1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Please help with browser hijacking

Discussion in 'Windows - Virus and spyware problems' started by awenner, Jun 12, 2008.

  1. awenner

    awenner Member

    Joined:
    Jun 12, 2008
    Messages:
    4
    Likes Received:
    0
    Trophy Points:
    11
    I would be grateful for any help with these issues: I tried to to the prelim steps, but my browser will not display sites like Kaspersky and the VundoFix sites (404 type messages.)I did run McAfee, Spyware Blaster, SPybit, Windows Defender, CCleaner, SDFix.

    1) In IE, Google search results are redirected to weird URLs that are non-existant sites

    2) Firefox will not start (even after a re-install)

    3) McAfee will no longer update (can't access needed online files, subscription still on)

    My Hijack this log is attached. Thank you in advance for any help!

    ARW

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 8:07:50 AM, on 6/12/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16640)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\McAfee\Common Framework\FrameworkService.exe
    C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
    C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
    C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\system32\IoctlSvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\WINDOWS\system32\SearchIndexer.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe
    C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
    C:\Program Files\dvd43\dvd43_tray.exe
    C:\Program Files\Lexmark X74-X75\lxbbbmon.exe
    C:\Program Files\McAfee\Common Framework\UdaterUI.exe
    C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
    C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\McAfee\Common Framework\McTray.exe
    C:\Documents and Settings\Administrator\Local Settings\Application Data\FolderShare\FolderShare.exe
    C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
    C:\Program Files\Windows Desktop Search\WindowsSearch.exe
    C:\Program Files\Red Chair Software\Anapod Explorer\anamgr.exe
    C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    C:\Program Files\internet explorer\iexplore.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\WINDOWS\system32\SearchProtocolHost.exe
    C:\Documents and Settings\Administrator\Desktop\SDFix\SDFix\Norman_Malware_Cleaner.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Documents and Settings\Administrator\Desktop\SDFix\SDFix\a2cmd.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://exchange.syr.edu/exchange/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
    O2 - BHO: (no name) - {1392b8d2-5c05-419f-a8f6-b9f15a596612} - (no file)
    O2 - BHO: (no name) - {17E7EDFE-3298-41E7-9FDB-494649B59091} - (no file)
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {5f37fc69-3a05-4fb6-a05b-476d1b0cfd51} - (no file)
    O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
    O2 - BHO: (no name) - {758A7917-328C-4E1B-B13B-1D94316BE9FE} - (no file)
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O2 - BHO: (no name) - {77A3F107-8918-40F2-A55C-5AA94C03487C} - (no file)
    O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\Scriptcl.dll
    O2 - BHO: (no name) - {E9383002-FC55-4330-B9C9-67E03BC5C840} - (no file)
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
    O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
    O4 - HKLM\..\Run: [dvd43] C:\Program Files\dvd43\dvd43_tray.exe
    O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
    O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
    O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Windows Live FolderShare] "C:\Documents and Settings\Administrator\Local Settings\Application Data\FolderShare\FolderShare.exe" /background
    O4 - HKCU\..\Run: [FolderShare] "C:\Program Files\FolderShare\FolderShare.exe" /background
    O4 - Startup: Anapod Manager.lnk = C:\Program Files\Red Chair Software\Anapod Explorer\anamgr.exe
    O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
    O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1199485231692
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1199485372052
    O16 - DPF: {843EE768-3A97-455C-9076-741BA3AD7B62} (QuickBooks Online Edition Utilities Class v10) - https://accounting.quickbooks.com/c5/v21.123/qboax10.cab
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
    O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINDOWS\system32\drivers\KodakCCS.exe (file missing)
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
    O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
    O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
    O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
    O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

    --
    End of file - 8801 bytes


    4) IE browser will apparantly not display sites with URLs that include words like Vundo



    4)
     
  2. cdavfrew

    cdavfrew Regular member

    Joined:
    May 19, 2008
    Messages:
    1,183
    Likes Received:
    0
    Trophy Points:
    46
    Hi awenner.

    Uh oh... sounds like vundo to me. Please note the following:
    1. Vundo is one of the most severe infections out there, thus,
    2. it is extremely hard to remove.
    3. Many have given up fighting it and instead formatted to have a clean system against
    4. the many hidden settings which vundo will make to your computer, which might never be discovered.

    The choice is yours. However, if you wish to fight...

