Topic: Help

Offline Ificanspam

Help
« on: December 13, 2009, 06:21:32 AM »
Unable to open Task Manager with Ctrl+Alt+Del.
The computer is slowing down
and I'm getting a pop-up from System Defender, which I didn't download.

Please help me!
(Sorry about my English.)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:21:14, on 13-12-2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\Norman\Npm\Bin\Elogsvc.exe
C:\Program Files\Norman\Ngs\Bin\Nprosec.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Norman\Npm\Bin\Zanda.exe
C:\Program Files\Norman\npm\bin\nvoy.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Norman\Npm\Bin\ZLH.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Documents and Settings\All Users\Application Data\a2117b8\WSa211.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Ares\Ares.exe
C:\Documents and Settings\genevieve\Application Data\SystemProc\lsass.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\netfxupdate.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Norman\Npm\Bin\Njeeves.exe
C:\Program Files\Norman\Npm\Bin\scheduler.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Norman\Nse\bin\NSESVC.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Norman\Nvc\bin\nvcoas.exe
C:\Program Files\Norman\Nvc\Bin\Nip.exe
C:\Program Files\Norman\Nvc\Bin\cclaw.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\WINDOWS\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.conduit.com?SearchSource=10&ctid=CT2233703
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
R3 - URLSearchHook: (no name) - {09ec805c-cb2e-4d53-b0d3-a75a428b81c7} - (no file)
O1 - Hosts: 74.125.45.100 securitysoftwarepayments.com
O1 - Hosts: 74.125.45.100 privatesecuredpayments.com
O1 - Hosts: 74.125.45.100 secure.privatesecuredpayments.com
O1 - Hosts: 74.125.45.100 secure-plus-payments.com
O1 - Hosts: 74.125.45.100 www.secure-plus-payments.com
O1 - Hosts: 74.125.45.100 safebrowsing-cache.google.com
O1 - Hosts: 74.125.45.100 urs.microsoft.com
O1 - Hosts: 74.125.45.100 www.securesoftwarebill.com
O1 - Hosts: 74.125.45.100 secure.paysecuresystem.com
O1 - Hosts: 74.125.45.100 paysoftbillsolution.com
O1 - Hosts: 74.125.45.100 protected.maxisoftwaremart.com
O1 - Hosts: 67.215.245.21 www.google-analytics.com
O1 - Hosts: 93.174.89.12 google.ae
O1 - Hosts: 93.174.89.12 google.as
O1 - Hosts: 93.174.89.12 google.at
O1 - Hosts: 93.174.89.12 google.az
O1 - Hosts: 93.174.89.12 google.ba
O1 - Hosts: 93.174.89.12 google.be
O1 - Hosts: 93.174.89.12 google.bg
O1 - Hosts: 93.174.89.12 google.bs
O1 - Hosts: 93.174.89.12 google.ca
O1 - Hosts: 93.174.89.12 google.cd
O1 - Hosts: 93.174.89.12 google.com.gh
O1 - Hosts: 93.174.89.12 google.com.hk
O1 - Hosts: 93.174.89.12 google.com.jm
O1 - Hosts: 93.174.89.12 google.com.mx
O1 - Hosts: 93.174.89.12 google.com.my
O1 - Hosts: 93.174.89.12 google.com.na
O1 - Hosts: 93.174.89.12 google.com.nf
O1 - Hosts: 93.174.89.12 google.com.ng
O1 - Hosts: 93.174.89.12 google.ch
O1 - Hosts: 93.174.89.12 google.com.np
O1 - Hosts: 93.174.89.12 google.com.pr
O1 - Hosts: 93.174.89.12 google.com.qa
O1 - Hosts: 93.174.89.12 google.com.sg
O1 - Hosts: 93.174.89.12 google.com.tj
O1 - Hosts: 93.174.89.12 google.com.tw
O1 - Hosts: 93.174.89.12 google.dj
O1 - Hosts: 93.174.89.12 google.de
O1 - Hosts: 93.174.89.12 google.dk
O1 - Hosts: 93.174.89.12 google.dm
O1 - Hosts: 93.174.89.12 google.ee
O1 - Hosts: 93.174.89.12 google.fi
O1 - Hosts: 93.174.89.12 google.fm
O1 - Hosts: 93.174.89.12 google.fr
O1 - Hosts: 93.174.89.12 google.ge
O1 - Hosts: 93.174.89.12 google.gg
O1 - Hosts: 93.174.89.12 google.gm
O1 - Hosts: 93.174.89.12 google.gr
O1 - Hosts: 93.174.89.12 google.ht
O1 - Hosts: 93.174.89.12 google.ie
O1 - Hosts: 93.174.89.12 google.im
O1 - Hosts: 93.174.89.12 google.in
O1 - Hosts: 93.174.89.12 google.it
O1 - Hosts: 93.174.89.12 google.ki
O1 - Hosts: 93.174.89.12 google.la
O1 - Hosts: 93.174.89.12 google.li
O1 - Hosts: 93.174.89.12 google.lv
O1 - Hosts: 93.174.89.12 google.ma
O1 - Hosts: 93.174.89.12 google.ms
O1 - Hosts: 93.174.89.12 google.mu
O1 - Hosts: 93.174.89.12 google.mw
O1 - Hosts: 93.174.89.12 google.nl
O1 - Hosts: 93.174.89.12 google.no
O1 - Hosts: 93.174.89.12 google.nr
O1 - Hosts: 93.174.89.12 google.nu
O1 - Hosts: 93.174.89.12 google.pl
O1 - Hosts: 93.174.89.12 google.pn
O1 - Hosts: 93.174.89.12 google.pt
O1 - Hosts: 93.174.89.12 google.ro
O1 - Hosts: 93.174.89.12 googleWebsite removed for spamming
O1 - Hosts: 93.174.89.12 google.rw
O1 - Hosts: 93.174.89.12 google.sc
O1 - Hosts: 93.174.89.12 google.se
O1 - Hosts: 93.174.89.12 google.sh
O1 - Hosts: 93.174.89.12 google.si
O1 - Hosts: 93.174.89.12 google.sm
O1 - Hosts: 93.174.89.12 google.sn
O1 - Hosts: 93.174.89.12 google.st
O1 - Hosts: 93.174.89.12 google.tl
O1 - Hosts: 93.174.89.12 google.tm
O1 - Hosts: 93.174.89.12 google.tt
O1 - Hosts: 93.174.89.12 google.us
O1 - Hosts: 93.174.89.12 google.vu
O1 - Hosts: 93.174.89.12 google.ws
O1 - Hosts: 93.174.89.12 google.co.ck
O1 - Hosts: 93.174.89.12 google.co.id
O1 - Hosts: 93.174.89.12 google.co.il
O1 - Hosts: 93.174.89.12 google.co.in
O1 - Hosts: 93.174.89.12 google.co.jp
O1 - Hosts: 93.174.89.12 google.co.kr
O1 - Hosts: 93.174.89.12 google.co.ls
O1 - Hosts: 93.174.89.12 google.co.ma
O1 - Hosts: 93.174.89.12 google.co.nz
O1 - Hosts: 93.174.89.12 google.co.tz
O1 - Hosts: 93.174.89.12 google.co.ug
O1 - Hosts: 93.174.89.12 google.co.uk
O1 - Hosts: 93.174.89.12 google.co.za
O1 - Hosts: 93.174.89.12 google.co.zm
O1 - Hosts: 93.174.89.12 google.com
O1 - Hosts: 93.174.89.12 google.com.af
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: gwprimawega - {2839f2e0-c2b3-0a40-818e-56a9505f758e} - C:\WINDOWS\system32\k1pJbO_qX_IK.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [Norman ZANDA] "C:\Program Files\Norman\Npm\Bin\ZLH.EXE" /LOAD /SPLASH
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [lsdefrag] C:\DOCUME~1\GENEVI~1\LOCALS~1\Temp\osewxmarcn.tmp
O4 - HKLM\..\Run: [System Defender] "C:\Documents and Settings\All Users\Application Data\a2117b8\WSa211.exe" /s /d
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ZagrebLand] C:\DOCUME~1\GENEVI~1\LOCALS~1\Temp\c.exe
O4 - HKLM\..\Policies\Explorer\Run: [RTHDBPL] C:\Documents and Settings\genevieve\Application Data\SystemProc\lsass.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Lokale service')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Netwerkservice')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: &Download all 4shared files - C:\Program Files\4shared Desktop\down_all.htm
O8 - Extra context menu item: &Download using 4shared Desktop - C:\Program Files\4shared Desktop\down_link.htm
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: In weblog opnemen - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &In weblog opnemen met Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1252513825562
O16 - DPF: {784797A8-342D-4072-9486-03C8D0F2F0A1} (Battlefield Heroes Updater) - https://www.battlefieldheroes.com/static/up...er_4.0.23.0.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O23 - Service: Norman eLogger service 6 (eLoggerSvc6) - Norman ASA - C:\Program Files\Norman\Npm\Bin\Elogsvc.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Norman NJeeves - Norman ASA - C:\Program Files\Norman\Npm\Bin\Njeeves.exe
O23 - Service: Norman ZANDA - Norman ASA - C:\Program Files\Norman\Npm\Bin\Zanda.exe
O23 - Service: Norman Security service (NPROSECSVC) - Norman ASA - C:\Program Files\Norman\Ngs\Bin\Nprosec.exe
O23 - Service: Norman Scanner Engine Service (nsesvc) - Norman ASA - C:\Program Files\Norman\Nse\bin\NSESVC.EXE
O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\Program Files\Norman\Nvc\bin\nvcoas.exe
O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Unknown owner - C:\Program Files\Norman\Nvc\BIN\NVCSCHED.EXE (file missing)
O23 - Service: Norman Resource Provider (NVOY) - Norman ASA - C:\Program Files\Norman\npm\bin\nvoy.exe
O23 - Service: Norman Scheduler Service (Scheduler) - Norman ASA - C:\Program Files\Norman\Npm\Bin\scheduler.exe

--
End of file - 14601 bytes

Offline guestolo

Help
« Reply #1 on: December 13, 2009, 12:19:56 PM »
Hi Ificanspam,
Your English is fine.

Can you do the following, please?
Please disable SpybotSD TeaTimer, as it may hinder the removal of the infection. You can enable it again after you're clean.
To disable SpybotSD TeaTimer:

Open Spybot, click on Mode and check Advanced Mode.
Check Yes on the next window.
Click on Tools in the bottom left-hand corner.
Click on the Resident icon.
Uncheck the TeaTimer box.
Click the Allow Change box if prompted.
Close Spybot.

Download TFC by OldTimer to your desktop.
Don't run it yet.

Do a "System scan only" with Hijackthis and put a check next to these entries:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.conduit.com?SearchSource=10&ctid=CT2233703

R3 - URLSearchHook: (no name) - {09ec805c-cb2e-4d53-b0d3-a75a428b81c7} - (no file)
O1 - Hosts: 74.125.45.100 securitysoftwarepayments.com
O1 - Hosts: 74.125.45.100 privatesecuredpayments.com
O1 - Hosts: 74.125.45.100 secure.privatesecuredpayments.com
O1 - Hosts: 74.125.45.100 secure-plus-payments.com
O1 - Hosts: 74.125.45.100 www.secure-plus-payments.com
O1 - Hosts: 74.125.45.100 safebrowsing-cache.google.com
O1 - Hosts: 74.125.45.100 urs.microsoft.com
O1 - Hosts: 74.125.45.100 www.securesoftwarebill.com
O1 - Hosts: 74.125.45.100 secure.paysecuresystem.com
O1 - Hosts: 74.125.45.100 paysoftbillsolution.com
O1 - Hosts: 74.125.45.100 protected.maxisoftwaremart.com
O1 - Hosts: 67.215.245.21 www.google-analytics.com
O1 - Hosts: 93.174.89.12 google.ae
O1 - Hosts: 93.174.89.12 google.as
O1 - Hosts: 93.174.89.12 google.at
O1 - Hosts: 93.174.89.12 google.az
O1 - Hosts: 93.174.89.12 google.ba
O1 - Hosts: 93.174.89.12 google.be
O1 - Hosts: 93.174.89.12 google.bg
O1 - Hosts: 93.174.89.12 google.bs
O1 - Hosts: 93.174.89.12 google.ca
O1 - Hosts: 93.174.89.12 google.cd
O1 - Hosts: 93.174.89.12 google.com.gh
O1 - Hosts: 93.174.89.12 google.com.hk
O1 - Hosts: 93.174.89.12 google.com.jm
O1 - Hosts: 93.174.89.12 google.com.mx
O1 - Hosts: 93.174.89.12 google.com.my
O1 - Hosts: 93.174.89.12 google.com.na
O1 - Hosts: 93.174.89.12 google.com.nf
O1 - Hosts: 93.174.89.12 google.com.ng
O1 - Hosts: 93.174.89.12 google.ch
O1 - Hosts: 93.174.89.12 google.com.np
O1 - Hosts: 93.174.89.12 google.com.pr
O1 - Hosts: 93.174.89.12 google.com.qa
O1 - Hosts: 93.174.89.12 google.com.sg
O1 - Hosts: 93.174.89.12 google.com.tj
O1 - Hosts: 93.174.89.12 google.com.tw
O1 - Hosts: 93.174.89.12 google.dj
O1 - Hosts: 93.174.89.12 google.de
O1 - Hosts: 93.174.89.12 google.dk
O1 - Hosts: 93.174.89.12 google.dm
O1 - Hosts: 93.174.89.12 google.ee
O1 - Hosts: 93.174.89.12 google.fi
O1 - Hosts: 93.174.89.12 google.fm
O1 - Hosts: 93.174.89.12 google.fr
O1 - Hosts: 93.174.89.12 google.ge
O1 - Hosts: 93.174.89.12 google.gg
O1 - Hosts: 93.174.89.12 google.gm
O1 - Hosts: 93.174.89.12 google.gr
O1 - Hosts: 93.174.89.12 google.ht
O1 - Hosts: 93.174.89.12 google.ie
O1 - Hosts: 93.174.89.12 google.im
O1 - Hosts: 93.174.89.12 google.in
O1 - Hosts: 93.174.89.12 google.it
O1 - Hosts: 93.174.89.12 google.ki
O1 - Hosts: 93.174.89.12 google.la
O1 - Hosts: 93.174.89.12 google.li
O1 - Hosts: 93.174.89.12 google.lv
O1 - Hosts: 93.174.89.12 google.ma
O1 - Hosts: 93.174.89.12 google.ms
O1 - Hosts: 93.174.89.12 google.mu
O1 - Hosts: 93.174.89.12 google.mw
O1 - Hosts: 93.174.89.12 google.nl
O1 - Hosts: 93.174.89.12 google.no
O1 - Hosts: 93.174.89.12 google.nr
O1 - Hosts: 93.174.89.12 google.nu
O1 - Hosts: 93.174.89.12 google.pl
O1 - Hosts: 93.174.89.12 google.pn
O1 - Hosts: 93.174.89.12 google.pt
O1 - Hosts: 93.174.89.12 google.ro
O1 - Hosts: 93.174.89.12 googleWebsite removed for spamming
O1 - Hosts: 93.174.89.12 google.rw
O1 - Hosts: 93.174.89.12 google.sc
O1 - Hosts: 93.174.89.12 google.se
O1 - Hosts: 93.174.89.12 google.sh
O1 - Hosts: 93.174.89.12 google.si
O1 - Hosts: 93.174.89.12 google.sm
O1 - Hosts: 93.174.89.12 google.sn
O1 - Hosts: 93.174.89.12 google.st
O1 - Hosts: 93.174.89.12 google.tl
O1 - Hosts: 93.174.89.12 google.tm
O1 - Hosts: 93.174.89.12 google.tt
O1 - Hosts: 93.174.89.12 google.us
O1 - Hosts: 93.174.89.12 google.vu
O1 - Hosts: 93.174.89.12 google.ws
O1 - Hosts: 93.174.89.12 google.co.ck
O1 - Hosts: 93.174.89.12 google.co.id
O1 - Hosts: 93.174.89.12 google.co.il
O1 - Hosts: 93.174.89.12 google.co.in
O1 - Hosts: 93.174.89.12 google.co.jp
O1 - Hosts: 93.174.89.12 google.co.kr
O1 - Hosts: 93.174.89.12 google.co.ls
O1 - Hosts: 93.174.89.12 google.co.ma
O1 - Hosts: 93.174.89.12 google.co.nz
O1 - Hosts: 93.174.89.12 google.co.tz
O1 - Hosts: 93.174.89.12 google.co.ug
O1 - Hosts: 93.174.89.12 google.co.uk
O1 - Hosts: 93.174.89.12 google.co.za
O1 - Hosts: 93.174.89.12 google.co.zm
O1 - Hosts: 93.174.89.12 google.com
O1 - Hosts: 93.174.89.12 google.com.af

O2 - BHO: gwprimawega - {2839f2e0-c2b3-0a40-818e-56a9505f758e} - C:\WINDOWS\system32\k1pJbO_qX_IK.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)

O4 - HKLM\..\Run: [lsdefrag] C:\DOCUME~1\GENEVI~1\LOCALS~1\Temp\osewxmarcn.tmp
O4 - HKLM\..\Run: [System Defender] "C:\Documents and Settings\All Users\Application Data\a2117b8\WSa211.exe" /s /d

O4 - HKCU\..\Run: [ZagrebLand] C:\DOCUME~1\GENEVI~1\LOCALS~1\Temp\c.exe
O4 - HKLM\..\Policies\Explorer\Run: [RTHDBPL] C:\Documents and Settings\genevieve\Application Data\SystemProc\lsass.exe

O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)


After you have ticked the above entries, close all other open windows,
including this one.
Leave HijackThis open and click Fix Checked.
OK the prompt and exit HijackThis.

TFC.exe
  • Double click the TFC icon to run the program.
  • TFC will close all open programs itself in order to run.
  • Click the Start button to begin the process.
  • Allow TFC to run uninterrupted.
  • The program should not take long to finish its job.
Once it's finished it should automatically reboot your machine; if it doesn't, manually reboot to ensure a complete clean.

Back in Windows
Download Malwarebytes' Anti-Malware from Here or Here.
Save the installer to the desktop.

Double click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
        * When disinfection is completed, a log will open in Notepad and you may be prompted to restart. (See Extra Note.)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

With the log from MBAM, can you also run HijackThis again?
Do a fresh Scan and Save logfile and post its new log.

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/
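As an added example for the two posts above (this is not code from the thread, from HijackThis or from any of the tools guestolo names), the Python script below applies the same triage logic the helper used when picking entries to fix: hosts-file lines that point a name at anything other than a loopback or null address, autostart entries launched from Temp or Application Data or carrying a core system binary's name outside system32, and BHO registrations whose file is gone. The sample lines are copied from the first post's log, except the `localhost` line, which is constructed; the directory list, binary list and severity labels are assumptions chosen for illustration, not HijackThis rules.

```python
"""Triage of HijackThis-style log lines (added example, not HijackThis code)."""
import re
from dataclasses import dataclass

# Assumption: these binaries only belong under %SystemRoot%\system32;
# a file with one of these names elsewhere is a classic disguise (see the
# lsass.exe under Application Data\SystemProc in the log above).
SYSTEM_BINARIES = {"smss.exe", "csrss.exe", "winlogon.exe",
                   "services.exe", "lsass.exe", "svchost.exe"}
# The only addresses a clean hosts file normally maps names to.
BENIGN_HOSTS_TARGETS = {"127.0.0.1", "0.0.0.0", "::1"}
# Lower-case path fragments that mark a user-writable launch location (assumed list).
USER_WRITABLE_DIRS = ("\\temp\\", "\\application data\\",
                      "\\local settings\\", "\\docume~1\\")

O1_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)")
O2_RE = re.compile(r"^O2 - BHO: (.*?) - (\{[0-9a-f-]+\}) - (.*)$", re.I)
O4_RE = re.compile(r"^O4 - (.+?):\s*(?:\[([^\]]*)\]\s*)?(.*)$")

# Constructed sample: lines taken from the log in the first post plus one benign localhost line.
SAMPLE_LOG = r"""
O1 - Hosts: 93.174.89.12 google.com
O1 - Hosts: 74.125.45.100 urs.microsoft.com
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O4 - HKLM\..\Run: [lsdefrag] C:\DOCUME~1\GENEVI~1\LOCALS~1\Temp\osewxmarcn.tmp
O4 - HKLM\..\Run: [System Defender] "C:\Documents and Settings\All Users\Application Data\a2117b8\WSa211.exe" /s /d
O4 - HKLM\..\Policies\Explorer\Run: [RTHDBPL] C:\Documents and Settings\genevieve\Application Data\SystemProc\lsass.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Lokale service')
"""


@dataclass
class Finding:
    severity: str   # "high" or "low" (assumed labels)
    reason: str
    line: str


def extract_path(rest: str) -> str:
    """Pull the launched file out of the tail of an O4 line."""
    rest = rest.strip()
    if " = " in rest:                       # Global Startup: name.lnk = target
        rest = rest.split(" = ", 1)[1]
    if rest.startswith('"'):                # quoted path; switches follow the closing quote
        return rest[1:].split('"', 1)[0]
    rest = rest.split(" (User ", 1)[0]      # HKUS entries carry a trailing "(User '...')"
    return re.split(r"\s+(?=[/-])", rest, maxsplit=1)[0]   # drop unquoted switches


def triage_line(line: str):
    """Return a Finding for a suspicious O1/O2/O4 line, or None if it looks benign."""
    m = O1_RE.match(line)
    if m:
        ip, host = m.groups()
        if ip not in BENIGN_HOSTS_TARGETS:
            return Finding("high", f"hosts file redirects {host} to {ip}", line)
        return None
    m = O4_RE.match(line)
    if m:
        path = extract_path(m.group(3)).lower()
        base = path.rsplit("\\", 1)[-1]
        if base in SYSTEM_BINARIES and "\\system32\\" not in path:
            return Finding("high", f"{base} started from outside system32", line)
        if any(d in path for d in USER_WRITABLE_DIRS):
            return Finding("high", "autostart from a user-writable folder", line)
        return None
    m = O2_RE.match(line)
    if m and m.group(3).strip() == "(no file)":
        return Finding("low", "orphaned BHO registration", line)
    return None


def triage(lines):
    """Run triage_line over every line and keep the hits."""
    return [f for f in (triage_line(l) for l in lines) if f]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG.strip().splitlines()):
        print(f"[{f.severity}] {f.reason}: {f.line}")
```

The hosts rule is the one worth remembering: a hosts file that sends google.* and payment-processor names to a public address is not blocking anything, it is redirecting, which is why those O1 lines were all marked for removal rather than left as a harmless ad-block list.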


Offline Ificanspam

Help
« Reply #2 on: December 13, 2009, 04:06:36 PM »
Thanks for the fast reply! But since it's my girlfriend's PC I won't be on it till Wednesday.
Should have mentioned that before xD

Thanks, and I'll see you next Wednesday!

Offline guestolo

Help
« Reply #3 on: December 13, 2009, 11:09:33 PM »
Don't wait too long; before you know it she's infected with more than she has right now.
Post back as soon as possible.
