
WindowsProtectionSuite not found with Malwarebytes. Help!


nikoonah

Having some massive problems with MIL's computer, so I do a Malwarebytes scan and it comes back clean. Do a Spybot scan and it advises I have Fraud.WindowsProtectionSuite and Microsoft.Windows.RedirectedHosts. A quick search indicates Malwarebytes should clean this out, yet despite an update and uninstall/reinstall/update I still have this issue. Any help is appreciated!

DDS log:

DDS (Ver_09-12-01.01) - NTFSx86

Run by hp people at 11:47:07.37 on Wed 12/23/2009

Internet Explorer: 7.0.5730.11

Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1016.431 [GMT -5:00]

AV: Additional Guard *On-access scanning enabled* (Updated) {A3D5D5B5-6D0B-4B73-BF5C-D861CEEDF182}

FW: Additional Guard *enabled* {D480716B-79BC-428B-8B74-86BFDB42E1DB}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\WINDOWS\System32\svchost.exe -k imgsvc

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\igfxtray.exe

C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\Documents and Settings\hp people\Local Settings\Temporary Internet Files\Content.IE5\3DHYKDN6\dds[1].scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll

EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [spybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe

mRun: [igfxTray] c:\windows\system32\igfxtray.exe

mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"

mRun: [AlcxMonitor] ALCXMNTR.EXE

mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL

Notify: igfxcui - igfxsrvc.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

IFEO: image file execution options - svchost.exe

IFEO: brastk.exe - svchost.exe

Hosts: 74.125.45.100 4-open-davinci.com

Hosts: 74.125.45.100 securitysoftwarepayments.com

Hosts: 74.125.45.100 privatesecuredpayments.com

Hosts: 74.125.45.100 secure.privatesecuredpayments.com

Hosts: 74.125.45.100 getantivirusplusnow.com

Note: multiple HOSTS entries found. Please refer to Attach.txt

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\hppeop~1\applic~1\mozilla\firefox\profiles\tm7fba5a.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/

FF - plugin: c:\documents and settings\hp people\local settings\application data\google\update\1.2.183.13\npGoogleOneClick8.dll

---- FIREFOX POLICIES ----

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

S3 SMC2862W;SMC2862W-G EZ Connect g 2.4Ghz 802.11g Wireless USB 2.0 Adapter Driver;c:\windows\system32\drivers\2862wicb.sys --> c:\windows\system32\drivers\2862WICB.sys [?]

=============== Created Last 30 ================

2009-12-23 15:23:02 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-12-23 15:22:59 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-12-23 15:22:59 0 d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-12-19 04:19:24 0 d-----w- c:\windows\system32\etc

2009-12-19 03:37:16 0 d-----w- c:\program files\Trojan Remover

2009-12-19 03:28:34 0 d-----w- c:\windows\pss

2009-12-19 02:24:16 0 d-----w- c:\program files\Spybot - Search & Destroy

2009-12-19 02:24:16 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy

2009-12-08 02:22:31 0 ----a-w- c:\windows\system32\18467.exe

2009-12-08 02:02:20 1 ----a-w- C:\s

2009-12-08 02:01:07 69 ----a-w- c:\windows\NeroDigital.ini

2009-12-03 19:14:04 0 ----a-w- c:\windows\PhotoPro.INI

2009-12-02 19:14:21 0 d-----w- c:\docume~1\hppeop~1\applic~1\Malwarebytes

2009-12-02 19:14:14 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes

2009-12-02 04:05:17 0 d-sh--w- c:\docume~1\alluse~1\applic~1\WIKREDLUDNAG

2009-12-02 04:04:27 0 d-sh--w- c:\docume~1\alluse~1\applic~1\38cb815

==================== Find3M ====================

2009-11-01 19:51:35 121278 ----a-w- c:\windows\HPHins15.dat

2009-10-29 07:46:59 832512 ----a-w- c:\windows\system32\wininet.dll

2009-10-29 07:46:52 78336 ------w- c:\windows\system32\ieencode.dll

2009-10-29 07:46:50 17408 ------w- c:\windows\system32\corpol.dll

2009-10-21 06:00:55 75776 ----a-w- c:\windows\system32\strmfilt.dll

2009-10-21 06:00:55 25088 ----a-w- c:\windows\system32\httpapi.dll

2009-10-13 10:53:29 266752 ----a-w- c:\windows\system32\oakley.dll

2009-10-12 13:54:17 69632 ----a-w- c:\windows\system32\raschap.dll

2009-10-12 13:54:17 112128 ----a-w- c:\windows\system32\rastls.dll

============= FINISH: 11:47:43.29 ===============

MBAM log:

Malwarebytes' Anti-Malware 1.42

Database version: 3415

Windows 5.1.2600 Service Pack 2

Internet Explorer 7.0.5730.11

12/23/2009 10:46:45 AM

mbam-log-2009-12-23 (10-46-45).txt

Scan type: Full Scan (C:\|)

Objects scanned: 138084

Time elapsed: 21 minute(s), 9 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Spybot log:

--- Search result list ---

Fraud.WindowsProtectionSuite: [sBI $B197733A] Redirected host (Redirected host, nothing done)

4-open-davinci.com=74.125.45.100

Fraud.WindowsProtectionSuite: [sBI $B197733A] Redirected host (Redirected host, nothing done)

securitysoftwarepayments.com=74.125.45.100

Fraud.WindowsProtectionSuite: [sBI $B197733A] Redirected host (Redirected host, nothing done)

privatesecuredpayments.com=74.125.45.100

Fraud.WindowsProtectionSuite: [sBI $B197733A] Redirected host (Redirected host, nothing done)

secure.privatesecuredpayments.com=74.125.45.100

Fraud.WindowsProtectionSuite: [sBI $B197733A] Redirected host (Redirected host, nothing done)

getantivirusplusnow.com=74.125.45.100

Fraud.WindowsProtectionSuite: [sBI $B197733A] Redirected host (Redirected host, nothing done)

secure-plus-payments.com=74.125.45.100

Fraud.WindowsProtectionSuite: [sBI $B197733A] Redirected host (Redirected host, nothing done)

www.getantivirusplusnow.com=74.125.45.100

Fraud.WindowsProtectionSuite: [sBI $B197733A] Redirected host (Redirected host, nothing done)

www.secure-plus-payments.com=74.125.45.100

Fraud.WindowsProtectionSuite: [sBI $B197733A] Redirected host (Redirected host, nothing done)

www.getavplusnow.com=74.125.45.100

Fraud.WindowsProtectionSuite: [sBI $B197733A] Redirected host (Redirected host, nothing done)

safebrowsing-cache.google.com=74.125.45.100

Fraud.WindowsProtectionSuite: [sBI $B197733A] Redirected host (Redirected host, nothing done)

urs.microsoft.com=74.125.45.100

Fraud.WindowsProtectionSuite: [sBI $B197733A] Redirected host (Redirected host, nothing done)

www.securesoftwarebill.com=74.125.45.100

Fraud.WindowsProtectionSuite: [sBI $B197733A] Redirected host (Redirected host, nothing done)

secure.paysecuresystem.com=74.125.45.100

Fraud.WindowsProtectionSuite: [sBI $B197733A] Redirected host (Redirected host, nothing done)

paysoftbillsolution.com=74.125.45.100

Fraud.WindowsProtectionSuite: [sBI $B197733A] Redirected host (Redirected host, nothing done)

protected.maxisoftwaremart.com=74.125.45.100

Microsoft.Windows.RedirectedHosts: [sBI $B89FBA81] Redirected host (Redirected host, nothing done)

www.securesoftwarebill.com=74.125.45.100

Microsoft.Windows.RedirectedHosts: [sBI $19781685] Redirected host (Redirected host, nothing done)

secure.paysecuresystem.com=74.125.45.100

Microsoft.Windows.RedirectedHosts: [sBI $CEFF52BA] Redirected host (Redirected host, nothing done)

paysoftbillsolution.com=74.125.45.100

DoubleClick: Tracking cookie (Firefox: hp people (default)) (Cookie, fixed)

--- Spybot - Search & Destroy version: 1.6.2 (build: 20090126) ---

2009-01-26 blindman.exe (1.0.0.8)

2009-01-26 SDFiles.exe (1.6.1.7)

2009-01-26 SDMain.exe (1.0.0.6)

2009-01-26 SDUpdate.exe (1.6.0.12)

2009-01-26 SpybotSD.exe (1.6.2.46)

2009-03-05 TeaTimer.exe (1.6.6.32)

2009-12-18 unins000.exe (51.49.0.0)

2009-01-26 Update.exe (1.6.0.7)

2009-11-04 advcheck.dll (1.6.5.20)

2007-04-02 aports.dll (2.1.0.0)

2008-06-14 DelZip179.dll (1.79.11.1)

2009-01-26 SDHelper.dll (1.6.2.14)

2008-06-19 sqlite3.dll

2009-01-26 Tools.dll (2.1.6.10)

2009-01-16 UninsSrv.dll (1.0.0.0)

2009-10-08 Includes\Adware.sbi (*)

2009-12-15 Includes\AdwareC.sbi (*)

2009-01-22 Includes\Cookies.sbi (*)

2009-11-03 Includes\Dialer.sbi (*)

2009-12-15 Includes\DialerC.sbi (*)

2009-01-22 Includes\HeavyDuty.sbi (*)

2009-05-26 Includes\Hijackers.sbi (*)

2009-12-15 Includes\HijackersC.sbi (*)

2009-12-15 Includes\Keyloggers.sbi (*)

2009-12-15 Includes\KeyloggersC.sbi (*)

2004-11-29 Includes\LSP.sbi (*)

2009-12-15 Includes\Malware.sbi (*)

2009-12-15 Includes\MalwareC.sbi (*)

2009-03-25 Includes\PUPS.sbi (*)

2009-12-15 Includes\PUPSC.sbi (*)

2009-01-22 Includes\Revision.sbi (*)

2009-01-13 Includes\Security.sbi (*)

2009-12-15 Includes\SecurityC.sbi (*)

2008-06-03 Includes\Spybots.sbi (*)

2008-06-03 Includes\SpybotsC.sbi (*)

2009-11-03 Includes\Spyware.sbi (*)

2009-12-15 Includes\SpywareC.sbi (*)

2009-06-08 Includes\Tracks.uti

2009-12-08 Includes\Trojans.sbi (*)

2009-12-15 Includes\TrojansC.sbi (*)

2008-03-04 Plugins\Chai.dll

2008-03-05 Plugins\Fennel.dll

2008-02-26 Plugins\Mate.dll

2007-12-24 Plugins\TCPIPAddress.dll

--- System information ---

Windows XP (Build: 2600) Service Pack 2 (5.1.2600)

/ Windows / SP1: Microsoft Internationalized Domain Names Mitigation APIs

/ Windows / SP1: Microsoft National Language Support Downlevel APIs

/ Windows Media Format 11 SDK: Hotfix for Windows Media Format 11 SDK (KB929399)

/ Windows Media Player: Security Update for Windows Media Player (KB952069)

/ Windows Media Player: Security Update for Windows Media Player (KB954155)

/ Windows Media Player: Security Update for Windows Media Player (KB968816)

/ Windows Media Player: Security Update for Windows Media Player (KB973540)

/ Windows Media Player 11: Hotfix for Windows Media Player 11 (KB939683)

/ Windows Media Player 11: Security Update for Windows Media Player 11 (KB954154)

/ Windows XP: Security Update for Windows XP (KB941569)

/ Windows XP / SP0: Security Update for Windows Internet Explorer 7 (KB938127-v2)

/ Windows XP / SP0: Security Update for Windows Internet Explorer 7 (KB972260)

/ Windows XP / SP0: Security Update for Windows Internet Explorer 7 (KB974455)

/ Windows XP / SP0: Security Update for Windows Internet Explorer 7 (KB976325)

/ Windows XP / SP0: Update for Windows Internet Explorer 7 (KB976749)

/ Windows XP / SP10: Microsoft Compression Client Pack 1.0 for Windows XP

/ Windows XP / SP2: Windows XP Service Pack 2

/ Windows XP / SP3: Windows XP Hotfix - KB885884

/ Windows XP / SP3: Windows Installer 3.1 (KB893803)

/ Windows XP / SP3: Update for Windows XP (KB898461)

/ Windows XP / SP3: Update for Windows XP (KB904942)

/ Windows XP / SP3: Hotfix for Windows XP (KB914440)

/ Windows XP / SP3: Hotfix for Windows XP (KB915865)

/ Windows XP / SP3: Hotfix for Windows XP (KB926239)

/ Windows XP / SP3: Security Update for Windows XP (KB958470)

/ Windows XP / SP4: Security Update for Windows XP (KB923561)

/ Windows XP / SP4: Security Update for Windows XP (KB938464-v2)

/ Windows XP / SP4: Security Update for Windows XP (KB946648)

/ Windows XP / SP4: Security Update for Windows XP (KB950762)

/ Windows XP / SP4: Security Update for Windows XP (KB950974)

/ Windows XP / SP4: Security Update for Windows XP (KB951066)

/ Windows XP / SP4: Security Update for Windows XP (KB951376-v2)

/ Windows XP / SP4: Security Update for Windows XP (KB951748)

/ Windows XP / SP4: Security Update for Windows XP (KB952004)

/ Windows XP / SP4: Hotfix for Windows XP (KB952287)

/ Windows XP / SP4: Security Update for Windows XP (KB952954)

/ Windows XP / SP4: Security Update for Windows XP (KB954600)

/ Windows XP / SP4: Security Update for Windows XP (KB955069)

/ Windows XP / SP4: Security Update for Windows XP (KB956572)

/ Windows XP / SP4: Security Update for Windows XP (KB956802)

/ Windows XP / SP4: Security Update for Windows XP (KB956803)

/ Windows XP / SP4: Security Update for Windows XP (KB956844)

/ Windows XP / SP4: Security Update for Windows XP (KB957097)

/ Windows XP / SP4: Security Update for Windows XP (KB958644)

/ Windows XP / SP4: Security Update for Windows XP (KB958687)

/ Windows XP / SP4: Security Update for Windows XP (KB958869)

/ Windows XP / SP4: Security Update for Windows XP (KB959426)

/ Windows XP / SP4: Security Update for Windows XP (KB960225)

/ Windows XP / SP4: Security Update for Windows XP (KB960803)

/ Windows XP / SP4: Security Update for Windows XP (KB960859)

/ Windows XP / SP4: Security Update for Windows XP (KB961371-v2)

/ Windows XP / SP4: Security Update for Windows XP (KB961501)

/ Windows XP / SP4: Update for Windows XP (KB967715)

/ Windows XP / SP4: Update for Windows XP (KB968389)

/ Windows XP / SP4: Security Update for Windows XP (KB968537)

/ Windows XP / SP4: Security Update for Windows XP (KB969059)

/ Windows XP / SP4: Security Update for Windows XP (KB969947)

/ Windows XP / SP4: Security Update for Windows XP (KB970238)

/ Windows XP / SP4: Security Update for Windows XP (KB970430)

/ Windows XP / SP4: Hotfix for Windows XP (KB970653-v3)

/ Windows XP / SP4: Security Update for Windows XP (KB971486)

/ Windows XP / SP4: Security Update for Windows XP (KB971557)

/ Windows XP / SP4: Security Update for Windows XP (KB971633)

/ Windows XP / SP4: Security Update for Windows XP (KB971657)

/ Windows XP / SP4: Update for Windows XP (KB971737)

/ Windows XP / SP4: Security Update for Windows XP (KB971961)

/ Windows XP / SP4: Security Update for Windows XP (KB973346)

/ Windows XP / SP4: Security Update for Windows XP (KB973354)

/ Windows XP / SP4: Security Update for Windows XP (KB973507)

/ Windows XP / SP4: Security Update for Windows XP (KB973525)

/ Windows XP / SP4: Update for Windows XP (KB973687)

/ Windows XP / SP4: Update for Windows XP (KB973815)

/ Windows XP / SP4: Security Update for Windows XP (KB973869)

/ Windows XP / SP4: Security Update for Windows XP (KB973904)

/ Windows XP / SP4: Security Update for Windows XP (KB974112)

/ Windows XP / SP4: Security Update for Windows XP (KB974318)

/ Windows XP / SP4: Security Update for Windows XP (KB974392)

/ Windows XP / SP4: Security Update for Windows XP (KB974571)

/ Windows XP / SP4: Security Update for Windows XP (KB975025)

/ Windows XP / SP4: Security Update for Windows XP (KB975467)

/ Windows XP / SP4: Hotfix for Windows XP (KB976098-v2)

--- Startup entries list ---

Located: HK_LM:Run, AlcxMonitor

command: ALCXMNTR.EXE

file: C:\WINDOWS\ALCXMNTR.EXE

size: 57344

MD5: 7B8875A5B04932AC73AFD8079864DB68

Located: HK_LM:Run, HotKeysCmds

command: C:\WINDOWS\system32\hkcmd.exe

file: C:\WINDOWS\system32\hkcmd.exe

size: 118784

MD5: EA5DD164296F66241BEAD39E12FA69F2

Located: HK_LM:Run, IgfxTray

command: C:\WINDOWS\system32\igfxtray.exe

file: C:\WINDOWS\system32\igfxtray.exe

size: 155648

MD5: 8BBBADA96FFE1449EDD39256EDA99CD8

Located: HK_LM:Run, RemoteControl

command: "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

file: C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

size: 32768

MD5: 915A106A2FB87292CEF0AD4F36ADF313

Located: HK_LM:RunOnce, Malwarebytes' Anti-Malware

command: C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent

file: C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe

size: 429392

MD5: 2970CFA4346986666874A033088231AF

Located: HK_CU:Run, ctfmon.exe

where: S-1-5-21-1123561945-1563985344-682003330-1004...

command: C:\WINDOWS\system32\ctfmon.exe

file: C:\WINDOWS\system32\ctfmon.exe

size: 15360

MD5: 24232996A38C0B0CF151C2140AE29FC8

Located: HK_CU:Run, SpybotSD TeaTimer

where: S-1-5-21-1123561945-1563985344-682003330-1004...

command: C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

file: C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

size: 2260480

MD5: 390679F7A217A5E73D756276C40AE887

Located: Startup (common), Microsoft Office.lnk

where: C:\Documents and Settings\All Users\Start Menu\Programs\Startup...

command: C:\Program Files\Microsoft Office\Office10\OSA.EXE

file: C:\Program Files\Microsoft Office\Office10\OSA.EXE

size: 83360

MD5: 5BC65464354A9FD3BEAA28E18839734A

Located: WinLogon, crypt32chain

command: crypt32.dll

file: crypt32.dll

size: 0

MD5: D41D8CD98F00B204E9800998ECF8427E

Warning: if the file is actually larger than 0 bytes,

the checksum could not be properly calculated!

Located: WinLogon, cryptnet

command: cryptnet.dll

file: cryptnet.dll

size: 0

MD5: D41D8CD98F00B204E9800998ECF8427E

Warning: if the file is actually larger than 0 bytes,

the checksum could not be properly calculated!

Located: WinLogon, cscdll

command: cscdll.dll

file: cscdll.dll

size: 0

MD5: D41D8CD98F00B204E9800998ECF8427E

Warning: if the file is actually larger than 0 bytes,

the checksum could not be properly calculated!

Located: WinLogon, igfxcui

command: igfxsrvc.dll

file: igfxsrvc.dll

size: 0

MD5: D41D8CD98F00B204E9800998ECF8427E

Warning: if the file is actually larger than 0 bytes,

the checksum could not be properly calculated!

Located: WinLogon, ScCertProp

command: wlnotify.dll

file: wlnotify.dll

size: 0

MD5: D41D8CD98F00B204E9800998ECF8427E

Warning: if the file is actually larger than 0 bytes,

the checksum could not be properly calculated!

Located: WinLogon, Schedule

command: wlnotify.dll

file: wlnotify.dll

size: 0

MD5: D41D8CD98F00B204E9800998ECF8427E

Warning: if the file is actually larger than 0 bytes,

the checksum could not be properly calculated!

Located: WinLogon, sclgntfy

command: sclgntfy.dll

file: sclgntfy.dll

size: 0

MD5: D41D8CD98F00B204E9800998ECF8427E

Warning: if the file is actually larger than 0 bytes,

the checksum could not be properly calculated!

Located: WinLogon, SensLogn

command: WlNotify.dll

file: WlNotify.dll

size: 0

MD5: D41D8CD98F00B204E9800998ECF8427E

Warning: if the file is actually larger than 0 bytes,

the checksum could not be properly calculated!

Located: WinLogon, termsrv

command: wlnotify.dll

file: wlnotify.dll

size: 0

MD5: D41D8CD98F00B204E9800998ECF8427E

Warning: if the file is actually larger than 0 bytes,

the checksum could not be properly calculated!

Located: WinLogon, wlballoon

command: wlnotify.dll

file: wlnotify.dll

size: 0

MD5: D41D8CD98F00B204E9800998ECF8427E

Warning: if the file is actually larger than 0 bytes,

the checksum could not be properly calculated!

--- Browser helper object list ---

{18DF081C-E8AD-4283-A596-FA578C2EBDC3} (AcroIEHelperStub)

location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

BHO name: AcroIEHelperStub

CLSID name: Adobe PDF Link Helper

Path: C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\

Long name: AcroIEHelperShim.dll

Short name: ACROIE~2.DLL

Date (created): 2/27/2009 1:07:26 PM

Date (last access): 12/23/2009 10:15:32 AM

Date (last write): 2/27/2009 1:07:26 PM

Filesize: 75128

Attributes: archive

MD5: 5CF6190CD875DA6B35256FEE573E7908

CRC32: 764BA81B

Version: 9.1.0.163

{53707962-6F74-2D53-2644-206D7942484F} (Spybot-S&D IE Protection)

location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

BHO name:

CLSID name: Spybot-S&D IE Protection

description: Spybot-S&D IE Browser plugin

classification: Legitimate

known filename: SDhelper.dll

info link: http://spybot.eon.net.au/

info source: Patrick M. Kolla

Path: C:\PROGRA~1\SPYBOT~1\

Long name: SDHelper.dll

Short name:

Date (created): 12/18/2009 9:24:18 PM

Date (last access): 12/23/2009 11:40:32 AM

Date (last write): 1/26/2009 3:31:02 PM

Filesize: 1879896

Attributes: archive

MD5: 022C2F6DCCDFA0AD73024D254E62AFAC

CRC32: 5BA24007

Version: 1.6.2.14

--- ActiveX list ---

{E2883E8F-472F-4FB0-9522-AC9BF37916A7} ()

DPF name:

CLSID name:

Installer: C:\WINDOWS\Downloaded Program Files\gp.inf

Codebase: http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

--- Process list ---

PID: 0 ( 0) [system]

PID: 420 ( 4) \SystemRoot\System32\smss.exe

size: 50688

PID: 476 ( 420) \??\C:\WINDOWS\system32\csrss.exe

size: 6144

PID: 500 ( 420) \??\C:\WINDOWS\system32\winlogon.exe

size: 502272

PID: 544 ( 500) C:\WINDOWS\system32\services.exe

size: 110592

MD5: 37561F8D4160D62DA86D24AE41FAE8DE

PID: 556 ( 500) C:\WINDOWS\system32\lsass.exe

size: 13312

MD5: 84885F9B82F4D55C6146EBF6065D75D2

PID: 696 ( 544) C:\WINDOWS\system32\svchost.exe

size: 14336

MD5: 8F078AE4ED187AAABC0A305146DE6716

PID: 756 ( 544) C:\WINDOWS\system32\svchost.exe

size: 14336

MD5: 8F078AE4ED187AAABC0A305146DE6716

PID: 792 ( 544) C:\WINDOWS\System32\svchost.exe

size: 14336

MD5: 8F078AE4ED187AAABC0A305146DE6716

PID: 840 ( 544) C:\WINDOWS\System32\svchost.exe

size: 14336

MD5: 8F078AE4ED187AAABC0A305146DE6716

PID: 880 ( 544) C:\WINDOWS\System32\svchost.exe

size: 14336

MD5: 8F078AE4ED187AAABC0A305146DE6716

PID: 1064 ( 544) C:\WINDOWS\system32\spoolsv.exe

size: 57856

MD5: 7435B108B935E42EA92CA94F59C8E717

PID: 1148 ( 544) C:\WINDOWS\System32\svchost.exe

size: 14336

MD5: 8F078AE4ED187AAABC0A305146DE6716

PID: 1204 ( 544) C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

size: 270336

MD5: 0EFEE4F2D23BA2D8B27FBA942106E0E1

PID: 1272 ( 544) C:\WINDOWS\System32\svchost.exe

size: 14336

MD5: 8F078AE4ED187AAABC0A305146DE6716

PID: 1544 ( 544) C:\WINDOWS\System32\alg.exe

size: 44544

MD5: F1958FBF86D5C004CF19A5951A9514B7

PID: 1796 (1712) C:\WINDOWS\Explorer.EXE

size: 1032192

MD5: A0732187050030AE399B241436565E64

PID: 2016 (1796) C:\WINDOWS\system32\igfxtray.exe

size: 155648

MD5: 8BBBADA96FFE1449EDD39256EDA99CD8

PID: 2028 (1796) C:\WINDOWS\system32\hkcmd.exe

size: 118784

MD5: EA5DD164296F66241BEAD39E12FA69F2

PID: 2040 (1796) C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

size: 32768

MD5: 915A106A2FB87292CEF0AD4F36ADF313

PID: 156 (1796) C:\WINDOWS\system32\ctfmon.exe

size: 15360

MD5: 24232996A38C0B0CF151C2140AE29FC8

PID: 164 (1796) C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

size: 2260480

MD5: 390679F7A217A5E73D756276C40AE887

PID: 1216 ( 792) C:\WINDOWS\system32\wuauclt.exe

size: 53472

MD5: 62BB79160F86CD962F312C68C6239BFD

PID: 2036 (1796) C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe

size: 5365592

MD5: 0477C2F9171599CA5BC3307FDFBA8D89

PID: 1092 (1796) C:\Program Files\Internet Explorer\iexplore.exe

size: 634632

MD5: 4F9B04D546C23A295F3F0AE015BE51DB

PID: 956 (1796) C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

size: 1394000

MD5: E75105DF25DA39DCAC3EBB6D1C2AB79C

PID: 1740 ( 956) C:\WINDOWS\system32\NOTEPAD.EXE

size: 69120

MD5: 388B8FBC36A8558587AFC90FB23A3B99

PID: 188 (1796) C:\WINDOWS\system32\NOTEPAD.EXE

size: 69120

MD5: 388B8FBC36A8558587AFC90FB23A3B99

PID: 4 ( 0) System

--- Browser start & search pages list ---

Spybot - Search & Destroy browser pages report, 12/23/2009 12:25:19 PM

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Local Page

C:\WINDOWS\system32\blank.htm

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Page

http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page

http://www.google.com/

HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Local Page

%SystemRoot%\system32\blank.htm

HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Search Page

http://go.microsoft.com/fwlink/?LinkId=54896

HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Start Page

http://go.microsoft.com/fwlink/?LinkId=69157

HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Page_URL

http://go.microsoft.com/fwlink/?LinkId=69157

HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Search_URL

http://go.microsoft.com/fwlink/?LinkId=54896

HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\SearchAssistant

http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm

HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\CustomizeSearch

http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm

--- Winsock Layered Service Provider list ---

Protocol 0: MSAFD Tcpip [TCP/IP]

GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}

Filename: %SystemRoot%\system32\mswsock.dll

Description: Microsoft Windows NT/2k/XP IP protocol

DB filename: %SystemRoot%\system32\mswsock.dll

DB protocol: MSAFD Tcpip [*]

Protocol 1: MSAFD Tcpip [uDP/IP]

GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}

Filename: %SystemRoot%\system32\mswsock.dll

Description: Microsoft Windows NT/2k/XP IP protocol

DB filename: %SystemRoot%\system32\mswsock.dll

DB protocol: MSAFD Tcpip [*]

Protocol 2: MSAFD Tcpip [RAW/IP]

GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}

Filename: %SystemRoot%\system32\mswsock.dll

Description: Microsoft Windows NT/2k/XP IP protocol

DB filename: %SystemRoot%\system32\mswsock.dll

DB protocol: MSAFD Tcpip [*]

Protocol 3: RSVP UDP Service Provider

GUID: {9D60A9E0-337A-11D0-BD88-0000C082E69A}

Filename: %SystemRoot%\system32\rsvpsp.dll

Description: Microsoft Windows NT/2k/XP RVSP

DB filename: %SystemRoot%\system32\rsvpsp.dll

DB protocol: RSVP * Service Provider

Protocol 4: RSVP TCP Service Provider

GUID: {9D60A9E0-337A-11D0-BD88-0000C082E69A}

Filename: %SystemRoot%\system32\rsvpsp.dll

Description: Microsoft Windows NT/2k/XP RVSP

DB filename: %SystemRoot%\system32\rsvpsp.dll

DB protocol: RSVP * Service Provider

Protocol 5: MSAFD NetBIOS [\Device\NetBT_Tcpip_{DBAEC3FA-3643-4C3E-BB19-C1C184AA382F}] SEQPACKET 0

GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}

Filename: %SystemRoot%\system32\mswsock.dll

Description: Microsoft Windows NT/2k/XP NetBios protocol

DB filename: %SystemRoot%\system32\mswsock.dll

DB protocol: MSAFD NetBIOS *

Protocol 6: MSAFD NetBIOS [\Device\NetBT_Tcpip_{DBAEC3FA-3643-4C3E-BB19-C1C184AA382F}] DATAGRAM 0

GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}

Filename: %SystemRoot%\system32\mswsock.dll

Description: Microsoft Windows NT/2k/XP NetBios protocol

DB filename: %SystemRoot%\system32\mswsock.dll

DB protocol: MSAFD NetBIOS *

Protocol 7: MSAFD NetBIOS [\Device\NetBT_Tcpip_{5ABE2B71-866B-49FC-B6A2-9B1824FBA38D}] SEQPACKET 1

GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}

Filename: %SystemRoot%\system32\mswsock.dll

Description: Microsoft Windows NT/2k/XP NetBios protocol

DB filename: %SystemRoot%\system32\mswsock.dll

DB protocol: MSAFD NetBIOS *

Protocol 8: MSAFD NetBIOS [\Device\NetBT_Tcpip_{5ABE2B71-866B-49FC-B6A2-9B1824FBA38D}] DATAGRAM 1

GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}

Filename: %SystemRoot%\system32\mswsock.dll

Description: Microsoft Windows NT/2k/XP NetBios protocol

DB filename: %SystemRoot%\system32\mswsock.dll

DB protocol: MSAFD NetBIOS *

Protocol 9: MSAFD NetBIOS [\Device\NetBT_Tcpip_{51BD6592-9F47-4E88-ACB7-2505A1EF06CA}] SEQPACKET 2

GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}

Filename: %SystemRoot%\system32\mswsock.dll

Description: Microsoft Windows NT/2k/XP NetBios protocol

DB filename: %SystemRoot%\system32\mswsock.dll

DB protocol: MSAFD NetBIOS *

Protocol 10: MSAFD NetBIOS [\Device\NetBT_Tcpip_{51BD6592-9F47-4E88-ACB7-2505A1EF06CA}] DATAGRAM 2

GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}

Filename: %SystemRoot%\system32\mswsock.dll

Description: Microsoft Windows NT/2k/XP NetBios protocol

DB filename: %SystemRoot%\system32\mswsock.dll

DB protocol: MSAFD NetBIOS *

Namespace Provider 0: Tcpip

GUID: {22059D40-7E9E-11CF-AE5A-00AA00A7112B}

Filename: %SystemRoot%\System32\mswsock.dll

Description: Microsoft Windows NT/2k/XP TCP/IP name space provider

DB filename: %SystemRoot%\system32\mswsock.dll

DB protocol: TCP/IP

Namespace Provider 1: NTDS

GUID: {3B2637EE-E580-11CF-A555-00C04FD8D4AC}

Filename: %SystemRoot%\System32\winrnr.dll

Description: Microsoft Windows NT/2k/XP name space provider

DB filename: %SystemRoot%\system32\winrnr.dll

DB protocol: NTDS

Namespace Provider 2: Network Location Awareness (NLA) Namespace

GUID: {6642243A-3BA8-4AA6-BAA5-2E0BD71FDD83}

Filename: %SystemRoot%\System32\mswsock.dll

Description: Microsoft Windows NT/2k/XP name space provider

DB filename: %SystemRoot%\system32\mswsock.dll

DB protocol: NLA-Namespace

attach.zip


  • Staff

Hi,

Something is locking the hosts file. Please navigate to the C:\WINDOWS\system32\drivers\etc\hosts file, right-click, check Properties and make sure that "Read-only" is unchecked. Then try HostsXpert again.

If that didn't work, do the following:

Open Malwarebytes > More Tools tab > FileAssassin > Click Run Tool

Then an Explorer window will open.

Copy and paste the following in the field under File name:

C:\WINDOWS\system32\drivers\etc\hosts

Then click Open next to it.

You should see this image:

post-102-1261668030_thumb.jpg

Click yes there.

FileAssassin will then delete the hosts file.

To recreate it again (default hosts file), start HostsXpert again.

It will give a warning that the hosts file doesn't exist and ask you to press OK to create the hosts file.

Click OK there.

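For anyone cleaning up the same kind of infection, here is an added example in Python of the checks the logs and the staff reply above call for. It is not the poster's code and not part of Malwarebytes, Spybot or HostsXpert. It parses either a raw hosts file or the "Hosts:" lines pasted from a DDS report, flags non-loopback entries that remap safe-browsing and update domains (urs.microsoft.com and safebrowsing-cache.google.com, both present in the Spybot log, are what the browser's phishing filter and safe-browsing lookups rely on) or that pile several hostnames onto one remote address, the pattern 74.125.45.100 shows above, drops those lines, and includes the read-only check the staff reply describes before rewriting the file. The SAMPLE_HOSTS text is constructed from the log entries above; the PROTECTED_SUFFIXES beyond the two domains in the log, and the DEFAULT_HOSTS content, are assumptions for illustration rather than anything the thread states.

```python
"""hosts_audit.py: flag rogue-AV style hosts-file redirections and rebuild a clean file.

Added example for this thread; not code from Malwarebytes, Spybot, HostsXpert
or the poster. Works on a raw hosts file or on pasted DDS "Hosts:" lines.
"""
import ipaddress
import os
import stat
from collections import defaultdict

# Constructed sample modelled on the redirected entries in the logs above.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
74.125.45.100   4-open-davinci.com
74.125.45.100   securitysoftwarepayments.com
74.125.45.100   safebrowsing-cache.google.com
74.125.45.100   urs.microsoft.com
Hosts: 74.125.45.100 www.getantivirusplusnow.com   # pasted from a DDS log
"""

# Hostnames a hosts file should never remap to a remote address: doing so blinds
# the browser's safe-browsing lookups and update checks. The first two appear in
# the Spybot log above; the remainder are assumed for illustration.
PROTECTED_SUFFIXES = (
    "safebrowsing-cache.google.com",
    "urs.microsoft.com",
    "windowsupdate.com",
    "update.microsoft.com",
    "malwarebytes.org",
)

# Assumed minimal default: the only mapping a stock hosts file needs is localhost.
DEFAULT_HOSTS = "# Default hosts file (rebuilt after cleanup)\n127.0.0.1       localhost\n"


def parse_hosts(text):
    """Return [(line_no, ip, hostname)] for each mapping; comments and junk are skipped."""
    entries = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if line.startswith("Hosts:"):           # accept DDS report lines too
            line = line[len("Hosts:"):].strip()
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue                             # not an address: not a mapping
        for host in parts[1:]:
            entries.append((n, str(ip), host.lower().rstrip(".")))
    return entries


def audit_hosts(text, min_cluster=3):
    """Return {line_no: [reasons]} for entries that look like hijacks.

    Loopback mappings (127.x / ::1) are blocklist style and left alone. An entry
    is flagged when it remaps a protected domain, or when one remote address
    collects at least `min_cluster` hostnames, the pattern the logs above show.
    """
    entries = parse_hosts(text)
    hosts_per_ip = defaultdict(set)
    for _, ip, host in entries:
        hosts_per_ip[ip].add(host)
    findings = defaultdict(list)
    for n, ip, host in entries:
        if ipaddress.ip_address(ip).is_loopback:
            continue
        if any(host == s or host.endswith("." + s) for s in PROTECTED_SUFFIXES):
            findings[n].append(f"protected domain {host} redirected to {ip}")
        if len(hosts_per_ip[ip]) >= min_cluster:
            findings[n].append(f"{len(hosts_per_ip[ip])} hostnames share {ip}")
    return dict(findings)


def clean_hosts(text):
    """Rebuild the file text without the flagged lines (comments and loopback kept)."""
    bad = audit_hosts(text)
    kept = [line for n, line in enumerate(text.splitlines(), 1) if n not in bad]
    return "\n".join(kept) + "\n"


def is_read_only(path):
    """True if the file is write-protected: the Windows read-only attribute where
    st_file_attributes exists, otherwise the owner write bit. A set attribute is
    the cause the staff reply names for a hosts file that tools cannot rewrite."""
    st = os.stat(path)
    attrs = getattr(st, "st_file_attributes", None)
    if attrs is not None:
        return bool(attrs & stat.FILE_ATTRIBUTE_READONLY)
    return not (st.st_mode & stat.S_IWUSR)


def clear_read_only(path):
    """Remove the write protection; on Windows os.chmod toggles the read-only attribute."""
    os.chmod(path, os.stat(path).st_mode | stat.S_IWUSR)


def rewrite_hosts(path, content=DEFAULT_HOSTS):
    """Reset the hosts file to `content`, clearing read-only first if needed."""
    if os.path.exists(path) and is_read_only(path):
        clear_read_only(path)
    with open(path, "w", newline="\r\n") as fh:
        fh.write(content)


if __name__ == "__main__":
    for n, reasons in sorted(audit_hosts(SAMPLE_HOSTS).items()):
        print(f"line {n}: " + "; ".join(reasons))
    print("--- cleaned ---")
    print(clean_hosts(SAMPLE_HOSTS), end="")
```

Run it as-is to see the five redirected lines from the sample flagged and the cleaned text reduced to the comment and the localhost line; point `rewrite_hosts` at C:\WINDOWS\system32\drivers\etc\hosts from an administrator prompt to do what the HostsXpert step above does by hand. Entries of the 127.0.0.1 form are deliberately left alone, since that is how ad and malware blocklists use the file; the signal is a remote address, not a hosts entry as such.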

  • Staff

Glad I could help. :)

Please read my Prevention page with lots of info and tips how to prevent this in the future.

And if you want to improve speed/system performance after malware removal, take a look here.

Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Holidays and, well, Happy Surfing again! :P