    Rename HijackThis to something like scanner.exe and run it again. Post the new hijackthis log here. Download both vundofix and virtumundobegone on another computer, and transfer it onto this computer. Boot into safe mode, and then run both of those programs (rename these programs as well, to something like vkill).

    Navigate to C:\Windows\system32\drivers\etc and open the hosts file in notepad. Post the contents here. Also, download Autoruns from Sysinternals, and take a screenshot of everything under the tabs Explorer and Winlogon.

    Go to C:\Windows\system32, and list all the files by date. Make sure that both hidden files and folders and hidden system protected files are able to be viewed by adjusting the folder options. Scroll to the latest files, and list the random-named dll or exe files.

    Best Regards :D

    PS: Your java needs updating :)
     
  3. awenner

    awenner Member

    Joined:
    Jun 12, 2008
    Messages:
    4
    Likes Received:
    0
    Trophy Points:
    11
    Thank you so much!! I have to break this response into 2 posts, since my replies seem to be hanging when I submit...

    1)HijackThis log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 8:25:49 PM, on 6/12/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16674)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\McAfee\Common Framework\FrameworkService.exe
    C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
    C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
    C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\system32\IoctlSvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\WINDOWS\system32\SearchIndexer.exe
    C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
    C:\Program Files\dvd43\dvd43_tray.exe
    C:\Program Files\McAfee\Common Framework\UdaterUI.exe
    C:\Program Files\Lexmark X74-X75\lxbbbmon.exe
    C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
    C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Documents and Settings\Administrator\Local Settings\Application Data\FolderShare\FolderShare.exe
    C:\Program Files\McAfee\Common Framework\McTray.exe
    C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
    C:\Program Files\Windows Desktop Search\WindowsSearch.exe
    C:\Program Files\Red Chair Software\Anapod Explorer\anamgr.exe
    C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
    C:\Program Files\internet explorer\iexplore.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    C:\WINDOWS\system32\SearchProtocolHost.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://exchange.syr.edu/exchange/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
    O2 - BHO: (no name) - {1392b8d2-5c05-419f-a8f6-b9f15a596612} - (no file)
    O2 - BHO: (no name) - {17E7EDFE-3298-41E7-9FDB-494649B59091} - (no file)
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {5f37fc69-3a05-4fb6-a05b-476d1b0cfd51} - (no file)
    O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
    O2 - BHO: (no name) - {758A7917-328C-4E1B-B13B-1D94316BE9FE} - (no file)
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
    O2 - BHO: (no name) - {77A3F107-8918-40F2-A55C-5AA94C03487C} - (no file)
    O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\Scriptcl.dll
    O2 - BHO: (no name) - {E9383002-FC55-4330-B9C9-67E03BC5C840} - (no file)
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
    O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
    O4 - HKLM\..\Run: [dvd43] C:\Program Files\dvd43\dvd43_tray.exe
    O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
    O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
    O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Windows Live FolderShare] "C:\Documents and Settings\Administrator\Local Settings\Application Data\FolderShare\FolderShare.exe" /background
    O4 - HKCU\..\Run: [FolderShare] "C:\Program Files\FolderShare\FolderShare.exe" /background
    O4 - Startup: Anapod Manager.lnk = C:\Program Files\Red Chair Software\Anapod Explorer\anamgr.exe
    O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
    O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1199485231692
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1199485372052
    O16 - DPF: {843EE768-3A97-455C-9076-741BA3AD7B62} (QuickBooks Online Edition Utilities Class v10) - https://accounting.quickbooks.com/c5/v21.123/qboax10.cab
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
    O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINDOWS\system32\drivers\KodakCCS.exe (file missing)
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
    O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
    O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
    O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
    O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

    --
    End of file - 8527 bytes
    -------------------------------

    2) VundoFix & VBG both run in SAFE MODE; Vundofix found no infected file; the VBG log is:


