hosts files

Hang in there, if it works for you, that's all that counts......

 

You can see from the logs how much crap can get into your computer without you knowing it.
I will spend some time digging out all the real bad guys in the OTL log and prepare a Fix to clean your computer. it may be later tomorrow before I complete it. in the meantime if you have any questions please give me a shout. Oh yeah, please don't run, download, install, change or delete anything unless I tell you to. that will make it easier on me not to have to keep going back and making changes to the fix, TNX 2oG

 

whiskey99,
After going a ways in the OTL log I find some User Policies have been changed and need to be reset. The following program, I am pretty sure will reset the policies and also scan for the presents of a Trojan or Rootkit. Please run it and then run OTL and send me a fresh copy of OTL.txt log. I can then see if they were reset. If not I will reset them later using OTL.

RogueKiller

Please download and save RogueKiller to your Desktop.

• Quit all programs that you may have started.
• Please disconnect any USB or external drives from the computer before you run this scan!
• For Vista or Windows 7, right-click and select "Run as Administrator to start" For Windows XP, double-click to start.
• Wait until Prescan has finished ...
• Then Click on "Scan" button
• Wait until the Status box shows "Scan Finished"
• click on "delete"
• Wait until the Status box shows "Deleting Finished"
• Click on "Report" and copy/paste the content of the Notepad into your next reply.
• The log should be found in RKreport[1].txt on your Desktop
• Exit/Close RogueKiller+


2oG

 

RogueKiller V8.5.4 [Mar 18 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/
Website : http://tigzy.geekstogo.com/roguekiller.php
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User : Admin [Admin rights]
Mode : Remove -- Date : 03/29/2013 10:07:22
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 3 ¤¤¤
[HJPOL] HKCU\[...]\System : DisableTaskMgr (0) -> DELETED
[HJPOL] HKCU\[...]\System : DisableRegistryTools (0) -> DELETED
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤
SSDT[46] : NtCreatePort @ 0x8059A59A -> HOOKED (\SystemRoot\system32\DRIVERS\pwipf6.sys @ 0xB6589FE0)
SSDT[48] : NtCreateProcessEx @ 0x805C7540 -> HOOKED (\SystemRoot\system32\DRIVERS\pwipf6.sys @ 0xB658AAE0)
SSDT[57] : NtDebugActiveProcess @ 0x8063A87C -> HOOKED (\SystemRoot\system32\DRIVERS\pwipf6.sys @ 0xB6586230)
SSDT[206] : NtResumeThread @ 0x805CAE60 -> HOOKED (\SystemRoot\system32\DRIVERS\pwipf6.sys @ 0xB6589730)
SSDT[210] : NtSecureConnectPort @ 0x80599212 -> HOOKED (\SystemRoot\system32\DRIVERS\pwipf6.sys @ 0xB6589E30)
SSDT[224] : NtSetInformationFile @ 0x805703F6 -> HOOKED (\SystemRoot\system32\DRIVERS\pwipf6.sys @ 0xB6589580)
S_SSDT[7] : NtGdiAlphaBlend -> HOOKED (\SystemRoot\system32\DRIVERS\pwipf6.sys @ 0xB6587E40)
S_SSDT[13] : NtGdiBitBlt -> HOOKED (\SystemRoot\system32\DRIVERS\pwipf6.sys @ 0xB6587B40)
S_SSDT[122] : NtGdiDeleteObjectApp -> HOOKED (\SystemRoot\system32\DRIVERS\pwipf6.sys @ 0xB65879D0)
S_SSDT[191] : NtGdiGetPixel -> HOOKED (\SystemRoot\system32\DRIVERS\pwipf6.sys @ 0xB6587EC0)
S_SSDT[227] : NtGdiMaskBlt -> HOOKED (\SystemRoot\system32\DRIVERS\pwipf6.sys @ 0xB6587C90)
S_SSDT[233] : NtGdiOpenDCW -> HOOKED (\SystemRoot\system32\DRIVERS\pwipf6.sys @ 0xB6587920)
S_SSDT[237] : NtGdiPlgBlt -> HOOKED (\SystemRoot\system32\DRIVERS\pwipf6.sys @ 0xB6587D40)
S_SSDT[292] : NtGdiStretchBlt -> HOOKED (\SystemRoot\system32\DRIVERS\pwipf6.sys @ 0xB6587BE0)
S_SSDT[298] : NtGdiTransparentBlt -> HOOKED (\SystemRoot\system32\DRIVERS\pwipf6.sys @ 0xB6587DC0)
S_SSDT[307] : NtUserAttachThreadInput -> HOOKED (\SystemRoot\system32\DRIVERS\pwipf6.sys @ 0xB65873D0)
S_SSDT[383] : NtUserGetAsyncKeyState -> HOOKED (\SystemRoot\system32\DRIVERS\pwipf6.sys @ 0xB65876D0)
S_SSDT[416] : NtUserGetKeyState -> HOOKED (\SystemRoot\system32\DRIVERS\pwipf6.sys @ 0xB6587620)
S_SSDT[460] : NtUserMessageCall -> HOOKED (\SystemRoot\system32\DRIVERS\pwipf6.sys @ 0xB6586F00)
S_SSDT[475] : NtUserPostMessage -> HOOKED (\SystemRoot\system32\DRIVERS\pwipf6.sys @ 0xB65870B0)
S_SSDT[476] : NtUserPostThreadMessage -> HOOKED (\SystemRoot\system32\DRIVERS\pwipf6.sys @ 0xB6587240)
S_SSDT[491] : NtUserRegisterRawInputDevices -> HOOKED (\SystemRoot\system32\DRIVERS\pwipf6.sys @ 0xB65874D0)
S_SSDT[502] : NtUserSendInput -> HOOKED (\SystemRoot\system32\DRIVERS\pwipf6.sys @ 0xB6587780)
S_SSDT[509] : NtUserSetClipboardViewer -> HOOKED (\SystemRoot\system32\DRIVERS\pwipf6.sys @ 0xB6587880)
S_SSDT[520] : NtUserSetInformationThread -> HOOKED (\SystemRoot\system32\DRIVERS\pwipf6.sys @ 0xB6586BA0)
S_SSDT[549] : NtUserSetWindowsHookEx -> HOOKED (\SystemRoot\system32\DRIVERS\pwipf6.sys @ 0xB6586C80)
S_SSDT[552] : NtUserSetWinEventHook -> HOOKED (\SystemRoot\system32\DRIVERS\pwipf6.sys @ 0xB6586D60)

