Thread: IE is hacked..

  1. #21
    grr

    Quote (originally posted by hellnoire):
    But we're getting off-topic here. It does show the hosts file in the logs, and that's the major thing we have to look for to see if Hosts File has been compromised.

    I also asked him to provide the host file.

    Let's see what comes our way... btw he is losing hope badly

  2. #22
    Moderator
    /OT

    @ hellnoire: you are right. My apologies.
    What a bloody idiot I am:-)

    http://www.bleepingcomputer.com/tutorials/tutorial42.html#O1Diag

    I'm getting more and more distracted

    Well, let's wait for the HOSTS file of Grr's friend

    /end OT

    [Edit to add]

    You can also download the program HostsXpert which gives you the ability to restore the default host file back onto your machine. To do so, download the HostsXpert program and run it. When it opens, click on the Restore Original Hosts button and then exit HostsXpert.
    Last edited by leofelix; 03-19-2010 at 09:04 AM.
    Roger and out

  3. #23
    grr

    Friends, attached are the logs for ComboFix & Hijack Hunter.

    Please advise..

    He forgot to provide the host file, I asked him again...

  4. #24
    Moderator
    @ Grr
    I'm not a ComboFix expert, however I'm checking both the logs.

    In the meantime, tell your friend to uninstall Ip Hider immediately, since it has been re-tested and a security expert, Steve Burn MVP, discovered that
    a) it doesn't hide your IP at all
    b) it slows down Internet Explorer
    c) it sends sensitive information to their servers, in other words it acts like adware

    source

    Your friend should also uninstall Real Player and replace it with Real Alternative

    Please provide the HOSTS file log soon as requested, thank you


    [EDIT to add] There is no need to ask for the HOSTS file since it is displayed by the Hijack Hunter log.. it is full of strings which probably have been added by SpyBot Search & Destroy HOSTS immunization, but I cannot verify.

    Please tell your friend to:
    a) undo SpyBot Search & Destroy HOSTS immunization
    b) replace his/her HOSTS file with a clean one (he/she can use HostsXpert for such purpose)
    c) Download HitMan Pro 3.5 (30 days fully working trial) and perform a scan.
    Let me know the results please, thank you
    Last edited by leofelix; 03-21-2010 at 05:07 AM. Reason: added info
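
A way to triage a HOSTS file that is "full of strings" instead of reading it by eye, as an added example that is not part of the thread or of any tool named in it. It assumes immunization-style entries point names at a loopback or 0.0.0.0 address, so anything mapped to a routable address is what needs manual review; the function name and the sample file are constructed for illustration.

```python
import ipaddress

# Constructed sample HOSTS content (not taken from the logs attached in this thread).
SAMPLE_HOSTS = """\
# constructed sample
127.0.0.1       localhost
127.0.0.1       ads.tracker.example
127.0.0.1       www.ads.tracker.example
0.0.0.0         popups.example   # sinkhole entry with trailing comment
203.0.113.50    www.bank.example login.bank.example
not-an-ip       broken.example
"""


def triage_hosts(text):
    """Sort HOSTS entries into sinkholed names, redirects and unparsable lines."""
    result = {"blocked": [], "redirected": [], "malformed": []}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # comments run to end of line
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            addr = None
        if addr is None or len(fields) < 2:
            result["malformed"].append((lineno, raw.strip()))
            continue
        for name in (f.lower() for f in fields[1:]):
            if addr.is_loopback or addr.is_unspecified:
                # Block-list style entry: the name is pointed at the local machine.
                if name != "localhost":
                    result["blocked"].append(name)
            else:
                # A name pinned to a routable address deserves a manual look.
                result["redirected"].append((lineno, name, str(addr)))
    return result


if __name__ == "__main__":
    report = triage_hosts(SAMPLE_HOSTS)
    print(len(report["blocked"]), "sinkholed names (immunization-style)")
    for lineno, name, addr in report["redirected"]:
        print(f"line {lineno}: {name} -> {addr}  REVIEW")
    for lineno, raw in report["malformed"]:
        print(f"line {lineno}: unparsable: {raw}")
```

On Windows XP, the system in the logs' paths, the file to feed in is normally `C:\WINDOWS\system32\drivers\etc\hosts`.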

  5. #25
    grr

    Thanks again leofelix.

    I'm asking my friend to do the following:

    1. uninstall Ip Hider
    2. uninstall Real Player and replace it with Real Alternative
    3. undo SpyBot Search & Destroy HOSTS immunization

    Could you tell me how, as even I don't know how to do this

    4. replace his/her HOSTS file with a clean one (he/she can use HostsXpert for such purpose)
    exactly how...

    5. Install HitMan Pro 3.5 and perform a scan.

    Quote: There is no need to ask for the HOSTS file since it is displayed by the Hijack Hunter log.. it is full of strings which probably have been added by SpyBot Search & Destroy HOSTS immunization, but I cannot verify.

    Yes, Spybot adds a lot of entries...

    Also attached is a new HijackThis log, before performing any of the above.

  6. #26
    Moderator
    You are welcome, grr.

    In order to restore/clean the HOSTS file see post http://forum.raymond.cc/165782-post22.html :
    You can also download the program HostsXpert which gives you the ability to restore the default host file back onto your machine. To do so, download the HostsXpert program and run it. When it opens, click on the Restore Original Hosts button and then exit HostsXpert.


    I have just checked the new HJT log

    this is suspicious:

    O4 - HKLM\..\RunOnce: [CleanSetup] cmd /C rmdir /S /Q "C:\Documents and Settings\Free User\Local Settings\temp\nro.tmp\"

    nro.tmp should belong to Nero but is not in the right path. Please upload it to VirusTotal.com (even a temp file can be an executable).
    Then post the results, please.

    The TeaTimer module belongs to Spybot Search & Destroy but is buggy and might cause crashes and conflicts

    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

    Open SpyBot and disable TeaTimer, then reboot.

    Your friend has installed a lot of software to hide the IP address which actually does not work and slows down IE (i.e. Hotspot Shield), not to mention uTorrent and 3 useless toolbars like: MSN Toolbar, Yahoo Toolbar and Google Toolbar.
    He/she should uninstall that undesirable software (he can at least keep only one toolbar).

    Please do not forget to run a scan with HitMan Pro 3.5 (cloud based software with no realtime protection which uses 4 antivirus engines: NOD32, Gdata, A-squared 4.5 and PREVX 3.0)

    I would also suggest that your friend use Sandboxie (shareware/freeware) because of his/her habits

    ;-)
    Last edited by leofelix; 03-21-2010 at 02:10 PM. Reason: Automerged Doublepost

 

 