    [06/12/2008, 10:00:50] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\Administrator\Desktop\SDFix\VGone.exe.exe" )
    [06/12/2008, 10:01:08] - Detected System Information:
    [06/12/2008, 10:01:08] - Windows Version: 5.1.2600, Service Pack 2
    [06/12/2008, 10:01:08] - Current Username: Administrator (Admin)
    [06/12/2008, 10:01:08] - Windows is in SAFE mode.
    [06/12/2008, 10:01:08] - Searching for Browser Helper Objects:
    [06/12/2008, 10:01:08] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} ()
    [06/12/2008, 10:01:08] - WARNING: BHO has no default name. Checking for Winlogon reference.
    [06/12/2008, 10:01:08] - No filename found. Continuing.
    [06/12/2008, 10:01:08] - BHO 2: {1392b8d2-5c05-419f-a8f6-b9f15a596612} ()
    [06/12/2008, 10:01:08] - WARNING: BHO has no default name. Checking for Winlogon reference.
    [06/12/2008, 10:01:08] - No filename found. Continuing.
    [06/12/2008, 10:01:08] - BHO 3: {17E7EDFE-3298-41E7-9FDB-494649B59091} ()
    [06/12/2008, 10:01:08] - WARNING: BHO has no default name. Checking for Winlogon reference.
    [06/12/2008, 10:01:08] - No filename found. Continuing.
    [06/12/2008, 10:01:08] - BHO 4: {53707962-6F74-2D53-2644-206D7942484F} (Spybot-S&D IE Protection)
    [06/12/2008, 10:01:08] - BHO 5: {5f37fc69-3a05-4fb6-a05b-476d1b0cfd51} ()
    [06/12/2008, 10:01:08] - WARNING: BHO has no default name. Checking for Winlogon reference.
    [06/12/2008, 10:01:08] - No filename found. Continuing.
    [06/12/2008, 10:01:08] - BHO 6: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} (Groove GFS Browser Helper)
    [06/12/2008, 10:01:08] - BHO 7: {758A7917-328C-4E1B-B13B-1D94316BE9FE} ()
    [06/12/2008, 10:01:08] - WARNING: BHO has no default name. Checking for Winlogon reference.
    [06/12/2008, 10:01:08] - No filename found. Continuing.
    [06/12/2008, 10:01:08] - BHO 8: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
    [06/12/2008, 10:01:08] - BHO 9: {77A3F107-8918-40F2-A55C-5AA94C03487C} ()
    [06/12/2008, 10:01:08] - WARNING: BHO has no default name. Checking for Winlogon reference.
    [06/12/2008, 10:01:08] - No filename found. Continuing.
    [06/12/2008, 10:01:08] - BHO 10: {7DB2D5A0-7241-4E79-B68D-6309F01C5231} (scriptproxy)
    [06/12/2008, 10:01:08] - BHO 11: {E9383002-FC55-4330-B9C9-67E03BC5C840} ()
    [06/12/2008, 10:01:08] - WARNING: BHO has no default name. Checking for Winlogon reference.
    [06/12/2008, 10:01:08] - No filename found. Continuing.
    [06/12/2008, 10:01:08] - Finished Searching Browser Helper Objects
    [06/12/2008, 10:01:08] - Finishing up...
    [06/12/2008, 10:01:08] - Nothing found! Exiting...

    [06/12/2008, 10:01:50] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\Administrator\Desktop\SDFix\VGone.exe.exe" )
    [06/12/2008, 10:01:52] - Detected System Information:
    [06/12/2008, 10:01:52] - Windows Version: 5.1.2600, Service Pack 2
    [06/12/2008, 10:01:52] - Current Username: Administrator (Admin)
    [06/12/2008, 10:01:52] - Windows is in SAFE mode.
    [06/12/2008, 10:01:52] - Searching for Browser Helper Objects:
    [06/12/2008, 10:01:52] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} ()
    [06/12/2008, 10:01:52] - WARNING: BHO has no default name. Checking for Winlogon reference.
    [06/12/2008, 10:01:52] - No filename found. Continuing.
    [06/12/2008, 10:01:52] - BHO 2: {1392b8d2-5c05-419f-a8f6-b9f15a596612} ()
    [06/12/2008, 10:01:52] - WARNING: BHO has no default name. Checking for Winlogon reference.
    [06/12/2008, 10:01:52] - No filename found. Continuing.
    [06/12/2008, 10:01:52] - BHO 3: {17E7EDFE-3298-41E7-9FDB-494649B59091} ()
    [06/12/2008, 10:01:52] - WARNING: BHO has no default name. Checking for Winlogon reference.
    [06/12/2008, 10:01:52] - No filename found. Continuing.
    [06/12/2008, 10:01:52] - BHO 4: {53707962-6F74-2D53-2644-206D7942484F} (Spybot-S&D IE Protection)
    [06/12/2008, 10:01:52] - BHO 5: {5f37fc69-3a05-4fb6-a05b-476d1b0cfd51} ()
    [06/12/2008, 10:01:52] - WARNING: BHO has no default name. Checking for Winlogon reference.
    [06/12/2008, 10:01:52] - No filename found. Continuing.
    [06/12/2008, 10:01:52] - BHO 6: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} (Groove GFS Browser Helper)
    [06/12/2008, 10:01:52] - BHO 7: {758A7917-328C-4E1B-B13B-1D94316BE9FE} ()
    [06/12/2008, 10:01:52] - WARNING: BHO has no default name. Checking for Winlogon reference.
    [06/12/2008, 10:01:52] - No filename found. Continuing.
    [06/12/2008, 10:01:52] - BHO 8: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
    [06/12/2008, 10:01:52] - BHO 9: {77A3F107-8918-40F2-A55C-5AA94C03487C} ()
    [06/12/2008, 10:01:52] - WARNING: BHO has no default name. Checking for Winlogon reference.
    [06/12/2008, 10:01:52] - No filename found. Continuing.
    [06/12/2008, 10:01:52] - BHO 10: {7DB2D5A0-7241-4E79-B68D-6309F01C5231} (scriptproxy)
    [06/12/2008, 10:01:52] - BHO 11: {E9383002-FC55-4330-B9C9-67E03BC5C840} ()
    [06/12/2008, 10:01:52] - WARNING: BHO has no default name. Checking for Winlogon reference.
    [06/12/2008, 10:01:52] - No filename found. Continuing.
    [06/12/2008, 10:01:52] - Finished Searching Browser Helper Objects
    [06/12/2008, 10:01:52] - Finishing up...
    [06/12/2008, 10:01:52] - Nothing found! Exiting...