¤¤¤ Extern Hives: ¤¤¤
-> D:\windows\system32\config\SOFTWARE
-> D:\windows\system32\config\SYSTEM
-> D:\Users\Default\NTUSER.DAT

¤¤¤ HOSTS File: ¤¤¤
--> C:\WINDOWS\system32\drivers\etc\hosts

127.0.0.1 localhost
127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com
127.0.0.1 www.0scan.com
127.0.0.1 0scan.com
127.0.0.1 www.1000gratisproben.com
127.0.0.1 1000gratisproben.com
127.0.0.1 1001namen.com
127.0.0.1 www.1001namen.com
127.0.0.1 100888290cs.com
127.0.0.1 www.100888290cs.com
127.0.0.1 www.100sexlinks.com
[...]


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: ST3160812AS +++++
--- User ---
[MBR] 3fd38abb520868dacdafda57c123720c
[BSP] 864d25af0c9e06eaab822894972bd089 : Windows XP MBR Code
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 39 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 81920 | Size: 10240 Mo
2 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 21053440 | Size: 142306 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[2]_D_03292013_02d1007.txt >>
RKreport[1]_S_03292013_02d1006.txt ; RKreport[2]_D_03292013_02d1007.txt

 

HI,2oldGeek, here is scan did not see your reply until this morning when got home last nite i received my new video card and installed it is a
(GALAXY GEFORCE 61 TGS4HX2LTX GEFORCE GT 610 GC).
The PSU on this PC is supposed to be boarder line only 305 watts but it appears to be running alright time will tell,but will need to replace PSU.
You do not know how lucky you are that i finally learned how to copy&paste,thanks

 

No, you just don’t know how lucky you are to be able to copy/past LOL.

You have gathered a lot of malware and I am going to make some suggestions…
Remember these are My Suggestions, it’s Your Computer so, you can do what you feel is best for you.

Ad-Aware and SpyBot S&D are old technology that we were using in the 90’s and early 2000. They have outlived their usefulness IMHO.

I suggest you uninstall both Ad-Aware and SpyBotS&D. then install Avast HERE.
It has 8 different real-time shields to protect you.

