Generic.qhost.of42122b

On Monday Bitdefender popped up a message saying c:\WINDOWS32\drivers\etc\hosts was infected with Generic.qhost.OF42122B. It stated Bitdefender had blocked the virus and the computer was not infected.


Since then I haven't been able to update Bitdefender, and when I open Internet Explorer four tabs open with web sites I haven't requested. Google should open as it's my homepage. I'm presuming that my PC is actually infected with this virus and Bitdefender is unable to get rid of it.


I'm running Windows XP and Bitdefender Internet Security V10. I have tried repairing Bitdefender in Add/Remove Programmes but I still can't update it.


The computer is now performing very badly and Internet Explorer keeps freezing.


Do you have any suggestions on how to fix this problem?

Comments

  • Hello,


    please attach your hosts file (usually located in C:\WINDOWS\SYSTEM32\DRIVERS\ETC\HOSTS) in a password protected archive.

  • Hello Weaze,


    Please download HijackThis!, make a scan with it and post here the log.


    Cris.

  • Dear Maurius


    I have tried several times to find my hosts file without success. I get an error message saying "A device attached to the system is not functioning" and the page appears blank. In the next attempt, an error message saying "There was an error opening this document. General failure" and the page appears blank, then freezes for several minutes.


    Kind Regards


    Weaze

  • Hi Cris


    I ran a scan with HijackThis and got this message during scan-


    "For some reason your system denied access to the hosts file. If any hijacked domains are in this file, HijackThis may not be able to fix this. If that happens you need to edit the file yourself. To do this click Start, Run and type notepad C:\WINDOWS\System32\drivers\etc\hosts and press Enter. Find the lines HijackThis reports and delete them. Save the file as 'hosts' [with quotes] and reboot."


    I tried to edit the file myself as per this message but got another message, "A device attached to the system is not functioning", and a blank notepad page appeared.


    Here is the log of the scan:


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 9:04:21 AM, on 20/12/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16574)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
    C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
    C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
    C:\WINDOWS\OPTIONS\CABS\pxqvxjq\lsass.exe
    C:\windows\system\hpsysdrv.exe
    C:\Windows\system32\HpSrvUI.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
    C:\WINDOWS\system32\usb.exe
    C:\Program Files\Softwin\BitDefender10\bdmcon.exe
    C:\Program Files\Softwin\BitDefender10\bdagent.exe
    C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
    C:\Program Files\Internet Content Filter\SafeEyes.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\PROGRA~1\INTERN~2\mum.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\NETGEAR\WG111v2 Configuration Utility\RtlWake.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Softwin\BitDefender10\vsserv.exe
    C:\Program Files\NETGEAR\WG111v2 Configuration Utility\RtWLan.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://abc.net.au/rn
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    F3 - REG:win.ini: load=C:\WINDOWS\OPTIONS\CABS\pxqvxjq\lsass.exe
    F3 - REG:win.ini: run=C:\WINDOWS\OPTIONS\CABS\pxqvxjq\lsass.exe
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: (no name) - {8F26EAA1-D8B4-41A2-994F-704AEEE25536} - (no file)
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - (no file)
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
    O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - (no file)
    O3 - Toolbar: Safe &Eyes Toolbar - {430DDB4F-38CC-4E91-AF33-4157334EC937} - C:\Program Files\Internet Content Filter\setoolbar.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [hp Silent Service] C:\Windows\system32\HpSrvUI.exe
    O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [uSB] C:\WINDOWS\system32\usb.exe
    O4 - HKLM\..\Run: [bDMCon] "C:\Program Files\Softwin\BitDefender10\bdmcon.exe" /reg
    O4 - HKLM\..\Run: [bDAgent] "C:\Program Files\Softwin\BitDefender10\bdagent.exe"
    O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [iCF] "C:\Program Files\Internet Content Filter\SafeEyes.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [internodeUsage] C:\PROGRA~1\INTERN~2\mum.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [OrangeShark] C:\PROGRA~1\ORANGE~1\OSharkUpdater.exe
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - Startup: lsass.lnk = ?
    O4 - Startup: PowerReg Scheduler V3.exe
    O4 - Global Startup: WG111v2 Smart Wizard Wireless Setting.lnk = ?
    O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
    O8 - Extra context menu item: &Search - ?p=ZSzed001YYAU_ZNxuk101YYAU
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
    O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\WINDOWS\System32\shdocvw.dll
    O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: icf.dll
    O10 - Unknown file in Winsock LSP: icf.dll
    O10 - Unknown file in Winsock LSP: icf.dll
    O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/cha...t/c381/chat.cab
    O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab46479.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/techsupp/asa/LSSupCtl.cab
    O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.hp.com/ediags/gmn/insta...staller_gmn.cab
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
    O16 - DPF: {352797A0-EFD0-4FA6-B229-145120EA4B8A} (Walt Disney Internet Group Hardware Control) - https://disneyblast.go.com/v3/setup/activex...wareControl.cab
    O16 - DPF: {3A7FE611-1994-4EF1-A09F-99456752289D} - http://install.wildtangent.com/ActiveLaunc...iveLauncher.cab
    O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (ZoneBuddy Class) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab32846.cab
    O16 - DPF: {3DA5D23B-EFE1-4181-ADB7-7D457567AACA} (TGOnlineCtrl Class) - http://zone.msn.com/bingame/pacz/default/pandaonline.cab
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...72/mcinsctl.cab
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://thegooseisout.spaces.live.com//Phot...ad/MsnPUpld.cab
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/161fc01c68a644d12b05/...ip/RdxIE601.cab
    O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab32846.cab
    O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab
    O16 - DPF: {639658F3-B141-4D6B-B936-226F75A5EAC3} (CPlayFirstDinerDash2Control Object) - http://zone.msn.com/bingame/dsh2/default/D...h2.1.0.0.68.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
    O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://www.gamenow.com.au/res/exent/classes/exentCtl.ocx
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1144018855890
    O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://atv.disney.go.com/global/download/otoy/OTOYAX29b.cab
    O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://zone.msn.com/bingame/amun/default/mjolauncher.cab
    O16 - DPF: {80B626D6-BC34-4BCF-B5A1-7149E4FD9CFA} (UnoCtrl Class) - http://zone.msn.com/bingame/zpagames/GAME_UNO1.cab50727.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
    O16 - DPF: {9122D757-5A4F-4768-82C5-B4171D8556A7} (PhotoPickConvert Class) - http://appdirectory.messenger.msn.com/AppD...ap/PhtPkMSN.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab
    O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bundl...ArcadeRdxIE.cab
    O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
    O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
    O16 - DPF: {CC32D4D8-2A0B-4CEB-B105-C9B968379105} (CGameManagerCtrl Object) - https://disney.go.com/games/downloads/gamem...GameManager.cab
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/as...rl/SymAData.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
    O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://zone.msn.com/bingame/feed/default/SproutLauncher.cab
    O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://zone.msn.com/bingame/cnma/default/ct.cab
    O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (StadiumProxy Class) - http://zone.msn.com/binframework/v10/StProxy.cab41227.cab
    O16 - DPF: {DC75FEF6-165D-4D25-A518-C8C4BDA7BAA6} (CPlayFirstDinerDashControl Object) - http://zone.msn.com/bingame/dash/default/D...sh.1.0.0.89.cab
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://sympatico.zone.msn.com/bingame/popcaploader_v10.cab
    O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
    O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/ac.../ActiveData.cab
    O16 - DPF: {EE8B6D5F-FEF2-11D0-B13F-00A024798EF3} (Microsoft Search Settings Control) - http://lg.home.microsoft.com/search/lobby/searchsettings.cab
    O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredimail.com/contents/setup...er/imloader.cab
    O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{DFDC5CA2-FEE7-4A82-9D47-E06F01EAA1CD}: Domain = qld.bigpond.net.au
    O17 - HKLM\System\CCS\Services\Tcpip\..\{DFDC5CA2-FEE7-4A82-9D47-E06F01EAA1CD}: NameServer = 192.231.203.132,192.231.203.3
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: SearchList = vic.bigpond.net.au
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = vic.bigpond.net.au
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: BitDefender Desktop Update Service (LIVESRV) - SOFTWIN S.R.L. - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
    O23 - Service: SAVScan - Unknown owner - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe (file missing)
    O23 - Service: BitDefender Virus Shield (VSSERV) - SOFTWIN S.R.L. - C:\Program Files\Softwin\BitDefender10\vsserv.exe
    O23 - Service: BitDefender Communicator (XCOMM) - Softwin - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
    O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/Owner/LOCALS~1/APPLIC~1/IM/Runtime/EMOTIC~1/POINSE~1.GIF

    --
    End of file - 15321 bytes


    Kind Regards


    Weaze

  • I ran a scan with HijackThis and got this message during scan-


    "For some reason your system denied access to the hosts file. If any hijacked domains are in this file, HijackThis may not be able to fix this. If that happens you need to edit the file yourself. To do this click Start, Run and type notepad C:\WINDOWS\System32\drivers\etc\hosts and press Enter. Find the lines HijackThis reports and delete them. Save the file as 'hosts' [with quotes] and reboot."


    I tried to edit the file myself as per this message but got another message, "A device attached to the system is not functioning", and a blank notepad page appeared.


    Hi Weaze,


    At first look at your log, there are some malware executables injected in some very important places. I'll take a careful look to see exactly what needs fixing.


    I'm sorry I didn't tell you from the beginning, but you shouldn't try to fix ANYTHING if you don't know what you're doing! HijackThis! doesn't have signature-based detection. It reports suspicious settings, but those settings can be legit. And fixing legit settings might even break your system! So, even if it's a little late to say this: DON'T try to fix anything! I'll tell you what to fix in my next post.


    Cris.

  • alexcrist
    edited December 2007

    Hello Weazer,


    Before fixing any of the lines below, I want to ask you a favor: please find the following files, put them in a ZIP file protected by the password infected and attach it to your next post. They are malware and, apparently, BitDefender doesn't know them yet. If you attach them, detection can be added and next time you'll be protected:


    C:\WINDOWS\OPTIONS\CABS\pxqvxjq\lsass.exe


    C:\WINDOWS\system32\usb.exe


    Now, let's get to fixing problems :)


    Fix the following lines:


    F3 - REG:win.ini: load=C:\WINDOWS\OPTIONS\CABS\pxqvxjq\lsass.exe
    F3 - REG:win.ini: run=C:\WINDOWS\OPTIONS\CABS\pxqvxjq\lsass.exe
    O2 - BHO: (no name) - {8F26EAA1-D8B4-41A2-994F-704AEEE25536} - (no file)
    O4 - HKLM\..\Run: [USB] C:\WINDOWS\system32\usb.exe
    O4 - Startup: lsass.lnk = ?
    O8 - Extra context menu item: &Search - ?p=ZSzed001YYAU_ZNxuk101YYAU
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/161fc01c68a644d12b05/...ip/RdxIE601.cab


    Also, the following lines are at least suspicious:


    O4 - Startup: PowerReg Scheduler V3.exe

    Searching for this on Google reveals some sites that state this application is adware (which displays different pop-ups). If you know it, you can just ignore it. Otherwise, I would suggest submitting it for analysis.


    To do this:


    - search your computer for that file (I don't know exactly where it is. It might be in C:\Windows\System32, but I don't guarantee it)


    - put it in a ZIP file, protected by the password infected and attach the archive here.


    - a Virus Analyst will take a look at it. If the result is that this is really adware, I suggest you select and fix this line. Also, detection will be added to BitDefender.


    O16 - DPF: {3A7FE611-1994-4EF1-A09F-99456752289D} - http://install.wildtangent.com/ActiveLaunc...iveLauncher.cab

    Also, searching for this points out that WildTangent installs spyware on your PC in order to see what games you play and your hardware configuration. They state that the information this spyware gathers is used to improve their games.


    It's your choice if you fix this line. If you like the WildTangent games, and you play them, then leave this line as it is.


    Please post if this solves your problem.


    Cris.


    EDIT: About your BitDefender Update problem... please follow the advice above and then post a new HijackThis! log. Then we'll see how to fix the Update issue.
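The triage Cris does by hand above (a core Windows process name running from an unusual directory, win.ini load=/run= autostarts, an ActiveX download from a bare IP address, a context-menu item with no real target, a startup shortcut named like a system process) can be written down as rules. This is an added example, not BitDefender's or HijackThis's code; the rule names are my own, and the sample lines are taken from the log posted in this thread.

```python
"""Rule-based triage of HijackThis log lines."""
import ipaddress
import re
import sys
from collections import namedtuple
from urllib.parse import urlparse

Finding = namedtuple("Finding", "rule evidence")

# On Windows XP these executables legitimately live only in %WINDIR%\system32.
CORE_PROCESSES = {"lsass.exe", "smss.exe", "csrss.exe", "winlogon.exe",
                  "services.exe", "svchost.exe"}
ALLOWED_CORE_DIRS = {r"c:\windows\system32"}

# Any Windows path ending in .exe, split into (directory, file name).
PATH_RE = re.compile(r'([A-Za-z]:\\(?:[^\\"\r\n]+\\)*)([^\\"\r\n]+\.exe)', re.I)
F3_RE = re.compile(r"^F3 - REG:win\.ini: (load|run)=(\S.*)$", re.I)
O16_RE = re.compile(r"^O16 - DPF: \{[0-9A-F-]+\}(?: \([^)]*\))? - (\S+)$", re.I)
O8_RE = re.compile(r"^O8 - Extra context menu item: .+? - (.+)$")
O4_STARTUP_RE = re.compile(r"^O4 - Startup: (.+?)(?: = .*)?$")
O2_NOFILE_RE = re.compile(r"^O2 - BHO: .+ - \{[0-9A-F-]+\} - \(no file\)$", re.I)

# Lines copied from the first HijackThis log posted in this thread.
SAMPLE_LOG = r"""
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\OPTIONS\CABS\pxqvxjq\lsass.exe
F3 - REG:win.ini: load=C:\WINDOWS\OPTIONS\CABS\pxqvxjq\lsass.exe
O2 - BHO: (no name) - {8F26EAA1-D8B4-41A2-994F-704AEEE25536} - (no file)
O4 - HKLM\..\Run: [uSB] C:\WINDOWS\system32\usb.exe
O4 - Startup: lsass.lnk = ?
O8 - Extra context menu item: &Search - ?p=ZSzed001YYAU_ZNxuk101YYAU
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/161fc01c68a644d12b05/...ip/RdxIE601.cab
O16 - DPF: {3A7FE611-1994-4EF1-A09F-99456752289D} - http://install.wildtangent.com/ActiveLaunc...iveLauncher.cab
"""


def _is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def triage_line(line):
    """Return the findings for one log line (empty list when no rule fires)."""
    line = line.strip()
    findings = []

    # A system process name outside System32 is a masquerade (lsass.exe above).
    for directory, exe in PATH_RE.findall(line):
        if exe.lower() in CORE_PROCESSES and \
                directory.lower().rstrip("\\") not in ALLOWED_CORE_DIRS:
            findings.append(Finding("core_process_outside_system32", directory + exe))

    m = F3_RE.match(line)
    if m:  # win.ini load=/run= is a legacy autostart no modern installer uses
        findings.append(Finding("win_ini_autostart", m.group(2)))

    m = O16_RE.match(line)
    if m and _is_ip_literal(urlparse(m.group(1)).hostname or ""):
        findings.append(Finding("dpf_from_bare_ip", m.group(1)))

    m = O8_RE.match(line)
    if m and not re.match(r"^(?:[A-Za-z]:\\|res://|https?://)", m.group(1)):
        findings.append(Finding("context_menu_without_file", m.group(1)))

    m = O4_STARTUP_RE.match(line)
    if m and m.group(1).rsplit(".", 1)[0].lower() + ".exe" in CORE_PROCESSES:
        findings.append(Finding("startup_named_like_core_process", m.group(1)))

    if O2_NOFILE_RE.match(line):  # orphaned entry: harmless, but worth cleaning
        findings.append(Finding("orphaned_bho", line))
    return findings


def triage_log(text):
    """Triage every line of a log; findings come back in log order."""
    return [f for line in text.splitlines() for f in triage_line(line)]


def triage_sample():
    return triage_log(SAMPLE_LOG)


if __name__ == "__main__":
    text = open(sys.argv[1], errors="replace").read() if len(sys.argv) > 1 else SAMPLE_LOG
    for f in triage_log(text):
        print(f"{f.rule:<32} {f.evidence}")
```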

  • Hi Cris


    I have tried to find C:\WINDOWS\OPTIONS\CABS\pxqvxjq\lsass.exe but can't find it on my system. I ran an adware scan yesterday so I'm wondering if it's been quarantined there. I found the other file you wanted me to send you but have had trouble trying to password protect it. I keep getting a message that there is no disc space and it won't let me put a password on it. All this has taken hours as the system is so slow.


    By fixing files I'm presuming you mean to delete them? I'm not a whizz with the computer so treat me as a computer idiot :rolleyes:


    I've also noticed that every time I restart the computer I get the same virus detected message that I described in my first post. Also I can't update Ad-Aware either. When I try to do an online virus scan the internet won't connect to those scan web addresses. I've tried McAfee, Panda and Norton.


    Would you like me to keep trying to send you those files?


    Do you mean for me to fix those files by deleting them?


    I'm typing this on another computer as infected computer is so slow.


    Thank you for your patience and help. I greatly appreciate it as I know how busy you must be.


    Kind Regards


    Weaze.

  • Hello Weaze,


    You cannot access any antivirus web-site, because they are blocked by the malware you have on your system. This can only be fixed after you disable the malware. So let's take it step-by-step.


    The file that you didn't find has to be there, because it shows in the previous HijackThis! log as running (and missing files can't be running).


    However (I forgot to say before), the file might be hidden. Please check out this topic: http://forum.bitdefender.com/index.php?showtopic=3573


    If you still can't find the file, then it might have been removed. In this case, please post a new HijackThis! log.


    About the other file (usb.exe, right?). I'm having some doubts that this file has anything to do with the infection. As far as I found out, it might very well be a legit file, related to your USB drivers (but it could also be malware). If you can't archive it, copy it somewhere else, then remove its extension (if you can't see the extension, check out the link I posted above to make it visible) and attach it to a PM and send it to me. Leave the original file where it is for now, because I'm sure you don't want to break your USB ports. ;)


    By fixing the lines I mean that you open HijackThis!, select the lines (put a mark in front of them, in the checkbox) and click Fix selected. But don't fix anything before you find the files. Fixing those lines also deletes the files, and we need the infected files so the BD Virus Analysts can add detection and future infections can be prevented from the beginning.


    Cris.

  • Dear Weaze


    To be able to visit the security sites again you can use this tool. You can download it here. Unzip it, double click on HostsXpert, press on Restore MS Hosts File and press OK. Try to update Ad-Aware again and reboot your PC into safe mode by pressing the F8 button several times before the Windows loading screen; choose safe mode, log in with your account and perform a complete scan.


    Best regards


    Niels
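Cris's point that the antivirus sites are blocked by the malware, and Niels's suggestion to restore the stock hosts file, both come down to what is in hosts: a stock Windows XP install carries only 127.0.0.1 localhost, so any other name mapped to a loopback address is blocked and any name mapped elsewhere is redirected. The audit below is an added example, not HostsXpert's or BitDefender's code; the sample hosts content and the .test domain names in it are constructed.

```python
"""Audit a Windows hosts file for Qhost-style tampering.

A hosts entry overrides DNS for that name: mapping an update server to
127.0.0.1 silently breaks antivirus updates, mapping it anywhere else
redirects the traffic. On a stock XP box every mapping other than
localhost is suspect (a deliberately installed ad-blocking hosts list
would show up too, so read the findings before deleting anything).
"""
import ipaddress
import sys
from collections import namedtuple

Finding = namedtuple("Finding", "kind address hostname lineno")

# Names that legitimately map to a loopback address.
SELF_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}

# Constructed sample modelled on a Qhost-tampered hosts file (.test names are placeholders).
SAMPLE_HOSTS = """\
# constructed sample, not a real hosts file
127.0.0.1\tlocalhost
127.0.0.1\tupdate.av-vendor.test www.av-vendor.test   # update server and vendor site blocked
0.0.0.0\tdownload.av-vendor.test
10.11.12.13\twww.search-engine.test                   # sent to an attacker-chosen host
not-an-address   junk.test
"""


def parse_hosts(text):
    """Yield (lineno, address, hostname) per mapping; comments and blanks are skipped.

    A line whose first field is not an IP address is yielded with address None
    so the caller can report it instead of silently dropping it.
    """
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            yield lineno, None, line
            continue
        for name in fields[1:]:
            yield lineno, addr, name.lower()


def audit_hosts(text):
    """Return one Finding per suspicious mapping, in file order."""
    findings = []
    for lineno, addr, name in parse_hosts(text):
        if addr is None:
            findings.append(Finding("unparseable", None, name, lineno))
        elif name in SELF_NAMES:
            if not addr.is_loopback:
                findings.append(Finding("localhost_redirected", str(addr), name, lineno))
        elif addr.is_loopback or addr.is_unspecified:
            # Loopback or 0.0.0.0 makes the name unreachable: this is how Qhost
            # keeps the victim away from antivirus update and scan sites.
            findings.append(Finding("blocked", str(addr), name, lineno))
        else:
            findings.append(Finding("redirected", str(addr), name, lineno))
    return findings


def clean_hosts(text):
    """Return the file with every flagged line removed; comments and localhost stay."""
    bad = {f.lineno for f in audit_hosts(text)}
    kept = [raw for n, raw in enumerate(text.splitlines(), 1) if n not in bad]
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    # Audit a real file when a path is given, otherwise the constructed sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            content = fh.read()
    else:
        content = SAMPLE_HOSTS
    for f in audit_hosts(content):
        print(f"line {f.lineno}: {f.kind:<20} {f.address or '-':<15} {f.hostname}")
```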

  • Weaze
    edited December 2007

    Hi Cris


    I fixed these files:

    F3 - REG:win.ini: load=C:\WINDOWS\OPTIONS\CABS\pxqvxjq\lsass.exe
    F3 - REG:win.ini: run=C:\WINDOWS\OPTIONS\CABS\pxqvxjq\lsass.exe
    O2 - BHO: (no name) - {8F26EAA1-D8B4-41A2-994F-704AEEE25536} - (no file)
    O4 - Startup: lsass.lnk = ?
    O8 - Extra context menu item: &Search - ?p=ZSzed001YYAU_ZNxuk101YYAU
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/161fc01c68a644d12b05/...ip/RdxIE601.cab
    O16 - DPF: {3A7FE611-1994-4EF1-A09F-99456752289D} - http://install.wildtangent.com/ActiveLaunc...iveLauncher.cab


    I tried again to send you these files:

    C:\WINDOWS\OPTIONS\CABS\pxqvxjq\lsass.exe
    C:\WINDOWS\system32\usb.exe

    but I'm sorry I couldn't. When I tried to attach a password I got the error message "Cannot create output file." I spent many a long hour trying to do this.


    Niels, I used HostsXpert and unfortunately got the error message "Error:Cannot open file C:\WINDOWS\system3Drivers\Etc\hosts".


    I ensured the hidden files were made visible as per Cris's post on this topic.


    My system is running a lot faster; I'm no longer getting strange web sites popping up in Internet Explorer. Bitdefender is still displaying this message on start up: "c:\WINDOWS32\drivers\etc\hosts infected with Generic.qhost.OF42122B. It stated Bitdefender had blocked virus and computer not infected." I still can't update Bitdefender or AdAware.


    Here is the log file for another HijackThis scan after I fixed the files you suggested:


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 9:09:02 AM, on 22/12/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16574)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
    C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
    C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
    C:\windows\system\hpsysdrv.exe
    C:\Windows\system32\HpSrvUI.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
    C:\WINDOWS\system32\usb.exe
    C:\Program Files\Softwin\BitDefender10\bdmcon.exe
    C:\Program Files\Softwin\BitDefender10\bdagent.exe
    C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
    C:\Program Files\Internet Content Filter\SafeEyes.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\PROGRA~1\INTERN~2\mum.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\NETGEAR\WG111v2 Configuration Utility\RtlWake.exe
    C:\Program Files\Softwin\BitDefender10\vsserv.exe
    C:\Program Files\NETGEAR\WG111v2 Configuration Utility\RtWLan.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://abc.net.au/rn
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - (no file)
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
    O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - (no file)
    O3 - Toolbar: Safe &Eyes Toolbar - {430DDB4F-38CC-4E91-AF33-4157334EC937} - C:\Program Files\Internet Content Filter\setoolbar.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [hp Silent Service] C:\Windows\system32\HpSrvUI.exe
    O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [uSB] C:\WINDOWS\system32\usb.exe
    O4 - HKLM\..\Run: [bDMCon] "C:\Program Files\Softwin\BitDefender10\bdmcon.exe" /reg
    O4 - HKLM\..\Run: [bDAgent] "C:\Program Files\Softwin\BitDefender10\bdagent.exe"
    O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [iCF] "C:\Program Files\Internet Content Filter\SafeEyes.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [internodeUsage] C:\PROGRA~1\INTERN~2\mum.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [OrangeShark] C:\PROGRA~1\ORANGE~1\OSharkUpdater.exe
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - Startup: PowerReg Scheduler V3.exe
    O4 - Global Startup: WG111v2 Smart Wizard Wireless Setting.lnk = ?
    O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
    O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\WINDOWS\System32\shdocvw.dll
    O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: icf.dll


    O10 - Unknown file in Winsock LSP: icf.dll


    O10 - Unknown file in Winsock LSP: icf.dll


    O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/cha...t/c381/chat.cab


    O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab46479.cab


    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204


    O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/techsupp/asa/LSSupCtl.cab


    O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.hp.com/ediags/gmn/insta...staller_gmn.cab


    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab


    O16 - DPF: {352797A0-EFD0-4FA6-B229-145120EA4B8A} (Walt Disney Internet Group Hardware Control) - https://disneyblast.go.com/v3/setup/activex...wareControl.cab


    O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (ZoneBuddy Class) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab32846.cab


    O16 - DPF: {3DA5D23B-EFE1-4181-ADB7-7D457567AACA} (TGOnlineCtrl Class) - http://zone.msn.com/bingame/pacz/default/pandaonline.cab


    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...72/mcinsctl.cab


    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://thegooseisout.spaces.live.com//Phot...ad/MsnPUpld.cab


    O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab32846.cab


    O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab


    O16 - DPF: {639658F3-B141-4D6B-B936-226F75A5EAC3} (CPlayFirstDinerDash2Control Object) - http://zone.msn.com/bingame/dsh2/default/D...h2.1.0.0.68.cab


    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab


    O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://www.gamenow.com.au/res/exent/classes/exentCtl.ocx


    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1144018855890


    O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://atv.disney.go.com/global/download/otoy/OTOYAX29b.cab


    O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://zone.msn.com/bingame/amun/default/mjolauncher.cab


    O16 - DPF: {80B626D6-BC34-4BCF-B5A1-7149E4FD9CFA} (UnoCtrl Class) - http://zone.msn.com/bingame/zpagames/GAME_UNO1.cab50727.cab


    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab


    O16 - DPF: {9122D757-5A4F-4768-82C5-B4171D8556A7} (PhotoPickConvert Class) - http://appdirectory.messenger.msn.com/AppD...ap/PhtPkMSN.cab


    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab


    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab


    O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bundl...ArcadeRdxIE.cab


    O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab


    O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab


    O16 - DPF: {CC32D4D8-2A0B-4CEB-B105-C9B968379105} (CGameManagerCtrl Object) - https://disney.go.com/games/downloads/gamem...GameManager.cab


    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/as...rl/SymAData.cab


    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab


    O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://zone.msn.com/bingame/feed/default/SproutLauncher.cab


    O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://zone.msn.com/bingame/cnma/default/ct.cab


    O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (StadiumProxy Class) - http://zone.msn.com/binframework/v10/StProxy.cab41227.cab


    O16 - DPF: {DC75FEF6-165D-4D25-A518-C8C4BDA7BAA6} (CPlayFirstDinerDashControl Object) - http://zone.msn.com/bingame/dash/default/D...sh.1.0.0.89.cab


    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://sympatico.zone.msn.com/bingame/popcaploader_v10.cab


    O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab


    O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/ac.../ActiveData.cab


    O16 - DPF: {EE8B6D5F-FEF2-11D0-B13F-00A024798EF3} (Microsoft Search Settings Control) - http://lg.home.microsoft.com/search/lobby/searchsettings.cab


    O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredimail.com/contents/setup...er/imloader.cab


    O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab


    O17 - HKLM\System\CCS\Services\Tcpip\..\{DFDC5CA2-FEE7-4A82-9D47-E06F01EAA1CD}: Domain = qld.bigpond.net.au


    O17 - HKLM\System\CCS\Services\Tcpip\..\{DFDC5CA2-FEE7-4A82-9D47-E06F01EAA1CD}: NameServer = 192.231.203.132,192.231.203.3


    O17 - HKLM\System\CCS\Services\VxD\MSTCP: SearchList = vic.bigpond.net.au


    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = vic.bigpond.net.au


    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL


    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe


    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe


    O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe


    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe


    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe


    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe


    O23 - Service: BitDefender Desktop Update Service (LIVESRV) - SOFTWIN S.R.L. - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe


    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe


    O23 - Service: SAVScan - Unknown owner - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe (file missing)


    O23 - Service: BitDefender Virus Shield (VSSERV) - SOFTWIN S.R.L. - C:\Program Files\Softwin\BitDefender10\vsserv.exe


    O23 - Service: BitDefender Communicator (XCOMM) - Softwin - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe


    O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/Owner/LOCALS~1/APPLIC~1/IM/Runtime/EMOTIC~1/POINSE~1.GIF


    --


    End of file - 14702 bytes


    Thank you for your help


    Kind Regards


    Weaze

  • Hello Weaze,


    Your log is clean.


    Do you still have a copy of lsass.exe (from C:\WINDOWS\OPTIONS\CABS\pxqvxjq\lsass.exe)? If you do, please remove its extension, attach it to a PM and send it to me (without archiving it).


    To fix the hosts file, follow these steps:


    - disable BitDefender Realtime Protection


    - go to C:\Windows\System32\Drivers\etc and open with Notepad the file hosts


    - delete all its content, then copy the following lines and paste them in the hosts file:


    # Copyright (c) 1993-1999 Microsoft Corp.
    #
    # This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
    #
    # This file contains the mappings of IP addresses to host names. Each
    # entry should be kept on an individual line. The IP address should
    # be placed in the first column followed by the corresponding host name.
    # The IP address and the host name should be separated by at least one
    # space.
    #
    # Additionally, comments (such as these) may be inserted on individual
    # lines or following the machine name denoted by a '#' symbol.
    #
    # For example:
    #
    #      102.54.94.97     rhino.acme.com          # source server
    #       38.25.63.10     x.acme.com              # x client host

    127.0.0.1       localhost


    - Save the file and re-enable BD Realtime Protection


    Now updating the security applications should work. Also, now you should be able to access the webpages of security programs.


    Cris.
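The reset above restores the stock hosts file, but it helps to know what a hijacked one looks like before wiping it. The following is an added example, not code from this thread or from BitDefender: a small Python audit that parses hosts-file text and flags every mapping other than the stock `127.0.0.1 localhost` line. A hijacker either pins a vendor's domain to loopback (so its update and support pages never load, as in the original post) or points it at an address of its own choosing (so the browser is redirected); both shapes are reported. The sample file and the `example-av.invalid` names in it are constructed for the demonstration.

```python
"""Audit a Windows hosts file for entries that override normal DNS resolution.

Added example for this thread; the sample below is constructed, not the
poster's real file, and the *.example-av.invalid names are placeholders.
"""
import ipaddress
from typing import List, Tuple

# Constructed sample of a hijacked hosts file: the stock localhost line is
# still there, but two made-up vendor hostnames have been pinned to bogus
# addresses, which is the usual shape of a hosts-file hijack.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.

127.0.0.1       localhost
127.0.0.1       update.example-av.invalid      # blackholed update server
10.0.0.99       www.example-av.invalid         # redirected vendor site
"""

# Names the stock Microsoft hosts file legitimately maps to loopback.
DEFAULT_LOOPBACK_NAMES = {"localhost"}


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (ip, hostname) pairs, ignoring comments and blank lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing '#' comments
        if not line:
            continue
        fields = line.split()
        ip, names = fields[0], fields[1:]
        for name in names:                    # one IP may carry several names
            entries.append((ip, name.lower()))
    return entries


def find_suspicious(entries: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Flag every mapping except the expected loopback -> localhost entry.

    Returns (ip, hostname, reason) triples. The caller decides which of the
    flagged entries are legitimate on a particular machine (for example a
    developer's own test hosts); a stock XP file yields an empty list.
    """
    findings = []
    for ip, name in entries:
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append((ip, name, "malformed address"))
            continue
        if addr.is_loopback and name in DEFAULT_LOOPBACK_NAMES:
            continue                          # the one entry a clean file has
        if addr.is_loopback:
            findings.append((ip, name, "blackholed to loopback"))
        else:
            findings.append((ip, name, "redirected to %s" % ip))
    return findings


def audit_hosts_text(text: str) -> List[Tuple[str, str, str]]:
    """Convenience wrapper: parse and flag in one call."""
    return find_suspicious(parse_hosts(text))


if __name__ == "__main__":
    for ip, name, reason in audit_hosts_text(SAMPLE_HOSTS):
        print("%-15s %-30s %s" % (ip, name, reason))
```

On a live machine you would read `C:\Windows\System32\drivers\etc\hosts` and pass its contents to `audit_hosts_text`; if reading fails with an access error like the one reported earlier in this thread, that by itself is a sign the file is being held open or protected by something other than Windows.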

  • Dear Cris


    I followed your advice in your last post and Bitdefender started to update when Bitdefender sent a pop up stating - C:\WINDOWS\OPTIONS\CABS\pxqvxjq\lsass.exe was trying to access the internet. I denied it access to the internet with Bitdefender. Now my system is back to what it was doing before with the strange websites appearing in Internet Explorer. Bitdefender stopped updating half way through its update so it didn't complete it. I tried to do a HijackThis scan but it keeps disappearing after a few lines of scanning and won't do the scan.


    Sorry to trouble you again with this problem. Do you think system recovery would get rid of it?


    Kind Regards


    Weaze

  • alexcrist
    edited December 2007

    I'm sorry to hear the bad news. :(


    I don't know if you can fix it with a System Restore. But one thing's for sure: the lsass.exe won't give up. Did you try to catch it from SafeMode?


    Restart your computer in SafeMode, go to C:\WINDOWS\OPTIONS\CABS\pxqvxjq\ and move absolutely everything that folder contains somewhere else. Then reboot your computer normally and see if you can archive the file(s) and attach them (with or without a password).


    If SafeMode also fails, follow the instructions HERE to move it. This shouldn't fail.


    Cris.