    More in next post...

    ARW
     
  4. awenner

    awenner Member

    Joined:
    Jun 12, 2008
    Messages:
    4
    Likes Received:
    0
    Trophy Points:
    11
    3) Hosts (it's too big to send..here's the top part)

    # This MVPS HOSTS file is a free download from: #
    # http://www.mvps.org/winhelp2002/ #
    # #
    # Notes: the browser does not read this "#" symbol #
    # You can create your own notes, after the # symbol #
    # This *must* be the first line: 127.0.0.1 localhost #
    # *********************************************************#
    # ----------------- Updated: June-05-2008 ------------------#
    # *********************************************************#
    # #
    # Entries with comments are all searchable via Google. #
    # #
    # Disclaimer: this file is free to use for personal use #
    # only. Furthermore it is NOT permitted to copy any of the #
    # contents or host on any other site without permission or #
    # meeting the full criteria of the below license terms. #
    # #
    # This work is licensed under the Creative Commons #
    # Attribution-NonCommercial-ShareAlike License. #
    # http://creativecommons.org/licenses/by-nc-sa/3.0/ #

    127.0.0.1 localhost

    #start of lines added by WinHelp2002
    # [Misc A - Z]

    # Potentially malicious hosts entry modified by Norman Virus Control
    # 127.0.0.1 ad.a8.net

    # Potentially malicious hosts entry modified by Norman Virus Control
    # 127.0.0.1 asy.a8ww.net

    # Potentially malicious hosts entry modified by Norman Virus Control
    # 127.0.0.1 www.abx4.com #[Adware.ABXToolbar]

    # Potentially malicious hosts entry modified by Norman Virus Control
    # 127.0.0.1 acezip.net #[SiteAdvisor.acezip.net]

    # Potentially malicious hosts entry modified by Norman Virus Control
    # 127.0.0.1 www.acezip.net #[Win32/Adware.180Solutions]

    # Potentially malicious hosts entry modified by Norman Virus Control
    # 127.0.0.1 phpadsnew.abac.com

    # Potentially malicious hosts entry modified by Norman Virus Control
    # 127.0.0.1 a.abnad.net

    # Potentially malicious hosts entry modified by Norman Virus Control
    # 127.0.0.1 b.abnad.net

    # Potentially malicious hosts entry modified by Norman Virus Control
    # 127.0.0.1 c.abnad.net #[eTrust.Tracking.Cookie]

    # Potentially malicious hosts entry modified by Norman Virus Control
    # 127.0.0.1 d.abnad.net

    # Potentially malicious hosts entry modified by Norman Virus Control
    # 127.0.0.1 e.abnad.net

    # Potentially malicious hosts entry modified by Norman Virus Control
    # 127.0.0.1 t.abnad.net

    # Potentially malicious hosts entry modified by Norman Virus Control
    # 127.0.0.1 banners.absolpublisher.com

    # Potentially malicious hosts entry modified by Norman Virus Control
    # 127.0.0.1 tracking.absolstats.com

    127.0.0.1 adv.abv.bg
    127.0.0.1 bimg.abv.bg
    127.0.0.1 www2.a-counter.kiev.ua