Now uninstall Java. Unless you have some serious need for Java I would suggest leaving it off your computer. It is mostly for business and very few web sites use it. If you must install it, make sure that it is at least Java 7 update 17, like you have now.

Java Script is a different animal and runs on Firefox. You will be protected from bad script by the script shield in Avast.

• Double click OTL.exe to launch the program.
• Copy/Paste the contents of the code box below into the Custom Scans/Fixes box.

Code:

:OTL
O4 - HKLM..\Run: [SearchProtection] C:\Documents and Settings\All Users\Application Data\Search Protection\_run.bat File not found
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.8313.1002\swg.dll (Google Inc.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0 
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present 
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Infodelivery present 
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Restrictions present 
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323 
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863 
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present 
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Infodelivery present 
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Restrictions present 
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323 
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863 
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present 
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Infodelivery present 
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Restrictions present 
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145 
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present 
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Infodelivery present 
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Restrictions present 
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145 
O7 - HKU\S-1-5-21-682003330-1592454029-839522115-1003\Software\Policies\Microsoft\Internet Explorer\Control Panel present 
O7 - HKU\S-1-5-21-682003330-1592454029-839522115-1003\Software\Policies\Microsoft\Internet Explorer\Infodelivery present 
O7 - HKU\S-1-5-21-682003330-1592454029-839522115-1003\Software\Policies\Microsoft\Internet Explorer\Restrictions present 
O7 - HKU\S-1-5-21-682003330-1592454029-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323 
O7 - HKU\S-1-5-21-682003330-1592454029-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoBandCustomize = 0 
O7 - HKU\S-1-5-21-682003330-1592454029-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863 
O7 - HKU\S-1-5-21-682003330-1592454029-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0 
O7 - HKU\S-1-5-21-682003330-1592454029-839522115-1008\Software\Policies\Microsoft\Internet Explorer\Control Panel present 
O7 - HKU\S-1-5-21-682003330-1592454029-839522115-1008\Software\Policies\Microsoft\Internet Explorer\Infodelivery present 
O7 - HKU\S-1-5-21-682003330-1592454029-839522115-1008\Software\Policies\Microsoft\Internet Explorer\Restrictions present 
O7 - HKU\S-1-5-21-682003330-1592454029-839522115-1008\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O15 - HKU\S-1-5-21-682003330-1592454029-839522115-1003\..Trusted Domains: comcast.net ([%20www] https in Trusted sites) 
O15 - HKU\S-1-5-21-682003330-1592454029-839522115-1003\..Trusted Domains: genieo.com ([yahoo] http in Trusted sites) 
O15 - HKU\S-1-5-21-682003330-1592454029-839522115-1003\..Trusted Domains: microsoft.com ([www.update] https in Trusted sites) 
O15 - HKU\S-1-5-21-682003330-1592454029-839522115-1003\..Trusted Ranges: Range1 ([*] in Trusted sites)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} [url]http://fpdownload.macromedia.com/get/fl...t/ultrashim.cab[/url] (Reg Error: Key error.) 
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} [url]http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab[/url] (Reg Error: Key error.)

:Files
pconfig /flushdns /c
C:\Documents and Settings\All Users\Application Data\Search Protection

:Commands
[emptytemp]
[PURITY]
[emptyjava]
[EMPTYFLASH]
[createrestorepoint]
[reboot]

• Click the Run Fix button.
• OTL will now process the instructions.
• When finished a box will open asking you to open the fix log, click OK.
• The fix log will open.
• Copy/Paste the log in your next reply please.

Note: If necessary, OTL may re-boot your computer, or request that you do so, if it does, re-boot your computer. A log will be produced upon re-boot.

Any questions? How are you running when you finish this fix?
2oG

 

HI,I did as you suggested and removed the three items SB&D,AD-AWARE,JAVA 7.
and downloaded avast,now will run OTL.

 

HI,2oldGEEK,I have tried to download OTL,but all i an right now is an error 404.
Went BLEEPINGCOMPUTERS.COM. and could not download there either the download that i did the other nite is gone from my downloads will elsewhere on PC for it.

 

bleepingcomputers is bad. hold on and ill find one - also need to fix the file i see it double spaced for some reason. so hold on.

 

OK, I fixed the fix file.
try to download OTL from here:

Download OTL by Old Timer and save it to your Desktop.

