drafterf250
2011-08-02, 17:04


Fraud.WindowsProtectionSuite: [SBI $B197733A] Redirected host (Redirected host, nothing done)
4-open-davinci.com=74.125.45.100

Fraud.WindowsProtectionSuite: [SBI $B197733A] Redirected host (Redirected host, nothing done)
securitysoftwarepayments.com=74.125.45.100

Fraud.WindowsProtectionSuite: [SBI $B197733A] Redirected host (Redirected host, nothing done)
privatesecuredpayments.com=74.125.45.100

Fraud.WindowsProtectionSuite: [SBI $B197733A] Redirected host (Redirected host, nothing done)
secure.privatesecuredpayments.com=74.125.45.100

Fraud.WindowsProtectionSuite: [SBI $B197733A] Redirected host (Redirected host, nothing done)
getantivirusplusnow.com=74.125.45.100

Fraud.WindowsProtectionSuite: [SBI $B197733A] Redirected host (Redirected host, nothing done)
secure-plus-payments.com=74.125.45.100

Fraud.WindowsProtectionSuite: [SBI $B197733A] Redirected host (Redirected host, nothing done)
www.getantivirusplusnow.com=74.125.45.100

Fraud.WindowsProtectionSuite: [SBI $B197733A] Redirected host (Redirected host, nothing done)
www.secure-plus-payments.com=74.125.45.100

Fraud.WindowsProtectionSuite: [SBI $B197733A] Redirected host (Redirected host, nothing done)
www.getavplusnow.com=74.125.45.100

Fraud.WindowsProtectionSuite: [SBI $B197733A] Redirected host (Redirected host, nothing done)
safebrowsing-cache.google.com=74.125.45.100

Fraud.WindowsProtectionSuite: [SBI $B197733A] Redirected host (Redirected host, nothing done)
urs.microsoft.com=74.125.45.100

Fraud.WindowsProtectionSuite: [SBI $B197733A] Redirected host (Redirected host, nothing done)
www.securesoftwarebill.com=74.125.45.100

Fraud.WindowsProtectionSuite: [SBI $B197733A] Redirected host (Redirected host, nothing done)
secure.paysecuresystem.com=74.125.45.100

Fraud.WindowsProtectionSuite: [SBI $B197733A] Redirected host (Redirected host, nothing done)
paysoftbillsolution.com=74.125.45.100

Fraud.WindowsProtectionSuite: [SBI $B197733A] Redirected host (Redirected host, nothing done)
protected.maxisoftwaremart.com=74.125.45.100

Microsoft.Windows.RedirectedHosts: [SBI $B89FBA81] Redirected host (Redirected host, nothing done)
www.securesoftwarebill.com=74.125.45.100

Microsoft.Windows.RedirectedHosts: [SBI $19781685] Redirected host (Redirected host, nothing done)
secure.paysecuresystem.com=74.125.45.100

Microsoft.Windows.RedirectedHosts: [SBI $CEFF52BA] Redirected host (Redirected host, nothing done)
paysoftbillsolution.com=74.125.45.100

FastClick: Tracking cookie (Internet Explorer: User) (Cookie, fixed)


MediaPlex: Tracking cookie (Internet Explorer: User) (Cookie, fixed)


DoubleClick: Tracking cookie (Internet Explorer: User) (Cookie, fixed)



--- Spybot - Search & Destroy version: 1.6.2 (build: 20090126) ---

2009-01-26 blindman.exe (1.0.0.8)
2008-01-28 SDDelFile.exe (1.0.2.4)
2009-01-26 SDFiles.exe (1.6.1.7)
2009-01-26 SDMain.exe (1.0.0.6)
2009-01-26 SDShred.exe (1.0.2.5)
2009-01-26 SDUpdate.exe (1.6.0.12)
2008-01-28 SDWinSec.exe (1.0.0.11)
2009-01-26 SpybotSD.exe (1.6.2.46)
2009-03-05 TeaTimer.exe (1.6.6.32)
2010-12-04 unins000.exe (51.49.0.0)
2009-01-26 Update.exe (1.6.0.7)
2009-11-04 advcheck.dll (1.6.5.20)
2007-04-02 aports.dll (2.1.0.0)
2008-06-14 DelZip179.dll (1.79.11.1)
2008-09-15 SDHelper.dll (1.6.2.14)
2008-06-19 sqlite3.dll
2008-10-22 Tools.dll (2.1.6.8)
2009-01-16 UninsSrv.dll (1.0.0.0)
2010-06-29 Includes\Adware.sbi (*)
2010-11-30 Includes\AdwareC.sbi (*)
2010-08-13 Includes\Cookies.sbi (*)
2010-09-22 Includes\Dialer.sbi (*)
2010-11-30 Includes\DialerC.sbi (*)
2010-01-25 Includes\HeavyDuty.sbi (*)
2010-11-30 Includes\Hijackers.sbi (*)
2010-11-30 Includes\HijackersC.sbi (*)
2010-09-15 Includes\iPhone.sbi (*)
2010-08-02 Includes\Keyloggers.sbi (*)
2010-11-30 Includes\KeyloggersC.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2010-09-13 Includes\Malware.sbi (*)
2010-12-01 Includes\MalwareC.sbi (*)
2010-05-18 Includes\PUPS.sbi (*)
2010-10-12 Includes\PUPSC.sbi (*)
2010-01-25 Includes\Revision.sbi (*)
2009-01-13 Includes\Security.sbi (*)
2010-11-30 Includes\SecurityC.sbi (*)
2008-06-03 Includes\Spybots.sbi (*)
2008-06-03 Includes\SpybotsC.sbi (*)
2010-06-29 Includes\Spyware.sbi (*)
2010-11-30 Includes\SpywareC.sbi (*)
2010-03-08 Includes\Tracks.uti
2010-11-02 Includes\Trojans.sbi (*)
2010-11-30 Includes\TrojansC-02.sbi (*)
2010-11-30 Includes\TrojansC-03.sbi (*)
2010-11-30 Includes\TrojansC-04.sbi (*)
2010-11-30 Includes\TrojansC-05.sbi (*)
2010-11-30 Includes\TrojansC.sbi (*)
2008-03-04 Plugins\Chai.dll
2008-03-05 Plugins\Fennel.dll
2008-02-26 Plugins\Mate.dll
2007-12-24 Plugins\TCPIPAddress.dll



---------------------------------------------------------------


.
DDS (Ver_2011-06-23.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by User at 10:40:11 on 2011-08-02
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2038.1474 [GMT -4:00]
.
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\D-Link\D-Link DWA-552 Xtreme N Desktop Adapter\acs.exe
svchost.exe
C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\D-Link\D-Link DWA-552 Xtreme N Desktop Adapter\wirelesscm.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Skype\Toolbars\Shared\SkypeNames.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uInternet Settings,ProxyServer = http=127.0.0.1:25452
uURLSearchHooks: H - No File
mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: {24b6d841-e285-4a47-b680-7b4dcef3ad36} - c:\windows\system32\doguvuvo.dll
BHO: PC Tools Browser Guard BHO: {2a0f3d1b-0909-4ff4-b272-609cce6054e7} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg10\avgssie.dll
BHO: {43e41b68-058a-a29a-3dc4-b411719dab24}: {42bad917-114b-4cd3-a92a-a85086b14e34} - c:\windows\system32\wynbvi.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.6209.1142\swg.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
TB: PC Tools Browser Guard: {472734ea-242a-422b-adf8-83d1e48cc825} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
uRun: [SsAAD.exe] c:\progra~1\sony\sonics~1\SsAAD.exe
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Smart Engine] "c:\documents and settings\all users\application data\d55140\SMd55_2222.exe" /s /d
uRun: [RegistryBooster] "c:\program files\uniblue\registrybooster\launcher.exe" delay 20000
uRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil10l_ActiveX.exe -update activex
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [Acrobat Assistant 7.0] "c:\program files\adobe\acrobat 7.0\distillr\Acrotray.exe"
mRun: [<NO NAME>]
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [ISTray] "c:\program files\spyware doctor\pctsTray.exe"
uExplorerRun: [svcho] c:\windows\svcho.exe
StartupFolder: c:\docume~1\user\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\docume~1\user\startm~1\programs\startup\vzacce~1.lnk - c:\program files\verizon wireless\vzaccess manager\VZAccess Manager.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobea~1.lnk - c:\windows\installer\{ac76ba86-1033-0000-7760-100000000002}\SC_Acrobat.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\wirele~1.lnk - c:\program files\d-link\d-link dwa-552 xtreme n desktop adapter\wirelesscm.exe
uPolicies-explorer: DisallowRun = 1 (0x1)
uPolicies-disallowrun: 0 = msseces.exe
uPolicies-disallowrun: 1 = MSASCui.exe
uPolicies-disallowrun: 2 = ekrn.exe
uPolicies-disallowrun: 3 = egui.exe
uPolicies-disallowrun: 4 = avgnt.exe
uPolicies-disallowrun: 5 = avcenter.exe
uPolicies-disallowrun: 6 = avscan.exe
uPolicies-disallowrun: 7 = avgfrw.exe
uPolicies-disallowrun: 8 = avgui.exe
uPolicies-disallowrun: 9 = avgtray.exe
uPolicies-disallowrun: 10 = avgscanx.exe
uPolicies-disallowrun: 11 = avgcfgex.exe
uPolicies-disallowrun: 12 = avgemc.exe
uPolicies-disallowrun: 13 = avgchsvx.exe
uPolicies-disallowrun: 14 = avgcmgr.exe
uPolicies-disallowrun: 15 = avgwdsvc.exe
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
IE: {5067A26B-1337-4436-8AFE-EE169C2DA79F} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: nobullhardcore.com
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1207599497640
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
TCP: DhcpNameServer = 68.87.85.98 68.87.64.146
TCP: Interfaces\{350F155D-8F39-4388-91AC-00E3BB947247} : DhcpNameServer = 68.87.85.98 68.87.64.146
Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} -
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: c:\windows\system32\ wynbvi.dll c:\windows\system32\
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: SSODL - - No File
LSA: Notification Packages = scecli c:\windows\system32\hibunevo.dll
IFEO: image file execution options - svchost.exe
IFEO: a.exe - svchost.exe
IFEO: aAvgApi.exe - svchost.exe
IFEO: AAWTray.exe - svchost.exe
IFEO: About.exe - svchost.exe
.
Note: multiple IFEO entries found. Please refer to Attach.txt
Hosts: 127.0.0.1 www.spywareinfo.com
Hosts: 195.245.119.131 browser-security.microsoft.com
Hosts: 74.125.45.100 4-open-davinci.com
Hosts: 74.125.45.100 securitysoftwarepayments.com
Hosts: 74.125.45.100 privatesecuredpayments.com
.
Note: multiple HOSTS entries found. Please refer to Attach.txt
.
============= SERVICES / DRIVERS ===============
.
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2010-11-11 217032]
R2 aawservice;Ad-Aware 2007 Service;c:\program files\lavasoft\ad-aware 2007\aawservice.exe [2008-1-4 607576]
R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\spyware doctor\bdt\BDTUpdateService.exe [2010-11-11 112592]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-8-25 24652]
R3 AE1000;Linksys AE1000 Driver;c:\windows\system32\drivers\AE1000XP.sys [2010-6-4 816672]
S2 AVGIDSAgent;AVGIDSAgent;"c:\program files\avg\avg10\identity protection\agent\bin\avgidsagent.exe" --> c:\program files\avg\avg10\identity protection\agent\bin\AVGIDSAgent.exe [?]
S2 gupdate1c9f4064be4b752;Google Update Service (gupdate1c9f4064be4b752);c:\program files\google\update\GoogleUpdate.exe [2009-6-23 133104]
S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\avg\avg10\toolbar\ToolbarBroker.exe [2010-11-11 517448]
S3 USB100TX;Linksys EtherFast 10/100 USB Network Adapter;c:\windows\system32\drivers\USB100TX.sys [2008-1-15 26304]
.
=============== File Associations ===============
.
.scr=AutoCADScriptFile
.
=============== Created Last 30 ================
.
2011-08-02 12:35:29 105472 -c----w- c:\windows\system32\dllcache\mup.sys
2011-08-02 12:30:42 -------- d-----w- c:\windows\system32\wbem\repository\FS
2011-08-02 12:30:42 -------- d-----w- c:\windows\system32\wbem\Repository
.
==================== Find3M ====================
.
2011-06-02 14:02:05 1858944 ----a-w- c:\windows\system32\win32k.sys
.
============= FINISH: 10:41:00.68 ===============

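The Pseudo HJT section of the DDS log above is where the infection's self-defence shows up: Internet Explorer forced through a proxy on 127.0.0.1, an unnamed BHO and an AppInit DLL in system32, a DisallowRun policy blacklisting security tools by image name, an extra LSA notification package, IFEO "Debugger" entries that swap svchost.exe in for any antivirus image, and hosts-file entries that sinkhole or redirect security sites. The script below is an added example, not part of the original thread and not a DDS, Spybot or ComboFix tool: it parses those report lines offline and groups them by technique. The sample lines are copied from the posted log; the rule names and the `KNOWN_LSA_PACKAGES` whitelist are this script's own assumptions.

```python
"""Offline triage of a DDS 'Pseudo HJT Report' (added example, not a DDS tool)."""
import re

# Constructed sample: a subset of the Pseudo HJT lines from the DDS log above.
SAMPLE_LINES = [
    "uInternet Settings,ProxyServer = http=127.0.0.1:25452",
    "BHO: {24b6d841-e285-4a47-b680-7b4dcef3ad36} - c:\\windows\\system32\\doguvuvo.dll",
    "BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\\progra~1\\spybot~1\\SDHelper.dll",
    "uPolicies-explorer: DisallowRun = 1 (0x1)",
    "uPolicies-disallowrun: 0 = msseces.exe",
    "uPolicies-disallowrun: 8 = avgui.exe",
    "AppInit_DLLs: c:\\windows\\system32\\ wynbvi.dll c:\\windows\\system32\\",
    "LSA: Notification Packages = scecli c:\\windows\\system32\\hibunevo.dll",
    "IFEO: image file execution options - svchost.exe",
    "IFEO: a.exe - svchost.exe",
    "IFEO: AAWTray.exe - svchost.exe",
    "Hosts: 127.0.0.1 www.spywareinfo.com",
    "Hosts: 195.245.119.131 browser-security.microsoft.com",
    "Hosts: 74.125.45.100 securitysoftwarepayments.com",
]

# Line shapes as DDS prints them; each rule captures only what the report needs.
PROXY_RE = re.compile(r"ProxyServer\s*=\s*(?:\w+=)?(?P<host>[^:;\s]+):(?P<port>\d+)")
UNNAMED_BHO_RE = re.compile(r"^BHO:\s+\{[0-9a-f-]{36}\}\s+-\s+(?P<path>.+)$", re.I)
DISALLOW_RE = re.compile(r"^uPolicies-disallowrun:\s+\d+\s+=\s+(?P<exe>\S+)$")
APPINIT_RE = re.compile(r"^AppInit_DLLs:\s*(?P<value>.*)$")
LSA_RE = re.compile(r"^LSA:\s+Notification Packages\s*=\s*(?P<pkgs>.+)$")
IFEO_RE = re.compile(r"^IFEO:\s+(?P<image>.+?)\s+-\s+(?P<debugger>\S+)$")
HOSTS_RE = re.compile(r"^Hosts:\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<name>\S+)$")

# Assumption: scecli is the only notification package a stock XP install carries.
KNOWN_LSA_PACKAGES = {"scecli"}

EXPLANATIONS = {
    "local_proxy": "IE routed through a proxy on this host: a local process sees and can rewrite browser traffic",
    "unnamed_bho": "Browser Helper Object with no name, loaded into every IE process",
    "disallowrun": "Explorer DisallowRun policy blocking security tools by image name",
    "appinit_dll": "AppInit_DLLs entry: loaded into every process that loads user32.dll",
    "lsa_package": "Non-default LSA notification package: sees plaintext passwords on change",
    "ifeo_debugger": "IFEO Debugger hijack: starting the image runs the 'debugger' instead",
    "hosts_block": "hosts file sinkholes a security site to loopback",
    "hosts_redirect": "hosts file redirects a name to an attacker-chosen address",
}


def triage(lines):
    """Return findings keyed by technique; every value is a list of parsed entries."""
    f = {key: [] for key in EXPLANATIONS}
    for raw in lines:
        line = raw.strip()
        if m := PROXY_RE.search(line):
            if m["host"] in ("127.0.0.1", "localhost"):
                f["local_proxy"].append((m["host"], int(m["port"])))
        elif m := UNNAMED_BHO_RE.match(line):
            f["unnamed_bho"].append(m["path"])
        elif m := DISALLOW_RE.match(line):
            f["disallowrun"].append(m["exe"])
        elif m := APPINIT_RE.match(line):
            # The value is space separated; keep only the DLL tokens.
            f["appinit_dll"].extend(t for t in m["value"].split() if t.lower().endswith(".dll"))
        elif m := LSA_RE.match(line):
            f["lsa_package"].extend(p for p in m["pkgs"].split() if p.lower() not in KNOWN_LSA_PACKAGES)
        elif m := IFEO_RE.match(line):
            f["ifeo_debugger"].append((m["image"], m["debugger"]))
        elif m := HOSTS_RE.match(line):
            key = "hosts_block" if m["ip"].startswith("127.") else "hosts_redirect"
            f[key].append((m["ip"], m["name"]))
    return f


def report(findings):
    """Render the findings as text lines: one header per technique, one line per entry."""
    out = []
    for key, entries in findings.items():
        if not entries:
            continue
        n = len(entries)
        out.append(f"[{key}] {EXPLANATIONS[key]} ({n} entr{'y' if n == 1 else 'ies'})")
        out.extend(f"    {entry}" for entry in entries)
    return out


if __name__ == "__main__":
    print("\n".join(report(triage(SAMPLE_LINES))))
```

Feed it the whole Pseudo HJT block instead of the sample and the output is the remediation checklist: every IFEO Debugger entry pointing at svchost.exe has to go before any antivirus will start, the DisallowRun list explains why the user's scanners would not run, and the hosts entries explain why security vendors' sites "redirect".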
redcar92
2011-08-04, 02:13
Hello Drafterf250 and welcome to the Safer Networking Forum.
I'm RedCar92, and my name is Bill. I'll be glad to help you with your computer problems.

Please observe these rules while we work:
Read the entire procedure. It is important to perform ALL actions in sequence.
If you don't know, stop and ask! Don't keep going on.
Please reply to this thread. Do not start a new topic.
Stick with me till you're given the all clear. Malware removal can be stressful, but we will clean it.
Remember, absence of symptoms does not mean the infection is all gone.
Don't attempt to clean your computer with any tools other than the ones I ask you to use during the cleanup process.

Please be advised that, as I am still in training, all my replies to you will be checked for accuracy by one of our experts to ensure that I am giving you the best possible advice; this will be a team effort.
This may cause a delay, but I will do my best to keep it as short as possible.

Please bear with me, I will post back to you as soon as I can.

IMPORTANT NOTE : Please do not delete anything unless instructed to.
DO NOT use any TOOLS such as Combofix or HijackThis fixes without supervision.

Doing so could make your pc inoperative and could require a full reinstall of your OS, losing all your programs and data.

Stay with this topic until I give you the all clean post.

drafterf250
2011-08-04, 14:05
Thanks Bill. Good luck, I look forward to hearing from you.

redcar92
2011-08-05, 03:52
Greetings drafterf250,
Your computer appears to have been infected by a key-logger trojan. These programs have the ability to steal passwords and other information from your system. If you use your computer for sensitive purposes such as internet banking then I recommend you take the following steps immediately:


Use another, uninfected computer to change all your internet passwords, especially ones with financial implications such as banks, paypal, ebay, etc. You should also change the passwords for any other site you use.
Call your bank(s), credit card company or any other institution which may be affected and advise them that your login/password or credit card information may have been stolen and ask what steps to take with regard to your account.
Consider what other private information could possibly have been taken from your computer and take appropriate steps


Next

Please download aswMBR (http://public.avast.com/~gmerek/aswMBR.exe) ( 511KB ) to your desktop.
Double click the aswMBR.exe icon to run it
Click the Scan button to start the scan
On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.


Log to post
aswMBR.txt

drafterf250
2011-08-05, 14:27
Thanks again Bill. -Dan


aswMBR version 0.9.8.978 Copyright(c) 2011 AVAST Software
Run date: 2011-08-05 08:22:25
-----------------------------
08:22:25.312 OS Version: Windows 5.1.2600 Service Pack 3
08:22:25.312 Number of processors: 2 586 0xF06
08:22:25.312 ComputerName: PAVILION-A1740N UserName: User
08:22:25.890 Initialize success
08:22:49.312 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-5
08:22:49.312 Disk 0 Vendor: ST3320820AS 3.AHG Size: 305245MB BusType: 3
08:22:51.328 Disk 0 MBR read successfully
08:22:51.328 Disk 0 MBR scan
08:22:51.328 Disk 0 Windows XP default MBR code
08:22:51.328 Disk 0 scanning sectors +625137345
08:22:51.406 Disk 0 scanning C:\WINDOWS\system32\drivers
08:22:59.437 Service scanning
08:23:00.687 Modules scanning
08:23:03.765 Disk 0 trace - called modules:
08:23:03.796 ntoskrnl.exe CLASSPNP.SYS disk.sys PCTCore.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
08:23:03.796 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a6c7ab8]
08:23:03.796 3 CLASSPNP.SYS[f7657fd7] -> nt!IofCallDriver -> [0x8a66d920]
08:23:03.796 5 PCTCore.sys[f7463ac6] -> nt!IofCallDriver -> \Device\00000061[0x8a6ce9e8]
08:23:03.796 7 ACPI.sys[f758e620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP1T0L0-5[0x8a672940]
08:23:03.796 Scan finished successfully
08:23:30.968 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\User\Desktop\MBR.dat"
08:23:30.984 The log file has been saved successfully to "C:\Documents and Settings\User\Desktop\aswMBR.txt"

redcar92
2011-08-06, 02:26
Greetings Dan,

***Read through this entire procedure and if you have any questions, please ask them before you begin. Then either print out, or copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.***
Download Combofix from any of the links below. Save it to your desktop.

Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)

http://i266.photobucket.com/albums/ii277/sUBs_/combofix/CF_download_FF.gif

* IMPORTANT !!! Save ComboFix.exe to your Desktop

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
See this Link (http://www.bleepingcomputer.com/forums/topic114351.html) for programs that need to be disabled and instruction on how to disable them.
Remember to re-enable them when we're done.


Double click on ComboFix.exe & follow the prompts.

As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


http://i1176.photobucket.com/albums/x337/redcar92/WTT/CF/CFRCNeeded.png

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://i1176.photobucket.com/albums/x337/redcar92/WTT/CF/CF2.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

*If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.

drafterf250
2011-08-08, 14:22
Here ya go, thanks Bill, hope we are getting it.




ComboFix 11-08-07.03 - User 08/08/2011 8:11.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2038.1480 [GMT -4:00]
Running from: c:\documents and settings\User\My Documents\Downloads\ComboFix.exe
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\d55140
c:\documents and settings\All Users\Application Data\d55140\28.mof
c:\documents and settings\All Users\Application Data\d55140\BackUp\Adobe Acrobat Speed Launcher.lnk
c:\documents and settings\All Users\Application Data\d55140\BackUp\VZAccess Manager.lnk
c:\documents and settings\All Users\Application Data\d55140\BackUp\Wireless Connection Manager.lnk
c:\documents and settings\All Users\Application Data\d55140\d55140a73553c34b04daa34c59974255.ocx
c:\documents and settings\All Users\Application Data\d55140\gkhggonsgotmd2p45e7tm9q01u8z6w.dll
c:\documents and settings\All Users\Application Data\d55140\SME.ico
c:\documents and settings\User\Application Data\Smart Engine
c:\documents and settings\User\Application Data\Smart Engine\Instructions.ini
c:\documents and settings\User\Recent\ANTIGEN.dll
c:\documents and settings\User\Recent\ANTIGEN.drv
c:\documents and settings\User\Recent\ANTIGEN.exe
c:\documents and settings\User\Recent\ANTIGEN.sys
c:\documents and settings\User\Recent\ANTIGEN.tmp
c:\documents and settings\User\Recent\cb.dll
c:\documents and settings\User\Recent\cb.drv
c:\documents and settings\User\Recent\cb.exe
c:\documents and settings\User\Recent\cb.sys
c:\documents and settings\User\Recent\cb.tmp
c:\documents and settings\User\Recent\cid.dll
c:\documents and settings\User\Recent\cid.drv
c:\documents and settings\User\Recent\cid.exe
c:\documents and settings\User\Recent\cid.sys
c:\documents and settings\User\Recent\cid.tmp
c:\documents and settings\User\Recent\CLSV.dll
c:\documents and settings\User\Recent\CLSV.drv
c:\documents and settings\User\Recent\CLSV.exe
c:\documents and settings\User\Recent\CLSV.sys
c:\documents and settings\User\Recent\CLSV.tmp
c:\documents and settings\User\Recent\DBOLE.dll
c:\documents and settings\User\Recent\DBOLE.drv
c:\documents and settings\User\Recent\DBOLE.exe
c:\documents and settings\User\Recent\DBOLE.sys
c:\documents and settings\User\Recent\DBOLE.tmp
c:\documents and settings\User\Recent\ddv.dll
c:\documents and settings\User\Recent\ddv.drv
c:\documents and settings\User\Recent\ddv.exe
c:\documents and settings\User\Recent\ddv.sys
c:\documents and settings\User\Recent\ddv.tmp
c:\documents and settings\User\Recent\delfile.dll
c:\documents and settings\User\Recent\delfile.drv
c:\documents and settings\User\Recent\delfile.exe
c:\documents and settings\User\Recent\delfile.sys
c:\documents and settings\User\Recent\delfile.tmp
c:\documents and settings\User\Recent\dudl.dll
c:\documents and settings\User\Recent\dudl.drv
c:\documents and settings\User\Recent\dudl.exe
c:\documents and settings\User\Recent\dudl.sys
c:\documents and settings\User\Recent\dudl.tmp
c:\documents and settings\User\Recent\eb.dll
c:\documents and settings\User\Recent\eb.drv
c:\documents and settings\User\Recent\eb.exe
c:\documents and settings\User\Recent\eb.sys
c:\documents and settings\User\Recent\eb.tmp
c:\documents and settings\User\Recent\energy.dll
c:\documents and settings\User\Recent\energy.drv
c:\documents and settings\User\Recent\energy.exe
c:\documents and settings\User\Recent\energy.sys
c:\documents and settings\User\Recent\energy.tmp
c:\documents and settings\User\Recent\exec.dll
c:\documents and settings\User\Recent\exec.drv
c:\documents and settings\User\Recent\exec.exe
c:\documents and settings\User\Recent\exec.sys
c:\documents and settings\User\Recent\exec.tmp
c:\documents and settings\User\Recent\fan.dll
c:\documents and settings\User\Recent\fan.drv
c:\documents and settings\User\Recent\fan.exe
c:\documents and settings\User\Recent\fan.sys
c:\documents and settings\User\Recent\fan.tmp
c:\documents and settings\User\Recent\fix.dll
c:\documents and settings\User\Recent\fix.drv
c:\documents and settings\User\Recent\fix.exe
c:\documents and settings\User\Recent\fix.sys
c:\documents and settings\User\Recent\fix.tmp
c:\documents and settings\User\Recent\FS.dll
c:\documents and settings\User\Recent\FS.drv
c:\documents and settings\User\Recent\FS.exe
c:\documents and settings\User\Recent\FS.sys
c:\documents and settings\User\Recent\FS.tmp
c:\documents and settings\User\Recent\FW.dll
c:\documents and settings\User\Recent\FW.drv
c:\documents and settings\User\Recent\FW.exe
c:\documents and settings\User\Recent\FW.sys
c:\documents and settings\User\Recent\FW.tmp
c:\documents and settings\User\Recent\gid.dll
c:\documents and settings\User\Recent\gid.drv
c:\documents and settings\User\Recent\gid.exe
c:\documents and settings\User\Recent\gid.sys
c:\documents and settings\User\Recent\gid.tmp
c:\documents and settings\User\Recent\grid.dll
c:\documents and settings\User\Recent\grid.drv
c:\documents and settings\User\Recent\grid.exe
c:\documents and settings\User\Recent\grid.sys
c:\documents and settings\User\Recent\grid.tmp
c:\documents and settings\User\Recent\hymt.dll
c:\documents and settings\User\Recent\hymt.drv
c:\documents and settings\User\Recent\hymt.exe
c:\documents and settings\User\Recent\hymt.sys
c:\documents and settings\User\Recent\hymt.tmp
c:\documents and settings\User\Recent\kernel32.dll
c:\documents and settings\User\Recent\kernel32.drv
c:\documents and settings\User\Recent\kernel32.exe
c:\documents and settings\User\Recent\kernel32.sys
c:\documents and settings\User\Recent\kernel32.tmp
c:\documents and settings\User\Recent\pal.dll
c:\documents and settings\User\Recent\pal.drv
c:\documents and settings\User\Recent\pal.exe
c:\documents and settings\User\Recent\pal.sys
c:\documents and settings\User\Recent\pal.tmp
c:\documents and settings\User\Recent\PassportApplicationComplete.pdf
c:\documents and settings\User\Recent\PE.dll
c:\documents and settings\User\Recent\PE.drv
c:\documents and settings\User\Recent\PE.exe
c:\documents and settings\User\Recent\PE.sys
c:\documents and settings\User\Recent\PE.tmp
c:\documents and settings\User\Recent\ppal.dll
c:\documents and settings\User\Recent\ppal.drv
c:\documents and settings\User\Recent\ppal.exe
c:\documents and settings\User\Recent\ppal.sys
c:\documents and settings\User\Recent\ppal.tmp
c:\documents and settings\User\Recent\runddl.dll
c:\documents and settings\User\Recent\runddl.drv
c:\documents and settings\User\Recent\runddl.exe
c:\documents and settings\User\Recent\runddl.sys
c:\documents and settings\User\Recent\runddl.tmp
c:\documents and settings\User\Recent\runddlkey.dll
c:\documents and settings\User\Recent\runddlkey.drv
c:\documents and settings\User\Recent\runddlkey.exe
c:\documents and settings\User\Recent\runddlkey.sys
c:\documents and settings\User\Recent\runddlkey.tmp
c:\documents and settings\User\Recent\SICKBOY.dll
c:\documents and settings\User\Recent\SICKBOY.drv
c:\documents and settings\User\Recent\SICKBOY.exe
c:\documents and settings\User\Recent\SICKBOY.sys
c:\documents and settings\User\Recent\SICKBOY.tmp
c:\documents and settings\User\Recent\sld.dll
c:\documents and settings\User\Recent\sld.drv
c:\documents and settings\User\Recent\sld.exe
c:\documents and settings\User\Recent\sld.sys
c:\documents and settings\User\Recent\sld.tmp
c:\documents and settings\User\Recent\SM.dll
c:\documents and settings\User\Recent\SM.drv
c:\documents and settings\User\Recent\SM.exe
c:\documents and settings\User\Recent\SM.sys
c:\documents and settings\User\Recent\SM.tmp
c:\documents and settings\User\Recent\snl2w.dll
c:\documents and settings\User\Recent\snl2w.drv
c:\documents and settings\User\Recent\snl2w.exe
c:\documents and settings\User\Recent\snl2w.sys
c:\documents and settings\User\Recent\snl2w.tmp
c:\documents and settings\User\Recent\std.dll
c:\documents and settings\User\Recent\std.drv
c:\documents and settings\User\Recent\std.exe
c:\documents and settings\User\Recent\std.sys
c:\documents and settings\User\Recent\std.tmp
c:\documents and settings\User\Recent\tempdoc.dll
c:\documents and settings\User\Recent\tempdoc.drv
c:\documents and settings\User\Recent\tempdoc.exe
c:\documents and settings\User\Recent\tempdoc.sys
c:\documents and settings\User\Recent\tempdoc.tmp
c:\documents and settings\User\Recent\tjd.dll
c:\documents and settings\User\Recent\tjd.drv
c:\documents and settings\User\Recent\tjd.exe
c:\documents and settings\User\Recent\tjd.sys
c:\documents and settings\User\Recent\tjd.tmp
c:\documents and settings\User\Start Menu\Smart Engine.lnk
c:\documents and settings\User\WINDOWS
c:\program files\Common Files\System\Uninstall
c:\program files\Common Files\System\Uninstall\Uninstall A360.lnk
.
.
((((((((((((((((((((((((( Files Created from 2011-07-08 to 2011-08-08 )))))))))))))))))))))))))))))))
.
.
2011-08-02 16:59 . 2011-08-02 16:59 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-08-02 13:50 . 2011-08-02 13:50 -------- d-----w- c:\program files\ERUNT
2011-08-02 12:35 . 2011-04-21 13:37 105472 -c----w- c:\windows\system32\dllcache\mup.sys
2011-08-02 12:30 . 2011-08-02 12:30 -------- d-----w- c:\windows\system32\wbem\Repository
2011-08-02 12:30 . 2011-08-02 12:30 -------- d-----w- c:\program files\Microsoft.NET
2011-08-02 12:27 . 2011-08-02 12:27 -------- d-----w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\Google
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-08-05 15:39 . 2010-11-05 17:53 131 ----a-w- C:\DeletePrintJobs.cmd
2011-06-02 14:02 . 2006-02-28 12:00 1858944 ----a-w- c:\windows\system32\win32k.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2010-10-06 16:31 2475336 ----a-w- c:\program files\AVG\AVG10\Toolbar\IEToolbar.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG10\Toolbar\IEToolbar.dll" [2010-10-06 2475336]
.
[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG10\Toolbar\IEToolbar.dll" [2010-10-06 2475336]
.
[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SsAAD.exe"="c:\progra~1\Sony\SONICS~1\SsAAD.exe" [2006-05-08 81920]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-06-26 25604904]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-06-03 68856]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-15 135168]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-15 159744]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-15 131072]
"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2008-04-23 483328]
"RTHDCPL"="RTHDCPL.EXE" [2009-02-03 18085888]
.
c:\documents and settings\User\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
VZAccess Manager.lnk - c:\program files\Verizon Wireless\VZAccess Manager\VZAccess Manager.exe [N/A]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-100000000002}\SC_Acrobat.exe [2009-7-15 25214]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
Wireless Connection Manager.lnk - c:\program files\D-Link\D-Link DWA-552 Xtreme N Desktop Adapter\wirelesscm.exe [2008-6-16 13357056]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0lsdelete\0c:\progra~1\AVG\AVG10\avgchsvx.exe /sync\0c:\progra~1\AVG\AVG10\avgrsx.exe /sync /restart
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2008-02-22 08:25 144784 ----a-w- c:\program files\Java\jre1.6.0_05\bin\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2008-06-03 21:56 68856 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"TapiSrv"=3 (0x3)
"MSCSPTISRV"=3 (0x3)
"MDM"=2 (0x2)
"iPod Service"=3 (0x3)
"ImapiService"=3 (0x3)
"helpsvc"=2 (0x2)
"gusvc"=3 (0x3)
"Bonjour Service"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
.
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [8/25/2008 5:48 PM 24652]
R3 AE1000;Linksys AE1000 Driver;c:\windows\system32\drivers\AE1000XP.sys [6/4/2010 11:48 PM 816672]
S2 AVGIDSAgent;AVGIDSAgent;"c:\program files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe" --> c:\program files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe [?]
S2 gupdate1c9f4064be4b752;Google Update Service (gupdate1c9f4064be4b752);c:\program files\Google\Update\GoogleUpdate.exe [6/23/2009 9:27 AM 133104]
S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\AVG\AVG10\Toolbar\ToolbarBroker.exe [11/11/2010 12:34 PM 517448]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [6/23/2009 9:27 AM 133104]
S3 USB100TX;Linksys EtherFast 10/100 USB Network Adapter;c:\windows\system32\drivers\USB100TX.sys [1/15/2008 4:46 AM 26304]
.
Contents of the 'Scheduled Tasks' folder
.
2011-08-08 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-06-23 13:26]
.
2011-08-05 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-06-23 13:26]
.
2011-07-27 c:\windows\Tasks\ParetoLogic Registration.job
- c:\program files\Common Files\ParetoLogic\UUS2\UUS.dll [2009-01-13 14:59]
.
2011-07-28 c:\windows\Tasks\ParetoLogic Update Version2.job
- c:\program files\Common Files\ParetoLogic\UUS2\Pareto_Update.exe [2009-01-13 14:59]
.
2011-08-08 c:\windows\Tasks\User_Feed_Synchronization-{78C678BB-7F92-432A-8AAA-6CC8E07EC16D}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 08:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyServer = http=127.0.0.1:25452
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
Trusted Zone: nobullhardcore.com
TCP: DhcpNameServer = 68.87.85.98 68.87.64.146
Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\AVG\AVG10\Toolbar\IEToolbar.dll
.
.
------- File Associations -------
.
.scr=AutoCADScriptFile
.
- - - - ORPHANS REMOVED - - - -
.
BHO-{24b6d841-e285-4a47-b680-7b4dcef3ad36} - c:\windows\system32\doguvuvo.dll
BHO-{42bad917-114b-4cd3-a92a-a85086b14e34} - c:\windows\system32\wynbvi.dll
HKCU-Run-Smart Engine - c:\documents and settings\All Users\Application Data\d55140\SMd55_2222.exe
HKCU-Run-RegistryBooster - c:\program files\Uniblue\RegistryBooster\launcher.exe
MSConfigStartUp-Adobe Reader Speed Launcher - c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe
MSConfigStartUp-Aim6 - c:\program files\AIM6\aim6.exe
MSConfigStartUp-AppleSyncNotifier - c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-08-08 08:17
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(580)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\msi.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware 2007\aawservice.exe
c:\program files\D-Link\D-Link DWA-552 Xtreme N Desktop Adapter\acs.exe
c:\windows\system32\wscntfy.exe
c:\windows\RTHDCPL.EXE
c:\windows\system32\igfxsrvc.exe
c:\program files\Adobe\Acrobat 7.0\Acrobat\Acrobat_sl.exe
c:\program files\Skype\Plugin Manager\skypePM.exe
.
**************************************************************************
.
Completion time: 2011-08-08 08:21:15 - machine was rebooted
ComboFix-quarantined-files.txt 2011-08-08 12:21
.
Pre-Run: 267,306,745,856 bytes free
Post-Run: 267,323,154,432 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
.
- - End Of File - - F1D9A4FF7A526320F43977A360F28ED0

redcar92
2011-08-09, 00:57
Greetings drafterf250,


Close any open browsers.
Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
Open notepad and copy/paste the text in the quotebox below into it:

File::
c:\windows\system32\hibunevo.dll
DDS::
uInternet Settings,ProxyServer = http=127.0.0.1:25452
Folder::
Registry::
Driver::

Save this as "CFScript.txt", and as Type: All Files (*.*) in the same location as ComboFix.exe

http://i1176.photobucket.com/albums/x337/redcar92/WTT/CF/CFscript.png

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Next
Your hosts file seems to be infected. Please do the following,
Download the HostsXpert 4.3 - Hosts File Manager (http://www.funkytoad.com/download/HostsXpert.zip).

Unzip HostsXpert 4.2.0.0 - Hosts File Manager to a convenient folder such as C:\HostsXpert
Click HostsXpert.exe to Run HostsXpert - Hosts File Manager from its new home
Click: Make ReadOnly.
Click Restore Microsoft's Hosts file and then click OK.
Click the X to exit the program.
Note: If you were using a custom Hosts file you will need to replace any of those entries yourself.



Log to post:

Combofix.txt
How is your PC behaving now?
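
The two fixes in this post (the DDS:: line that clears the localhost ProxyServer value, and the hosts-file restore) target the same class of hijack: traffic for security-vendor and payment sites is pinned to one remote address in the hosts file, and the browser is pointed at a proxy listening on 127.0.0.1. The script below is an added example for this thread, not code from the forum, HostsXpert, ComboFix or Spybot; it shows how a defender can audit both settings offline. It works on plain strings, so the hosts text is a constructed sample (203.0.113.7 is a documentation address, the `.invalid` hostnames and `update.av.example` are placeholders), the PROTECTED list is an assumed short list of real vendor endpoints, and on a live machine you would read `%SystemRoot%\system32\drivers\etc\hosts` and the `ProxyServer` registry value and pass them in.

```python
"""Offline audit of a Windows hosts file and an IE ProxyServer value.

Added example for this thread; it is not code from the forum, HostsXpert,
ComboFix or Spybot.  Inputs are plain strings so the checks run anywhere.
"""
from collections import defaultdict

# Addresses a hosts entry may legitimately point at (self / sinkhole).
LOOPBACK = {"127.0.0.1", "::1", "0.0.0.0"}

# Endpoints security products depend on.  Assumption: this short list is
# illustrative; a real deployment would carry the vendor's own domain list.
PROTECTED = {
    "safebrowsing-cache.google.com",  # Google Safe Browsing cache
    "urs.microsoft.com",              # IE SmartScreen URL reputation
    "update.av.example",              # constructed placeholder
}

# Constructed sample showing the shape of a Qhost-style hijack: many vendor
# and payment hostnames pinned to one remote IP (203.0.113.7 is TEST-NET-3).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
203.0.113.7     av-payments.example.invalid
203.0.113.7     secure-billing.example.invalid
203.0.113.7     safebrowsing-cache.google.com
203.0.113.7     urs.microsoft.com
127.0.0.1       ads.example.invalid   # ordinary ad-blocking entry, fine
"""


def parse_hosts(text):
    """Return [(ip, hostname), ...] for every mapping; comments are dropped.

    A hosts line is 'IP name [alias ...]' with an optional '#' comment.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        entries.extend((ip, name.lower()) for name in names)
    return entries


def audit_hosts(text, protected=PROTECTED, fan_in_threshold=3):
    """Flag two patterns typical of a hosts-file hijack.

    protected_overrides: any mapping for a protected hostname; even a
        loopback mapping silently disables that vendor service.
    fan_in: a non-loopback IP that collects >= fan_in_threshold distinct
        hostnames, i.e. traffic for many sites redirected to one box.
    """
    by_ip = defaultdict(set)
    overrides = []
    for ip, name in parse_hosts(text):
        by_ip[ip].add(name)
        if name in protected:
            overrides.append((name, ip))
    fan_in = {
        ip: sorted(names)
        for ip, names in by_ip.items()
        if ip not in LOOPBACK and len(names) >= fan_in_threshold
    }
    return {"protected_overrides": overrides, "fan_in": fan_in}


def proxy_points_to_loopback(proxy_value):
    """Return the ProxyServer entries that route traffic through localhost.

    The registry value is 'host:port' or 'scheme=host:port;scheme=...'.
    A loopback proxy on a home PC usually means a local interceptor.
    """
    flagged = []
    for entry in filter(None, proxy_value.split(";")):
        hostport = entry.split("=", 1)[-1]
        host = hostport.rsplit(":", 1)[0].strip("[]")
        if host in LOOPBACK or host.lower() == "localhost":
            flagged.append(entry)
    return flagged


if __name__ == "__main__":
    for key, value in audit_hosts(SAMPLE_HOSTS).items():
        print(key, value)
    print(proxy_points_to_loopback("http=127.0.0.1:25452"))
```

The fan-in check is what separates a hijack from an ordinary ad-blocking hosts file: blocking entries point at loopback, while a hijack pins many names to one routable address. The protected-name check catches the quieter variant where update or reputation servers are simply sinkholed to 127.0.0.1.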

drafterf250
2011-08-09, 14:07
ComboFix 11-08-08.03 - User 08/09/2011 8:00.2.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2038.1538 [GMT -4:00]
Running from: c:\documents and settings\User\My Documents\Downloads\ComboFix.exe
Command switches used :: c:\documents and settings\User\My Documents\Downloads\CFScript.txt
.
FILE ::
"c:\windows\system32\hibunevo.dll"
.
.
((((((((((((((((((((((((( Files Created from 2011-07-09 to 2011-08-09 )))))))))))))))))))))))))))))))
.
.
2011-08-02 16:59 . 2011-08-02 16:59 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-08-02 13:50 . 2011-08-02 13:50 -------- d-----w- c:\program files\ERUNT
2011-08-02 12:35 . 2011-04-21 13:37 105472 -c----w- c:\windows\system32\dllcache\mup.sys
2011-08-02 12:30 . 2011-08-02 12:30 -------- d-----w- c:\windows\system32\wbem\Repository
2011-08-02 12:30 . 2011-08-02 12:30 -------- d-----w- c:\program files\Microsoft.NET
2011-08-02 12:27 . 2011-08-02 12:27 -------- d-----w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\Google
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-08-05 15:39 . 2010-11-05 17:53 131 ----a-w- C:\DeletePrintJobs.cmd
2011-06-02 14:02 . 2006-02-28 12:00 1858944 ----a-w- c:\windows\system32\win32k.sys
.
.
((((((((((((((((((((((((((((( SnapShot@2011-08-08_12.17.41 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-08-09 11:43 . 2011-08-09 11:43 352256 c:\windows\ERDNT\AutoBackup\8-9-2011\Users\00000002\UsrClass.dat
+ 2011-08-09 11:43 . 2005-10-20 16:02 163328 c:\windows\ERDNT\AutoBackup\8-9-2011\ERDNT.EXE
+ 2011-08-09 11:43 . 2011-08-09 11:43 10387456 c:\windows\ERDNT\AutoBackup\8-9-2011\Users\00000001\ntuser.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2010-10-06 16:31 2475336 ----a-w- c:\program files\AVG\AVG10\Toolbar\IEToolbar.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG10\Toolbar\IEToolbar.dll" [2010-10-06 2475336]
.
[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG10\Toolbar\IEToolbar.dll" [2010-10-06 2475336]
.
[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SsAAD.exe"="c:\progra~1\Sony\SONICS~1\SsAAD.exe" [2006-05-08 81920]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-06-26 25604904]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-06-03 68856]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-15 135168]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-15 159744]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-15 131072]
"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2008-04-23 483328]
"RTHDCPL"="RTHDCPL.EXE" [2009-02-03 18085888]
.
c:\documents and settings\User\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
VZAccess Manager.lnk - c:\program files\Verizon Wireless\VZAccess Manager\VZAccess Manager.exe [N/A]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-100000000002}\SC_Acrobat.exe [2009-7-15 25214]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
Wireless Connection Manager.lnk - c:\program files\D-Link\D-Link DWA-552 Xtreme N Desktop Adapter\wirelesscm.exe [2008-6-16 13357056]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0lsdelete\0c:\progra~1\AVG\AVG10\avgchsvx.exe /sync\0c:\progra~1\AVG\AVG10\avgrsx.exe /sync /restart
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2008-02-22 08:25 144784 ----a-w- c:\program files\Java\jre1.6.0_05\bin\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2008-06-03 21:56 68856 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"TapiSrv"=3 (0x3)
"MSCSPTISRV"=3 (0x3)
"MDM"=2 (0x2)
"iPod Service"=3 (0x3)
"ImapiService"=3 (0x3)
"helpsvc"=2 (0x2)
"gusvc"=3 (0x3)
"Bonjour Service"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
.
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [8/25/2008 5:48 PM 24652]
R3 AE1000;Linksys AE1000 Driver;c:\windows\system32\drivers\AE1000XP.sys [6/4/2010 11:48 PM 816672]
S2 AVGIDSAgent;AVGIDSAgent;"c:\program files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe" --> c:\program files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe [?]
S2 gupdate1c9f4064be4b752;Google Update Service (gupdate1c9f4064be4b752);c:\program files\Google\Update\GoogleUpdate.exe [6/23/2009 9:27 AM 133104]
S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\AVG\AVG10\Toolbar\ToolbarBroker.exe [11/11/2010 12:34 PM 517448]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [6/23/2009 9:27 AM 133104]
S3 USB100TX;Linksys EtherFast 10/100 USB Network Adapter;c:\windows\system32\drivers\USB100TX.sys [1/15/2008 4:46 AM 26304]
.
Contents of the 'Scheduled Tasks' folder
.
2011-08-09 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-06-23 13:26]
.
2011-08-08 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-06-23 13:26]
.
2011-07-27 c:\windows\Tasks\ParetoLogic Registration.job
- c:\program files\Common Files\ParetoLogic\UUS2\UUS.dll [2009-01-13 14:59]
.
2011-07-28 c:\windows\Tasks\ParetoLogic Update Version2.job
- c:\program files\Common Files\ParetoLogic\UUS2\Pareto_Update.exe [2009-01-13 14:59]
.
2011-08-09 c:\windows\Tasks\User_Feed_Synchronization-{78C678BB-7F92-432A-8AAA-6CC8E07EC16D}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 08:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
Trusted Zone: nobullhardcore.com
TCP: DhcpNameServer = 68.87.85.98 68.87.64.146
Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\AVG\AVG10\Toolbar\IEToolbar.dll
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-08-09 08:05
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(3716)
c:\windows\system32\WININET.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2011-08-09 08:07:18
ComboFix-quarantined-files.txt 2011-08-09 12:07
ComboFix2.txt 2011-08-08 12:21
.
Pre-Run: 267,379,179,520 bytes free
Post-Run: 267,360,559,104 bytes free
.
- - End Of File - - 3F063E7BE74CCD5DACDF3691C45A674E

drafterf250
2011-08-09, 14:13
hi bill,

I did the ComboFix; it went well. I got an error when I ran HostsXpert (ERROR: Cannot create file C:\WINDOWS\system 32\DRIVERS\etc). Otherwise it is running well. Also I need an antivirus, I believe. Thanks again for everything.

drafterf250
2011-08-22, 14:56
Hey Bill. Sorry for the delay. I was outta town for work. I could still use your help though.

y
Dear drafterf250,

redcar92 has just replied to a thread you have subscribed to entitled - help please bad viruses - in the Malware Removal forum of Safer-Networking Forums.

This thread is located at:
http://forums.spybot.info/showthread.php?t=63516&goto=newpost

Here is the message that has just been posted:
***************
Greetings drafterf250,

You do need an antivirus. I would recommend just one of the ones listed below. More than one AV will cause you problems. In my final speech I will have more recommendations.
Microsoft Security Essentials at http://www.microsoft.com/security/pc-security/mse.aspx
AVAST from here http://download.cnet.com/Avast-Free-Antivirus/3000-2239_4-10019223.html
AVIRA from here http://download.cnet.com/Avira-AntiVir-Personal-Free-Antivirus/3000-2239_4-10322935.html

*Next*
Download *TFC* (http://oldtimer.geekstogo.com/TFC.exe) to your *desktop*
* Close any open windows.
* Double click the *TFC* icon to run the program
* TFC *will close all open programs itself* in order to run,
* Click the *Start* button to begin the process.
* Allow *TFC* to run uninterrupted.
* The program should not take long to finish its job
* Once it's finished it should automatically *reboot your machine,*
* if it doesn't, manually reboot to ensure a complete clean


*Next*
Please download Malwarebytes' Anti-Malware from *Here* (http://www.besttechie.net/mbam/mbam-setup.exe).
Double Click mbam-setup.exe to install the application.
* Make sure a checkmark is placed next to *Update Malwarebytes' Anti-Malware *and *Launch Malwarebytes' Anti-Malware*, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select "*Perform Quick Scan*", then click *Scan*.
* The scan may take some time to finish, so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that *everything *is checked, and click *Remove Selected*.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy&Paste the entire report in your next reply.

Extra Note:
*If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.*

*Next*
Please use Internet Explorer to download and run the following scan: *Eset Online Scanner* (http://www.eset.com/onlinescan/)
* Place a check mark in the box *YES, I accept the Terms Of Use*
* Click the *Start* button.
* Now *click* the *Install* button.
* *Click Start*. The scanner engine will initialize and update.
* *_Do Not place a check mark_* in the box beside *Remove found threats*.
* *Click* the *Scan* button. The scan will now run, please be patient.
* When the scan finishes if there are any infections you will see a *List of found threats*.
* Click *Export to text file*
* *Copy and paste* the contents of the *C:\Program Files\ESET\log.txt* into your next reply.
* If no threats are found there will be no list, this is good, just tell me that no threats were found.


Logs to post:
* Malwarebyte.txt
* Results of ESET scan
* How is your PC running now?


***************


There may also be other replies, but you will not receive any more notifications until you visit the forum again.

All the best,
Safer-Networking Forums


Malwarebytes' Anti-Malware 1.51.1.1800
www.malwarebytes.org

Database version: 7534

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

8/22/2011 7:32:40 AM
mbam-log-2011-08-22 (07-32-40).txt

Scan type: Quick scan
Objects scanned: 177697
Time elapsed: 3 minute(s), 21 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:

---------------------------------------------------------------------------------

C:\Documents and Settings\User\My Documents\Downloads\registrybooster.exe Win32/RegistryBooster application
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\d55140\28.mof.vir Win32/RogueAV.A trojan
C:\System Volume Information\_restore{0EB28527-34FF-4327-913D-8B9F37FA334C}\RP723\A0078961.mof Win32/RogueAV.A trojan
C:\WINDOWS\system32\drivers\etc\hosts.20090306-154100.backup Win32/Qhost trojan
C:\WINDOWS\system32\drivers\etc\hosts.20101204-140519.backup Win32/Qhost trojan
C:\WINDOWS\system32\drivers\etc\hosts.20101204-140943.backup Win32/Qhost trojan
C:\WINDOWS\system32\drivers\etc\hosts.20101204-140945.backup Win32/Qhost trojan
C:\WINDOWS\system32\drivers\etc\hosts.20101204-140947.backup Win32/Qhost trojan
C:\WINDOWS\system32\drivers\etc\hosts.20101204-140948.backup Win32/Qhost trojan
C:\WINDOWS\system32\drivers\etc\hosts.20101204-140949.backup Win32/Qhost trojan
C:\WINDOWS\system32\drivers\etc\hosts.20101204-140950.backup Win32/Qhost trojan
C:\WINDOWS\system32\drivers\etc\hosts.20101204-140953.backup Win32/Qhost trojan
C:\WINDOWS\system32\drivers\etc\hosts.20101204-140955.backup Win32/Qhost trojan
C:\WINDOWS\system32\drivers\etc\hosts.20101206-083406.backup Win32/Qhost trojan
C:\WINDOWS\system32\drivers\etc\hosts.20101206-083410.backup Win32/Qhost trojan
C:\WINDOWS\system32\drivers\etc\hosts.20101206-083411.backup Win32/Qhost trojan
C:\WINDOWS\system32\drivers\etc\hosts.20101206-083412.backup Win32/Qhost trojan
C:\WINDOWS\system32\drivers\etc\hosts.20101206-083413.backup Win32/Qhost trojan
C:\WINDOWS\system32\drivers\etc\hosts.20101206-083414.backup Win32/Qhost trojan
C:\WINDOWS\system32\drivers\etc\hosts.20101206-091222.backup Win32/Qhost trojan
C:\WINDOWS\system32\drivers\etc\hosts.20101206-091227.backup Win32/Qhost trojan
C:\WINDOWS\system32\drivers\etc\hosts.20101206-091228.backup Win32/Qhost trojan
C:\WINDOWS\system32\drivers\etc\hosts.20101206-091229.backup Win32/Qhost trojan
C:\WINDOWS\system32\drivers\etc\hosts.20101206-091230.backup Win32/Qhost trojan
C:\WINDOWS\system32\drivers\etc\hosts.20101206-091231.backup Win32/Qhost trojan
C:\WINDOWS\system32\drivers\etc\hosts.20101206-091232.backup Win32/Qhost trojan
C:\WINDOWS\system32\drivers\etc\hosts.20101206-091233.backup Win32/Qhost trojan
C:\WINDOWS\system32\drivers\etc\hosts.20101206-091234.backup Win32/Qhost trojan
C:\WINDOWS\system32\drivers\etc\hosts.20101206-091235.backup Win32/Qhost trojan
C:\WINDOWS\system32\drivers\etc\hosts.20101220-095202.backup Win32/Qhost trojan
C:\WINDOWS\system32\drivers\etc\hosts.20101220-095205.backup Win32/Qhost trojan
C:\WINDOWS\system32\drivers\etc\hosts.20101220-095206.backup Win32/Qhost trojan
C:\WINDOWS\system32\drivers\etc\hosts.20101220-095207.backup Win32/Qhost trojan
C:\WINDOWS\system32\drivers\etc\hosts.20101220-095208.backup Win32/Qhost trojan
C:\WINDOWS\system32\drivers\etc\hosts.20101220-095209.backup Win32/Qhost trojan
C:\WINDOWS\system32\drivers\etc\hosts.20101220-095210.backup Win32/Qhost trojan
C:\WINDOWS\system32\drivers\etc\hosts.20101220-095211.backup Win32/Qhost trojan
C:\WINDOWS\system32\drivers\etc\hosts.20101220-095212.backup Win32/Qhost trojan
C:\WINDOWS\system32\drivers\etc\hosts.20101220-095213.backup Win32/Qhost trojan
C:\WINDOWS\system32\drivers\etc\hosts.20101229-082523.backup Win32/Qhost trojan
C:\WINDOWS\system32\drivers\etc\hosts.20101229-082526.backup Win32/Qhost trojan
C:\WINDOWS\system32\drivers\etc\hosts.20101229-082617.backup Win32/Qhost trojan
C:\WINDOWS\system32\drivers\etc\hosts.20101229-082618.backup Win32/Qhost trojan
C:\WINDOWS\system32\drivers\etc\hosts.20101229-082619.backup Win32/Qhost trojan
C:\WINDOWS\system32\drivers\etc\hosts.20101229-082620.backup Win32/Qhost trojan
C:\WINDOWS\system32\drivers\etc\hosts.20101229-082621.backup Win32/Qhost trojan
C:\WINDOWS\system32\drivers\etc\hosts.20101229-082622.backup Win32/Qhost trojan
C:\WINDOWS\system32\drivers\etc\hosts.20101229-082623.backup Win32/Qhost trojan
C:\WINDOWS\system32\drivers\etc\hosts.20110802-090732.backup Win32/Qhost trojan
C:\WINDOWS\system32\drivers\etc\hosts.20110802-090734.backup Win32/Qhost trojan
C:\WINDOWS\system32\drivers\etc\hosts.20110802-090736.backup Win32/Qhost trojan
C:\WINDOWS\system32\drivers\etc\hosts.20110802-090737.backup Win32/Qhost trojan
C:\WINDOWS\system32\drivers\etc\hosts.20110802-090738.backup Win32/Qhost trojan
C:\WINDOWS\system32\drivers\etc\hosts.20110802-090739.backup Win32/Qhost trojan
C:\WINDOWS\system32\drivers\etc\hosts.20110802-101422.backup Win32/Qhost trojan
C:\WINDOWS\system32\drivers\etc\hosts.20110802-101423.backup Win32/Qhost trojan
C:\WINDOWS\system32\drivers\etc\hosts.20110802-101426.backup Win32/Qhost trojan
C:\WINDOWS\system32\drivers\etc\hosts.20110802-101427.backup Win32/Qhost trojan
C:\WINDOWS\system32\drivers\etc\hosts.20110802-101428.backup Win32/Qhost trojan
C:\WINDOWS\system32\drivers\etc\hosts.20110802-101429.backup Win32/Qhost trojan
C:\WINDOWS\system32\drivers\etc\hosts.20110802-101430.backup Win32/Qhost trojan
C:\WINDOWS\system32\drivers\etc\hosts.20110802-101438.backup Win32/Qhost trojan
C:\WINDOWS\system32\drivers\etc\hosts.20110802-101439.backup Win32/Qhost trojan
C:\WINDOWS\system32\drivers\etc\hosts.20110802-101440.backup Win32/Qhost trojan
C:\WINDOWS\system32\drivers\etc\hosts.20110802-101441.backup Win32/Qhost trojan
C:\WINDOWS\system32\drivers\etc\hosts.20110802-101442.backup Win32/Qhost trojan
C:\WINDOWS\system32\drivers\etc\hosts.20110802-110355.backup Win32/Qhost trojan
C:\WINDOWS\system32\drivers\etc\hosts.20110802-110356.backup Win32/Qhost trojan
C:\WINDOWS\system32\drivers\etc\hosts.20110802-110357.backup Win32/Qhost trojan
C:\WINDOWS\system32\drivers\etc\hosts.20110802-110358.backup Win32/Qhost trojan
C:\WINDOWS\system32\drivers\etc\hosts.20110802-110359.backup Win32/Qhost trojan
C:\WINDOWS\system32\drivers\etc\hosts.20110803-131936.backup Win32/Qhost trojan
C:\WINDOWS\system32\drivers\etc\hosts.20110803-131937.backup Win32/Qhost trojan
C:\WINDOWS\system32\drivers\etc\hosts.20110803-131938.backup Win32/Qhost trojan
C:\WINDOWS\system32\drivers\etc\hosts.20110803-131939.backup Win32/Qhost trojan
C:\WINDOWS\system32\drivers\etc\hosts.20110803-131940.backup Win32/Qhost trojan
C:\WINDOWS\system32\drivers\etc\hosts.20110805-121817.backup Win32/Qhost trojan
C:\WINDOWS\system32\drivers\etc\hosts.20110805-121818.backup Win32/Qhost trojan
C:\WINDOWS\system32\drivers\etc\hosts.20110805-121819.backup Win32/Qhost trojan
C:\WINDOWS\system32\drivers\etc\hosts.20110805-121820.backup Win32/Qhost trojan
C:\WINDOWS\system32\drivers\etc\hosts.20110805-121821.backup Win32/Qhost trojan
C:\WINDOWS\system32\drivers\etc\hosts.20110805-121822.backup Win32/Qhost trojan
C:\WINDOWS\system32\drivers\etc\hosts.20110805-141046.backup Win32/Qhost trojan
C:\WINDOWS\system32\drivers\etc\hosts.20110805-141047.backup Win32/Qhost trojan
C:\WINDOWS\system32\drivers\etc\hosts.20110805-141048.backup Win32/Qhost trojan
C:\WINDOWS\system32\drivers\etc\hosts.20110805-141049.backup Win32/Qhost trojan
C:\WINDOWS\system32\drivers\etc\hosts.20110805-141050.backup Win32/Qhost trojan
C:\WINDOWS\system32\drivers\etc\hosts.20110805-141051.backup Win32/Qhost trojan
thanks for your help

drafterf250
2011-08-22, 15:02
PC is still pretty slow :thanks:

redcar92
2011-08-23, 04:10
Greetings drafterf250,
Did you find an antivirus yet?

ESET showed some files that need to go.

You have 3 on your PC. Here is a good link to some good info on regcleaners: http://miekiemoes.blogspot.com/2008/02/registry-cleaners-and-system-tweaking_13.html Please let me know if you need assistance removing this one.

Next
Press the WinKey + R to open a run box, then copy/paste the following single-line command into the Run box and click OK:

cmd /c del /q "C:\WINDOWS\system32\drivers\etc\hosts.20*.*"

Let me know when done and if there is any improvement in performance.

drafterf250
2011-08-23, 15:02
Hey Bill,
I do have Microsoft Security Essentials.
I didn't do the registry clean yet or the second operation.
I was worried about deleting the wrong things, so I could use your help. :thanks:

redcar92
2011-08-28, 20:52
Greetings drafterf250,
Good that you have an AV, and MS Security Essentials is a good one.
I apologize for the confusion. I see that you have a program called Registry Booster on your system. These registry booster and cleaner programs are not all that they are advertised to be, and can often harm your system. It is recommended that you don't use them and that you remove them from your system. Here (http://miekiemoes.blogspot.com/2008/02/registry-cleaners-and-system-tweaking_13.html) is some good information about regcleaners and boosters.

ESET showed a few problems still on your system.
It appears that you have or had Uniblue Registry Booster installed and there are traces of it still on your PC. If you wish I can help you remove them.

The Qoobox entry will be removed when we clean up Combofix

The C:\System Volume Information\_restore{0EB28527-34FF-4327-913D-8B9F37FA334C}\RP723\A0078961.mof Win32/RogueAV.A trojan will be removed when we reset the restore points.

That leaves us with several files starting with C:\WINDOWS\system32\drivers\etc\hosts
To remove these files please do the following.
Press the WinKey + R to open a run box, then copy/paste the following single-line command into the Run box and click OK:

cmd /c del /q "C:\WINDOWS\system32\drivers\etc\hosts.20*.*"

Let me know when done, whether there is any improvement in performance, and whether you want help with Registry Booster, please.
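
The cleanup above deals with the scanner's timestamped copies of the hosts file, but the live hosts file is what a Qhost-style infection actually edits. The following is an added example, not code from this thread or from any of the tools mentioned in it: it parses a hosts file body, flags names mapped to a routable address (redirection) and update/vendor names pinned to loopback (blackholing), and picks the hosts.YYYYMMDD-HHMMSS.backup copies out of a directory listing. The sample hosts content, the directory listing and the list of sensitive domains are constructed for the demonstration and are assumptions, not data from the logs.

```python
"""Audit a Windows hosts file for Qhost-style hijacks and list the
timestamped hosts.*.backup copies a scanner leaves behind.

Added example, not code from the thread. The sample hosts body, the
directory listing and SENSITIVE_SUFFIXES are constructed assumptions.
"""
import ipaddress
import re

# Addresses a stock Windows hosts file legitimately maps names to.
LOOPBACK = {ipaddress.ip_address("127.0.0.1"), ipaddress.ip_address("::1")}

# Illustrative assumption: names an attacker gains from redirecting or
# blackholing (OS update, security-vendor download hosts).
SENSITIVE_SUFFIXES = ("microsoft.com", "windowsupdate.com", "eset.com")

# File names of the form hosts.20110802-090732.backup
BACKUP_NAME = re.compile(r"^hosts\.\d{8}-\d{6}\.backup$", re.IGNORECASE)


def parse_hosts(text):
    """Yield (ip, hostname) for every mapping in a hosts file body.

    Comments (#) and blank lines are skipped; one line may map several
    names to a single address, as the hosts format allows.
    """
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed line, not a mapping
        for name in fields[1:]:
            yield ip, name.lower()


def is_sensitive(hostname):
    """True if hostname is, or is a subdomain of, a sensitive suffix."""
    return any(hostname == s or hostname.endswith("." + s) for s in SENSITIVE_SUFFIXES)


def audit_hosts(text):
    """Return a list of (hostname, ip, reason) findings.

    Two tactics are covered: redirecting a name to a routable address
    the attacker controls, and pinning an update/vendor name to loopback
    so the victim can never reach it.
    """
    findings = []
    for ip, name in parse_hosts(text):
        if name in ("localhost", "localhost.localdomain"):
            continue
        if ip not in LOOPBACK and not ip.is_unspecified:
            findings.append((name, str(ip), "redirected to non-loopback address"))
        elif is_sensitive(name):
            findings.append((name, str(ip), "sensitive host blackholed to loopback"))
    return findings


def backup_copies(filenames):
    """Pick the hosts.YYYYMMDD-HHMMSS.backup names out of a directory listing."""
    return sorted(f for f in filenames if BACKUP_NAME.match(f))


# Constructed sample input (not a real capture).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
203.0.113.45    www.example-av-vendor.test secure.example-av-vendor.test
203.0.113.45    download.eset.com
127.0.0.1       update.microsoft.com
"""

SAMPLE_DIR = [
    "hosts",
    "hosts.20110802-090732.backup",
    "hosts.20110805-141051.backup",
    "lmhosts.sam",
    "networks",
]

if __name__ == "__main__":
    for name, ip, reason in audit_hosts(SAMPLE_HOSTS):
        print(f"{name:45} {ip:16} {reason}")
    print("backup copies to delete:", backup_copies(SAMPLE_DIR))
```

Run it against the real file by reading C:\WINDOWS\system32\drivers\etc\hosts into audit_hosts and passing os.listdir of the etc directory to backup_copies; a clean XP hosts file yields no findings, because it maps only localhost.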

drafterf250
2011-08-29, 20:18
Mission complete... my computer runs about the same, just a little slower to start up still. I deleted everything I could with the Registry Booster and did the copy-and-paste command. :thanks: Bill

redcar92
2011-08-30, 02:33
Greetings drafterf250,
You say your PC is OK but a little slow. There are many things besides malware that can slow down your PC. You could start by clicking Start -> Run, entering cleanmgr and clicking OK. Follow the on-screen prompts. Check everything except compress files and folders (this slows things down). Next I would recommend this item: download and run Puran Disk Defragmenter (http://www.puransoftware.com/Puran-Defrag-Download.html). It does an excellent job. Be sure to uncheck any and all checkboxes encountered during installation asking to download other programs. Also, it may put another BHO (Browser Helper Object) on your web browser. You should Google "speed up my pc" or "my pc is slow"; there are many excellent sites offering tips to speed up your PC. Don't get suckered into paying for programs. They seldom work well, and as I said before, stay away from registry boosters and cleaners, as they offer minimal help at best and often do damage.

Next
To clear the Java Plug-in cache:
Click Start > Control Panel.
Double-click the Java icon in the control panel.
On the General tab, Click Settings under Temporary Internet Files.
On the Temporary Files Settings screen, Click Delete Files.
Check all boxes.
Click OK
Reboot the computer.

Next
Your Java appears to be down-level.
Navigate to Control Panel then open Add Remove Programs.
Highlight each Java item listed then Remove or Uninstall.
Visit this site (http://www.java.com/en/download/index.jsp) to download and install the latest Java.

Next
Your Adobe appears to be down-level.
Please visit this site (http://www.adobe.com/downloads/). Click on the Adobe Reader icon on the right side and you will be presented with the correct Adobe for your system.
Download and install this Adobe please.

Next
Double click dds.scr to run the tool.
When done, DDS.txt will open.
Save to your desktop.
Please include the contents of the following in your reply using Copy / Paste:
DDS.txt

drafterf250
2011-08-30, 22:22
Here ya go, thanks again.
Dan.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by User at 16:18:45 on 2011-08-30
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2038.1110 [GMT -4:00]
.
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\D-Link\D-Link DWA-552 Xtreme N Desktop Adapter\acs.exe
svchost.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\D-Link\D-Link DWA-552 Xtreme N Desktop Adapter\wirelesscm.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\AutoCAD 2010\acad.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\Common Files\Autodesk Shared\WSCommCntr1.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\PROGRA~1\MICROS~2\Office12\OUTLOOK.EXE
C:\WINDOWS\system32\wscntfy.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uURLSearchHooks: H - No File
mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg10\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.6209.1142\swg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
uRun: [SsAAD.exe] c:\progra~1\sony\sonics~1\SsAAD.exe
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [RegistryBooster] "c:\program files\uniblue\registrybooster\launcher.exe" delay 20000
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [Acrobat Assistant 7.0] "c:\program files\adobe\acrobat 7.0\distillr\Acrotray.exe"
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
StartupFolder: c:\docume~1\user\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\docume~1\user\startm~1\programs\startup\vzacce~1.lnk - c:\program files\verizon wireless\vzaccess manager\VZAccess Manager.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobea~1.lnk - c:\windows\installer\{ac76ba86-1033-0000-7760-100000000002}\SC_Acrobat.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\mcafee~1.lnk - c:\program files\mcafee security scan\2.0.181\SSScheduler.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\wirele~1.lnk - c:\program files\d-link\d-link dwa-552 xtreme n desktop adapter\wirelesscm.exe
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {5067A26B-1337-4436-8AFE-EE169C2DA79F} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: nobullhardcore.com
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1207599497640
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0027-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab
TCP: DhcpNameServer = 68.87.85.98 68.87.64.146
TCP: Interfaces\{350F155D-8F39-4388-91AC-00E3BB947247} : DhcpNameServer = 68.87.85.98 68.87.64.146
Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} -
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
============= SERVICES / DRIVERS ===============
.
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2011-4-18 165648]
R1 MpKsl350f4625;MpKsl350f4625;c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{ddc4e873-3a42-4cbb-964e-94122a73b1ce}\MpKsl350f4625.sys [2011-8-30 28752]
R2 aawservice;Ad-Aware 2007 Service;c:\program files\lavasoft\ad-aware 2007\aawservice.exe [2008-1-4 607576]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-8-22 366640]
R3 AE1000;Linksys AE1000 Driver;c:\windows\system32\drivers\AE1000XP.sys [2010-6-4 816672]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-8-22 22712]
S1 MpKsl275e986b;MpKsl275e986b;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{1921af4b-8067-4510-8fd8-a470c22a8924}\mpksl275e986b.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{1921af4b-8067-4510-8fd8-a470c22a8924}\MpKsl275e986b.sys [?]
S1 MpKsl2bf0ace2;MpKsl2bf0ace2;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{1921af4b-8067-4510-8fd8-a470c22a8924}\mpksl2bf0ace2.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{1921af4b-8067-4510-8fd8-a470c22a8924}\MpKsl2bf0ace2.sys [?]
S1 MpKsla480b5a2;MpKsla480b5a2;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{6ecf0f30-6e7b-4f25-8784-d43d917da786}\mpksla480b5a2.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{6ecf0f30-6e7b-4f25-8784-d43d917da786}\MpKsla480b5a2.sys [?]
S2 AVGIDSAgent;AVGIDSAgent;"c:\program files\avg\avg10\identity protection\agent\bin\avgidsagent.exe" --> c:\program files\avg\avg10\identity protection\agent\bin\AVGIDSAgent.exe [?]
S2 gupdate1c9f4064be4b752;Google Update Service (gupdate1c9f4064be4b752);c:\program files\google\update\GoogleUpdate.exe [2009-6-23 133104]
S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\avg\avg10\toolbar\ToolbarBroker.exe [2010-11-11 517448]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2009-6-23 133104]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\mcafee security scan\2.0.181\McCHSvc.exe [2010-1-15 227232]
S3 USB100TX;Linksys EtherFast 10/100 USB Network Adapter;c:\windows\system32\drivers\USB100TX.sys [2008-1-15 26304]
.
=============== File Associations ===============
.
.scr=AutoCADScriptFile
.
=============== Created Last 30 ================
.
2011-08-30 19:49:50 -------- d-----w- c:\documents and settings\all users\application data\McAfee Security Scan
2011-08-30 19:49:48 -------- d-----w- c:\program files\McAfee Security Scan
2011-08-30 19:45:42 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-08-30 19:45:42 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-08-30 19:40:28 28752 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{ddc4e873-3a42-4cbb-964e-94122a73b1ce}\MpKsl350f4625.sys
2011-08-30 19:27:12 7152464 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{ddc4e873-3a42-4cbb-964e-94122a73b1ce}\mpengine.dll
2011-08-26 12:39:39 180624 ----a-w- c:\windows\system32\Primomonnt.dll
2011-08-24 13:06:47 7152464 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
2011-08-24 11:52:35 274288 ----a-w- c:\windows\system32\mucltui.dll
2011-08-24 11:52:35 215920 ----a-w- c:\windows\system32\muweb.dll
2011-08-24 11:52:35 16736 ----a-w- c:\windows\system32\mucltui.dll.mui
2011-08-23 12:59:02 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-08-23 12:57:09 -------- d-----w- c:\program files\Microsoft Security Client
2011-08-22 11:39:02 -------- d-----w- c:\program files\ESET
2011-08-22 11:28:06 -------- d-----w- c:\documents and settings\user\application data\Malwarebytes
2011-08-22 11:28:01 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-08-22 11:28:00 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2011-08-22 11:27:57 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-08-22 11:27:57 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-08-11 22:38:00 139656 -c----w- c:\windows\system32\dllcache\rdpwd.sys
2011-08-11 22:36:49 10496 -c----w- c:\windows\system32\dllcache\ndistapi.sys
2011-08-08 12:08:51 98816 ----a-w- c:\windows\sed.exe
2011-08-08 12:08:51 518144 ----a-w- c:\windows\SWREG.exe
2011-08-08 12:08:51 256000 ----a-w- c:\windows\PEV.exe
2011-08-08 12:08:51 208896 ----a-w- c:\windows\MBR.exe
2011-08-02 16:59:25 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-08-02 12:35:29 105472 -c----w- c:\windows\system32\dllcache\mup.sys
2011-08-02 12:30:42 -------- d-----w- c:\windows\system32\wbem\repository\FS
2011-08-02 12:30:42 -------- d-----w- c:\windows\system32\wbem\Repository
.
==================== Find3M ====================
.
2011-08-05 15:39:31 131 ----a-w- C:\DeletePrintJobs.cmd
2011-07-15 13:29:31 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-07-08 14:02:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
2011-06-24 14:10:36 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2011-06-23 18:36:30 916480 ----a-w- c:\windows\system32\wininet.dll
2011-06-23 18:36:30 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-06-23 18:36:30 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-06-23 12:05:13 385024 ----a-w- c:\windows\system32\html.iec
2011-06-20 17:44:52 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-06-02 14:02:05 1858944 ----a-w- c:\windows\system32\win32k.sys
.
============= FINISH: 16:19:21.93 ===============

redcar92
2011-09-06, 15:49
Greetings drafterf250,
I can see that you have a web site stored in the "Trusted Zones" section of your log. The only advantage to having a domain stored in your Trusted Zones is that the domain will not prompt you for any permission before installing software or updates from the "trusted" site.
This also means, however, that if a malware exploit comes out where a site can spoof its domain name to match one stored in your Trusted Zones, then you will never know when (or what) they install on your machine.
If you remove this entry, these sites will still be able to install software, but only after receiving permission from you to do so, putting you back in control.
I suggest you remove the following entries:

nobullhardcore.com

You can remove sites from your Trusted Zones via:

IE > Tools > Internet Options > Security tab > Trusted Zone > Sites

Now it is time to clean up our tools a bit.
The following will implement some cleanup procedures as well as reset System Restore points:


Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
See this Link (http://www.bleepingcomputer.com/forums/topic114351.html) for programs that need to be disabled and instructions on how to disable them.
Remember to re-enable them when we're done.


Click Start > Run and copy/paste the following text into the Run box and click OK:

ComboFix /Uninstall

Next
On your desktop right click on aswMBR.exe and select delete. Do the same for aswMBR.txt
On your desktop right click on deldomains.inf and select delete.

You should keep TFC, Malwarebytes, ESET and ERUNT. Update and run them on a regular basis to keep your pc running malware free.

From the look of your logs you are finally All Clean, and the machine seems to be performing as it should. You know how much work and effort you've had to put into getting it back into working order, so hopefully you can impress upon the others who use this machine to be more careful.

For the future safety of this machine and your data, try to ensure they sit down and read the following threads: (it won't take them very long)

Cracked/Illegal Software (http://www.techsupportforum.com/f50/cracked-illegal-software-248501.html)

Perils of P2P File Sharing (http://www.techsupportforum.com/f50/perils-of-p2p-file-sharing-305923.html)

Think Prevention (http://users.telenet.be/bluepatchy/miekiemoes/prevention.html)

If there aren't any more problems, we have some final housekeeping to tend to now.

To help protect your computer in the future I recommend that you follow these steps and look into the following free programs:

* Microsoft Windows Update - http://www.windowsupdate.com/
Visit regularly. This will ensure your computer always has the latest security updates. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

* SpywareBlaster (http://www.javacoolsoftware.com/spywareblaster.html) to help prevent spyware from installing in the first place. Install & update SpywareBlaster with the latest definitions. After you have updated, click the button - enable protection for all unprotected items.
o SpywareBlaster is a preventative program. It sets flags in the registry to prevent the running of a specific list of bad spyware related ActiveX controls. It will block any bad ActiveX from running in Internet Explorer and Firefox if it's listed in their database (which you should update frequently). To view their database and list of restricted sites, launch the program and click on each of the tabs on the main display page.

* WOT (http://www.mywot.com/), Web of Trust. As 'Googling' is such an integral part of internet life, this free browser add-on warns you about risky websites that try to scam visitors, deliver malware or send spam. It is especially helpful when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:
o Green to go
o Yellow for caution
o Red to stop
WOT has an addon available for both Firefox and IE.


* Scan here (http://secunia.com/software_inspector/) for out-of-date & vulnerable common applications on your computer.

Please post any questions, concerns or issues now, as this thread will close a few days after the last post.
Thanks for all of your patience and hard work.
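
The Trusted Zone entry and the "No File" toolbar and URL-search-hook leftovers are the two kinds of Pseudo HJT Report line a reviewer acts on in a DDS log like the one posted above. The following is an added example, not code from the thread, from DDS or from any of the tools it mentions: it isolates the Pseudo HJT Report section of a DDS log and pulls out those two kinds of entry. The sample log excerpt is constructed in the DDS line style shown above; the domains and CLSIDs in it are placeholders, not values from the posted log.

```python
"""Triage the "Pseudo HJT Report" section of a DDS log.

Added example, not part of the thread or of DDS. Reports Trusted Zone
domains (sites IE installs from without prompting) and orphaned browser
hooks whose DLL is gone ("No File"). The sample log is constructed.
"""
import re

# "TB: {clsid} - No File", "uURLSearchHooks: H - No File", etc.
ORPHAN = re.compile(
    r"^(?P<kind>uURLSearchHooks|mURLSearchHooks|BHO|TB):\s*(?P<body>.+?)\s*-\s*No File$"
)
TRUSTED = re.compile(r"^Trusted Zone:\s*(?P<domain>\S+)")


def hjt_section(log):
    """Return the non-empty lines between the Pseudo HJT header and the next header.

    DDS separates sections with lines of '=' and pads them with '.' lines.
    """
    out, inside = [], False
    for line in log.splitlines():
        if line.startswith("====="):
            inside = "Pseudo HJT Report" in line
            continue
        if inside and line.strip() not in ("", "."):
            out.append(line.strip())
    return out


def review_hjt(log):
    """Return {'trusted_zone': [domain, ...], 'orphans': [(kind, body), ...]}."""
    trusted, orphans = [], []
    for line in hjt_section(log):
        m = TRUSTED.match(line)
        if m:
            trusted.append(m.group("domain"))
            continue
        m = ORPHAN.match(line)
        if m:
            orphans.append((m.group("kind"), m.group("body")))
    return {"trusted_zone": trusted, "orphans": orphans}


# Constructed sample in DDS style (placeholder domains and CLSIDs).
SAMPLE_DDS = """\
============== Running Processes ===============
.
C:\\WINDOWS\\Explorer.EXE
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uURLSearchHooks: H - No File
BHO: Example Helper: {00000000-0000-0000-0000-000000000001} - c:\\program files\\example\\helper.dll
TB: {00000000-0000-0000-0000-000000000002} - No File
Trusted Zone: example-untrusted.test
Trusted Zone: *.example-corp.test
.
============= SERVICES / DRIVERS ===============
.
R1 Example;Example Driver;c:\\windows\\system32\\drivers\\example.sys [2011-1-1 1]
"""

if __name__ == "__main__":
    report = review_hjt(SAMPLE_DDS)
    for domain in report["trusted_zone"]:
        print("Trusted Zone entry to review:", domain)
    for kind, body in report["orphans"]:
        print(f"orphaned {kind} entry (DLL missing): {body}")
```

Orphaned entries are clutter rather than active malware, since the DLL they point at no longer exists, but they are usually the residue of a removed toolbar or hijacker and are worth noting alongside any Trusted Zone domain the user did not add deliberately.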

drafterf250
2011-09-08, 14:26
Well, I did that. Thanks for everything, Bill and Team Spybot... greatly appreciated. :thanks::D::D::D: