
Thread: drafterf250

  1. #11
    Junior Member, Join Date Aug 2011, Location johnstown pa, Posts 13

    Hey Bill. Sorry for the delay. I was out of town for work. I could still use your help though.

    Dear drafterf250,

    redcar92 has just replied to a thread you have subscribed to entitled - help please bad viruses - in the Malware Removal forum of Safer-Networking Forums.

    This thread is located at:
    http://forums.spybot.info/showthread...6&goto=newpost

    Here is the message that has just been posted:
    ***************
    Greetings draterf250,

    You do need an antivirus. I would recommend just one of the ones listed below. More than one AV will cause you problems. In my final speech I will have more recommendations.
    Microsoft Security Essentials at http://www.microsoft.com/security/pc-security/mse.aspx
    AVAST from here http://download.cnet.com/Avast-Free-...-10019223.html
    AVIRA from here http://download.cnet.com/Avira-AntiV...-10322935.html

    Next
    Download TFC (http://oldtimer.geekstogo.com/TFC.exe) to your desktop.
    * Close any open windows.
    * Double-click the TFC icon to run the program.
    * TFC will close all open programs itself in order to run.
    * Click the Start button to begin the process.
    * Allow TFC to run uninterrupted.
    * The program should not take long to finish its job.
    * Once it's finished it should automatically reboot your machine;
    * if it doesn't, manually reboot to ensure a complete clean.


    Next
    Please download Malwarebytes' Anti-Malware from Here (http://www.besttechie.net/mbam/mbam-setup.exe).
    Double-click mbam-setup.exe to install the application.
    * Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    * If an update is found, it will download and install the latest version.
    * Once the program has loaded, select "Perform Quick Scan", then click Scan.
    * The scan may take some time to finish, so please be patient.
    * When the scan is complete, click OK, then Show Results to view the results.
    * Make sure that everything is checked, and click Remove Selected.
    * When disinfection is completed, a log will open in Notepad and you may be prompted to restart. (See Extra Note.)
    * The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    * Copy and paste the entire report in your next reply.

    Extra Note:
    If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

    Next
    Please use Internet Explorer to download and run the following scan: ESET Online Scanner (http://www.eset.com/onlinescan/)
    * Place a check mark in the box YES, I accept the Terms Of Use.
    * Click the Start button.
    * Now click the Install button.
    * Click Start. The scanner engine will initialize and update.
    * Do NOT place a check mark in the box beside Remove found threats.
    * Click the Scan button. The scan will now run, please be patient.
    * When the scan finishes, if there are any infections you will see a List of found threats.
    * Click Export to text file.
    * Copy and paste the contents of C:\Program Files\ESET\log.txt into your next reply.
    * If no threats are found there will be no list; this is good, just tell me that no threats were found.


    Logs to post:
    * Malwarebyte.txt
    * Results of ESET scan
    * How is your PC running now.


    ***************


    There may also be other replies, but you will not receive any more notifications until you visit the forum again.

    All the best,
    Safer-Networking Forums


    Malwarebytes' Anti-Malware 1.51.1.1800
    www.malwarebytes.org

    Database version: 7534

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    8/22/2011 7:32:40 AM
    mbam-log-2011-08-22 (07-32-40).txt

    Scan type: Quick scan
    Objects scanned: 177697
    Time elapsed: 3 minute(s), 21 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 5

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:

    ---------------------------------------------------------------------------------

    C:\Documents and Settings\User\My Documents\Downloads\registrybooster.exe Win32/RegistryBooster application
    C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\d55140\28.mof.vir Win32/RogueAV.A trojan
    C:\System Volume Information\_restore{0EB28527-34FF-4327-913D-8B9F37FA334C}\RP723\A0078961.mof Win32/RogueAV.A trojan
    C:\WINDOWS\system32\drivers\etc\hosts.20090306-154100.backup Win32/Qhost trojan
    C:\WINDOWS\system32\drivers\etc\hosts.20101204-140519.backup Win32/Qhost trojan
    C:\WINDOWS\system32\drivers\etc\hosts.20101204-140943.backup Win32/Qhost trojan
    C:\WINDOWS\system32\drivers\etc\hosts.20101204-140945.backup Win32/Qhost trojan
    C:\WINDOWS\system32\drivers\etc\hosts.20101204-140947.backup Win32/Qhost trojan
    C:\WINDOWS\system32\drivers\etc\hosts.20101204-140948.backup Win32/Qhost trojan
    C:\WINDOWS\system32\drivers\etc\hosts.20101204-140949.backup Win32/Qhost trojan
    C:\WINDOWS\system32\drivers\etc\hosts.20101204-140950.backup Win32/Qhost trojan
    C:\WINDOWS\system32\drivers\etc\hosts.20101204-140953.backup Win32/Qhost trojan
    C:\WINDOWS\system32\drivers\etc\hosts.20101204-140955.backup Win32/Qhost trojan
    C:\WINDOWS\system32\drivers\etc\hosts.20101206-083406.backup Win32/Qhost trojan
    C:\WINDOWS\system32\drivers\etc\hosts.20101206-083410.backup Win32/Qhost trojan
    C:\WINDOWS\system32\drivers\etc\hosts.20101206-083411.backup Win32/Qhost trojan
    C:\WINDOWS\system32\drivers\etc\hosts.20101206-083412.backup Win32/Qhost trojan
    C:\WINDOWS\system32\drivers\etc\hosts.20101206-083413.backup Win32/Qhost trojan
    C:\WINDOWS\system32\drivers\etc\hosts.20101206-083414.backup Win32/Qhost trojan
    C:\WINDOWS\system32\drivers\etc\hosts.20101206-091222.backup Win32/Qhost trojan
    C:\WINDOWS\system32\drivers\etc\hosts.20101206-091227.backup Win32/Qhost trojan
    C:\WINDOWS\system32\drivers\etc\hosts.20101206-091228.backup Win32/Qhost trojan
    C:\WINDOWS\system32\drivers\etc\hosts.20101206-091229.backup Win32/Qhost trojan
    C:\WINDOWS\system32\drivers\etc\hosts.20101206-091230.backup Win32/Qhost trojan
    C:\WINDOWS\system32\drivers\etc\hosts.20101206-091231.backup Win32/Qhost trojan
    C:\WINDOWS\system32\drivers\etc\hosts.20101206-091232.backup Win32/Qhost trojan
    C:\WINDOWS\system32\drivers\etc\hosts.20101206-091233.backup Win32/Qhost trojan
    C:\WINDOWS\system32\drivers\etc\hosts.20101206-091234.backup Win32/Qhost trojan
    C:\WINDOWS\system32\drivers\etc\hosts.20101206-091235.backup Win32/Qhost trojan
    C:\WINDOWS\system32\drivers\etc\hosts.20101220-095202.backup Win32/Qhost trojan
    C:\WINDOWS\system32\drivers\etc\hosts.20101220-095205.backup Win32/Qhost trojan
    C:\WINDOWS\system32\drivers\etc\hosts.20101220-095206.backup Win32/Qhost trojan
    C:\WINDOWS\system32\drivers\etc\hosts.20101220-095207.backup Win32/Qhost trojan
    C:\WINDOWS\system32\drivers\etc\hosts.20101220-095208.backup Win32/Qhost trojan
    C:\WINDOWS\system32\drivers\etc\hosts.20101220-095209.backup Win32/Qhost trojan
    C:\WINDOWS\system32\drivers\etc\hosts.20101220-095210.backup Win32/Qhost trojan
    C:\WINDOWS\system32\drivers\etc\hosts.20101220-095211.backup Win32/Qhost trojan
    C:\WINDOWS\system32\drivers\etc\hosts.20101220-095212.backup Win32/Qhost trojan
    C:\WINDOWS\system32\drivers\etc\hosts.20101220-095213.backup Win32/Qhost trojan
    C:\WINDOWS\system32\drivers\etc\hosts.20101229-082523.backup Win32/Qhost trojan
    C:\WINDOWS\system32\drivers\etc\hosts.20101229-082526.backup Win32/Qhost trojan
    C:\WINDOWS\system32\drivers\etc\hosts.20101229-082617.backup Win32/Qhost trojan
    C:\WINDOWS\system32\drivers\etc\hosts.20101229-082618.backup Win32/Qhost trojan
    C:\WINDOWS\system32\drivers\etc\hosts.20101229-082619.backup Win32/Qhost trojan
    C:\WINDOWS\system32\drivers\etc\hosts.20101229-082620.backup Win32/Qhost trojan
    C:\WINDOWS\system32\drivers\etc\hosts.20101229-082621.backup Win32/Qhost trojan
    C:\WINDOWS\system32\drivers\etc\hosts.20101229-082622.backup Win32/Qhost trojan
    C:\WINDOWS\system32\drivers\etc\hosts.20101229-082623.backup Win32/Qhost trojan
    C:\WINDOWS\system32\drivers\etc\hosts.20110802-090732.backup Win32/Qhost trojan
    C:\WINDOWS\system32\drivers\etc\hosts.20110802-090734.backup Win32/Qhost trojan
    C:\WINDOWS\system32\drivers\etc\hosts.20110802-090736.backup Win32/Qhost trojan
    C:\WINDOWS\system32\drivers\etc\hosts.20110802-090737.backup Win32/Qhost trojan
    C:\WINDOWS\system32\drivers\etc\hosts.20110802-090738.backup Win32/Qhost trojan
    C:\WINDOWS\system32\drivers\etc\hosts.20110802-090739.backup Win32/Qhost trojan
    C:\WINDOWS\system32\drivers\etc\hosts.20110802-101422.backup Win32/Qhost trojan
    C:\WINDOWS\system32\drivers\etc\hosts.20110802-101423.backup Win32/Qhost trojan
    C:\WINDOWS\system32\drivers\etc\hosts.20110802-101426.backup Win32/Qhost trojan
    C:\WINDOWS\system32\drivers\etc\hosts.20110802-101427.backup Win32/Qhost trojan
    C:\WINDOWS\system32\drivers\etc\hosts.20110802-101428.backup Win32/Qhost trojan
    C:\WINDOWS\system32\drivers\etc\hosts.20110802-101429.backup Win32/Qhost trojan
    C:\WINDOWS\system32\drivers\etc\hosts.20110802-101430.backup Win32/Qhost trojan
    C:\WINDOWS\system32\drivers\etc\hosts.20110802-101438.backup Win32/Qhost trojan
    C:\WINDOWS\system32\drivers\etc\hosts.20110802-101439.backup Win32/Qhost trojan
    C:\WINDOWS\system32\drivers\etc\hosts.20110802-101440.backup Win32/Qhost trojan
    C:\WINDOWS\system32\drivers\etc\hosts.20110802-101441.backup Win32/Qhost trojan
    C:\WINDOWS\system32\drivers\etc\hosts.20110802-101442.backup Win32/Qhost trojan
    C:\WINDOWS\system32\drivers\etc\hosts.20110802-110355.backup Win32/Qhost trojan
    C:\WINDOWS\system32\drivers\etc\hosts.20110802-110356.backup Win32/Qhost trojan
    C:\WINDOWS\system32\drivers\etc\hosts.20110802-110357.backup Win32/Qhost trojan
    C:\WINDOWS\system32\drivers\etc\hosts.20110802-110358.backup Win32/Qhost trojan
    C:\WINDOWS\system32\drivers\etc\hosts.20110802-110359.backup Win32/Qhost trojan
    C:\WINDOWS\system32\drivers\etc\hosts.20110803-131936.backup Win32/Qhost trojan
    C:\WINDOWS\system32\drivers\etc\hosts.20110803-131937.backup Win32/Qhost trojan
    C:\WINDOWS\system32\drivers\etc\hosts.20110803-131938.backup Win32/Qhost trojan
    C:\WINDOWS\system32\drivers\etc\hosts.20110803-131939.backup Win32/Qhost trojan
    C:\WINDOWS\system32\drivers\etc\hosts.20110803-131940.backup Win32/Qhost trojan
    C:\WINDOWS\system32\drivers\etc\hosts.20110805-121817.backup Win32/Qhost trojan
    C:\WINDOWS\system32\drivers\etc\hosts.20110805-121818.backup Win32/Qhost trojan
    C:\WINDOWS\system32\drivers\etc\hosts.20110805-121819.backup Win32/Qhost trojan
    C:\WINDOWS\system32\drivers\etc\hosts.20110805-121820.backup Win32/Qhost trojan
    C:\WINDOWS\system32\drivers\etc\hosts.20110805-121821.backup Win32/Qhost trojan
    C:\WINDOWS\system32\drivers\etc\hosts.20110805-121822.backup Win32/Qhost trojan
    C:\WINDOWS\system32\drivers\etc\hosts.20110805-141046.backup Win32/Qhost trojan
    C:\WINDOWS\system32\drivers\etc\hosts.20110805-141047.backup Win32/Qhost trojan
    C:\WINDOWS\system32\drivers\etc\hosts.20110805-141048.backup Win32/Qhost trojan
    C:\WINDOWS\system32\drivers\etc\hosts.20110805-141049.backup Win32/Qhost trojan
    C:\WINDOWS\system32\drivers\etc\hosts.20110805-141050.backup Win32/Qhost trojan
    C:\WINDOWS\system32\drivers\etc\hosts.20110805-141051.backup Win32/Qhost trojan
    Thanks for your help.

  2. #12
    Junior Member, Join Date Aug 2011, Location johnstown pa, Posts 13

    PC is still pretty slow.

  3. #13
    Senior Member, Join Date Aug 2010, Location Near Atlanta, GA, Posts 189

    Greetings draterf250,
    Did you find an antivirus yet?

    ESET showed some files that need to go.

    You have 3 on your PC. Here is a good link to some good info on regcleaners: http://miekiemoes.blogspot.com/2008/...eaking_13.html Please let me know if you need assistance removing this one.

    Next
    Press the WinKey + R to open a run box, then copy/paste the following single-line command into the Run box and click OK:

    cmd /c del /f /q "C:\WINDOWS\system32\drivers\etc\hosts.20*.backup"

    Let me know when done and if there is any improvement in performance.

  4. #14
    Junior Member, Join Date Aug 2011, Location johnstown pa, Posts 13

    Hey Bill,
    I do have Microsoft Security Essentials.
    I didn't do the registry clean yet or the second operation.
    I was worried about deleting the wrong things, so I could use your help.

  5. #15
    Senior Member, Join Date Aug 2010, Location Near Atlanta, GA, Posts 189

    Greetings draterf250,
    Good you have an AV and MS Security Essentials is a good one.
    I apologize for the confusion. I see that you have a program called Registry Booster on your system. These registry booster and cleaner programs are not all that they are advertised to be, and often can harm your system. It is recommended that you don't use and remove them from your system. Here is some good information about regcleaners and boosters.

    ESET showed a few problems still on your system.
    It appears that you have or had Uniblue Registry Booster installed and there are traces of it still on your PC. If you wish I can help you remove them.

    The Qoobox entry will be removed when we clean up ComboFix.

    The C:\System Volume Information\_restore{0EB28527-34FF-4327-913D-8B9F37FA334C}\RP723\A0078961.mof Win32/RogueAV.A trojan will be removed when we reset the restore points.

    That leaves us with several files starting with C:\WINDOWS\system32\drivers\etc\hosts.
    To remove these files please do the following.
    Press the WinKey + R to open a Run box, then copy/paste the following single-line command into the Run box and click OK:

    cmd /c del /f /q "C:\WINDOWS\system32\drivers\etc\hosts.20*.backup"

    Let me know when done and if there is any improvement in performance, and if you want help with Registry Booster please.
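The command above removes the timestamped hosts.*.backup copies that ESET flagged, but Win32/Qhost is a hosts-file hijack, so the live C:\WINDOWS\system32\drivers\etc\hosts deserves the same scrutiny before the cleanup is called done. The following is an added example, not code from the thread or from any tool it mentions: it parses a hosts file, flags names redirected off loopback or security/update domains blackholed to 127.0.0.1, and selects only the timestamped backup files (never the live file) for deletion. The watch list of domains, the sample hosts contents and the sample file names are all constructed for the example; Python is used because the checks are plain text parsing that runs on any machine against a copied hosts file.

```python
"""Audit a Windows hosts file for Qhost-style hijacks and pick out the
timestamped hosts.*.backup copies that ESET flagged, without ever
touching the live 'hosts' file itself."""
import ipaddress
import re
import tempfile
from pathlib import Path

# Addresses a clean hosts file maps names to (loopback or blackhole).
BENIGN_TARGETS = {"127.0.0.1", "::1", "0.0.0.0"}

# Domains a Qhost-style hijack commonly blackholes so the victim cannot
# reach AV vendors or Windows Update. This watch list is an assumption
# for the example, not something taken from the thread.
WATCHLIST = (
    "microsoft.com", "windowsupdate.com", "malwarebytes.org",
    "eset.com", "avast.com", "avira.com", "google.com",
)

# hosts.YYYYMMDD-HHMMSS.backup, the naming seen in the ESET results above.
BACKUP_NAME = re.compile(r"^hosts\.20\d{6}-\d{6}\.backup$", re.IGNORECASE)


def parse_hosts(text):
    """Yield (line_no, ip, hostname) for every mapping in a hosts file,
    skipping blank lines and '#' comments (inline comments included)."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            yield line_no, ip, name.lower()


def audit_hosts(text):
    """Return findings as (line_no, hostname, ip, reason) tuples.

    Two patterns are flagged: any name sent to a non-loopback address
    (pharming-style redirect), and any watch-listed security/update domain
    mapped at all, since even 127.0.0.1 blackholes it."""
    findings = []
    for line_no, ip, name in parse_hosts(text):
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            findings.append((line_no, name, ip, "unparseable address"))
            continue
        watched = any(name == d or name.endswith("." + d) for d in WATCHLIST)
        if ip not in BENIGN_TARGETS:
            findings.append((line_no, name, ip, "redirect to non-loopback address"))
        elif watched:
            findings.append((line_no, name, ip, "security/update domain blackholed"))
    return findings


def find_hosts_backups(etc_dir):
    """Return the timestamped backup copies in etc_dir, sorted by name.
    The live 'hosts' file never matches BACKUP_NAME, so it is never listed."""
    return sorted(p for p in Path(etc_dir).iterdir()
                  if p.is_file() and BACKUP_NAME.match(p.name))


# Constructed sample hosts file: line 3 is the only legitimate entry.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
127.0.0.1       localhost            # normal
127.0.0.1       www.malwarebytes.org
127.0.0.1       update.microsoft.com
203.0.113.10    www.google.com
203.0.113.10    online.bank.example
not-an-ip       broken.example
"""


def demo_backup_listing():
    """Build a throwaway etc directory with constructed file names and
    return the backup names find_hosts_backups() selects from it."""
    with tempfile.TemporaryDirectory() as tmp:
        for name in ("hosts", "hosts.20101204-140519.backup",
                     "hosts.20110805-141051.backup", "hosts.bak"):
            Path(tmp, name).write_text("127.0.0.1 localhost\n")
        return [p.name for p in find_hosts_backups(tmp)]


if __name__ == "__main__":
    for line_no, name, ip, reason in audit_hosts(SAMPLE_HOSTS):
        print(f"line {line_no}: {name} -> {ip}: {reason}")
    print("backups to delete:", demo_backup_listing())
```

On the affected machine the same check applies to the real file by passing the text of C:\WINDOWS\system32\drivers\etc\hosts to audit_hosts(); a default Windows XP hosts file carries only the 127.0.0.1 localhost line, so any other mapping needs an explanation. Once the live file is clean, the names returned by find_hosts_backups() are the ones to delete, and nothing else in that directory.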

  6. #16
    Junior Member, Join Date Aug 2011, Location johnstown pa, Posts 13

    Mission complete... My computer runs about the same, just a little slower to start up still. I deleted everything I could with Registry Booster and did the copy-and-paste command. Bill

  7. #17
    Senior Member, Join Date Aug 2010, Location Near Atlanta, GA, Posts 189

    Greetings draterf250,
    You say your PC is OK but a little slow. There are many things besides malware that can slow down your PC. You could start by clicking Start -> Run, enter cleanmgr and click OK. Follow the on-screen prompts. Check everything except compress files and folders (this slows things down). Next I would recommend this item. Be sure to uncheck any and all checkboxes encountered during installation asking to download other programs. Also it may put another BHO (Browser Helper Object) on your web browser. Download and run Puran Disk Defragmenter. It does an excellent job. You should Google "speed up my PC" or "my PC is slow"; there are many excellent sites offering tips to speed up your PC. Don't get suckered into paying for programs. They seldom work well and, as I said before, stay away from registry boosters and cleaners as they offer minimal help at best and often do damage.

    Next
    To clear the Java Plug-in cache:
    Click Start > Control Panel.
    Double-click the Java icon in the Control Panel.
    On the General tab, click Settings under Temporary Internet Files.
    On the Temporary Files Settings screen, click Delete Files.
    Check all boxes.
    Click OK.
    Reboot the computer.

    Next
    Your Java appears to be down-level.
    Navigate to Control Panel, then open Add/Remove Programs.
    Highlight each Java item listed, then Remove or Uninstall.
    Visit this site to download and install the latest Java.

    Next
    Your Adobe appears to be down-level.
    Please visit this site. Click on the Adobe Reader icon on the right side and you will be presented with the correct Adobe for your system.
    Download and install this Adobe please.

    Next
    Double click dds.scr to run the tool.
    When done, DDS.txt will open.
    Save to your desktop.
    Please include the contents of the following in your reply using Copy / Paste:
    DDS.txt
    Last edited by redcar92; 2011-08-30 at 02:37.

  8. #18
    Junior Member, Join Date Aug 2011, Location johnstown pa, Posts 13

    Here ya go, thanks again.
    Dan.
    DDS (Ver_2011-08-26.01) - NTFSx86
    Internet Explorer: 8.0.6001.18702
    Run by User at 16:18:45 on 2011-08-30
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2038.1110 [GMT -4:00]
    .
    AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
    .
    ============== Running Processes ===============
    .
    C:\WINDOWS\system32\svchost.exe -k DcomLaunch
    svchost.exe
    c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\D-Link\D-Link DWA-552 Xtreme N Desktop Adapter\acs.exe
    svchost.exe
    C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
    C:\WINDOWS\system32\igfxsrvc.exe
    C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
    C:\Program Files\Microsoft Security Client\msseces.exe
    C:\Program Files\Skype\Phone\Skype.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\D-Link\D-Link DWA-552 Xtreme N Desktop Adapter\wirelesscm.exe
    C:\Program Files\Skype\Plugin Manager\skypePM.exe
    C:\Program Files\Google\Chrome\Application\chrome.exe
    C:\Program Files\AutoCAD 2010\acad.exe
    C:\Program Files\Google\Chrome\Application\chrome.exe
    C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    C:\Program Files\Common Files\Autodesk Shared\WSCommCntr1.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Google\Chrome\Application\chrome.exe
    C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe
    C:\Program Files\Google\Chrome\Application\chrome.exe
    C:\PROGRA~1\MICROS~2\Office12\OUTLOOK.EXE
    C:\WINDOWS\system32\wscntfy.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://www.google.com/
    uURLSearchHooks: H - No File
    mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
    BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
    BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg10\avgssie.dll
    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
    BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
    BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
    BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.6209.1142\swg.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
    TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
    TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
    TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
    uRun: [SsAAD.exe] c:\progra~1\sony\sonics~1\SsAAD.exe
    uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
    uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [RegistryBooster] "c:\program files\uniblue\registrybooster\launcher.exe" delay 20000
    mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
    mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
    mRun: [Persistence] c:\windows\system32\igfxpers.exe
    mRun: [Acrobat Assistant 7.0] "c:\program files\adobe\acrobat 7.0\distillr\Acrotray.exe"
    mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
    mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    StartupFolder: c:\docume~1\user\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
    StartupFolder: c:\docume~1\user\startm~1\programs\startup\vzacce~1.lnk - c:\program files\verizon wireless\vzaccess manager\VZAccess Manager.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobea~1.lnk - c:\windows\installer\{ac76ba86-1033-0000-7760-100000000002}\SC_Acrobat.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\mcafee~1.lnk - c:\program files\mcafee security scan\2.0.181\SSScheduler.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\wirele~1.lnk - c:\program files\d-link\d-link dwa-552 xtreme n desktop adapter\wirelesscm.exe
    IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
    IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {5067A26B-1337-4436-8AFE-EE169C2DA79F} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
    IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
    Trusted Zone: nobullhardcore.com
    DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
    DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1207599497640
    DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab
    DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
    DPF: {CAFEEFAC-0016-0000-0027-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab
    TCP: DhcpNameServer = 68.87.85.98 68.87.64.146
    TCP: Interfaces\{350F155D-8F39-4388-91AC-00E3BB947247} : DhcpNameServer = 68.87.85.98 68.87.64.146
    Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
    Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} -
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
    Notify: igfxcui - igfxdev.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    .
    ============= SERVICES / DRIVERS ===============
    .
    R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2011-4-18 165648]
    R1 MpKsl350f4625;MpKsl350f4625;c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{ddc4e873-3a42-4cbb-964e-94122a73b1ce}\MpKsl350f4625.sys [2011-8-30 28752]
    R2 aawservice;Ad-Aware 2007 Service;c:\program files\lavasoft\ad-aware 2007\aawservice.exe [2008-1-4 607576]
    R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-8-22 366640]
    R3 AE1000;Linksys AE1000 Driver;c:\windows\system32\drivers\AE1000XP.sys [2010-6-4 816672]
    R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-8-22 22712]
    S1 MpKsl275e986b;MpKsl275e986b;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{1921af4b-8067-4510-8fd8-a470c22a8924}\mpksl275e986b.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{1921af4b-8067-4510-8fd8-a470c22a8924}\MpKsl275e986b.sys [?]
    S1 MpKsl2bf0ace2;MpKsl2bf0ace2;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{1921af4b-8067-4510-8fd8-a470c22a8924}\mpksl2bf0ace2.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{1921af4b-8067-4510-8fd8-a470c22a8924}\MpKsl2bf0ace2.sys [?]
    S1 MpKsla480b5a2;MpKsla480b5a2;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{6ecf0f30-6e7b-4f25-8784-d43d917da786}\mpksla480b5a2.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{6ecf0f30-6e7b-4f25-8784-d43d917da786}\MpKsla480b5a2.sys [?]
    S2 AVGIDSAgent;AVGIDSAgent;"c:\program files\avg\avg10\identity protection\agent\bin\avgidsagent.exe" --> c:\program files\avg\avg10\identity protection\agent\bin\AVGIDSAgent.exe [?]
    S2 gupdate1c9f4064be4b752;Google Update Service (gupdate1c9f4064be4b752);c:\program files\google\update\GoogleUpdate.exe [2009-6-23 133104]
    S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\avg\avg10\toolbar\ToolbarBroker.exe [2010-11-11 517448]
    S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2009-6-23 133104]
    S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\mcafee security scan\2.0.181\McCHSvc.exe [2010-1-15 227232]
    S3 USB100TX;Linksys EtherFast 10/100 USB Network Adapter;c:\windows\system32\drivers\USB100TX.sys [2008-1-15 26304]
    .
    =============== File Associations ===============
    .
    .scr=AutoCADScriptFile
    .
    =============== Created Last 30 ================
    .
    2011-08-30 19:49:50 -------- d-----w- c:\documents and settings\all users\application data\McAfee Security Scan
    2011-08-30 19:49:48 -------- d-----w- c:\program files\McAfee Security Scan
    2011-08-30 19:45:42 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2011-08-30 19:45:42 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2011-08-30 19:40:28 28752 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{ddc4e873-3a42-4cbb-964e-94122a73b1ce}\MpKsl350f4625.sys
    2011-08-30 19:27:12 7152464 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{ddc4e873-3a42-4cbb-964e-94122a73b1ce}\mpengine.dll
    2011-08-26 12:39:39 180624 ----a-w- c:\windows\system32\Primomonnt.dll
    2011-08-24 13:06:47 7152464 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
    2011-08-24 11:52:35 274288 ----a-w- c:\windows\system32\mucltui.dll
    2011-08-24 11:52:35 215920 ----a-w- c:\windows\system32\muweb.dll
    2011-08-24 11:52:35 16736 ----a-w- c:\windows\system32\mucltui.dll.mui
    2011-08-23 12:59:02 222080 ------w- c:\windows\system32\MpSigStub.exe
    2011-08-23 12:57:09 -------- d-----w- c:\program files\Microsoft Security Client
    2011-08-22 11:39:02 -------- d-----w- c:\program files\ESET
    2011-08-22 11:28:06 -------- d-----w- c:\documents and settings\user\application data\Malwarebytes
    2011-08-22 11:28:01 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-08-22 11:28:00 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
    2011-08-22 11:27:57 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-08-22 11:27:57 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-08-11 22:38:00 139656 -c----w- c:\windows\system32\dllcache\rdpwd.sys
    2011-08-11 22:36:49 10496 -c----w- c:\windows\system32\dllcache\ndistapi.sys
    2011-08-08 12:08:51 98816 ----a-w- c:\windows\sed.exe
    2011-08-08 12:08:51 518144 ----a-w- c:\windows\SWREG.exe
    2011-08-08 12:08:51 256000 ----a-w- c:\windows\PEV.exe
    2011-08-08 12:08:51 208896 ----a-w- c:\windows\MBR.exe
    2011-08-02 16:59:25 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-08-02 12:35:29 105472 -c----w- c:\windows\system32\dllcache\mup.sys
    2011-08-02 12:30:42 -------- d-----w- c:\windows\system32\wbem\repository\FS
    2011-08-02 12:30:42 -------- d-----w- c:\windows\system32\wbem\Repository
    .
    ==================== Find3M ====================
    .
    2011-08-05 15:39:31 131 ----a-w- C:\DeletePrintJobs.cmd
    2011-07-15 13:29:31 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
    2011-07-08 14:02:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
    2011-06-24 14:10:36 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
    2011-06-23 18:36:30 916480 ----a-w- c:\windows\system32\wininet.dll
    2011-06-23 18:36:30 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2011-06-23 18:36:30 1469440 ------w- c:\windows\system32\inetcpl.cpl
    2011-06-23 12:05:13 385024 ----a-w- c:\windows\system32\html.iec
    2011-06-20 17:44:52 293376 ----a-w- c:\windows\system32\winsrv.dll
    2011-06-02 14:02:05 1858944 ----a-w- c:\windows\system32\win32k.sys
    .
    ============= FINISH: 16:19:21.93 ===============

  9. #19
    Senior Member
    Join Date
    Aug 2010
    Location
    Near Atlanta, GA
    Posts
    189

    Default

    Greetings draterf250,
    I can see that you have a web site stored in the "Trusted Zones" section of your log. The only advantage to having a domain stored in your Trusted Zones is that the domain will not prompt you for any permission before installing software or updates from the "trusted" site.
    This also means, however, that if a malware exploit comes out where a site can spoof its domain name to match one stored in your Trusted Zones, then you will never know when (or what) they install on your machine.
    If you remove this entry, these sites will still be able to install software, but only after receiving permission from you to do so, putting you back in control.
    I suggest you remove the following entries:

    nobullhardcore.com


    You can remove sites from your Trusted Zones via:

    IE > Tools > Internet Options > Security tab > Trusted Zone > Sites

    Now it is time to clean up our tools a bit.
    The following will implement some cleanup procedures as well as reset System Restore points:
    • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
    • See this Link for programs that need to be disabled and instructions on how to disable them.
    • Remember to re-enable them when we're done.


    Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

    ComboFix /Uninstall


    Next

    On your desktop right click on aswMBR.exe and select delete. Do the same for aswMBR.txt
    On your desktop right click on deldomains.inf and select delete.

    You should keep TFC, Malwarebytes, ESET and ERUNT. Update and run them on a regular basis to keep your pc running malware free.

    From the look of your logs, you are finally All Clean and the machine seems to be performing as it should. You know how much work and effort you've had to put into getting it back into working order, so hopefully you can impress upon the others who use this machine to be more careful.

    For the future safety of this machine and your data, try to ensure they sit down and read the following threads: (it won't take them very long)

    Cracked/Illegal Software

    Perils of P2P File Sharing

    Think Prevention

    If there aren't any more problems, we have some final housekeeping to tend to now.

    To help protect your computer in the future I recommend that you follow these steps and look into the following free programs:

    * Microsoft Windows Update - http://www.windowsupdate.com
    Visit regularly. This will ensure your computer always has the latest security updates. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

    * SpywareBlaster to help prevent spyware from installing in the first place. Install & update SpywareBlaster with the latest definitions. After you have updated, click the button - enable protection for all unprotected items.
    o SpywareBlaster is a preventative program. It sets flags in the registry to prevent the running of a specific list of bad spyware related ActiveX controls. It will block any bad ActiveX from running in Internet Explorer and Firefox if it's listed in their database (which you should update frequently). To view their database and list of restricted sites, launch the program and click on each of the tabs on the main display page.

    * WOT (Web of Trust). As 'Googling' is such an integral part of internet life, this free browser add-on warns you about risky websites that try to scam visitors, deliver malware or send spam. It is especially helpful when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:
    o Green to go
    o Yellow for caution
    o Red to stop
    WOT has an add-on available for both Firefox and IE.


    * Scan here http://secunia.com/software_inspector/ for out of date & vulnerable common applications on your computer

    Please post any questions, concerns or issues now, as this thread will close a few days after the last post.
    Thanks for all of your patience and hard work.
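    The Trusted Zones point above is easy to audit without clicking through the IE dialog, because zone assignments are stored per domain under the Internet Settings ZoneMap registry key. The script below is an added example, not part of the original thread or of any Spybot tool: it lists every domain-to-zone mapping for the current user and warns about any domain placed in zone 2 (Trusted sites), which is the zone that suppresses the install prompts described in the post. The zone number meanings (0 My Computer, 1 Local intranet, 2 Trusted sites, 3 Internet, 4 Restricted sites) are the standard IE values; the function name Get-ZoneMapEntries is my own.

```powershell
# Added example: audit Internet Explorer security-zone assignments for the current user.
# Each subkey of ZoneMap\Domains is a domain; nested subkeys are host labels under it
# (e.g. 'www' under 'example.com'). Each value is named by scheme ('http', 'https' or '*')
# and holds the zone number as a DWORD.
$zoneNames = @{
    0 = 'My Computer'
    1 = 'Local intranet'
    2 = 'Trusted sites'
    3 = 'Internet'
    4 = 'Restricted sites'
}
$root = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'

function Get-ZoneMapEntries {
    # Hypothetical helper name; walks the ZoneMap\Domains tree recursively.
    param(
        [string]$Path,
        [string]$Suffix = ''   # parent domain accumulated while descending into host-label subkeys
    )
    if (-not (Test-Path -Path $Path)) { return }
    foreach ($key in Get-ChildItem -Path $Path) {
        $domain = if ($Suffix) { "$($key.PSChildName).$Suffix" } else { $key.PSChildName }
        foreach ($scheme in $key.GetValueNames()) {
            $zone = [int]$key.GetValue($scheme)
            [pscustomobject]@{
                Domain   = $domain
                Scheme   = $scheme
                Zone     = $zone
                ZoneName = $zoneNames[$zone]
            }
        }
        # Recurse into host-label subkeys, prefixing the label onto the parent domain
        Get-ZoneMapEntries -Path $key.PSPath -Suffix $domain
    }
}

$entries = @(Get-ZoneMapEntries -Path $root)
if ($entries.Count -eq 0) {
    Write-Output 'No per-domain zone assignments found for the current user.'
    return
}

$entries | Sort-Object Zone, Domain | Format-Table -AutoSize

# Zone 2 entries are the ones that skip the permission prompt; review each one deliberately.
$trusted = $entries | Where-Object { $_.Zone -eq 2 }
if ($trusted) {
    $list = ($trusted.Domain | Sort-Object -Unique) -join ', '
    Write-Warning "Domains in the Trusted sites zone (no install prompt): $list"
}
```

    Run it in a normal PowerShell window; no elevation is needed for HKCU. Machine-wide assignments live under the same path below HKLM:, and IP address ranges are kept in the sibling ZoneMap\Ranges key, so repeat the walk there if you want a complete picture. Any Trusted-sites entry you do not recognise can then be removed through the IE dialog exactly as the post describes.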

  10. #20
    Junior Member
    Join Date
    Aug 2011
    Location
    johnstown pa
    Posts
    13

    Default

    Well, I did that. Thanks for everything Bill and team Spybot..... greatly appreciated.