    # Potentially malicious hosts entry modified by Norman Virus Control
    # 127.0.0.1 accuserveadsystem.com

    # Potentially malicious hosts entry modified by Norman Virus Control
    # 127.0.0.1 www.accuserveadsystem.com

    # Potentially malicious hosts entry modified by Norman Virus Control
    # 127.0.0.1 gtb5.acecounter.com

    # Potentially malicious hosts entry modified by Norman Virus Control
    # 127.0.0.1 gtcc1.acecounter.com

    # Potentially malicious hosts entry modified by Norman Virus Control
    # 127.0.0.1 gtp1.acecounter.com #[eTrust.Tracking.Cookie]

    # Potentially malicious hosts entry modified by Norman Virus Control
    # 127.0.0.1 acestats.com

    # Potentially malicious hosts entry modified by Norman Virus Control
    # 127.0.0.1 www.acestats.com

    # Potentially malicious hosts entry modified by Norman Virus Control
    # 127.0.0.1 achmedia.com

    # Potentially malicious hosts entry modified by Norman Virus Control
    # 127.0.0.1 ads.active.com

    # Potentially malicious hosts entry modified by Norman Virus Control
    # 127.0.0.1 am1.activemeter.com

    # Potentially malicious hosts entry modified by Norman Virus Control
    # 127.0.0.1 www.activemeter.com #[eTrust.Tracking.Cookie]

    # Potentially malicious hosts entry modified by Norman Virus Control
    # 127.0.0.1 ads.activepower.net

    127.0.0.1 stat.active24stats.nl #[eTrust.Tracking.Cookie]

    # Potentially malicious hosts entry modified by Norman Virus Control
    # 127.0.0.1 web.acumenpi.com #[AdvertPro]

    127.0.0.1 ad.ad24.ru
    127.0.0.1 at.ad2click.nl
    127.0.0.1 cms.ad2click.nl

    # Potentially malicious hosts entry modified by Norman Virus Control
    # 127.0.0.1 ads.ad2games.com

    127.0.0.1 banner.ad.nu

    # Potentially malicious hosts entry modified by Norman Virus Control
    # 127.0.0.1 ad-up.com

    # Potentially malicious hosts entry modified by Norman Virus Control
    # 127.0.0.1 www.ad-up.com

    # Potentially malicious hosts entry modified by Norman Virus Control
    # 127.0.0.1 cl21.v4.adaction.se

    # Potentially malicious hosts entry modified by Norman Virus Control
    # 127.0.0.1 www.adagencypro.com

    127.0.0.1 ads.adap.tv

    # Potentially malicious hosts entry modified by Norman Virus Control
    # 127.0.0.1 vad.adbasket.net

    # Potentially malicious hosts entry modified by Norman Virus Control
    # 127.0.0.1 ad.pop1.adbn.ru

    # Potentially malicious hosts entry modified by Norman Virus Control
    # 127.0.0.1 adserv.adbonus.com

    # Potentially malicious hosts entry modified by Norman Virus Control
    # 127.0.0.1 www.adbonus.com

    127.0.0.1 james.adbutler.de #[Tenebril.TrackingCookie]
    127.0.0.1 www.adbutler.de #[SunBelt.AdButler.de]

    # Potentially malicious hosts entry modified by Norman Virus Control
    # 127.0.0.1 adc2.adcentriconline.com

    # Potentially malicious hosts entry modified by Norman Virus Control
    # 127.0.0.1 adcp.adcentriconline.com

    # Potentially malicious hosts entry modified by Norman Virus Control
    # 127.0.0.1 bell.adcentriconline.com #[Wildcard DNS]

