    coachcj Posts: 2, Reputation: 1
    New Member
     
    #1

    Jun 6, 2007, 08:23 PM
    virus in C:\\WINDOWS\system32\drivers\etc\hosts
    I have a virus in C:\WINDOWS\system32\drivers\etc\hosts. I'm using AVG Free Edition. I've put the file in the virus vault; it says it's possible to heal the file, except that there isn't enough info to do so. Any ideas of what I should do?
    invisibleman_productions Posts: 207, Reputation: 12
    Full Member
     
    #2

    Jun 7, 2007, 06:30 AM
    You will need to reset your hosts file to the default Microsoft configuration. To do that:

    Please download HostsXpert.zip

    1. Unzip HostsXpert.zip
    2. Double click on HostsXpert.exe
    3. Then click on "Restore Original Hosts" to restore your Hosts file to its default condition.
    4. Click on "Make Hosts Read Only" to secure it against further infection.
    5. Close the program when complete.

    To be sure your computer is spyware-free, you need to run all the security essential programs.
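As an added example (not part of the post above, and not HostsXpert's own code), the following Python script does what steps 3 and 4 of the procedure do, in a form you can read: it parses a hosts file, reports every mapping that is not the stock `localhost` entry (names black-holed to 127.0.0.1 or 0.0.0.0, which is how hijackers stop antivirus and Windows Update sites from resolving, and names redirected to some other address), and rewrites the stock file read-only. The sample hosts content, the host names in it and the exact comment header of the stock file are constructed or assumed; only the single `127.0.0.1 localhost` mapping is what a clean Windows XP file actually contains. One caveat the thread runs into later: the read-only attribute only stops accidental edits. A process running with administrative rights can clear it and rewrite the file, so if the hosts file comes back modified after a reset, the program that modifies it is still running and has to be found and removed first.

```python
"""Inspect a Windows hosts file for hijack-style entries and rebuild the stock one.

Added example for this thread, not code from any poster or from HostsXpert. It
works on the file's text, so it runs offline against the constructed sample below;
on a real machine read C:\\Windows\\System32\\drivers\\etc\\hosts and pass its
text to inspect_hosts().
"""
import ipaddress
import os
import stat
import tempfile

# Names that legitimately map to a loopback address in a stock file.
LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}

# Assumed stock content. The comment header is illustrative; what matters is that
# the only active mapping is localhost -> 127.0.0.1 (Windows XP's file has no other).
DEFAULT_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# Each entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
#
127.0.0.1       localhost
"""

# Constructed sample of a tampered file: vendor and update sites black-holed to
# loopback, one site redirected to an attacker-chosen address, one garbage line.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       free.avg.com          # update site black-holed
127.0.0.1       www.microsoft.com update.microsoft.com
203.0.113.5     www.example-bank.test
garbage-line
"""


def parse_hosts(text):
    """Yield (line_no, address_text, [names]) for each active line; '#' comments are dropped."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if line:
            fields = line.split()
            yield line_no, fields[0], fields[1:]


def inspect_hosts(text):
    """Return (line_no, kind, address, name) for every mapping that is not the stock one.

    kind is 'blocked' (name sent to loopback or 0.0.0.0, the classic anti-update trick),
    'redirected' (name sent to some other address) or 'malformed' (unparseable address).
    """
    findings = []
    for line_no, addr_text, names in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(addr_text)
        except ValueError:
            findings.append((line_no, "malformed", addr_text, " ".join(names)))
            continue
        for name in names:
            lname = name.lower()
            if addr.is_loopback and lname in LOOPBACK_NAMES:
                continue  # the one mapping a stock file contains
            kind = "blocked" if (addr.is_loopback or addr.is_unspecified) else "redirected"
            findings.append((line_no, kind, addr_text, lname))
    return findings


def is_default(text):
    """True when nothing but localhost-style loopback mappings is active."""
    return not inspect_hosts(text)


def write_default_hosts(path):
    """Replace `path` with DEFAULT_HOSTS and set it read-only (what 'Make Hosts Read Only' does).

    Clears an existing read-only bit first. For the real file this needs administrative
    rights, and the bit only stops accidental edits: a process running as administrator
    can clear it exactly the same way and rewrite the file.
    """
    if os.path.exists(path):
        os.chmod(path, stat.S_IREAD | stat.S_IWRITE)
    with open(path, "w", newline="\r\n") as fh:  # hosts files use CRLF line ends
        fh.write(DEFAULT_HOSTS)
    os.chmod(path, stat.S_IREAD)


def reset_and_verify(path=None):
    """Write the stock file (to a temporary location when no path is given) and re-inspect it."""
    if path is None:
        path = os.path.join(tempfile.mkdtemp(), "hosts")
    write_default_hosts(path)
    with open(path, encoding="utf-8") as fh:
        return inspect_hosts(fh.read())


if __name__ == "__main__":
    for line_no, kind, addr, name in inspect_hosts(SAMPLE_HOSTS):
        print(f"line {line_no}: {kind:10s} {addr:16s} {name}")
    print("stock file is clean:", is_default(DEFAULT_HOSTS), "reset verified:", reset_and_verify() == [])
```

Run as-is it reports the four tampered mappings and the garbage line in the sample, then writes and re-checks a stock file in a temporary directory. A finding of kind `blocked` for a vendor's update site is the signature the AVG alert in this thread is most likely reacting to; `redirected` entries are the pharming case and matter more, because the user's browser will silently go to the attacker's address.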
    5hano19 Posts: 3, Reputation: 1
    New Member
     
    #3

    Mar 1, 2008, 06:17 AM
    I can't answer that question. I tried HostsXpert but it keeps saying "Can't Create File C:\WINDOWS\system32\drivers\etc\hosts".
    I need help. Can anybody help?
    invisibleman_productions Posts: 207, Reputation: 12
    Full Member
     
    #4

    Mar 1, 2008, 07:29 AM
    What is the name of the file? If it is in the virus vault then it has been quarantined, and it is not in the hosts file. The hosts file is a text file.

    Let the experts take a look at what's happening on your computer. Visit the HijackThis Logs and Analysis forum, the HijackThis Logs and Malware Removal forum, SWI Forums, or the Alliance of Security Analysis Professionals™.
    5hano19 Posts: 3, Reputation: 1
    New Member
     
    #5

    Mar 1, 2008, 08:03 AM
    It's a hosts file. I keep getting it come up with AVG, and it says it has been changed. What can I do?
    5hano19 Posts: 3, Reputation: 1
    New Member
     
    #6

    Mar 1, 2008, 10:23 AM
    I found out it's a DESKTOP HIJACKER.SPYSHERIFF. Can anyone help?
    adeyohannes Posts: 1, Reputation: 1
    New Member
     
    #8

    Mar 4, 2008, 08:58 PM
    Hello all, I have the same question as invisableman_production. I have a virus too (C:\WINDOWS\system32\drivers\etc\hosts). Can I erase that folder etc?
    invisibleman_productions Posts: 207, Reputation: 12
    Full Member
     
    #9

    Mar 5, 2008, 08:43 PM
    adeyohannes, which programs have you run till now (antivirus, antispyware)? Can you post a screenshot of the screen?

    Download and run Malwarebytes' Anti-Malware.
    Post the log from the program.

    The best protection for your computer is a 3-tiered approach:
    [1] anti-spyware software, [2] anti-virus software, and [3] a firewall
    [1] Latest Security News from the net: Latest list of Firewalls (use only one at a time)

    [2] Latest list of Anti-Virus programs (use only one at a time)

    [3] Latest list of Anti-Spyware removal tools
    LUANG Posts: 2, Reputation: 1
    New Member
     
    #10

    Mar 10, 2008, 05:37 PM
    Hi Invisibleman, I also have the same problem with regard to the hosts file showing up on the AVG virus scan. I tried all that you indicated above and it still keeps showing up. Any suggestions on what it might be?
    Will00 Posts: 66, Reputation: 3
    Junior Member
     
    #11

    Mar 11, 2008, 08:15 PM
    If any of you would like to have the problem fixed, I can most certainly look at the problem through HijackThis. You can download it here, and when the scan is done, simply post the log as text here in a reply.
    Snippy Posts: 1, Reputation: 1
    New Member
     
    #12

    Mar 21, 2008, 11:21 PM
    I also have this file coming up, kind of weird. Here's my log. I don't know what's going on with my computer, but sometimes it doesn't respond when I try to open something. I always have to end up closing some program in order to open a folder/program. And another thing is my menu bar flashing crazily sometimes, which is also weird since I can't do anything (this applies to QuarkXPress as well): rulers flash and I can't work until it stops flashing... hope my log will give you clues :(

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 2:17:00 AM, on 3/22/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16608)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\Program Files\Razer\Diamondback 3G\razerhid.exe
    C:\WINDOWS\CTHELPER.EXE
    C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
    C:\Program Files\Google\Google Talk\googletalk.exe
    C:\Program Files\Logitech\Gaming Software\LWEMon.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
    C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
    C:\Program Files\DAEMON Tools Pro\DTProAgent.exe
    C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\LClock\lclock.exe
    C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
    C:\Program Files\RocketDock\RocketDock.exe
    C:\Program Files\Rainlendar2\Rainlendar2.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\Extensis\Suitcase 9.2\Suitcase.exe
    C:\WINDOWS\system32\PnkBstrA.exe
    C:\WINDOWS\system32\PnkBstrB.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Hamachi\hamachi.exe
    C:\Program Files\Webroot\Washer\WasherSvc.exe
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\Program Files\Styler\Styler.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    C:\Program Files\Razer\Diamondback 3G\razertra.exe
    C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
    C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
    C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    C:\Program Files\Razer\Diamondback 3G\razerofa.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Windows Live\Messenger\usnsvc.exe
    C:\Program Files\PeerGuardian2\pg2.exe
    C:\Program Files\uTorrent\uTorrent.exe
    C:\PROGRA~1\Grisoft\AVG7\avgwb.dat
    C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
    C:\HiJackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = Live Search
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = MSN.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Live Search
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Live Search
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN.com
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = Customize Your Settings
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
    O2 - BHO: Loader Class - {F880A4A8-C436-4AC4-AFD1-AA0BDC9552DD} - C:\Program Files\FindeXer Nightly\FindeXer.dll
    O3 - Toolbar: StylerToolBar - {D2F8F919-690B-4EA2-9FA7-A203D1E04F75} - C:\Program Files\Styler\TB\StylerTB.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [Diamondback] C:\Program Files\Razer\Diamondback 3G\razerhid.exe
    O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
    O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
    O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [Start WingMan Profiler] C:\Program Files\Logitech\Gaming Software\LWEMon.exe /noui
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [DAEMON Tools Pro Agent] "C:\Program Files\DAEMON Tools Pro\DTProAgent.exe"
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
    O4 - HKCU\..\Run: [LClock] C:\Program Files\LClock\lclock.exe
    O4 - HKCU\..\Run: [RocketDock] "C:\Program Files\RocketDock\RocketDock.exe"
    O4 - HKCU\..\Run: [Rainlendar2] C:\Program Files\Rainlendar2\Rainlendar2.exe
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-20\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
    O4 - HKUS\.DEFAULT\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'Default user')
    O4 - Startup: hamachi.lnk = C:\Program Files\Hamachi\hamachi.exe
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O4 - Startup: Styler.lnk = ?
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: Suitcase Startup.lnk = ?
    O4 - Global Startup: Super Turbo Tango Patcher Reloader.lnk = C:\WINDOWS\Super Turbo Tango Patcher\Reloader.exe
    O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/softwareupda...31/CTSUEng.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsof...?1204176628437
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1204176621890
    O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/softwareupda...5034/CTPID.cab
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
    O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
    O23 - Service: Window Washer Engine (wwEngineSvc) - Webroot Software, Inc. - C:\Program Files\Webroot\Washer\WasherSvc.exe

    --
    End of file - 12691 bytes
    sarrah_resh Posts: 1, Reputation: 1
    New Member
     
    #13

    May 5, 2008, 09:55 PM
    Quote Originally Posted by coachcj
    I have a virus in C:\WINDOWS\system32\drivers\etc\hosts. I'm using AVG Free Edition. I've put the file in the virus vault; it says it's possible to heal the file, except that there isn't enough info to do so. Any ideas of what I should do?
    I have the same problem as coachcj and nothing works.
    I tried all the above solutions... what should I do now?
    talpur Posts: 1, Reputation: 1
    New Member
     
    #14

    Aug 25, 2008, 04:17 AM
    Thank you it really worked for me..
    rajesh8mfi Posts: 1, Reputation: 1
    New Member
     
    #15

    Aug 30, 2008, 04:13 AM
    It's a hosts file. I keep getting it come up with AVG, and it says it has been changed. What can I do?
    colinquinn Posts: 1, Reputation: 1
    New Member
     
    #16

    Feb 6, 2009, 03:49 PM
    Quote Originally Posted by adeyohannes View Post
    Hello all, I have the same question as invisableman_production. I have a virus too (C:\WINDOWS\system32\drivers\etc\hosts). Can I erase that folder etc?
    I can't open anything other than my browser. What are my options?
    ubharedev Posts: 134, Reputation: 1
    Junior Member
     
    #17

    Feb 24, 2009, 11:14 PM

    Scan the computer with Avast once again.
    UndrTheBrdwalk Posts: 1, Reputation: 1
    New Member
     
    #18

    Aug 2, 2009, 07:42 PM
    Quote Originally Posted by coachcj View Post
    I have a virus in C:\WINDOWS\system32\drivers\etc\hosts. I'm using AVG Free Edition. I've put the file in the virus vault; it says it's possible to heal the file, except that there isn't enough info to do so. Any ideas of what I should do?
    I am having the same problem. I have downloaded and used HostsXpert to reset my hosts file, and every time after I do that the hosts file resets with the virus, even after I check the box to make the folder read-only. I'm including a Hijack log, so hopefully someone can tell me where the main virus is so I can hunt it down and nuke it!

    Log created by WinPatrol [FREE Edition] version 16.0.2009.6:16.0.2009.6
    Scan saved at 12:41:21 AM, on 8/03/2009
    Platform: Windows XP SP2 Service Pack 2 (Build 2600)
    MSIE: Internet Explorer (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\system32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRAM FILES\COMMON FILES\Apple\MOBILE DEVICE SUPPORT\bin\APPLEMOBILEDEVICESERVICE.EXE
    C:\PROGRAM FILES\Bonjour\MDNSRESPONDER.EXE
    C:\WINDOWS\system32\nvsvc32.exe
    C:\PROGRAM FILES\PC TOOLS ANTIVIRUS\PCTAVSvc.exe
    C:\WINDOWS\system32\wdfmgr.exe
    C:\WINDOWS\system32\alg.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY\TMAS_OE\TMAS_OEMON.EXE
    C:\WINDOWS\system32\wuauclt.exe
    C:\PROGRAM FILES\Java\JRE1.6.0_07\bin\jusched.exe
    C:\PROGRAM FILES\BILLP STUDIOS\WINPATROL\WINPATROL.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\iexplore.exe
    C:\PROGRAM FILES\BILLP STUDIOS\WINPATROL\WINPATROLEX.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Google
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN.com
    O2 - BHO: - {02478D38-C3F9-4efb-9B51-7695ECA05670} -
    O2 - BHO: Adobe PDF Link Helper - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: - {443896bd-fa59-d8d7-e4b1-6e6a3f4d3c78} -
    O2 - BHO: TBSB05288 Class - {6714ADBD-C6C1-42A8-BD84-9C9339059421} - C:\Program Files\IEToolbar\ECO Bar\ecobar.dll
    O2 - BHO: thesuperads - {a7aea817-e045-9de4-b168-54da957c7945} - C:\WINDOWS\system32\nse48.dll
    O3 - Toolbar: ECO Bar - {10000000-1000-1000-1000-100000000000} - C:\Program Files\IEToolbar\ECO Bar\ecobar.dll
    O4 - HKLM\..\Run: [NvCplDaemon]C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz]nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter]C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [UfSeAgnt.exe]C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
    O4 - HKLM\..\Run: [WinPatrol [FREE Edition]]C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher]C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
    O4 - HKLM\..\Run: [ParetoLogic Anti-Virus PLUS]C:\Program Files\ParetoLogic\Anti-Virus PLUS\Pareto_AV.lnk -NM -hidesplash
    O4 - HKCU\..\Run: [CTFMON.EXE]C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [OE]C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O11 - Options group: [Java (Sun)] Java (Sun) - C:\Program Files\Java\jre1.6.0_07\bin
    O11 - Options group: [] -
    O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
    O14 - IERESET.INF: START_PAGE_URL = MSN.com
    O14 - IERESET.INF: SEARCH_PAGE_URL = Bing
    O14 - IERESET.INF:HKCU, Start Page = %START_PAGE_URL%
    O14 - IERESET.INF:HKLM, Default_Page_URL = %START_PAGE_URL%
    O14 - IERESET.INF:HKLM, Default_Search_URL = %SEARCH_PAGE_URL%
    O14 - IERESET.INF:HKLM, Search Page = %SEARCH_PAGE_URL%
    O14 - IERESET.INF:HKCU, Search Page = %SEARCH_PAGE_URL%
    O15 - Trusted Zone: aol.com
    O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish.com/SnapfishActivia.cab
    O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} (http://fpdownload.macromedia.com/get...rent/ultrashim) - http://fpdownload.macromedia.com/get.../ultrashim.cab
    O16 - DPF: {BD8667B7-38D8-4C77-B580-18C3E146372C} (Creative Toolbox Plug-in) - http://ak.imgag.com/imgag/cp/install/Crusher.cab
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} (http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp) - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    O20 - AppInit_DLLs: karina.dat

    O21 - UPnPMonitor - UPnP Tray Monitor - {e57ce738-33e8-4c51-8354-bb4de9d215d1} - C:\WINDOWS\system32\upnpui.dll
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: getPlus(R) Helper - - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
    O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: PC Tools AntiVirus Engine - PC Tools Research Pty Ltd - C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
    O23 - Service: Trend Micro Central Control Component - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
    O23 - Service: Trend Micro Unauthorized Change Prevention Service - - C:\Program Files\Trend Micro\BM\TMBMSRV.exe /service
    O23 - Service: Trend Micro Personal Firewall - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmPfw.exe
    O23 - Service: Trend Micro Proxy Service - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
    O23 - Service: plasservice - ParetoLogic Inc. - C:\Program Files\Common Files\ParetoLogic\PLAS\plasservice.exe

    --- Additional WinPatrol Info ---
    Default Browser: Windows® Internet Explorer - Internet Explorer version 8.00.6001.18702
    MSIE: Internet Explorer (8.00.6001.18702)
    121 IE Cookies in Folder: C:\Documents and Settings\Jenny.JENNY-7A99074D4\Cookies\

    WP00 - HKLM\CS1: BootExecute = autocheck autochk *
    WP00 - HKLM\CCS: BootExecute = autocheck autochk *
    WP00 - HKLM\CS2: BootExecute = autocheck autochk *
    WP00 - HKLM\CS3: BootExecute = autocheck autochk *
    WP02 - HKLM\CCS: Command = C:\WINDOWS\system32\cmd.exe

    WP03 - Windows Automatic Update = 4:Automatically download recommended updates for my computer and install them.

    WP06 - Delayed Start: [SunJavaUpdateSched]C:\PROGRAM FILES\Java\JRE1.6.0_07\bin\jusched.exe
    WP06 - Delayed Start: [PCTAVApp]C:\PROGRAM FILES\PC TOOLS ANTIVIRUS\PCTAV.exe

    WP31 - Scheduled Tasks: [ParetoLogic Update Version2.job]C:\Program Files\Common Files\ParetoLogic\UUS2\Pareto_Update.exe 08/03/2009 12:33 AM
    WP31 - Scheduled Tasks: [ParetoLogic Registration.job]C:\WINDOWS\system32\rundll32.exe Never
    WP31 - Scheduled Tasks: [ParetoLogic Anti-Virus PLUS_dbsummary.job]C:\Program Files\ParetoLogic\Anti-Virus PLUS\Pareto_AV.exe Never
    WP31 - Scheduled Tasks: [ParetoLogic Anti-Virus PLUS.job]C:\Program Files\ParetoLogic\Anti-Virus PLUS\Pareto_AV.exe 08/03/2009 2:00 AM
    WP31 - Scheduled Tasks: [Ad-Aware Update (Weekly).job]C:\Program Files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe 06/16/2009 5:50 PM

    WP16 - ActiveX: {19916E01-B44E-4E31-94A4-4696DF46157B} [InformationCardSigninHelper Class] C:\WINDOWS\system32\icardie.dll 8.00.6001.18702
    WP16 - ActiveX: {22D6F312-B0F6-11D0-94AB-0080C74C7E95} [Windows Media Player] C:\WINDOWS\system32\wmpdxm.dll 10.00.00.3802
    WP16 - ActiveX: {25336920-03F9-11CF-8FD0-00AA00686F13} [HTML Document] C:\WINDOWS\system32\mshtml.dll 8.00.6001.18812
    WP16 - ActiveX: {2933BF90-7B36-11D2-B20E-00C04F983E60} [XML DOM Document] C:\WINDOWS\system32\msxml3.dll 8.100.1048.0
    WP16 - ActiveX: {2D360201-FFF5-11D1-8D03-00A0C959BC0A} [DHTML Edit Control Safe for Scripting for IE5] C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\Triedit\dhtmled.ocx 6.01.9232
    WP16 - ActiveX: {3050F819-98B5-11CF-BB82-00AA00BDCE0B} [HtmlDlgSafeHelper Class] C:\WINDOWS\system32\mshtmled.dll 8.00.6001.18702
    WP16 - ActiveX: {48123BC4-99D9-11D1-A6B3-00C04FD91555} [XML Document] C:\WINDOWS\system32\msxml3.dll 8.100.1048.0
    WP16 - ActiveX: {6414512B-B978-451D-A0D8-FCFDF33E833C} [WUWebControl Class] C:\WINDOWS\system32\wuweb.dll 7.2.6001.788
    WP16 - ActiveX: {6BF52A52-394A-11D3-B153-00C04F79FAA6} [Windows Media Player] C:\WINDOWS\system32\wmp.dll 10.00.00.4058
    WP16 - ActiveX: {8856F961-340A-11D0-A96B-00C04FD705A2} [Microsoft Web Browser] C:\WINDOWS\system32\ieframe.dll 8.00.6001.18812
    WP16 - ActiveX: {CA8A9780-280D-11CF-A24D-444553540000} [Adobe PDF Reader] C:\PROGRAM FILES\COMMON FILES\Adobe\Acrobat\ActiveX\AcroPDF.dll
    WP16 - ActiveX: {CFBFAE00-17A6-11D0-99CB-00C04FD64497} [Microsoft Url Search Hook] C:\WINDOWS\system32\ieframe.dll 8.00.6001.18812
    WP16 - ActiveX: {D27CDB6E-AE6D-11CF-96B8-444553540000} [Shockwave Flash Object] C:\WINDOWS\system32\Macromed\Flash\Flash9f.ocx 9,0,124,0
    WP16 - ActiveX: {DE4AF3B0-F4D4-11D3-B41A-0050DA2E6C21} [QuickTimeCheck Class] C:\PROGRAM FILES\QUICKTIME\QTSystem\QUICKTIMECHECK.OCX QuickTime 7.6.2 (1324)
    WP16 - ActiveX: {ED8C108E-4349-11D2-91A4-00C04F7969E8} [XML HTTP Request] C:\WINDOWS\system32\msxml3.dll 8.100.1048.0
    WP16 - ActiveX: {F5078F32-C551-11D3-89B9-0000F81FE221} [XML DOM Document 3.0] C:\WINDOWS\system32\msxml3.dll 8.100.1048.0
    WP16 - ActiveX: {F5078F40-C551-11D3-89B9-0000F81FE221} [XML Document 3.0] C:\WINDOWS\system32\msxml3.dll 8.100.1048.0
    WP16 - ActiveX: {F6D90F16-9C73-11D3-B32E-00C04F990BB4} [XML HTTP] C:\WINDOWS\system32\msxml3.dll 8.100.1048.0
    WP16 - ActiveX: {05589fa1-c356-11ce-bf01-00aa0055595a} [ActiveMovieControl Object] C:\WINDOWS\system32\wmpdxm.dll 10.00.00.3802
    WP16 - ActiveX: {1D2B4F40-1F10-11D1-9E88-00C04FDCAB92} [ThumbCtl Class] C:\WINDOWS\system32\webvw.dll 6.00.2900.2180
    WP16 - ActiveX: {22D6F312-B0F6-11D0-94AB-0080C74C7E95} [Windows Media Player] C:\WINDOWS\system32\wmpdxm.dll 10.00.00.3802
    WP16 - ActiveX: {8856F961-340A-11D0-A96B-00C04FD705A2} [Microsoft Web Browser] C:\WINDOWS\system32\ieframe.dll 8.00.6001.18812
    WP16 - ActiveX: {AE24FDAE-03C6-11D1-8B76-0080C744F389} [Microsoft Scriptlet Component] C:\WINDOWS\system32\mshtml.dll 8.00.6001.18812
    WP16 - ActiveX: {CA8A9780-280D-11CF-A24D-444553540000} [Adobe PDF Reader] C:\PROGRAM FILES\COMMON FILES\Adobe\Acrobat\ActiveX\AcroPDF.dll
    eid's Avatar
    eid Posts: 1, Reputation: 1
    New Member
     
    #19

    Sep 2, 2009, 09:25 PM
    65.54.239.80 messenger.hotmail.com
    65.54.239.80 dp.msnmessenger.skadns.ne
    vincepeter's Avatar
    vincepeter Posts: 1, Reputation: 1
    New Member
     
    #20

    Dec 3, 2009, 03:55 AM
    Hi, I also got the problem with this host file. The virus name: it said in the virus vault "host file contains forbidden domain name guru.avg.com". It is very annoying; the resident shield alert appears all the time.
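The kind of check AVG is running on the hosts file in posts #19 and #20 (a security vendor's domain, here guru.avg.com, remapped so the machine can no longer reach it), as an added example that is not code from the thread or from AVG. The watchlist and the sample hosts lines are constructed for illustration, seeded with the entries quoted in this thread.

```python
"""Audit a Windows hosts file for hijacked entries (added example)."""
import ipaddress

# Security-vendor / update hostnames a hijacker typically remaps (constructed list).
WATCHLIST = {"guru.avg.com", "virustotal.com", "www.virustotal.com",
             "update.microsoft.com"}
LOOPBACK = {"127.0.0.1", "::1"}


def parse_hosts(text):
    """Yield (ip, hostname, lineno) for each active mapping, skipping comments."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            ip = str(ipaddress.ip_address(parts[0]))
        except ValueError:
            continue  # malformed line; Windows ignores it as well
        for host in parts[1:]:
            yield ip, host.lower(), lineno


def audit_hosts(text, watchlist=WATCHLIST):
    """Return findings as (lineno, host, ip, reason) tuples.

    A watchlisted name mapped anywhere is flagged (this is what the AVG
    "forbidden domain name" alert means); any other name that points
    off-box is flagged as a possible redirect.
    """
    suffixes = tuple("." + w for w in watchlist)
    findings = []
    for ip, host, lineno in parse_hosts(text):
        if host == "localhost":
            continue
        if host in watchlist or host.endswith(suffixes):
            findings.append((lineno, host, ip, "forbidden domain remapped"))
        elif ip not in LOOPBACK:
            findings.append((lineno, host, ip, "non-loopback mapping"))
    return findings


# Constructed sample: the default line plus entries of the kind quoted in this thread.
SAMPLE = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
65.54.239.80    messenger.hotmail.com
127.0.0.1       guru.avg.com
127.0.0.1       www.virustotal.com virustotal.com
"""

if __name__ == "__main__":
    for lineno, host, ip, why in audit_hosts(SAMPLE):
        print(f"line {lineno}: {host} -> {ip} ({why})")
```

A clean Windows hosts file produces no findings at all, which is also why "Restore Original Hosts" followed by making the file read-only is the usual fix.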
