Originally Posted by
coachcj
I have a virus in C:\\WINDOWS\system32\drivers\etc\hosts I'm using AVG free edition. I've put the file in the virus vault, it says it's possible to heal the file except that there isn't enough info to do so. Any ideas of what I should do?
I am having the same problem. I have downloaded and used HostXpert to reset my host file and every time after I do that the host file resets with the virus even after I check the box to make the folder read-only. I'm including a Hijack Log so hopefully someone can tell me where the main virus is so I can hunt it down and nuke it!
Log created by WinPatrol [FREE Edition] version 16.0.2009.6:16.0.2009.6
Scan saved at 12:41:21 AM, on 8/03/2009
Platform: Windows XP SP2 Service Pack 2 (Build 2600)
MSIE: Internet Explorer (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRAM FILES\COMMON FILES\Apple\MOBILE DEVICE SUPPORT\bin\APPLEMOBILEDEVICESERVICE.EXE
C:\PROGRAM FILES\Bonjour\MDNSRESPONDER.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRAM FILES\PC TOOLS ANTIVIRUS\PCTAVSvc.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\alg.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY\TMAS_OE\TMAS_OEMON.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRAM FILES\Java\JRE1.6.0_07\bin\jusched.exe
C:\PROGRAM FILES\BILLP STUDIOS\WINPATROL\WINPATROL.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\iexplore.exe
C:\PROGRAM FILES\BILLP STUDIOS\WINPATROL\WINPATROLEX.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
Google
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
MSN.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
MSN.com
O2 - BHO: - {02478D38-C3F9-4efb-9B51-7695ECA05670} -
O2 - BHO: Adobe PDF Link Helper - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: - {443896bd-fa59-d8d7-e4b1-6e6a3f4d3c78} -
O2 - BHO: TBSB05288 Class - {6714ADBD-C6C1-42A8-BD84-9C9339059421} - C:\Program Files\IEToolbar\ECO Bar\ecobar.dll
O2 - BHO: thesuperads - {a7aea817-e045-9de4-b168-54da957c7945} - C:\WINDOWS\system32\nse48.dll
O3 - Toolbar: ECO Bar - {10000000-1000-1000-1000-100000000000} - C:\Program Files\IEToolbar\ECO Bar\ecobar.dll
O4 - HKLM\.. \Run: [NvCplDaemon]C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\.. \Run: [nwiz]nwiz.exe /install
O4 - HKLM\.. \Run: [NvMediaCenter]C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\.. \Run: [UfSeAgnt.exe]C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
O4 - HKLM\.. \Run: [WinPatrol [FREE Edition]]C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKLM\.. \Run: [Adobe Reader Speed Launcher]C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
O4 - HKLM\.. \Run: [ParetoLogic Anti-Virus PLUS]C:\Program Files\ParetoLogic\Anti-Virus PLUS\Pareto_AV.lnk -NM -hidesplash
O4 - HKCU\.. \Run: [CTFMON.EXE]C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\.. \Run: [OE]C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [Java (Sun)] Java (Sun) - C:\Program Files\Java\jre1.6.0_07\bin
O11 - Options group: [] -
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O14 - IERESET.INF: START_PAGE_URL =
MSN.com
O14 - IERESET.INF: SEARCH_PAGE_URL =
Bing
O14 - IERESET.INF:HKCU, Start Page = %START_PAGE_URL%
O14 - IERESET.INF:HKLM, Default_Page_URL = %START_PAGE_URL%
O14 - IERESET.INF:HKLM, Default_Search_URL = %SEARCH_PAGE_URL%
O14 - IERESET.INF:HKLM, Search Page = %SEARCH_PAGE_URL%
O14 - IERESET.INF:HKCU, Search Page = %SEARCH_PAGE_URL%
O15 - Trusted Zone: aol.com
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) -
http://www1.snapfish.com/SnapfishActivia.cab
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} (
http://fpdownload.macromedia.com/get...rent/ultrashim) -
http://fpdownload.macromedia.com/get.../ultrashim.cab
O16 - DPF: {BD8667B7-38D8-4C77-B580-18C3E146372C} (Creative Toolbox Plug-in) -
http://ak.imgag.com/imgag/cp/install/Crusher.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} (
http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp) -
http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O20 - AppInit_DLLs: karina.dat
O21 - UPnPMonitor - UPnP Tray Monitor - {e57ce738-33e8-4c51-8354-bb4de9d215d1} - C:\WINDOWS\system32\upnpui.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: getPlus(R) Helper - - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Tools AntiVirus Engine - PC Tools Research Pty Ltd - C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
O23 - Service: Trend Micro Central Control Component - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service - - C:\Program Files\Trend Micro\BM\TMBMSRV.exe /service
O23 - Service: Trend Micro Personal Firewall - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmPfw.exe
O23 - Service: Trend Micro Proxy Service - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
O23 - Service: plasservice - ParetoLogic Inc. - C:\Program Files\Common Files\ParetoLogic\PLAS\plasservice.exe
--- Additional WinPatrol Info ---
Default Browser: Windows® Internet Explorer - Internet Explorer version 8.00.6001.18702
MSIE: Internet Explorer (8.00.6001.18702)
121 IE Cookies in Folder: C:\Documents and Settings\Jenny.JENNY-7A99074D4\Cookies\
WP00 - HKLM\CS1: BootExecute = autocheck autochk *
WP00 - HKLM\CCS: BootExecute = autocheck autochk *
WP00 - HKLM\CS2: BootExecute = autocheck autochk *
WP00 - HKLM\CS3: BootExecute = autocheck autochk *
WP02 - HKLM\CCS: Command = C:\WINDOWS\system32\cmd.exe
WP03 - Windows Automatic Update = 4:Automatically download recommended updates for my computer and install them.
WP06 - Delayed Start: [SunJavaUpdateSched]C:\PROGRAM FILES\Java\JRE1.6.0_07\bin\jusched.exe
WP06 - Delayed Start: [PCTAVApp]C:\PROGRAM FILES\PC TOOLS ANTIVIRUS\PCTAV.exe
WP31 - Scheduled Tasks: [ParetoLogic Update Version2.job]C:\Program Files\Common Files\ParetoLogic\UUS2\Pareto_Update.exe 08/03/2009 12:33 AM
WP31 - Scheduled Tasks: [ParetoLogic Registration.job]C:\WINDOWS\system32\rundll32.exe Never
WP31 - Scheduled Tasks: [ParetoLogic Anti-Virus PLUS_dbsummary.job]C:\Program Files\ParetoLogic\Anti-Virus PLUS\Pareto_AV.exe Never
WP31 - Scheduled Tasks: [ParetoLogic Anti-Virus PLUS.job]C:\Program Files\ParetoLogic\Anti-Virus PLUS\Pareto_AV.exe 08/03/2009 2:00 AM
WP31 - Scheduled Tasks: [Ad-Aware Update (Weekly).job]C:\Program Files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe 06/16/2009 5:50 PM
WP16 - ActiveX: {19916E01-B44E-4E31-94A4-4696DF46157B} [InformationCardSigninHelper Class] C:\WINDOWS\system32\icardie.dll 8.00.6001.18702
WP16 - ActiveX: {22D6F312-B0F6-11D0-94AB-0080C74C7E95} [Windows Media Player] C:\WINDOWS\system32\wmpdxm.dll 10.00.00.3802
WP16 - ActiveX: {25336920-03F9-11CF-8FD0-00AA00686F13} [HTML Document] C:\WINDOWS\system32\mshtml.dll 8.00.6001.18812
WP16 - ActiveX: {2933BF90-7B36-11D2-B20E-00C04F983E60} [XML DOM Document] C:\WINDOWS\system32\msxml3.dll 8.100.1048.0
WP16 - ActiveX: {2D360201-FFF5-11D1-8D03-00A0C959BC0A} [DHTML Edit Control Safe for Scripting for IE5] C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\Triedit\dhtmled.ocx 6.01.9232
WP16 - ActiveX: {3050F819-98B5-11CF-BB82-00AA00BDCE0B} [HtmlDlgSafeHelper Class] C:\WINDOWS\system32\mshtmled.dll 8.00.6001.18702
WP16 - ActiveX: {48123BC4-99D9-11D1-A6B3-00C04FD91555} [XML Document] C:\WINDOWS\system32\msxml3.dll 8.100.1048.0
WP16 - ActiveX: {6414512B-B978-451D-A0D8-FCFDF33E833C} [WUWebControl Class] C:\WINDOWS\system32\wuweb.dll 7.2.6001.788
WP16 - ActiveX: {6BF52A52-394A-11D3-B153-00C04F79FAA6} [Windows Media Player] C:\WINDOWS\system32\wmp.dll 10.00.00.4058
WP16 - ActiveX: {8856F961-340A-11D0-A96B-00C04FD705A2} [Microsoft Web Browser] C:\WINDOWS\system32\ieframe.dll 8.00.6001.18812
WP16 - ActiveX: {CA8A9780-280D-11CF-A24D-444553540000} [Adobe PDF Reader] C:\PROGRAM FILES\COMMON FILES\Adobe\Acrobat\ActiveX\AcroPDF.dll
WP16 - ActiveX: {CFBFAE00-17A6-11D0-99CB-00C04FD64497} [Microsoft Url Search Hook] C:\WINDOWS\system32\ieframe.dll 8.00.6001.18812
WP16 - ActiveX: {D27CDB6E-AE6D-11CF-96B8-444553540000} [Shockwave Flash Object] C:\WINDOWS\system32\Macromed\Flash\Flash9f.ocx 9,0,124,0
WP16 - ActiveX: {DE4AF3B0-F4D4-11D3-B41A-0050DA2E6C21} [QuickTimeCheck Class] C:\PROGRAM FILES\QUICKTIME\QTSystem\QUICKTIMECHECK.OCX QuickTime 7.6.2 (1324)
WP16 - ActiveX: {ED8C108E-4349-11D2-91A4-00C04F7969E8} [XML HTTP Request] C:\WINDOWS\system32\msxml3.dll 8.100.1048.0
WP16 - ActiveX: {F5078F32-C551-11D3-89B9-0000F81FE221} [XML DOM Document 3.0] C:\WINDOWS\system32\msxml3.dll 8.100.1048.0
WP16 - ActiveX: {F5078F40-C551-11D3-89B9-0000F81FE221} [XML Document 3.0] C:\WINDOWS\system32\msxml3.dll 8.100.1048.0
WP16 - ActiveX: {F6D90F16-9C73-11D3-B32E-00C04F990BB4} [XML HTTP] C:\WINDOWS\system32\msxml3.dll 8.100.1048.0
WP16 - ActiveX: {05589fa1-c356-11ce-bf01-00aa0055595a} [ActiveMovieControl Object] C:\WINDOWS\system32\wmpdxm.dll 10.00.00.3802
WP16 - ActiveX: {1D2B4F40-1F10-11D1-9E88-00C04FDCAB92} [ThumbCtl Class] C:\WINDOWS\system32\webvw.dll 6.00.2900.2180
WP16 - ActiveX: {22D6F312-B0F6-11D0-94AB-0080C74C7E95} [Windows Media Player] C:\WINDOWS\system32\wmpdxm.dll 10.00.00.3802
WP16 - ActiveX: {8856F961-340A-11D0-A96B-00C04FD705A2} [Microsoft Web Browser] C:\WINDOWS\system32\ieframe.dll 8.00.6001.18812
WP16 - ActiveX: {AE24FDAE-03C6-11D1-8B76-0080C744F389} [Microsoft Scriptlet Component] C:\WINDOWS\system32\mshtml.dll 8.00.6001.18812
WP16 - ActiveX: {CA8A9780-280D-11CF-A24D-444553540000} [Adobe PDF Reader] C:\PROGRAM FILES\COMMON FILES\Adobe\Acrobat\ActiveX\AcroPDF.dll
WP16 - ActiveX: {D27CDB6E-AE6D-11CF-96B8-444553540000} [Shockwave Flash Object] C:\WINDOWS\system32\Macromed\Flash\Flash9f.ocx 9,0,124,0
WP16 - ActiveX: {E5DF9D10-3B52-11D1-83E8-00A0C90DC849} [WebViewFolderIcon Class] C:\WINDOWS\system32\webvw.dll 6.00.2900.2180
WP32 - Hidden File: C:\boot.ini
WP32 - Hidden File: C:\hiberfil.sys
WP32 - Hidden File: C:\IO.SYS
WP32 - Hidden File: C:\MSDOS.SYS
WP32 - Hidden File: C:\NTDETECT.COM
WP32 - Hidden File: C:\ntldr
WP32 - Hidden File: C:\pagefile.sys
WP32 - Hidden File: C:\sqmdata00.sqm
WP32 - Hidden File: C:\sqmdata01.sqm
WP32 - Hidden File: C:\sqmdata02.sqm
WP32 - Hidden File: C:\sqmdata03.sqm
WP32 - Hidden File: C:\sqmdata04.sqm
WP32 - Hidden File: C:\sqmdata05.sqm
WP32 - Hidden File: C:\sqmdata06.sqm
WP32 - Hidden File: C:\sqmdata07.sqm
WP32 - Hidden File: C:\sqmdata08.sqm
WP32 - Hidden File: C:\sqmdata09.sqm
WP32 - Hidden File: C:\sqmdata10.sqm
WP32 - Hidden File: C:\sqmdata11.sqm
WP32 - Hidden File: C:\sqmdata12.sqm
WP32 - Hidden File: C:\sqmdata13.sqm
WP32 - Hidden File: C:\sqmdata14.sqm
WP32 - Hidden File: C:\sqmdata15.sqm
WP32 - Hidden File: C:\sqmdata16.sqm
WP32 - Hidden File: C:\sqmdata17.sqm
WP32 - Hidden File: C:\sqmdata18.sqm
WP32 - Hidden File: C:\sqmdata19.sqm
WP32 - Hidden File: C:\sqmnoopt00.sqm
WP32 - Hidden File: C:\sqmnoopt01.sqm
WP32 - Hidden File: C:\sqmnoopt02.sqm