    # Potentially malicious hosts entry modified by Norman Virus Control
    # 127.0.0.1 content.adcentriconline.com

    # Potentially malicious hosts entry modified by Norman Virus Control
    # 127.0.0.1 media.adcentriconline.com

    # Potentially malicious hosts entry modified by Norman Virus Control
    # 127.0.0.1 publicis.adcentriconline.com

    # Potentially malicious hosts entry modified by Norman Virus Control
    # 127.0.0.1 ad-clix.com

    # Potentially malicious hosts entry modified by Norman Virus Control
    # 127.0.0.1 www.ad-clix.com

    # Potentially malicious hosts entry modified by Norman Virus Control
    # 127.0.0.1 adcomplete.com

    # Potentially malicious hosts entry modified by Norman Virus Control
    # 127.0.0.1 www.adcomplete.com

    # Potentially malicious hosts entry modified by Norman Virus Control
    # 127.0.0.1 axa.addcontrol.net #[Ewido.TrackingCookie.Addcontrol]

    127.0.0.1 www.add-hhh.info #[TR/Dialer.22352.B]

    # Potentially malicious hosts entry modified by Norman Virus Control
    # 127.0.0.1 ads.addynamix.com #[SpySweeper.Spy.Cookie]

    # Potentially malicious hosts entry modified by Norman Virus Control
    # 127.0.0.1 e13.media.addynamix.com

    127.0.0.1 www.adeos.eu

    # Potentially malicious hosts entry modified by Norman Virus Control
    # 127.0.0.1 adcode.adengage.com

    # Potentially malicious hosts entry modified by Norman Virus Control
    # 127.0.0.1 stats2.adengage.com

    # Potentially malicious hosts entry modified by Norman Virus Control
    # 127.0.0.1 www.adengage.com

    # Potentially malicious hosts entry modified by Norman Virus Control
    # 127.0.0.1 pt.server1.adexit.com

    # Potentially malicious hosts entry modified by Norman Virus Control
    # 127.0.0.1 www.adexit.com

    # Potentially malicious hosts entry modified by Norman Virus Control
    # 127.0.0.1 www.ad4ever.com

    # Potentially malicious hosts entry modified by Norman Virus Control
    # 127.0.0.1 track.adform.net

    127.0.0.1 ads.adfox.ru
    127.0.0.1 gazeta.adfox.ru
    127.0.0.1 adfun.ru
    127.0.0.1 ad1.adfun.ru
    127.0.0.1 ad2.adfun.ru
    127.0.0.1 ad3.adfun.ru
    127.0.0.1 ad4.adfun.ru

    # Potentially malicious hosts entry modified by Norman Virus Control
    # 127.0.0.1 harvest.adgardener.com

    # Potentially malicious hosts entry modified by Norman Virus Control
    # 127.0.0.1 harvest6.adgardener.com

    # Potentially malicious hosts entry modified by Norman Virus Control
    # 127.0.0.1 harvest7.adgardener.com

    # Potentially malicious hosts entry modified by Norman Virus Control
    # 127.0.0.1 harvest8.adgardener.com

    # Potentially malicious hosts entry modified by Norman Virus Control
    # 127.0.0.1 harvest11.adgardener.com

    # Potentially malicious hosts entry modified by Norman Virus Control
    # 127.0.0.1 harvest12.adgardener.com

    # Potentially malicious hosts entry modified by Norman Virus Control
    # 127.0.0.1 harvest13.adgardener.com

    # Potentially malicious hosts entry modified by Norman Virus Control
    # 127.0.0.1 harvest163.adgardener.com

    # Potentially malicious hosts entry modified by Norman Virus Control
    # 127.0.0.1 harvest176.adgardener.com

    # Potentially malicious hosts entry modified by Norman Virus Control
    # 127.0.0.1 seeds.adgardener.com

    # Potentially malicious hosts entry modified by Norman Virus Control
    # 127.0.0.1 www.adgroups.net

    # Potentially malicious hosts entry modified by Norman Virus Control
    # 127.0.0.1 www.ad-groups.com #[Ban Man Pro Banner Code]

    127.0.0.1 host1.adhese.be #[Adhese Datamine Tag]
    127.0.0.1 host2.adhese.be
    127.0.0.1 host3.adhese.be #[ad.be.doubleclick.net]
    127.0.0.1 host4.adhese.be