 

Well i got it to download,but unclear about your instructions should i be able to just click the RUNFIX button and it will run a scan or what should i be looking for,maybe what you may have done from your end made it work as have ready to go,thanks

 

OK, I have tried to run the RUN FIX button but it is telling me there is no file to run.
Should i run a scan first.

 

first copy the fix in the CODE box then paste it into the custom scan/fixes box on OTL.


• Double click OTL.exe to launch the program.
• Copy/Paste the contents of the code box below into the Custom Scans/Fixes box.

Code:

:OTL
O4 - HKLM..\Run: [SearchProtection] C:\Documents and Settings\All Users\Application Data\Search Protection\_run.bat File not found
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.8313.1002\swg.dll (Google Inc.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0 
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present 
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Infodelivery present 
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Restrictions present 
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323 
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863 
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present 
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Infodelivery present 
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Restrictions present 
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323 
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863 
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present 
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Infodelivery present 
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Restrictions present 
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145 
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present 
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Infodelivery present 
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Restrictions present 
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145 
O7 - HKU\S-1-5-21-682003330-1592454029-839522115-1003\Software\Policies\Microsoft\Internet Explorer\Control Panel present 
O7 - HKU\S-1-5-21-682003330-1592454029-839522115-1003\Software\Policies\Microsoft\Internet Explorer\Infodelivery present 
O7 - HKU\S-1-5-21-682003330-1592454029-839522115-1003\Software\Policies\Microsoft\Internet Explorer\Restrictions present 
O7 - HKU\S-1-5-21-682003330-1592454029-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323 
O7 - HKU\S-1-5-21-682003330-1592454029-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoBandCustomize = 0 
O7 - HKU\S-1-5-21-682003330-1592454029-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863 
O7 - HKU\S-1-5-21-682003330-1592454029-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0 
O7 - HKU\S-1-5-21-682003330-1592454029-839522115-1008\Software\Policies\Microsoft\Internet Explorer\Control Panel present 
O7 - HKU\S-1-5-21-682003330-1592454029-839522115-1008\Software\Policies\Microsoft\Internet Explorer\Infodelivery present 
O7 - HKU\S-1-5-21-682003330-1592454029-839522115-1008\Software\Policies\Microsoft\Internet Explorer\Restrictions present 
O7 - HKU\S-1-5-21-682003330-1592454029-839522115-1008\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O15 - HKU\S-1-5-21-682003330-1592454029-839522115-1003\..Trusted Domains: comcast.net ([%20www] https in Trusted sites) 
O15 - HKU\S-1-5-21-682003330-1592454029-839522115-1003\..Trusted Domains: genieo.com ([yahoo] http in Trusted sites) 
O15 - HKU\S-1-5-21-682003330-1592454029-839522115-1003\..Trusted Domains: microsoft.com ([www.update] https in Trusted sites) 
O15 - HKU\S-1-5-21-682003330-1592454029-839522115-1003\..Trusted Ranges: Range1 ([*] in Trusted sites)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} [url]http://fpdownload.macromedia.com/get/fl...t/ultrashim.cab[/url] (Reg Error: Key error.) 
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} [url]http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab[/url] (Reg Error: Key error.)

:Files
pconfig /flushdns /c
C:\Documents and Settings\All Users\Application Data\Search Protection

:Commands
[emptytemp]
[PURITY]
[emptyjava]
[EMPTYFLASH]
[createrestorepoint]
[reboot]

• Click the Run Fix button.
• OTL will now process the instructions.
• When finished a box will open asking you to open the fix log, click OK.
• The fix log will open.
• Copy/Paste the log in your next reply please.

Note: If necessary, OTL may re-boot your computer, or request that you do so, if it does, re-boot your computer. A log will be produced upon re-boot.

 

use this one:
http://forums.afterdawn.com/thread_jump.cfm/957756/5847186

the one I just sent has double spacing - wrong!

 

did you get it and understand?

 

HI,I am missing something here sent reply but looks like it take heres another one.
should i run a scan before clicking runfix button as it is telling there is no file to fix.

 

Just reboot - clear it up and try again

 

did you figure it out???

 

Sorry it is still telling me that it can not do it because there is no file to run,i have OTL in my lower task and can pull it up click on RUNFIX nothing happens is there a step that is missing in process and this is after reboot.

 

Here is what it says word for word.
No fix has been provided.
Click OK to load it from a file or CANCEL.
This is all i get when i try to run OTL.