WP32 - Hidden File: C:\sqmnoopt03.sqm
WP32 - Hidden File: C:\sqmnoopt04.sqm
WP32 - Hidden File: C:\sqmnoopt05.sqm
WP32 - Hidden File: C:\sqmnoopt06.sqm
WP32 - Hidden File: C:\sqmnoopt07.sqm
WP32 - Hidden File: C:\sqmnoopt08.sqm
WP32 - Hidden File: C:\sqmnoopt09.sqm
WP32 - Hidden File: C:\sqmnoopt10.sqm
WP32 - Hidden File: C:\sqmnoopt11.sqm
WP32 - Hidden File: C:\sqmnoopt12.sqm
WP32 - Hidden File: C:\sqmnoopt13.sqm
WP33 - File Type .AVI: [Video Clip]C:\Program Files\Windows Media Player\wmplayer.exe /prefetch:8 /Open %L
WP33 - File Type .BAT: [MS-DOS Batch File]%1 %*
WP33 - File Type .CAB: [Cabinet File]C:\WINDOWS\Explorer.exe /idlist,%I,%L
WP33 - File Type .CAT: [Security Catalog]rundll32.exe cryptext.dll,CryptExtOpenCAT %1
WP33 - File Type .CHM: [Compiled HTML Help file]C:\WINDOWS\hh.exe %1
WP33 - File Type .COM: [MS-DOS Application]%1 %*
WP33 - File Type .CMD: [Windows NT Command Script]%1 %*
WP33 - File Type .DOC: [WordPad Document]C:\Program Files\Windows NT\Accessories\WORDPAD.EXE %1
WP33 - File Type .EML: [Internet E-Mail Message]C:\Program Files\Outlook Express\msimn.exe /eml:%1
WP33 - File Type .EXE: [Application]%1 %*
WP33 - File Type .INF: [Setup Information]C:\WINDOWS\System32\NOTEPAD.EXE %1
WP33 - File Type .JS: [JScript Script File]C:\WINDOWS\System32\WScript.exe %1 %*
WP33 - File Type .LOG: [Text Document]C:\WINDOWS\system32\NOTEPAD.EXE %1
WP33 - File Type .MSI: [Windows Installer Package]C:\WINDOWS\System32\msiexec.exe /i %1 %*
WP33 - File Type .MID: [MIDI Sequence]C:\Program Files\Windows Media Player\wmplayer.exe /Open %L
WP33 - File Type .MP3: [MP3 Format Sound]C:\Program Files\Windows Media Player\wmplayer.exe /prefetch:6 /Open %L
WP33 - File Type .PIF: [Shortcut to MS-DOS Program]%1 %*
WP33 - File Type .REG: [Registration Entries]regedit.exe %1
WP33 - File Type .RTF: [Rich Text Document]C:\Program Files\Windows NT\Accessories\WORDPAD.EXE %1
WP33 - File Type .SCR: [Screen Saver]%1 /S
WP33 - File Type .TXT: [Text Document]C:\WINDOWS\system32\NOTEPAD.EXE %1
WP33 - File Type .URL: [Internet Shortcut]C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\ieframe.dll,OpenURL %l
WP33 - File Type .VBS: [VBScript Script File]C:\WINDOWS\System32\WScript.exe %1 %*
WP33 - File Type .VBE: [VBScript Encoded Script File]C:\WINDOWS\System32\WScript.exe %1 %*
WP33 - File Type .WSF: [Windows Script File]C:\WINDOWS\System32\WScript.exe %1 %*
WP33 - File Type .WSH: [Windows Script Host Settings File]C:\WINDOWS\System32\WScript.exe %1 %*
Memory currently in use: 37%
Physical Memory Free: 651,956 KB
Paging File Free: 1,012,112 KB
Virtual Memory Free: 2,050,752 KB
--
End of file