    # Potentially malicious hosts entry modified by Norman Virus Control
    # 127.0.0.1 ads.adhsm.adhese.com

    # Potentially malicious hosts entry modified by Norman Virus Control
    # 127.0.0.1 pool.adhsm.adhese.com

    # Potentially malicious hosts entry modified by Norman Virus Control
    # 127.0.0.1 ssl3.adhost.com

    # Potentially malicious hosts entry modified by Norman Virus Control
    # 127.0.0.1 www2.adhost.com

    # Potentially malicious hosts entry modified by Norman Virus Control
    # 127.0.0.1 zone10.adicate.com

    # Potentially malicious hosts entry modified by Norman Virus Control
    # 127.0.0.1 adfarm1.adition.com

    # Potentially malicious hosts entry modified by Norman Virus Control
    # 127.0.0.1 imagesrv.adition.com

    # Potentially malicious hosts entry modified by Norman Virus Control
    # 127.0.0.1 ad.adition.net

    # Potentially malicious hosts entry modified by Norman Virus Control
    # 127.0.0.1 hosting.adjug.com

    # Potentially malicious hosts entry modified by Norman Virus Control
    # 127.0.0.1 tracking.adjug.com

    # Potentially malicious hosts entry modified by Norman Virus Control
    # 127.0.0.1 adsearch.adkontekst.pl

    # Potentially malicious hosts entry modified by Norman Virus Control
    # 127.0.0.1 community.adlandpro.com #[Ad-Aware Tracking.Cookie]

    # Potentially malicious hosts entry modified by Norman Virus Control
    # 127.0.0.1 pk.adlandpro.com

    # Potentially malicious hosts entry modified by Norman Virus Control
    # 127.0.0.1 te.adlandpro.com #[eTrust.Tracking.Cookie]

    # Potentially malicious hosts entry modified by Norman Virus Control
    # 127.0.0.1 trafficex.adlandpro.com

    # Potentially malicious hosts entry modified by Norman Virus Control
    # 127.0.0.1 www.adlandpro.com #[Ad-Aware Tracking.Cookie]

    127.0.0.1 engine.adland.ru #[eTrust.Tracking.Cookie]

    # Potentially malicious hosts entry modified by Norman Virus Control
    # 127.0.0.1 publicidad.adlead.com

    # Potentially malicious hosts entry modified by Norman Virus Control
    # 127.0.0.1 www.adlimg03.com

    127.0.0.1 classic.adlink.de
    127.0.0.1 regio.adlink.de
    127.0.0.1 west.adlink.de

    # Potentially malicious hosts entry modified by Norman Virus Control
    # 127.0.0.1 rc.de.adlink.net #[eTrust.Tracking.Cookie]

    # Potentially malicious hosts entry modified by Norman Virus Control
    # 127.0.0.1 tr.de.adlink.net

    127.0.0.1 ads3.adman.gr #[eTrust.Tracking.Cookie]
    127.0.0.1 r2d2.adman.gr

    # Potentially malicious hosts entry modified by Norman Virus Control
    # 127.0.0.1 www.adminder.com #[SpySweeper.Spy.Cookie]

    # Potentially malicious hosts entry modified by Norman Virus Control
    # 127.0.0.1 apps.admission.net #[Spotlight Ads]

    # Potentially malicious hosts entry modified by Norman Virus Control
    # 127.0.0.1 appcache.admission.net

    # Potentially malicious hosts entry modified by Norman Virus Control
    # 127.0.0.1 view.admission.net

    # Potentially malicious hosts entry modified by Norman Virus Control
    # 127.0.0.1 rms.admeta.com #[admeta.basefarm.net][eTrust.Tracking.Cookie]

    # Potentially malicious hosts entry modified by Norman Virus Control
    # 127.0.0.1 ads.admodus.com #[eTrust.Tracking.Cookie]

    # Potentially malicious hosts entry modified by Norman Virus Control
    # 127.0.0.1 ad.adnet.biz #[eTrust.Tracking.Cookie]

    127.0.0.1 engine.adnet.ru
    127.0.0.1 ad.adnetwork.com.br
    127.0.0.1 agoraua.adocean.pl
    127.0.0.1 s1.ad.adocean.pl #[Ewido.Tracking.Cookie]
    127.0.0.1 s1.advicepl.adocean.pl
    127.0.0.1 s1.centrumcz.adocean.pl #[eTrust.Tracking.Cookie]
    127.0.0.1 s1.cz.adocean.pl
    127.0.0.1 s1.czgde.adocean.pl
    127.0.0.1 s1.myao.adocean.pl
    127.0.0.1 s1.pracuj.adocean.pl
    127.0.0.1 s1.skgde.adocean.pl
    127.0.0.1 s2.ad.adocean.pl

