB968537)
    Security Update for Windows XP (KB969059)
    Security Update for Windows XP (KB969898)
    Security Update for Windows XP (KB969947)
    Security Update for Windows XP (KB970238)
    Security Update for Windows XP (KB970430)
    Security Update for Windows XP (KB971468)
    Security Update for Windows XP (KB971486)
    Security Update for Windows XP (KB971557)
    Security Update for Windows XP (KB971633)
    Security Update for Windows XP (KB971657)
    Security Update for Windows XP (KB972270)
    Security Update for Windows XP (KB973346)
    Security Update for Windows XP (KB973354)
    Security Update for Windows XP (KB973507)
    Security Update for Windows XP (KB973525)
    Security Update for Windows XP (KB973869)
    Security Update for Windows XP (KB973904)
    Security Update for Windows XP (KB974112)
    Security Update for Windows XP (KB974318)
    Security Update for Windows XP (KB974392)
    Security Update for Windows XP (KB974571)
    Security Update for Windows XP (KB975025)
    Security Update for Windows XP (KB975467)
    Security Update for Windows XP (KB975560)
    Security Update for Windows XP (KB975561)
    Security Update for Windows XP (KB975562)
    Security Update for Windows XP (KB975713)
    Security Update for Windows XP (KB977165)
    Security Update for Windows XP (KB977816)
    Security Update for Windows XP (KB977914)
    Security Update for Windows XP (KB978037)
    Security Update for Windows XP (KB978251)
    Security Update for Windows XP (KB978262)
    Security Update for Windows XP (KB978338)
    Security Update for Windows XP (KB978542)
    Security Update for Windows XP (KB978601)
    Security Update for Windows XP (KB978706)
    Security Update for Windows XP (KB979309)
    Security Update for Windows XP (KB979482)
    Security Update for Windows XP (KB979559)
    Security Update for Windows XP (KB979683)
    Security Update for Windows XP (KB979687)
    Security Update for Windows XP (KB980195)
    Security Update for Windows XP (KB980218)
    Security Update for Windows XP (KB980232)
    Security Update for Windows XP (KB980436)
    Security Update for Windows XP (KB981322)
    Security Update for Windows XP (KB981852)
    Security Update for Windows XP (KB981957)
    Security Update for Windows XP (KB981997)
    Security Update for Windows XP (KB982132)
    Security Update for Windows XP (KB982214)
    Security Update for Windows XP (KB982665)
    Security Update for Windows XP (KB982802)
    Smart Link 56K Modem
    Snapshot Viewer
    Sony Digital Voice Player Ver.2.1
    Sony Picture Utility
    Sony Player Plug-in for Windows Media Player
    Sony USB Driver
    Spelling Dictionaries Support For Adobe Reader 8
    Spybot - Search & Destroy
    Update for Windows Internet Explorer 8 (KB971180)
    Update for Windows Internet Explorer 8 (KB976662)
    Update for Windows Internet Explorer 8 (KB976749)
    Update for Windows Internet Explorer 8 (KB980182)
    Update for Windows XP (KB2141007)
    Update for Windows XP (KB2345886)
    Update for Windows XP (KB2467659)
    Update for Windows XP (KB951072-v2)
    Update for Windows XP (KB951978)
    Update for Windows XP (KB955759)
    Update for Windows XP (KB955839)
    Update for Windows XP (KB967715)
    Update for Windows XP (KB968389)
    Update for Windows XP (KB971737)
    Update for Windows XP (KB973687)
    Update for Windows XP (KB973815)
    Viewpoint Media Player
    VoiceOver Kit
    WebFldrs XP
    Windows Genuine Advantage Notifications (KB905474)
    Windows Genuine Advantage Validation Tool (KB892130)
    Windows Internet Explorer 7
    Windows Internet Explorer 8
    Windows Live ID Sign-in Assistant
    Windows Media Format 11 runtime
    Windows Media Player 11
    Windows XP Service Pack 3

    ==== Event Viewer Messages From Past Week ========

    12/19/2010 5:07:04 PM, error: Service Control Manager [7016] - The SmartLinkService service has reported an invalid current state 0.
    12/19/2010 4:57:46 PM, error: System Error [1003] - Error code 10000050, parameter1 fd8fe018, parameter2 00000000, parameter3 ebb3fea8, parameter4 00000000.
    12/19/2010 4:54:35 PM, error: atapi [9] - The device, \Device\Ide\IdePort0, did not respond within the timeout period.
    12/19/2010 4:23:58 PM, error: Service Control Manager [7034] - The WAN Miniport (ATW) Service service terminated unexpectedly. It has done this 1 time(s).
    12/19/2010 4:23:58 PM, error: Service Control Manager [7034] - The Viewpoint Manager Service service terminated unexpectedly. It has done this 1 time(s).
    12/19/2010 4:23:58 PM, error: Service Control Manager [7034] - The SmartLinkService service terminated unexpectedly. It has done this 1 time(s).
    12/19/2010 4:23:58 PM, error: Service Control Manager [7034] - The PrismXL service terminated unexpectedly. It has done this 1 time(s).
    12/19/2010 4:23:58 PM, error: Service Control Manager [7034] - The NVIDIA Driver Helper Service service terminated unexpectedly. It has done this 1 time(s).
    12/19/2010 4:23:58 PM, error: Service Control Manager [7034] - The Java Quick Starter service terminated unexpectedly. It has done this 1 time(s).
    12/19/2010 4:23:58 PM, error: Service Control Manager [7034] - The iPod Service service terminated unexpectedly. It has done this 1 time(s).
    12/19/2010 4:23:58 PM, error: Service Control Manager [7034] - The Bonjour Service service terminated unexpectedly. It has done this 1 time(s).
    12/19/2010 4:23:58 PM, error: Service Control Manager [7034] - The AOL Connectivity Service service terminated unexpectedly. It has done this 1 time(s).
    12/19/2010 4:23:58 PM, error: Service Control Manager [7031] - The Windows Live ID Sign-in Assistant service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 10000 milliseconds: Restart the service.
    12/19/2010 4:23:58 PM, error: Service Control Manager [7031] - The Apple Mobile Device service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    12/17/2010 10:44:27 AM, error: Dhcp [1002] - The IP address lease 192.168.0.2 for the Network Card with network address 000CF1905109 has been denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).
    12/16/2010 10:44:22 PM, error: Dhcp [1002] - The IP address lease 192.168.0.3 for the Network Card with network address 000CF1905109 has been denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).
    12/16/2010 1:28:37 PM, error: NetBT [4321] - The name "MSHOME :1d" could not be registered on the Interface with IP address 192.168.0.3. The machine with the IP address 192.168.0.2 did not allow the name to be claimed by this machine.

    ==== End Of File ===========================



    DDS

    DDS (Ver_10-12-12.02) - NTFSx86
    Run at 17:06:40.70 on Sun 12/19/2010
    Internet Explorer: 8.0.6001.18702
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.59 [GMT -5:00]

    AV: My Security Engine *Enabled/Updated* {B9957D53-70E8-4E46-99C7-84CF629C0FD8}
    AV: Norton Security Suite *Enabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
    FW: My Security Engine *Enabled*
    FW: Norton Internet Worm Protection *Disabled*
    FW: Norton Security Suite *Enabled*

    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    svchost.exe
    C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Norton Security Suite\Engine\4.3.0.5\ccSvcHst.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
    C:\WINDOWS\system32\slserv.exe
    C:\WINDOWS\System32\svchost.exe -k imgsvc
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
    C:\WINDOWS\system32\CTHELPER.EXE
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
    C:\Program Files\Logitech\MouseWare\system\em_exec.exe
    C:\Program Files\Common Files\AOL\1187212991\ee\AOLSoftware.exe
    C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Norton Security Suite\Engine\4.3.0.5\ccSvcHst.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\whatever\Desktop\dds.scr

    ============== Pseudo HJT Report ===============

    uStart Page = about:blank
    uWindow Title = Microsoft Internet Explorer provided by Comcast
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    mWindow Title = Microsoft Internet Explorer provided by Comcast
    uInternet Settings,ProxyOverride = *.local
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
    BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton security suite\engine\4.3.0.5\coIEPlg.dll
    BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton security suite\engine\4.3.0.5\IPSBHO.DLL
    BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: Norton Internet Security 2006: {9ecb9560-04f9-4bbc-943d-298ddf1699e1} - CNisExtBho Class
    BHO: NAV Helper: {a8f38d8d-e480-4d52-b7a2-731bb6995fdd} - CNavExtBho Class
    BHO: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - No File
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    {0b53eac3-8d69-4b9e-9b19-a37c9a5676a7}
    {c4069e3a-68f1-403e-b40e-20066696354b}
    TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton security suite\engine\4.3.0.5\coIEPlg.dll
    TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
    TB: &Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
    EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
    EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
    uRun: [IncrediMail] c:\program files\incredimail\bin\IncMail.exe /c
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
    mRun: [PRONoMgr.exe] c:\program files\intel\ncs\proset\PRONoMgr.exe
    mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
    mRun: [CTHelper] CTHELPER.EXE
    mRun: [NeroCheck] c:\windows\system32\NeroCheck.exe
    mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
    mRun: [Logitech Utility] Logi_MwX.Exe
    mRun: [pdfFactory Dispatcher v2] c:\windows\system32\spool\drivers\w32x86\3\fppdis2a.exe
    mRun: [tgcmd] "c:\program files\support.com\bin\tgcmd.exe" /server
    mRun: [HostManager] c:\program files\common files\aol\1187212991\ee\AOLSoftware.exe
    mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop album starter edition\3.2\apps\apdproxy.exe"
    mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
    mRun: [Symantec PIF AlertEng] "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\pifsvc.exe" /a /m "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\AlertEng.dll"
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
    dRun: [ALUAlert] c:\program files\symantec\liveupdate\ALUNotify.exe
    dRunOnce: [SetDefaultMidi] MIDIDEF.EXE
    IE: &Add animation to IncrediMail Style Box - c:\progra~1\incred~1\bin\resources\WebMenuImg.htm
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
    IE: {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/
    IE: {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/
    IE: {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/
    IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
    IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
    DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
    DPF: {0C92900E-4D5A-4F04-ACC9-729E1767BBAE} - hxxp://www.ritzpix.com/net/Uploader/LPUploader45.cab
    DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} - hxxp://support.gateway.com/support/profiler/PCPitStop.CAB
    DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc.cab
    DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader3.cab
    DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader.cab
    DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1150504065499
    DPF: {6A344D34-5231-452A-8A57-D064AC9B7862}
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
    DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
    DPF: {AE6C4705-0F11-4ACB-BDD4-37F138BEF289} - hxxp://www.ritzpix.com/net/Uploader/LPUploader41.cab
    DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
    DPF: {CAFEEFAC-0015-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_07-windows-i586.cab
    DPF: {CAFEEFAC-0015-0000-0008-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_08-windows-i586.cab
    DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
    DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
    DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    Hosts: 127.0.0.1 www.spywareinfo.com
    Hosts: 173.232.149.92 www.google.com
    Hosts: 173.232.149.92 google.com
    Hosts: 173.232.149.92 google.com.au
    Hosts: 173.232.149.92 www.google.com.au

    Note: multiple HOSTS entries found. Please refer to Attach.txt

    ============= SERVICES / DRIVERS ===============

    R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\n360\0403000.005\symds.sys [2010-10-28 328752]
    R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\n360\0403000.005\symefa.sys [2010-10-28 173104]
    R1 BHDrvx86;BHDrvx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\definitions\bashdefs\20101123.003\BHDrvx86.sys [2010-11-22 691248]
    R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\n360\0403000.005\cchpx86.sys [2010-10-28 501888]
    R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\n360\0403000.005\ironx86.sys [2010-10-28 116784]
    R2 N360;Norton Security Suite;c:\program files\norton security suite\engine\4.3.0.5\ccsvchst.exe [2010-10-28 126392]
    R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2009-6-3 24652]
    R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-8-28 102448]
    R3 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\definitions\ipsdefs\20101215.001\IDSXpx86.sys [2010-12-16 341944]
    R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\definitions\virusdefs\20101219.003\NAVENG.SYS [2010-12-19 86008]
    R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\definitions\virusdefs\20101219.003\NAVEX15.SYS [2010-12-19 1360760]
    S2 AIM;AIM;"c:\windows\aim.exe" --> c:\windows\aim.exe [?]
    S3 rdriv;rdriv;\??\c:\windows\system32\rdriv.sys --> c:\windows\system32\rdriv.sys [?]

    =============== Created Last 30 ================

    2010-12-16 03:16:45 40960 -c----w- c:\windows\system32\dllcache\ndproxy.sys
    2010-12-16 03:15:34 45568 -c----w- c:\windows\system32\dllcache\wab.exe

    ==================== Find3M ====================

    2010-11-18 18:12:44 81920 ----a-w- c:\windows\system32\isign32.dll
    2010-11-06 00:26:58 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-11-06 00:26:58 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2010-11-06 00:26:58 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
    2010-11-03 12:25:54 385024 ----a-w- c:\windows\system32\html.iec
    2010-10-28 13:13:22 290048 ----a-w- c:\windows\system32\atmfd.dll
    2010-10-26 13:25:00 1853312 ----a-w- c:\windows\system32\win32k.sys

    ============= FINISH: 17:09:37.15 ===============
     
  8. beauty

    beauty TS Rookie Topic Starter Posts: 64

    Posted them again, same thing. I guess I will just wait for them to be reviewed by a moderator.
     
  9. beauty

    beauty TS Rookie Topic Starter Posts: 64

    Oops, sorry for the double posting of the logs! I guess I just needed to be patient.
     
  10. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Yes, you do need to be patient. Please don't PM me unless I haven't replied in 2 days- Sundays don't count. I'm helping others and I'll get to your logs as soon as I can.
     
  11. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Your host files have been hijacked. Please do the following:

    You will need to do a DNS Flush, then reset your router.
    Start> Run> type cmd> enter> at the C prompt type ipconfig /flushdns (note space before the /)

    Exit the Command prompt when finished and shut the system down.

    • [1]. Shut down your computer, and any other computer connected to your router.
      [2]. On the back of the router, there should be a small hole or button labelled RESET. Using a bent paper clip or similar item, hold that in continuously for twenty seconds.
      [3]. Unplug the router. Wait sixty seconds.
      [4]. Now, holding the reset button again, plug it back in. Continue holding the reset button for twenty seconds. Unplug the router again.
      [5]. With the router unplugged, start your computer. Run MBAM again.
      [6]. Connect to the router again. Then turn the router back on.
      [7].When it stabilizes, reboot your workstation and try to access the internet. If you have any issues, access the Router configuration page and re-enter your authentication information.
      [8]. Reboot the system and test the internet. You may have to reconfigure the router settings based on your setup.
    ========================================
    Run Eset NOD32 Online AntiVirus scan HERE
    1. Tick the box next to YES, I accept the Terms of Use.
    2. Click Start
    3. When asked, allow the Active X control to install
    4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    5. Click Start
    6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    7. Click Scan
    8. Wait for the scan to finish
    9. Re-enable your Antivirus software.
    10. A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
    ===================================
    Download the HijackThis Installer and save to the desktop:
    1. Double-click on HJTInstall.exe to run the program.
    2. By default it will install to C:\Program Files\Trend Micro\HijackThis.
    3. Accept the license agreement by clicking the "I Accept" button.
    4. Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
    5. Click "Save log" to save the log file and then the log will open in notepad.
    6. Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
    7. Come back here to this thread and paste (Ctrl+V) the log in your next reply.

    NOTE: Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.
     
  12. beauty

    beauty TS Rookie Topic Starter Posts: 64

    Hey, thanks Bobbye! This is better than a rootkit. I take it this was the part of the log file that showed it:

    ==== Hosts File Hijack ======================

    Hosts: 127.0.0.1 www.spywareinfo.com
    Hosts: 173.232.149.92 www.google.com
    Hosts: 173.232.149.92 google.com
    Hosts: 173.232.149.92 google.com.au
    Hosts: 173.232.149.92 www.google.com.au
    Hosts: 173.232.149.92 google.be
    Hosts: 173.232.149.92 www.google.be
    Hosts: 173.232.149.92 google.com.br
    Hosts: 173.232.149.92 www.google.com.br
    Hosts: 173.232.149.92 google.ca
    Hosts: 173.232.149.92 www.google.ca
    Hosts: 173.232.149.92 google.ch
    Hosts: 173.232.149.92 www.google.ch
    Hosts: 173.232.149.92 google.de
    Hosts: 173.232.149.92 www.google.de


    So does this mean that whoever owns the IP address 173.232.149.92 is the culprit?

    Why doesn't Norton detect this?

    Thanks again!
     
  13. beauty

    beauty TS Rookie Topic Starter Posts: 64

    Thanks, bobbye. Any idea how this happened? This is not my computer so I am not sure how they ended up with this result.

    Is the owner of the IP address 173.232.149.92 the culprit?

    I am surprised that Norton doesn't catch something like this.
     
  14. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    And you did what?
    Where is the Eset log?
    Where is the new Mbam log?
    Where is the HJT log, for me to tell you what to check?
     
  15. beauty

    beauty TS Rookie Topic Starter Posts: 64

    I haven't had a chance to get back to the computer to try the recommendations yet since it is about 1/2 an hour away. I am going to try to get back there either tonight or tomorrow or Friday.

    I was just curious as to how the host files got hijacked and surprised that Norton can't detect it.
     
  16. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    I don't know how they got hijacked or why Norton didn't detect it. It frequently is caused by a DNS Changer infection which is why I had you do the flush and reset.

    Malware can get by any security program. All it takes is a click in the wrong place. I don't see Norton stopping any more malware infections than other security. It is also a big resource user.
     
  17. beauty

    beauty TS Rookie Topic Starter Posts: 64

    I hear you about Norton being a resource hog. Their computer is old and slow and they don't have the money to upgrade right now but I thought if they got rid of Norton it may run faster. They use Norton because it is free from Comcast.

    Do you have a recommendation for an AV program that is not such a big resource user?

    Thank you!
     
  18. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    I don't recommend any security suites! I find stand-alone security programs to be less bloated and easier to handle. Norton has always been known to use a lot of resources. Check out the following- all free, all good:

    Have layered Security:
    • Antivirus Software(only one):Both of the following programs are free and known to be good:
      [o]Avira Free
      [o]Avast Home
    • Firewall (only one): Use bi-directional firewall. Both of the following programs are free and known to be good:
      [o]Comodo
      [o]Zone Alarm
    • Antispyware: I recommend all of the following:
      [o]Spywareblaster: SpywareBlaster protects against bad ActiveX. It places kill bits to stop bad Active X controls from being installed. Remember to update it regularly.
      [o] ZonedOut and save to your desktop. This replaces IE/Spyad and manages the Zones in Internet explorer. This places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
     
  19. beauty

    beauty TS Rookie Topic Starter Posts: 64

    thanks, bobbye.

    I went back over to the house where the computer was yesterday, but their internet service was out and they have to have a technician come on Monday to try to fix the cable.
     
  20. beauty

    beauty TS Rookie Topic Starter Posts: 64

    Well for some crazy reason, their cable internet is working but cable TV is not. Anyhow, I was able to flush the DNS and then run ESET and HijackThis. Logs below. Looks like ESET found 4 bad guys.

    ESETSmartInstaller@High as CAB hook log:
    OnlineScanner.ocx - registred OK
    # version=7
    # iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
    # OnlineScanner.ocx=1.0.0.6419
    # api_version=3.0.2
    # EOSSerial=3d1900506628ac4eb8b8760a0a6febad
    # end=finished
    # remove_checked=false
    # archives_checked=false
    # unwanted_checked=true
    # unsafe_checked=true
    # antistealth_checked=true
    # utc_time=2010-12-25 08:58:42
    # local_time=2010-12-25 03:58:42 (-0500, Eastern Standard Time)
    # country="United States"
    # lang=9
    # osver=5.1.2600 NT Service Pack 3
    # compatibility_mode=3584 16777191 100 0 0 0 0 0
    # compatibility_mode=8192 67108863 100 0 0 0 0 0
    # scanned=146143
    # found=4
    # cleaned=0
    # scan_time=8594
    C:\Documents and Settings\All Users\Application Data\2c2e744\33.mof Win32/RogueAV.A trojan (unable to clean) 00000000000000000000000000000000 I
    C:\Program Files\AIM\Sysfiles\WxBug.EXE Win32/Adware.WBug.A application (unable to clean) 00000000000000000000000000000000 I
    C:\WINDOWS\system32\drivers\etc\hosts.20100602-142523.backup Win32/Qhost trojan (unable to clean) 00000000000000000000000000000000 I
    C:\WINDOWS\system32\drivers\etc\hosts.20100602-145049.backup Win32/Qhost trojan (unable to clean) 00000000000000000000000000000000 I


    HijackThis

    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 4:18:09 PM, on 12/25/2010
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Norton Security Suite\Engine\4.3.0.5\ccSvcHst.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
    C:\WINDOWS\system32\slserv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
    C:\Program Files\Norton Security Suite\Engine\4.3.0.5\ccSvcHst.exe
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\CTHELPER.EXE
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe
    C:\Program Files\support.com\bin\tgcmd.exe
    C:\Program Files\Common Files\AOL\1187212991\ee\AOLSoftware.exe
    C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
    C:\Program Files\Logitech\MouseWare\system\em_exec.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\msiexec.exe
    C:\Program Files\Trend Micro\Hijack This\Trend Micro\HiJackThis\HiJackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O1 - Hosts: 173.232.149.92 www.google.com
    O1 - Hosts: 173.232.149.92 google.com
    O1 - Hosts: 173.232.149.92 google.com.au
    O1 - Hosts: 173.232.149.92 www.google.com.au
    O1 - Hosts: 173.232.149.92 google.be
    O1 - Hosts: 173.232.149.92 www.google.be
    O1 - Hosts: 173.232.149.92 google.com.br
    O1 - Hosts: 173.232.149.92 www.google.com.br
    O1 - Hosts: 173.232.149.92 google.ca
    O1 - Hosts: 173.232.149.92 www.google.ca
    O1 - Hosts: 173.232.149.92 google.ch
    O1 - Hosts: 173.232.149.92 www.google.ch
    O1 - Hosts: 173.232.149.92 google.de
    O1 - Hosts: 173.232.149.92 www.google.de
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Security Suite\Engine\4.3.0.5\coIEPlg.dll
    O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Security Suite\Engine\4.3.0.5\IPSBHO.DLL
    O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Norton Internet Security 2006 - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - (no file)
    O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - (no file)
    O2 - BHO: (no name) - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - (no file)
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: (no name) - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - (no file)
    O3 - Toolbar: (no name) - {C4069E3A-68F1-403E-B40E-20066696354B} - (no file)
    O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Security Suite\Engine\4.3.0.5\coIEPlg.dll
    O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [pdfFactory Dispatcher v2] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe
    O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\support.com\bin\tgcmd.exe" /server
    O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1187212991\ee\AOLSoftware.exe
    O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
    O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
    O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKCU\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\RunOnce: [SetDefaultMidi] MIDIDEF.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'Default user')
    O4 - HKUS\.DEFAULT\..\RunOnce: [SetDefaultMidi] MIDIDEF.EXE (User 'Default user')
    O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
    O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {0C92900E-4D5A-4F04-ACC9-729E1767BBAE} (Image Uploader Control) - http://www.ritzpix.com/net/Uploader/LPUploader45.cab
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://support.gateway.com/support/profiler/PCPitStop.CAB
    O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/FacebookPhotoUploader3.cab
    O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1150504065499
    O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} -
    O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
    O16 - DPF: {AE6C4705-0F11-4ACB-BDD4-37F138BEF289} (Image Uploader Control) - http://www.ritzpix.com/net/Uploader/LPUploader41.cab
    O16 - DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} (Java Plug-in 1.6.0_20) -
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
    O23 - Service: AIM - Unknown owner - C:\WINDOWS\aim.exe (file missing)
    O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: Norton Security Suite (N360) - Symantec Corporation - C:\Program Files\Norton Security Suite\Engine\4.3.0.5\ccSvcHst.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
    O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
    O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

    --
    End of file - 12256 bytes
     
  21. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Please download OTMoveIt by Old Timer and save to your desktop.
    • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
      Code:
      :Processes	
      
      :Files 
      C:\Documents and Settings\All Users\Application Data\2c2e744\33.mof 
      C:\Program Files\AIM\Sysfiles\WxBug.EXE 
      C:\WINDOWS\system32\drivers\etc\hosts.20100602-142523.backup 
      C:\WINDOWS\system32\drivers\etc\hosts.20100602-145049.backup 
      :Commands
      [purity]
      [emptytemp]
      [start explorer]
      [Reboot]
    • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
    • Click the red Moveit! button.
    • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
    • Close OTMoveIt3
    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
    =============================================
    Please reopen HijackThis to 'do system scan only.' Check each of the following if present:

    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    O1 - Hosts: 173.232.149.92 www.google.com
    O1 - Hosts: 173.232.149.92 google.com
    O1 - Hosts: 173.232.149.92 google.com.au
    O1 - Hosts: 173.232.149.92 www.google.com.au
    O1 - Hosts: 173.232.149.92 google.be
    O1 - Hosts: 173.232.149.92 www.google.be
    O1 - Hosts: 173.232.149.92 google.com.br
    O1 - Hosts: 173.232.149.92 www.google.com.br
    O1 - Hosts: 173.232.149.92 google.ca
    O1 - Hosts: 173.232.149.92 www.google.ca
    O1 - Hosts: 173.232.149.92 google.ch
    O1 - Hosts: 173.232.149.92 www.google.ch
    O1 - Hosts: 173.232.149.92 google.de
    O1 - Hosts: 173.232.149.92 www.google.de
    O2 - BHO: (no name) - {dcee3e00-f94a-4740-988e-03dc2f38c34f} - (no file)
    O3 - Toolbar: (no name) - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - (no file)
    O3 - Toolbar: (no name) - {C4069E3A-68F1-403E-B40E-20066696354B} - (no file)
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe


    Close all Windows except HijackThis and click on "Fix Checked."

    Boot into Safe Mode
    • Restart your computer and start pressing the F8 key on your keyboard.
    • Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.

    Click on Start> Control Panel> Add/Remove Programs> Uninstall any Viewpoint entries
    Click on Start> Run> type in services.msc> Double click on Viewpoint Manager Service> Change the Startup type to Disabled> Stop the Service> Exit Services.

    Use Windows Explorer: Windows key + E> My Computer> Double click on Local Drive> Programs> do a right click> Delete any Viewpoint folders.
    Exit Explorer

    Reboot into Normal Mode

    Replace the Host Files
    MVPS Hosts files This replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer.

    Let me know how they are doing after the cable fix.
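Detection logic for the HOSTS hijack shown in the O1 entries above, as an added example that is not part of this thread or of HijackThis: it parses a constructed hosts file modelled on those entries and flags every name mapped to a routable address (anything other than loopback or 0.0.0.0, the only targets a legitimate MVPS-style blocking entry uses). The sample file and the WATCHLIST of commonly hijacked names are assumptions made for the example.

```python
"""Flag HOSTS entries that redirect well-known names to a remote address."""
import ipaddress
import re

# Constructed sample modelled on the log's O1 entries (not the user's file):
# the normal localhost line, two blocking entries, and several google
# domains pointed at one remote IP.
SAMPLE_HOSTS = """\
127.0.0.1       localhost
127.0.0.1       ad.doubleclick.net    # blocking entry, harmless
0.0.0.0         tracker.example       # also a blocking entry
173.232.149.92  www.google.com
173.232.149.92  google.com google.com.au
173.232.149.92  google.de   www.google.de
::1             localhost
"""

# Hypothetical watchlist: names redirect malware typically hijacks (search
# engines, AV vendors); a routable mapping for these is rated "high".
WATCHLIST = re.compile(r"(^|\.)(google|bing|yahoo|microsoft|symantec|norton|malwarebytes)\.")


def parse_hosts(text):
    """Yield (ip, hostname) pairs; comments and blank lines are skipped."""
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) < 2:
            continue
        for name in parts[1:]:
            yield parts[0], name.lower()


def is_sinkhole(ip):
    """True for loopback (127.x, ::1) or 0.0.0.0, the only benign targets."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return addr.is_loopback or addr.is_unspecified


def find_hijacks(text):
    """Return [(severity, ip, name)] for names mapped to a routable address."""
    findings = []
    for ip, name in parse_hosts(text):
        if name == "localhost" or is_sinkhole(ip):
            continue
        severity = "high" if WATCHLIST.search(name + ".") else "review"
        findings.append((severity, ip, name))
    return findings
```

Run against the real file at %systemroot%\system32\drivers\etc\hosts, a "review" hit for an intranet name is expected; a "high" hit for a search engine is the redirect pattern seen in this thread.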
     
  22. beauty

    beauty TS Rookie Topic Starter Posts: 64

    Ok, I did it and the OTM log is pasted below. However, after I removed Viewpoint in Safe mode, there were not any Viewpoint entries to stop/delete for these steps:



    OTM log

    All processes killed
    ========== PROCESSES ==========
    ========== FILES ==========
    C:\Documents and Settings\All Users\Application Data\2c2e744\33.mof moved successfully.
    C:\Program Files\AIM\Sysfiles\WxBug.EXE moved successfully.
    C:\WINDOWS\system32\drivers\etc\hosts.20100602-142523.backup moved successfully.
    C:\WINDOWS\system32\drivers\etc\hosts.20100602-145049.backup moved successfully.
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: Administrator
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: All Users
    ->Flash cache emptied: 0 bytes

    User:
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User:
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User:
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: LocalService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes

    User: NetworkService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 575588 bytes

    User:
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 4450720 bytes
    ->Java cache emptied: 0 bytes
    ->Flash cache emptied: 2527 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\dllcache .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 16864 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 5.00 mb


    OTM by OldTimer - Version 3.1.17.2 log created on 12292010_193841

    Files moved on Reboot...
    File C:\WINDOWS\temp\Perflib_Perfdata_6d8.dat not found!

    Registry entries deleted on Reboot...
     
  23. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Are you having any more redirecting?
     
  24. beauty

    beauty TS Rookie Topic Starter Posts: 64

    No. It always was intermittent, though, but hopefully whatever it was is gone for good. Thanks a bunch!
     
  25. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Okay, let's cleanup and close this thread. If the problem recurs, we'll try again.

    Removing all of the tools we used and the files and folders they created
    • Uninstall ComboFix and all Backups of the files it deleted
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U; it needs to be there.
    • Download OTCleanIt by OldTimer and save it to your Desktop.
    • Double click OTCleanIt.exe.
    • Click the CleanUp! button.
    • If you are prompted to Reboot during the cleanup, select Yes.
    • The tool will delete itself once it finishes.

    Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.
    • You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.
    • Go to Start > All Programs > Accessories > System Tools
    • Click "System Restore".
    • Choose "Create a Restore Point" on the first screen then click "Next".
    • Give the Restore Point a name> click "Create".
    • Go back and follow the path to > System Tools.
    • Choose Disk Cleanup
    • Click "OK" to select the partition or drive you want.
    • Click the "More Options" Tab.
    • Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.


    Empty the Recycle Bin
     
Topic Status:
Not open for further replies.
