wow.

and after all that, your HijackThis log is nearly identical.

so, try again.


rescan and check the following:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank

O1 - Hosts: 66.159.20.52 www1.ndhosting.com
O1 - Hosts: 66.159.20.52 www3.ndhosting.com
O1 - Hosts: 66.159.20.52 www2.ndhosting.com
O1 - Hosts: 66.159.20.52 www.ndhosting.com
O1 - Hosts: 66.159.20.52 www.kinghost.com
O1 - Hosts: 66.159.20.52 kinghost.com
O1 - Hosts: 66.159.20.52 www1.kinghost.com
O1 - Hosts: 66.159.20.52 www2.kinghost.com
O1 - Hosts: 66.159.20.52 www3.kinghost.com
O1 - Hosts: 66.159.20.52 www4.kinghost.com
O1 - Hosts: 66.159.20.52 www5.kinghost.com
O1 - Hosts: 66.159.20.52 www6.kinghost.com
O1 - Hosts: 66.159.20.52 www7.kinghost.com
O1 - Hosts: 66.159.20.52 www8.kinghost.com
O1 - Hosts: 66.159.20.52 www9.kinghost.com
O1 - Hosts: 66.159.20.52 www10.kinghost.com
O1 - Hosts: 66.159.20.52 www.smutserver.com
O1 - Hosts: 66.159.20.52 smutserver.com
O1 - Hosts: 66.159.20.52 www1.smutserver.com
O1 - Hosts: 66.159.20.52 www2.smutserver.com
O1 - Hosts: 66.159.20.52 www16.smutserver.com
O1 - Hosts: 66.159.20.52 www3.smutserver.com
O1 - Hosts: 66.159.20.52 www4.smutserver.com
O1 - Hosts: 66.159.20.52 www5.smutserver.com
O1 - Hosts: 66.159.20.52 www6.smutserver.com
O1 - Hosts: 66.159.20.52 www7.smutserver.com
O1 - Hosts: 66.159.20.52 www8.smutserver.com
O1 - Hosts: 66.159.20.52 www9.smutserver.com
O1 - Hosts: 66.159.20.52 www10.smutserver.com
O1 - Hosts: 66.159.20.52 www11.smutserver.com
O1 - Hosts: 66.159.20.52 www12.smutserver

O4 - HKLM\..\Run: [windows update] iexplore.exe
O4 - HKLM\..\Run: [AAS] c:\winnt\system32\drivers\etc\check.bat
O4 - HKLM\..\Run: [csrss service] c:\winnt\system32\drivers\etc\csrss.exe
O4 - HKLM\..\Run: [secure] c:\winnt\system32\drivers\etc\secure.exe
O4 - HKLM\..\Run: [lsass service] c:\winnt\system32\drivers\etc\hidden32.exe c:\winnt\system32\drivers\etc\lsass.exe c:\winnt\system32\drivers\etc\ir.dll
O4 - HKLM\..\RunServices: [windows update] iexplore.exe
O4 - HKCU\..\Run: [windows update] iexplore.exe

this one is optional but really not needed:
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

close all browser windows and hit fix checked.

download the process explorer from here:
http://www.sysinternals.com/ntw2k/freeware/procexp.shtml
reboot into safe mode and run HijackThis once more. see if that rogue iexplore is running. unlike task manager, the process explorer shows the path of the file. highlight the C:\WINDOWS\System32\iexplore.exe, if present, and fix it with HijackThis.

then delete the file: C:\WINDOWS\System32\iexplore.exe.

as for that strange winnt folder, you can check the files individually here:
http://www.kaspersky.com/scanforvirus
but somehow, i doubt you will still need any part of that trojan.

the only difference in your log is the lack of those winnt files in your active processes, so perhaps you will be successful this time.

reboot into normal mode and post a fresh log.
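
The checks this reply applies by eye can be run over a saved log, as an added example that is not part of the original post. It flags autoruns launched from `drivers\etc`, autoruns given as a bare file name with no path, and a non-local IP that many hosts-file names point to. The rule names, the threshold, and the `ExampleApp` line are assumptions made for the illustration.

```python
import re
from collections import defaultdict

O4 = re.compile(r"^O4 - (\S+): \[([^\]]+)\] (.+)$")   # registry autoruns
O1 = re.compile(r"^O1 - Hosts: (\S+) (\S+)$")          # hosts-file entries
LOCAL = {"127.0.0.1", "0.0.0.0", "::1"}

# Sample input: entries quoted in the post, plus one constructed benign line.
SAMPLE = r"""
O1 - Hosts: 66.159.20.52 www.ndhosting.com
O1 - Hosts: 66.159.20.52 www.kinghost.com
O1 - Hosts: 66.159.20.52 kinghost.com
O4 - HKLM\..\Run: [windows update] iexplore.exe
O4 - HKLM\..\Run: [AAS] c:\winnt\system32\drivers\etc\check.bat
O4 - HKLM\..\Run: [csrss service] c:\winnt\system32\drivers\etc\csrss.exe
O4 - HKCU\..\Run: [windows update] iexplore.exe
O4 - HKLM\..\Run: [ExampleApp] C:\Program Files\Example\app.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
"""

def triage(log_text, hosts_threshold=3):
    """Return a list of (rule, detail) findings for a HijackThis-style log."""
    findings, names_by_ip = [], defaultdict(list)
    for line in map(str.strip, log_text.splitlines()):
        m = O4.match(line)
        if m:
            hive, name, cmd = m.groups()
            low = cmd.lower()
            if "\\drivers\\etc\\" in low:
                # This directory holds the hosts file; nothing should autostart from it.
                findings.append(("autorun-from-drivers-etc", name))
            elif "\\" not in low and low.split()[0].endswith(".exe"):
                # No path: the log cannot tell you which file on disk will run.
                findings.append(("autorun-without-path", f"{hive} [{name}]"))
            continue
        m = O1.match(line)
        if m and m.group(1) not in LOCAL:
            names_by_ip[m.group(1)].append(m.group(2))
    for ip, names in names_by_ip.items():
        if len(names) >= hosts_threshold:
            findings.append(("hosts-redirect", f"{ip} <- {len(names)} names"))
    return findings

if __name__ == "__main__":
    for rule, detail in triage(SAMPLE):
        print(f"{rule:26} {detail}")
```

A finding is a prompt to look at the file on disk, for example with a tool that shows the full image path, not a verdict on its own.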