    # Potentially malicious hosts entry modified by Norman Virus Control
    # 127.0.0.1 ad01.adonspot.com

    # Potentially malicious hosts entry modified by Norman Virus Control
    # 127.0.0.1 ad02.adonspot.com

    # Potentially malicious hosts entry modified by Norman Virus Control
    # 127.0.0.1 www.adplz.com

    127.0.0.1 ab.adpro.com.ua
    127.0.0.1 system.adquick.nl
    127.0.0.1 www.adquest.nl
    127.0.0.1 adx.adrenaline.cz

    # Potentially malicious hosts entry modified by Norman Virus Control
    # 127.0.0.1 adroll.com

    # Potentially malicious hosts entry modified by Norman Virus Control
    # 127.0.0.1 c.adroll.com

    # Potentially malicious hosts entry modified by Norman Virus Control
    # 127.0.0.1 www.adsforindians.com

    # Potentially malicious hosts entry modified by Norman Virus Control
    # 127.0.0.1 ad.adrefer.net

    # Potentially malicious hosts entry modified by Norman Virus Control
    # 127.0.0.1 www.adreporting.com #[SunBelt.Adreporting.com]

    # Potentially malicious hosts entry modified by Norman Virus Control
    # 127.0.0.1 cntr.adrime.com

    # Potentially malicious hosts entry modified by Norman Virus Control
    # 127.0.0.1 images.adrime.com

    127.0.0.1 ad.adriver.ru

    # Potentially malicious hosts entry modified by Norman Virus Control
    # 127.0.0.1 www.adrotate.net

    # Potentially malicious hosts entry modified by Norman Virus Control
    # 127.0.0.1 serv.ad-rotator.com #[SpySweeper.Spy.Cookie]

    # Potentially malicious hosts entry modified by Norman Virus Control
    # 127.0.0.1 ad.ads8.com

    # Potentially malicious hosts entry modified by Norman Virus Control
    # 127.0.0.1 vip.ads8.com

    # Potentially malicious hosts entry modified by Norman Virus Control
    # 127.0.0.1 www.ads183.com

    # Potentially malicious hosts entry modified by Norman Virus Control
    # 127.0.0.1 antevenio.flux.ads-click.com

    # Potentially malicious hosts entry modified by Norman Virus Control
    # 127.0.0.1 acnetwork.flux.acsyndication.com

    # Potentially malicious hosts entry modified by Norman Virus Control
    # 127.0.0.1 img.ads-click.com

    127.0.0.1 ad.ads.dk
    127.0.0.1 tdkads.ads.dk

    # Potentially malicious hosts entry modified by Norman Virus Control
    # 127.0.0.1 www.adservtech.com

    127.0.0.1 adservicedomain.info

    # Potentially malicious hosts entry modified by Norman Virus Control
    # 127.0.0.1 adsfac.net #[Facilitate Tracking Code]

    # Potentially malicious hosts entry modified by Norman Virus Control
    # 127.0.0.1 images.adshuffle.com

    # Potentially malicious hosts entry modified by Norman Virus Control
    # 127.0.0.1 this.content.served.by.adshuffle.com

    # Potentially malicious hosts entry modified by Norman Virus Control
    # 127.0.0.1 adsaway.com #[HTML/TrojanDownloader.Agent.BP trojan]

    # Potentially malicious hosts entry modified by Norman Virus Control
    # 127.0.0.1 www.adsaway.com #[Google.Warning]

    127.0.0.1 adsfac.eu
    127.0.0.1 www.adshot.de

    # Potentially malicious hosts entry modified by Norman Virus Control
    # 127.0.0.1 network.adsmarket.com

    # Potentially malicious hosts entry modified by Norman Virus Control
    # 127.0.0.1 allchix.adsmax.com

    # Potentially malicious hosts entry modified by Norman Virus Control
    # 127.0.0.1 www2.adsmax.com

     
  5. awenner

    awenner Member

    Joined:
    Jun 12, 2008
    Messages:
    4
    Likes Received:
    0
    Trophy Points:
    11
    I'm sorry -- the site is hanging when I try to post any more logs...maybe I can try again later...

    the sys 32 fle has some weird things like MRT.exe, quartz.dll, mshtml.dll, wininit.dll, webcheck.dll, urlmon.dll, url.dll, iertutil.dll, iernonce.dll, ieframe.dll,ieudinit.exe, ie4uinit.dll


    Thank you!!

    ARW
     
  6. cdavfrew

    cdavfrew Regular member

    Joined:
    May 19, 2008
    Messages:
    1,183
    Likes Received:
    0
    Trophy Points:
    46

Share This Page