trojan backdoor rustock, nircmdc, Trojan-Clicker.Win32.Costrat.fn [RES



#1
louuu

louuu

    Member

  • Member
  • PipPipPip
  • 223 posts
Please note that item 21 in my HijackThis log is a valid entry and is my Spector software, which allows me to monitor the other computer in my home.

Hi, I really need some help as everything has just gone haywire in the last few hours. I'm running Windows Vista. First I had a blue screen of death. Then upon reboot my Spy Sweeper software kept quarantining something called Trojan Backdoor Rustock. I deleted it from quarantine and it kept coming back. Then something caused my Norton Internet Security to turn red, and when I checked it, it seems something had turned the firewall off. Of course I manually turned it back on. Also, Windows Security Center has popped up saying I don't have an antivirus installed, but my Norton Internet Security says the antivirus part of it is up and running. Lastly, my internet connection, which is normally on, has a red X on it as if it was off. But it isn't off, as I'm able to access the internet. When I click it, instead of showing me that I have a local and internet connection like it normally does, it now says "connection status unknown, class not registered". Then Spy Sweeper came up again saying I had something called nircmdc.cfexe trojan too. And when I ran a Kaspersky scan it came up with Trojan-Clicker.Win32.Costrat.fn.

So I tried to access System Restore to go back in time to before this happened, and I couldn't believe that my last System Restore point was 5 days ago! Apparently this virus must have somehow stopped my System Restore from working 5 days ago. So I tried to use System Restore with every available point that was there before this event happened, but each and every time it was not able to complete successfully. Finally I was able to use System Restore by accessing it in Safe Mode. So I did a System Restore in Safe Mode and put my computer back about 7 days.

Now, after using System Restore, my internet connection is back to normal. But Spy Sweeper once again found a trojan called Trojan Backdoor Gen. It seems that maybe something somewhere in my computer is causing this trojan/virus to come back. Also, some of my email accounts were having trouble with the passwords not being accepted and I had to reconfigure them, but now they work again. So I had Spy Sweeper delete the quarantined trojan it found. It was in location c:\327882r2fwjfw\nircmdc\cfexe. Then I ran Kaspersky again and it now came back clean. I have since rebooted and I don't think any trojan has come back again.

I just don't know if my system is totally clean. What I did on my own was run ComboFix, HijackThis and Kaspersky before I used System Restore, and those logs are below and as attachments. Then after System Restore I ran the same 3 logs again, and those logs are now attachments. After System Restore, it seems like the logs are clean, but I want to be sure there's nothing hiding in my system that can come back. PLEASE HELP!

ComboFix 08-04-20.2 - Lou 2008-04-21 2:21:41.3 - NTFSx86

Running from: C:\Users\Lou\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2008-03-21 to 2008-04-21 )))))))))))))))))))))))))))))))
.

2008-04-20 22:13 . 2008-04-20 22:13 <DIR> d-------- C:\Rustbfix
2008-04-20 18:08 . 2008-04-20 18:10 358,518,246 --a------ C:\Windows\MEMORY.DMP
2008-04-14 20:38 . 2008-04-14 20:38 <DIR> d-------- C:\Users\All Users\Ubisoft
2008-04-14 20:23 . 2008-04-14 20:23 <DIR> d-------- C:\Program Files\Ubisoft
2008-04-13 20:19 . 2008-04-21 02:10 <DIR> d-------- C:\Program Files\WinAVI Video Converter
2008-04-10 21:19 . 2008-04-10 21:19 55,218 --a------ C:\Windows\zeqbqwp.sys
2008-04-08 20:02 . 2008-02-14 19:19 944,184 --a------ C:\Windows\System32\winload.exe
2008-04-08 20:02 . 2008-02-19 01:10 620,088 --a------ C:\Windows\System32\ci.dll
2008-04-08 20:02 . 2008-02-29 02:39 371,712 --a------ C:\Windows\System32\srcore.dll
2008-04-08 20:02 . 2008-02-29 02:38 313,856 --a------ C:\Windows\System32\rstrui.exe
2008-04-08 20:02 . 2008-02-29 02:39 40,960 --a------ C:\Windows\System32\srclient.dll
2008-04-08 20:02 . 2008-02-29 02:51 19,000 --a------ C:\Windows\System32\kd1394.dll
2008-04-08 20:02 . 2008-02-29 02:38 16,384 --a------ C:\Windows\System32\srdelayed.exe
2008-04-08 20:02 . 2008-02-29 02:34 7,168 --a------ C:\Windows\System32\f3ahvoas.dll
2008-04-08 20:02 . 2008-02-29 02:35 6,656 --a------ C:\Windows\System32\kbd106n.dll
2008-04-08 20:01 . 2008-02-29 00:16 2,027,008 --a------ C:\Windows\System32\win32k.sys
2008-04-08 20:01 . 2008-02-21 00:43 296,448 --a------ C:\Windows\System32\gdi32.dll
2008-04-07 21:48 . 2008-04-07 22:07 524,288 --ahs---- C:\Users\Lou\ntuser.dat{e5fd28cb-0503-11dd-82ef-001d091e4b72}.TMContainer00000000000000000002.regtrans-ms
2008-04-07 21:48 . 2008-04-07 22:07 524,288 --ahs---- C:\Users\Lou\ntuser.dat{e5fd28cb-0503-11dd-82ef-001d091e4b72}.TMContainer00000000000000000001.regtrans-ms
2008-04-07 21:48 . 2008-04-07 22:07 65,536 --ahs---- C:\Users\Lou\ntuser.dat{e5fd28cb-0503-11dd-82ef-001d091e4b72}.TM.blf
2008-04-05 21:59 . 2008-04-05 21:59 <DIR> d-------- C:\Users\Lou\AppData\Roaming\NeroDCTemplates
2008-04-03 16:47 . 2008-04-03 16:47 <DIR> d-------- C:\Program Files\Common Files\Java
2008-04-01 15:26 . 2008-04-01 15:26 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-29 22:32 . 2008-03-29 22:32 <DIR> d-------- C:\Windows\System32\Kaspersky Lab
2008-03-29 22:32 . 2008-03-29 22:32 <DIR> d-------- C:\Users\All Users\Kaspersky Lab
2008-03-27 17:09 . 2008-03-05 15:56 3,786,760 --a------ C:\Windows\System32\D3DX9_37.dll
2008-03-27 17:09 . 2008-03-05 15:56 1,420,824 --a------ C:\Windows\System32\D3DCompiler_37.dll
2008-03-27 17:09 . 2008-03-05 16:03 479,752 --a------ C:\Windows\System32\XAudio2_0.dll
2008-03-27 17:09 . 2008-02-05 23:07 462,864 --a------ C:\Windows\System32\d3dx10_37.dll
2008-03-27 17:09 . 2007-10-22 03:39 267,272 --a------ C:\Windows\System32\xactengine2_10.dll
2008-03-27 17:09 . 2008-03-05 16:03 238,088 --a------ C:\Windows\System32\xactengine3_0.dll
2008-03-27 17:09 . 2008-03-05 16:00 25,608 --a------ C:\Windows\System32\X3DAudio1_3.dll
2008-03-27 17:03 . 2008-04-12 07:48 <DIR> d--h----- C:\Windows\msdownld.tmp
2008-03-27 16:55 . 2008-03-27 16:59 <DIR> d-------- C:\Program Files\FEAR Perseus Mandate
2008-03-27 11:08 . 2008-04-10 21:49 <DIR> d-------- C:\Program Files\SpywareBlaster

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-21 06:11 30,272 ----a-w C:\Windows\system32\drivers\pssdk31.drv
2008-04-21 06:10 --------- d-----w C:\Users\Lou\AppData\Roaming\dvdcss
2008-04-21 06:10 --------- d-----w C:\Users\Lou\AppData\Roaming\.BitTornado
2008-04-21 05:23 --------- d-----w C:\Program Files\RivaTuner v2.06
2008-04-15 00:37 22,328 ----a-w C:\Users\Lou\AppData\Roaming\PnkBstrK.sys
2008-04-15 00:23 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-09 00:45 --------- d-----w C:\Program Files\Windows Mail
2008-04-08 17:02 --------- d-----w C:\Users\Lou\AppData\Roaming\LimeWire
2008-04-08 01:46 --------- d-----w C:\Program Files\MagicISO
2008-04-03 20:48 --------- d-----w C:\Program Files\Java
2008-03-29 17:48 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-03-27 18:54 --------- d-----w C:\Program Files\SUPERAntiSpyware
2008-03-21 00:10 --------- d-----w C:\Program Files\LG Drivers
2008-03-19 21:52 --------- d-----w C:\Program Files\Norton Internet Security
2008-03-07 18:40 13,035 ----a-w C:\Windows\system32\drivers\SymRedir.cat
2008-03-07 18:40 1,358 ----a-w C:\Windows\system32\drivers\SymRedir.inf
2008-03-07 18:39 39,984 ----a-w C:\Windows\system32\drivers\symids.sys
2008-03-07 18:39 37,936 ----a-w C:\Windows\system32\drivers\symndisv.sys
2008-03-07 18:39 27,696 ----a-w C:\Windows\system32\drivers\symredrv.sys
2008-03-07 18:39 191,536 ----a-w C:\Windows\system32\drivers\symtdi.sys
2008-03-07 18:39 145,968 ----a-w C:\Windows\system32\drivers\symfw.sys
2008-03-07 18:39 12,848 ----a-w C:\Windows\system32\drivers\symdns.sys
2008-03-07 01:32 706 ----a-w C:\Windows\system32\drivers\COH_Mon.inf
2008-03-07 01:32 23,904 ----a-w C:\Windows\system32\drivers\COH_Mon.sys
2008-03-07 01:32 10,537 ----a-w C:\Windows\system32\drivers\COH_Mon.cat
2008-02-28 06:38 84,512 ----a-w C:\Users\Lou\AppData\Roaming\GDIPFONTCACHEV1.DAT
2008-02-26 04:04 --------- d-----w C:\Program Files\ffdshow
2008-02-26 03:58 --------- d-----w C:\Users\Lou\AppData\Roaming\Winamp
2008-02-26 03:58 --------- d-----w C:\Program Files\Winamp
2008-02-26 01:54 --------- d-----w C:\Program Files\Common Files\NSV
2008-02-21 00:04 --------- d-----w C:\Program Files\BitPim
2008-02-10 06:13 60,968 ----a-w C:\Users\Lou\GoToAssistDownloadHelper.exe
2008-01-22 19:46 164 ----a-w C:\install.dat
2008-01-16 18:55 174 --sha-w C:\Program Files\desktop.ini
2002-09-11 14:26 63,730 ----a-w C:\Program Files\viewsonicinstruct_xp.pdf
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ChoiceMail"="C:\Program Files\DigiPortal Software\ChoiceMail\ChoiceMail.exe" [2007-10-02 13:23 5230592]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [2006-11-02 08:35 125440]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-10 00:59 115816]
"NWEReboot"="" []
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2008-01-04 21:56 5367664]

C:\Users\Lou\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
RivaTuner.lnk - C:\Program Files\RivaTuner v2.06\RivaTuner.exe [2007-10-30 14:05:00 2650112]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"Disehdx"= {067D4C36-6943-42D1-A670-937A2838BE45} - C:\Windows\system32\dskihdb.dll [2008-01-16 22:37 761856]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL 2008-03-27 14:54 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=C:\Windows\pss\Digital Line Detect.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\Windows\pss\Microsoft Office.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^Users^Lou^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^PowerReg Scheduler.exe]
path=C:\Users\Lou\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PowerReg Scheduler.exe
backup=C:\Windows\pss\PowerReg Scheduler.exe.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Lou^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^RivaTuner.lnk]
path=C:\Users\Lou\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RivaTuner.lnk
backup=C:\Windows\pss\RivaTuner.lnk.Startup
backupExtension=.Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\!AVG Anti-Spyware]
--a------ 2007-06-11 05:25 6731312 C:\Program Files\GRISOFT\AVG Anti-Spyware 7.5\avgas.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
C:\Program Files\Adobe\Photoshop Elements 6.0\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 23:16 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
--a------ 2007-01-10 00:59 115816 C:\Program Files\Common Files\Symantec Shared\ccApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CCUTRAYICON]
--a------ 2007-06-27 11:18 215256 C:\Program Files\Intel\IntelDH\CCU\CCU_TrayIcon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
--a------ 2006-11-12 06:48 157592 C:\Program Files\DAEMON Tools\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupportCenter]
--a------ 2007-11-15 10:23 202544 C:\Program Files\Dell Support Center\bin\sprtcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dscactivate]
--a------ 2007-11-15 10:24 16384 C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray.exe]
--a------ 2006-11-02 08:35 125440 C:\Windows\ehome\ehTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus CX3800 Series]
--a------ 2007-01-25 06:00 179200 C:\Windows\system32\spool\DRIVERS\W32X86\3\E_FATIACA.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
--a------ 2007-12-13 20:10 1688872 C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IS CfgWiz]
--a------ 2007-11-26 22:02 456072 C:\Program Files\Common Files\Symantec Shared\OPC\{31011D49-D90C-4da0-878B-78D28AD507AF}\cltUIStb.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a------ 2006-10-03 12:37 81920 C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LightScribe Control Panel]
--a------ 2007-12-05 13:30 2295072 C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBKeyScan]
--a------ 2007-12-03 15:21 2213160 C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2007-03-01 15:57 153136 C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NMSSupport]
--a------ 2007-06-27 11:14 439512 C:\Program Files\Common Files\Intel\IntelDH\NMS\Support\IntelHCTAgent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2006-11-02 05:45 44544 C:\Windows\System32\rundll32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVIDIA nTune]
C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2006-11-02 05:45 44544 C:\Windows\System32\rundll32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvSvc]
--a------ 2006-11-02 05:45 44544 C:\Windows\System32\rundll32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDVDDXSrv]
--------- 2007-08-31 22:02 128296 C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-02-18 11:36 385024 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RivaTunerStartupDaemon]
--a------ 2007-10-30 14:05 2650112 C:\Program Files\RivaTuner v2.06\RivaTuner.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
--a------ 2007-09-12 04:40 405504 C:\Program Files\SigmaTel\C-Major Audio\WDM\sttray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
--a------ 2007-08-31 17:46 1460560 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpyHunter Security Suite]
--a------ 2008-01-23 15:48 344064 C:\Program Files\Enigma Software Group\SpyHunter\SHStartup.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-02-22 04:25 144784 C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
--a------ 2008-03-27 14:54 1481968 C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Symantec PIF AlertEng]
--a------ 2008-01-29 18:38 583048 C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UnlockerAssistant]
--a------ 2006-09-07 13:19 15872 C:\Program Files\Unlocker\UnlockerAssistant.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
C:\Program Files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
--a------ 2008-01-16 22:38 1006264 C:\Program Files\Windows Defender\MSASCui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Mobile Device Center]
%windir%\WindowsMobile\wmdc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
--a------ 2006-11-02 08:36 201728 C:\Program Files\Windows Media Player\WMPNSCFG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UacDisableNotify"=dword:00000001
"InternetSettingsDisableNotify"=dword:00000001
"AutoUpdateDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{75B9A9E2-CCE5-46EB-B3ED-1DF59A193BA8}"= C:\Program Files\CyberLink\PowerDVD DX\PowerDVD.exe:CyberLink PowerDVD DX
"{8EDE5A09-30DD-49D0-8D37-8A6A5171585E}"= C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe:CyberLink PowerDVD DX Resident Program
"{43FBC295-3EF0-4FC0-9162-B897B0372F90}"= UDP:Profile=Private|Profile=Public:LocalSubnet:LocalSubnet|C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\TSHWMDTCP.exe:SPCM
"{61EB5C2F-C598-4D27-AAB6-6A2FF946E1FC}"= TCP:Profile=Private|Profile=Public:LocalSubnet:LocalSubnet|C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\TSHWMDTCP.exe:SPCM
"{4866BEB9-CAA9-420C-8FDC-FB495D64B0C6}"= UDP:Profile=Private|Profile=Public:LocalSubnet:LocalSubnet|C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\Remote UI Service.exe:Intel® Remoting Service
"{ABD3D71D-0241-42CE-BBE8-330BAB6F9799}"= TCP:Profile=Private|Profile=Public:LocalSubnet:LocalSubnet|C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\Remote UI Service.exe:Intel® Remoting Service
"{C32D4FDC-5C12-44D6-8676-4455AB00F13B}"= UDP:Profile=Private|Profile=Public:LocalSubnet:LocalSubnet|C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\mediaserver.exe:Intel® Viiv™ Media Server
"{1E78DFEA-6E93-4EF4-A7D9-64439256B51C}"= TCP:Profile=Private|Profile=Public:LocalSubnet:LocalSubnet|C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\mediaserver.exe:Intel® Viiv™ Media Server
"{F161FF10-733C-43BD-81C3-237FCE4A03C3}"= TCP:Profile=Private|Profile=Public|9442:127.0.0.1:Intel® Viiv™ Media Server Discovery
"{6514FDF2-C619-40E0-9DE4-0218407DBD53}"= TCP:Profile=Private|Profile=Public|1900:LocalSubnet:LocalSubnet:Intel® Viiv™ Media Server UPnP Discovery
"{052B1593-3434-46F4-B214-E38138044FD4}"= Disabled:UDP:C:\Program Files\Adobe\Photoshop Elements 6.0\AdobePhotoshopElementsMediaServer.exe:Adobe Photoshop Elements Media Server
"{5F47FA16-C29E-4C22-B82C-CDC0B767B9BB}"= Disabled:TCP:C:\Program Files\Adobe\Photoshop Elements 6.0\AdobePhotoshopElementsMediaServer.exe:Adobe Photoshop Elements Media Server
"TCP Query User{F3150310-EBBA-4510-8495-06B2F24E2386}C:\\program files\\digiportal software\\choicemail\\choicemail.exe"= UDP:C:\program files\digiportal software\choicemail\choicemail.exe:ChoiceMail
"UDP Query User{46F5846B-4F82-495B-828C-63414E5D447B}C:\\program files\\digiportal software\\choicemail\\choicemail.exe"= TCP:C:\program files\digiportal software\choicemail\choicemail.exe:ChoiceMail
"{0994AFAE-7D6F-40E2-A4E3-AB9D9F932A27}"= UDP:C:\Program Files\LimeWire\LimeWire.exe:LimeWire
"{D7004304-D273-46E2-BABD-5F4337514114}"= TCP:C:\Program Files\LimeWire\LimeWire.exe:LimeWire
"{FC5DFF16-509E-4692-848F-1D7CA01E68D5}"= UDP:C:\Program Files\Electronic Arts\Crytek\Crysis\Bin32\Crysis.exe:Crysis_32
"{A827BA85-F1EB-4177-B4A5-97435E7CBD7B}"= TCP:C:\Program Files\Electronic Arts\Crytek\Crysis\Bin32\Crysis.exe:Crysis_32
"{7A9C5780-1252-4B16-BBC7-7F94AC9C97EC}"= UDP:C:\Program Files\Electronic Arts\Crytek\Crysis\Bin32\CrysisDedicatedServer.exe:CrysisDedicatedServer_32
"{D8FE101E-99A0-4805-BE69-40AD5A9796AA}"= TCP:C:\Program Files\Electronic Arts\Crytek\Crysis\Bin32\CrysisDedicatedServer.exe:CrysisDedicatedServer_32
"{13B2C350-B43A-4C6F-BADF-AB8E5D446EAC}"= UDP:C:\Windows\System32\PnkBstrA.exe:PnkBstrA
"{66722616-712E-423C-93D2-179ACA53E78E}"= TCP:C:\Windows\System32\PnkBstrA.exe:PnkBstrA
"{BAAFAA4B-06FC-446B-8047-10ADD1172357}"= UDP:C:\Windows\System32\PnkBstrB.exe:PnkBstrB
"{2A057F64-63D3-4745-A231-297CE58439FC}"= TCP:C:\Windows\System32\PnkBstrB.exe:PnkBstrB
"{875C9587-B5FF-4E43-B7A4-C9D1B34AD730}"= UDP:C:\Program Files\Ubisoft\Tom Clancy's Rainbow Six Vegas 2\Binaries\R6Vegas2_Game.exe:Tom Clancy's Rainbow Six Vegas 2
"{774C35A8-8A39-4A5C-BA53-6CD9E9F9F029}"= TCP:C:\Program Files\Ubisoft\Tom Clancy's Rainbow Six Vegas 2\Binaries\R6Vegas2_Game.exe:Tom Clancy's Rainbow Six Vegas 2
"{91931C20-4978-4867-8D39-33C2FBCA2731}"= UDP:C:\Program Files\Ubisoft\Tom Clancy's Rainbow Six Vegas 2\Binaries\R6Vegas2_Launcher.exe:Tom Clancy's Rainbow Six Vegas 2 Update
"{98314473-9A67-4AB3-84E0-E40A5E1DC1C0}"= TCP:C:\Program Files\Ubisoft\Tom Clancy's Rainbow Six Vegas 2\Binaries\R6Vegas2_Launcher.exe:Tom Clancy's Rainbow Six Vegas 2 Update

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr

*Newly Created Service* - CATCHME
*Newly Created Service* - COMHOST

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"C:\Program Files\Common Files\LightScribe\LSRunOnce.exe"
.
Contents of the 'Scheduled Tasks' folder
"2008-04-21 01:50:04 C:\Windows\Tasks\Casper Scheduled Copy of Disk 1 to Disk 2.job"
- C:\Program Files\Future Systems Solutions\Casper 4.0\CASPER.EXE?/COPY 1 2 /SIZE:57544704;24165872640;725930311680 /FS:FAT;NTFS;NTFS /VS:0x519C8406 /VT:0x2D4B48CE /uid:C58A96F3FDB1424E87047621A0D3D09C /AUTOSTART /Y
"2008-04-15 01:32:08 C:\Windows\Tasks\Norton Internet Security - Run Full System Scan - Lou.job"
- C:\Program Files\Norton Internet Security\Norton AntiVirus\Navw32.exeB/TASK:
"2008-04-01 04:30:02 C:\Windows\Tasks\wrSpySweeper_LC8EBE7589FC648EC93F760D755E3512A.job"
- C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe>/ScheduleSweep=wrSpySweeper_LC8EBE7589FC648EC93F760D755E3512A
- C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.ex
- C:\
.
**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
Completion time: 2008-04-21 2:25:53
ComboFix-quarantined-files.txt 2008-04-21 06:25:50

Pre-Run: 410,215,337,984 bytes free
Post-Run: 410,725,031,936 bytes free

261 --- E O F --- 2008-04-09 00:19:42



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:29:11 AM, on 2008-04-21
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16643)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\RivaTuner v2.06\RivaTuner.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\Explorer.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://cgi.verizon.n...mp;bm=ho_search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [ChoiceMail] "C:\Program Files\DigiPortal Software\ChoiceMail\ChoiceMail.exe"
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User '?')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User '?')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User '?')
O4 - HKUS\S-1-5-21-2570524930-4131161030-1994012012-1000\..\Run: [Sidebar] "C:\Program Files\Windows Sidebar\Sidebar.exe" /detectMem (User '?')
O4 - HKUS\S-1-5-21-2570524930-4131161030-1994012012-1001\..\Run: [ChoiceMail] "C:\Program Files\DigiPortal Software\ChoiceMail\ChoiceMail.exe" (User '?')
O4 - S-1-5-21-2570524930-4131161030-1994012012-1001 Startup: RivaTuner.lnk = C:\Program Files\RivaTuner v2.06\RivaTuner.exe (User '?')
O4 - Startup: RivaTuner.lnk = C:\Program Files\RivaTuner v2.06\RivaTuner.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: @C:\Windows\WindowsMobile\INetRepl.dll,-222 - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra 'Tools' menuitem: @C:\Windows\WindowsMobile\INetRepl.dll,-223 - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix:
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.appl...ex/qtplugin.cab
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebo...toUploader5.cab
O16 - DPF: {49312E18-AA92-4CC2-BB97-55DEA7BCADD6} (WMI Class) - https://support.dell...r/SysProExe.CAB
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O21 - SSODL: Disehdx - {067D4C36-6943-42D1-A670-937A2838BE45} - C:\Windows\system32\dskihdb.dll
O23 - Service: Intel® Alert Service (AlertService) - Intel® Corporation - C:\Program Files\Intel\IntelDH\CCU\AlertService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Intel® DHTrace Controller (DHTRACE) - Intel® Corporation - C:\Program Files\Common Files\Intel\IntelDH\bin\DHTraceController.exe
O23 - Service: DQLWinService - Unknown owner - C:\Program Files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: Intel® Software Services Manager (ISSM) - Intel® Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\ISSM.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Intel® Viiv™ Media Server (M1 Server) - Unknown owner - C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\mediaserver.exe
O23 - Service: Intel® Application Tracker (MCLServiceATL) - Intel® Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\MCLServiceATL.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: Intel® NMSCore (NMSCore) - Intel® Corporation - C:\Program Files\Common Files\Intel\IntelDH\NMS\NMSCore\NMSCore.exe
O23 - Service: Intel® Quality Manager (QualityManager) - Intel® Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\qualitymanager.exe
O23 - Service: Intel® Remoting Service (Remote UI Service) - Intel® Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\Remote UI Service.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Windows\system32\STacSV.exe
O23 - Service: Choice Mail (svcChoiceMail) - DigiPortal Software, Inc. - C:\Program Files\DigiPortal Software\ChoiceMail\\CMServer.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 9275 bytes


2008-04-21 6:15:13 AM
Operating System: Microsoft Windows Vista Home Edition, (Build 6000)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 21/04/2008
Kaspersky Anti-Virus database records: 718179

The Kaspersky log made this post too long, so below is the virus line found by Kaspersky, and I've attached the actual log as an attachment.

C:\Windows\zeqbqwp.sys Infected: Trojan-Clicker.Win32.Costrat.fn skipped


Edited by louuu, 23 April 2008 - 09:43 PM.




#2
Rorschach112 (Ralphie)
  • Retired Staff
  • 47,710 posts
Hello

CLICK THIS LINK TO BE SURE YOU CAN VIEW HIDDEN FILES

Please go here:
The Spy Killer Forum
  • Click on "New Topic"
  • Put your name, e-mail address, and this as the title: "C:\Windows\system32\dskihdb.dll"
  • Put a link to this topic in the description box.
  • Then next to the file box, at the bottom, click the browse button, then navigate to this file:
    • C:\Windows\system32\dskihdb.dll
  • Click Open.
  • Click Post.
Thank you!

1. Please re-open HiJackThis and choose do a system scan only. Check the boxes next to ONLY the entries listed below (if present):

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O21 - SSODL: Disehdx - {067D4C36-6943-42D1-A670-937A2838BE45} - C:\Windows\system32\dskihdb.dll


2. Now close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.



1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\Windows\system32\dskihdb.dll
C:\Windows\zeqbqwp.sys

Folder::

Registry::

Driver::


Save this as CFScript.txt, in the same location as ComboFix.exe


[Posted image not captured]

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Reboot and post a new HijackThis log

#3
louuu (Member, Topic Starter)
  • 223 posts
Hi, and thanks for your help. Two questions first: I think you didn't see in the first line of my post where I said item 21 in my HijackThis log is a valid entry. It's my Spector software program, which allows me to monitor the other computer in my home. I've had it for years, and again, it's a valid program, so I think you do not want me to delete it. Also, when I do the other steps, should I post the new HijackThis log here in this forum or at the Spy Killer forum? Please reply. Thanks.

#4
Rorschach112 (Ralphie)
  • Retired Staff
  • 47,710 posts
Yeah, missed that.

Just do this then

1. Please re-open HiJackThis and choose do a system scan only. Check the boxes next to ONLY the entries listed below (if present):

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

2. Now close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.



1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\Windows\zeqbqwp.sys

Folder::

Registry::

Driver::


Save this as CFScript.txt, in the same location as ComboFix.exe


[Posted image not captured]

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

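The two replies above walk through the same manual routine: read a HijackThis log, pick out the entries that do not belong (the R0 start page, the O21 SSODL DLL in system32), then hand ComboFix a CFScript listing the files to remove. The ComboFix log posted later in this thread also shows why the Security Center and firewall behaved as described in the first post: Security Center monitoring is switched off per product, EnableLUA is 0 and the firewall policy has EnableFirewall=0. The script below is an added example, written for this page and not part of the thread or of HijackThis, ComboFix or Kaspersky. It triages those log formats offline: the SAMPLE_LOG is constructed from lines quoted in this thread, the KNOWN_SSODL allowlist is an assumption (only WebCheck is treated as expected on a clean Vista machine), and the severity labels are the example's own, not a tool's verdict.

```python
import re
from dataclasses import dataclass

# Constructed sample: a few lines in HijackThis, Kaspersky and ComboFix
# "Reg Loading Points" format, copied from the logs posted in this thread.
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O21 - SSODL: Disehdx - {067D4C36-6943-42D1-A670-937A2838BE45} - C:\Windows\system32\dskihdb.dll
O23 - Service: DQLWinService - Unknown owner - C:\Program Files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Windows\zeqbqwp.sys Infected: Trojan-Clicker.Win32.Costrat.fn skipped
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)
"""

# Assumption: the only SSODL value a clean Vista box is expected to carry.
# Any other SSODL DLL is loaded into explorer.exe at logon and deserves a look.
KNOWN_SSODL = {"WebCheck"}

START_PAGE_RE = re.compile(r"^R[01] - .*Start Page = (?P<url>.+)$")
SSODL_RE = re.compile(r"^O21 - SSODL: (?P<name>.+?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$")
SERVICE_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
INFECTED_RE = re.compile(r"^(?P<path>[A-Za-z]:\\\S+)\s+Infected:\s+(?P<det>\S+)")
REGKEY_RE = re.compile(r"^\[(?P<key>.+)\]$")
REGVAL_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<val>.+)$')


@dataclass(frozen=True)
class Finding:
    severity: str  # "high" or "review"; labels are this example's own, not a tool's
    kind: str
    detail: str


def reg_int(raw: str):
    """Turn ComboFix value text ('dword:00000001' or '0 (0x0)') into an int."""
    raw = raw.strip()
    if raw.lower().startswith("dword:"):
        return int(raw[6:], 16)
    m = re.match(r"^(\d+)", raw)
    return int(m.group(1)) if m else None


def triage(log_text: str) -> list:
    """Walk the log once and return the entries worth acting on."""
    findings = []
    current_key = ""  # registry key the following ComboFix value lines belong to
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        if m := START_PAGE_RE.match(line):
            findings.append(Finding("review", "ie-start-page", m["url"]))
        elif m := SSODL_RE.match(line):
            if m["name"] not in KNOWN_SSODL:
                findings.append(Finding("high", "ssodl", f'{m["name"]} -> {m["path"]}'))
        elif m := SERVICE_RE.match(line):
            # Legitimate vendors sometimes ship unsigned services too, so this is
            # only a prompt to check the binary, not a verdict.
            if m["owner"] == "Unknown owner":
                findings.append(Finding("review", "service-unknown-owner", f'{m["name"]} -> {m["path"]}'))
        elif m := INFECTED_RE.match(line):
            findings.append(Finding("high", "av-detection", f'{m["path"]} ({m["det"]})'))
        elif m := REGKEY_RE.match(line):
            current_key = m["key"].lower()
        elif m := REGVAL_RE.match(line):
            name, val = m["name"], reg_int(m["val"])
            # Security Center told to stop watching AV/firewall state: explains
            # "no antivirus installed" warnings while the AV itself still runs.
            if "security center" in current_key and name == "DisableMonitoring" and val == 1:
                findings.append(Finding("high", "security-center-muted", current_key))
            elif current_key.endswith(r"policies\system") and name == "EnableLUA" and val == 0:
                findings.append(Finding("high", "uac-disabled", current_key))
            elif "firewallpolicy" in current_key and name == "EnableFirewall" and val == 0:
                findings.append(Finding("high", "firewall-policy-off", current_key))
    return findings


def summarize(findings) -> dict:
    """Count findings per severity, e.g. {'high': 6, 'review': 2}."""
    counts = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.kind:24} {f.detail}")
```

Run it against the pasted log text (or feed `triage()` the contents of HijackThis.log and ComboFix.txt concatenated). The "high" items are the ones a helper would put into a CFScript or send for analysis; the "review" items are only prompts to look at the binary. Note that a registry value like DisableMonitoring=1 is a symptom, not the infection: the SSODL DLL and the driver in C:\Windows are what keep re-creating the quarantined file, so the values only go back to normal once those are gone.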

#5
louuu (Member, Topic Starter)
  • 223 posts
OK, I did all the steps you asked me to do. When I did it, Spy Sweeper came up and said it quarantined a trojan called trojan-backdoor.gen located at c:\327882rfwjfw\nircmdc/cfexe. I believe this is the same one it quarantined and I deleted last time, so it seems that somehow it's coming back by itself. Right now it's sitting in the quarantine and I haven't done anything with it until you tell me what to do. Below are the new HijackThis log and ComboFix log. Even though I put a check mark on the item you asked me to in HijackThis, it seems it's still there in the log. I'll wait for your next instructions. Thank you so much for your help.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:04:06 PM, on 2008-04-24
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16643)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\DigiPortal Software\ChoiceMail\ChoiceMail.exe
C:\Program Files\DigiPortal Software\ChoiceMail\ChoiceMail.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\RivaTuner v2.06\RivaTuner.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Mail\WinMail.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://cgi.verizon.n...mp;bm=ho_search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O4 - HKCU\..\Run: [ChoiceMail] "C:\Program Files\DigiPortal Software\ChoiceMail\ChoiceMail.exe"
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-21-2570524930-4131161030-1994012012-1000\..\Run: [Sidebar] "C:\Program Files\Windows Sidebar\Sidebar.exe" /detectMem (User 'IUSR_NMPR')
O4 - HKUS\S-1-5-21-2570524930-4131161030-1994012012-500\..\Run: [WindowsWelcomeCenter] "rundll32.exe" oobefldr.dll,ShowWelcomeCenter (User 'Administrator')
O4 - Startup: RivaTuner.lnk = C:\Program Files\RivaTuner v2.06\RivaTuner.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: @C:\Windows\WindowsMobile\INetRepl.dll,-222 - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra 'Tools' menuitem: @C:\Windows\WindowsMobile\INetRepl.dll,-223 - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix:
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.appl...ex/qtplugin.cab
O16 - DPF: {49312E18-AA92-4CC2-BB97-55DEA7BCADD6} (WMI Class) - https://support.dell...r/SysProExe.CAB
O16 - DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} (Java Plug-in 1.6.0) -
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O21 - SSODL: Disehdx - {067D4C36-6943-42D1-A670-937A2838BE45} - C:\Windows\system32\dskihdb.dll
O23 - Service: Intel® Alert Service (AlertService) - Intel® Corporation - C:\Program Files\Intel\IntelDH\CCU\AlertService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Intel® DHTrace Controller (DHTRACE) - Intel® Corporation - C:\Program Files\Common Files\Intel\IntelDH\bin\DHTraceController.exe
O23 - Service: DQLWinService - Unknown owner - C:\Program Files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: Intel® Software Services Manager (ISSM) - Intel® Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\ISSM.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Intel® Viiv™ Media Server (M1 Server) - Unknown owner - C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\mediaserver.exe
O23 - Service: Intel® Application Tracker (MCLServiceATL) - Intel® Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\MCLServiceATL.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: Intel® NMSCore (NMSCore) - Intel® Corporation - C:\Program Files\Common Files\Intel\IntelDH\NMS\NMSCore\NMSCore.exe
O23 - Service: Intel® Quality Manager (QualityManager) - Intel® Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\qualitymanager.exe
O23 - Service: Intel® Remoting Service (Remote UI Service) - Intel® Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\Remote UI Service.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Windows\system32\STacSV.exe
O23 - Service: Choice Mail (svcChoiceMail) - DigiPortal Software, Inc. - C:\Program Files\DigiPortal Software\ChoiceMail\\CMServer.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 9501 bytes

ComboFix 08-04-20.2 - Lou 2008-04-24 16:48:00.4 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.2033 [GMT -4:00]
Running from: C:\Users\Lou\Desktop\ComboFix.exe
Command switches used :: C:\Users\Lou\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\Windows\zeqbqwp.sys
.

((((((((((((((((((((((((( Files Created from 2008-03-24 to 2008-04-24 )))))))))))))))))))))))))))))))
.

2008-04-23 10:40 . 2008-04-23 10:41 <DIR> d-------- C:\Rustbfix
2008-04-13 20:19 . 2008-04-21 08:10 <DIR> d-------- C:\Program Files\WinAVI Video Converter
2008-04-08 23:14 . 2008-04-08 23:14 54,156 --ah----- C:\Windows\QTFont.qfn
2008-04-08 23:14 . 2008-04-08 23:14 1,409 --a------ C:\Windows\QTFont.for
2008-04-08 20:02 . 2008-02-14 19:19 944,184 --a------ C:\Windows\System32\winload.exe
2008-04-08 20:02 . 2008-02-19 01:10 620,088 --a------ C:\Windows\System32\ci.dll
2008-04-08 20:02 . 2008-02-29 02:39 371,712 --a------ C:\Windows\System32\srcore.dll
2008-04-08 20:02 . 2008-02-29 02:38 313,856 --a------ C:\Windows\System32\rstrui.exe
2008-04-08 20:02 . 2008-02-29 02:39 40,960 --a------ C:\Windows\System32\srclient.dll
2008-04-08 20:02 . 2008-02-29 02:51 19,000 --a------ C:\Windows\System32\kd1394.dll
2008-04-08 20:02 . 2008-02-29 02:38 16,384 --a------ C:\Windows\System32\srdelayed.exe
2008-04-08 20:02 . 2008-02-29 02:34 7,168 --a------ C:\Windows\System32\f3ahvoas.dll
2008-04-08 20:02 . 2008-02-29 02:35 6,656 --a------ C:\Windows\System32\kbd106n.dll
2008-04-08 20:01 . 2008-02-29 00:16 2,027,008 --a------ C:\Windows\System32\win32k.sys
2008-04-08 20:01 . 2008-02-21 00:43 296,448 --a------ C:\Windows\System32\gdi32.dll
2008-04-07 21:48 . 2008-04-07 22:07 524,288 --ahs---- C:\Users\Lou\ntuser.dat{e5fd28cb-0503-11dd-82ef-001d091e4b72}.TMContainer00000000000000000002.regtrans-ms
2008-04-07 21:48 . 2008-04-07 22:07 524,288 --ahs---- C:\Users\Lou\ntuser.dat{e5fd28cb-0503-11dd-82ef-001d091e4b72}.TMContainer00000000000000000001.regtrans-ms
2008-04-07 21:48 . 2008-04-07 22:07 65,536 --ahs---- C:\Users\Lou\ntuser.dat{e5fd28cb-0503-11dd-82ef-001d091e4b72}.TM.blf
2008-04-05 21:59 . 2008-04-05 21:59 <DIR> d-------- C:\Users\Lou\AppData\Roaming\NeroDCTemplates
2008-04-03 16:47 . 2008-04-03 16:47 <DIR> d-------- C:\Program Files\Common Files\Java
2008-04-01 15:26 . 2008-04-01 15:26 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-29 22:32 . 2008-03-29 22:32 <DIR> d-------- C:\Windows\System32\Kaspersky Lab
2008-03-29 22:32 . 2008-03-29 22:32 <DIR> d-------- C:\Users\All Users\Kaspersky Lab
2008-03-27 17:09 . 2008-03-05 15:56 3,786,760 --a------ C:\Windows\System32\D3DX9_37.dll
2008-03-27 17:09 . 2008-03-05 15:56 1,420,824 --a------ C:\Windows\System32\D3DCompiler_37.dll
2008-03-27 17:09 . 2008-03-05 16:03 479,752 --a------ C:\Windows\System32\XAudio2_0.dll
2008-03-27 17:09 . 2008-02-05 23:07 462,864 --a------ C:\Windows\System32\d3dx10_37.dll
2008-03-27 17:09 . 2007-10-22 03:39 267,272 --a------ C:\Windows\System32\xactengine2_10.dll
2008-03-27 17:09 . 2008-03-05 16:03 238,088 --a------ C:\Windows\System32\xactengine3_0.dll
2008-03-27 17:09 . 2008-03-05 16:00 25,608 --a------ C:\Windows\System32\X3DAudio1_3.dll
2008-03-27 17:03 . 2008-04-12 07:48 <DIR> d--h----- C:\Windows\msdownld.tmp
2008-03-27 16:55 . 2008-03-27 16:59 <DIR> d-------- C:\Program Files\FEAR Perseus Mandate
2008-03-27 11:08 . 2008-04-10 21:49 <DIR> d-------- C:\Program Files\SpywareBlaster

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-24 20:11 30,272 ----a-w C:\Windows\system32\drivers\pssdk31.drv
2008-04-21 11:32 --------- d-----w C:\Users\Lou\AppData\Roaming\dvdcss
2008-04-21 11:32 --------- d-----w C:\Users\Lou\AppData\Roaming\.BitTornado
2008-04-21 11:06 --------- d-----w C:\Program Files\RivaTuner v2.06
2008-04-15 00:23 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-09 00:45 --------- d-----w C:\Program Files\Windows Mail
2008-04-08 17:02 --------- d-----w C:\Users\Lou\AppData\Roaming\LimeWire
2008-04-08 01:46 --------- d-----w C:\Program Files\MagicISO
2008-04-03 20:48 --------- d-----w C:\Program Files\Java
2008-03-29 17:48 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-03-27 18:54 --------- d-----w C:\Program Files\SUPERAntiSpyware
2008-03-21 00:10 --------- d-----w C:\Program Files\LG Drivers
2008-03-19 21:52 --------- d-----w C:\Program Files\Norton Internet Security
2008-03-07 18:40 13,035 ----a-w C:\Windows\system32\drivers\SymRedir.cat
2008-03-07 18:40 1,358 ----a-w C:\Windows\system32\drivers\SymRedir.inf
2008-03-07 18:39 39,984 ----a-w C:\Windows\system32\drivers\symids.sys
2008-03-07 18:39 37,936 ----a-w C:\Windows\system32\drivers\symndisv.sys
2008-03-07 18:39 27,696 ----a-w C:\Windows\system32\drivers\symredrv.sys
2008-03-07 18:39 191,536 ----a-w C:\Windows\system32\drivers\symtdi.sys
2008-03-07 18:39 145,968 ----a-w C:\Windows\system32\drivers\symfw.sys
2008-03-07 18:39 12,848 ----a-w C:\Windows\system32\drivers\symdns.sys
2008-03-07 01:32 706 ----a-w C:\Windows\system32\drivers\COH_Mon.inf
2008-03-07 01:32 23,904 ----a-w C:\Windows\system32\drivers\COH_Mon.sys
2008-03-07 01:32 10,537 ----a-w C:\Windows\system32\drivers\COH_Mon.cat
2008-02-28 06:38 84,512 ----a-w C:\Users\Lou\AppData\Roaming\GDIPFONTCACHEV1.DAT
2008-02-26 04:04 --------- d-----w C:\Program Files\ffdshow
2008-02-26 03:58 --------- d-----w C:\Users\Lou\AppData\Roaming\Winamp
2008-02-26 03:58 --------- d-----w C:\Program Files\Winamp
2008-02-26 01:54 --------- d-----w C:\Program Files\Common Files\NSV
2008-02-10 06:13 60,968 ----a-w C:\Users\Lou\GoToAssistDownloadHelper.exe
2008-01-26 06:30 22,328 ----a-w C:\Users\Lou\AppData\Roaming\PnkBstrK.sys
2008-01-16 18:55 174 --sha-w C:\Program Files\desktop.ini
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ChoiceMail"="C:\Program Files\DigiPortal Software\ChoiceMail\ChoiceMail.exe" [2007-10-02 13:23 5230592]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [2006-11-02 08:35 125440]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-10 00:59 115816]
"NWEReboot"="" []
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2008-01-04 21:56 5367664]

C:\Users\Lou\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
RivaTuner.lnk - C:\Program Files\RivaTuner v2.06\RivaTuner.exe [2007-10-30 14:05:00 2650112]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"Disehdx"= {067D4C36-6943-42D1-A670-937A2838BE45} - C:\Windows\system32\dskihdb.dll [2008-01-16 22:37 761856]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL 2008-03-27 14:54 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=C:\Windows\pss\Digital Line Detect.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\Windows\pss\Microsoft Office.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^Users^Lou^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^PowerReg Scheduler.exe]
path=C:\Users\Lou\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PowerReg Scheduler.exe
backup=C:\Windows\pss\PowerReg Scheduler.exe.Startup
backupExtension=.Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\!AVG Anti-Spyware]
--a------ 2007-06-11 05:25 6731312 C:\Program Files\GRISOFT\AVG Anti-Spyware 7.5\avgas.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
C:\Program Files\Adobe\Photoshop Elements 6.0\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 23:16 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CCUTRAYICON]
--a------ 2007-06-27 11:18 215256 C:\Program Files\Intel\IntelDH\CCU\CCU_TrayIcon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
--a------ 2006-11-12 06:48 157592 C:\Program Files\DAEMON Tools\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupportCenter]
--a------ 2007-11-15 10:23 202544 C:\Program Files\Dell Support Center\bin\sprtcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dscactivate]
--a------ 2007-11-15 10:24 16384 C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus CX3800 Series]
--a------ 2007-01-25 06:00 179200 C:\Windows\system32\spool\DRIVERS\W32X86\3\E_FATIACA.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
--a------ 2007-12-13 20:10 1688872 C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IS CfgWiz]
--a------ 2007-11-26 22:02 456072 C:\Program Files\Common Files\Symantec Shared\OPC\{31011D49-D90C-4da0-878B-78D28AD507AF}\cltUIStb.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a------ 2006-10-03 12:37 81920 C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LightScribe Control Panel]
--a------ 2007-12-05 13:30 2295072 C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBKeyScan]
--a------ 2007-12-03 15:21 2213160 C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2007-03-01 15:57 153136 C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NMSSupport]
--a------ 2007-06-27 11:14 439512 C:\Program Files\Common Files\Intel\IntelDH\NMS\Support\IntelHCTAgent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2006-11-02 05:45 44544 C:\Windows\System32\rundll32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVIDIA nTune]
C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2006-11-02 05:45 44544 C:\Windows\System32\rundll32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvSvc]
--a------ 2006-11-02 05:45 44544 C:\Windows\System32\rundll32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDVDDXSrv]
--------- 2007-08-31 22:02 128296 C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-02-18 11:36 385024 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RivaTunerStartupDaemon]
--a------ 2007-10-30 14:05 2650112 C:\Program Files\RivaTuner v2.06\RivaTuner.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
--a------ 2007-09-12 04:40 405504 C:\Program Files\SigmaTel\C-Major Audio\WDM\sttray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
--a------ 2007-08-31 17:46 1460560 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpyHunter Security Suite]
--a------ 2008-01-23 15:48 344064 C:\Program Files\Enigma Software Group\SpyHunter\SHStartup.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-02-22 04:25 144784 C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
--a------ 2008-03-27 14:54 1481968 C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Symantec PIF AlertEng]
--a------ 2008-01-29 18:38 583048 C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UnlockerAssistant]
--a------ 2006-09-07 13:19 15872 C:\Program Files\Unlocker\UnlockerAssistant.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
C:\Program Files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
--a------ 2008-01-16 22:38 1006264 C:\Program Files\Windows Defender\MSASCui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Mobile Device Center]
%windir%\WindowsMobile\wmdc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
--a------ 2006-11-02 08:36 201728 C:\Program Files\Windows Media Player\WMPNSCFG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UacDisableNotify"=dword:00000001
"InternetSettingsDisableNotify"=dword:00000001
"AutoUpdateDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{75B9A9E2-CCE5-46EB-B3ED-1DF59A193BA8}"= C:\Program Files\CyberLink\PowerDVD DX\PowerDVD.exe:CyberLink PowerDVD DX
"{8EDE5A09-30DD-49D0-8D37-8A6A5171585E}"= C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe:CyberLink PowerDVD DX Resident Program
"{43FBC295-3EF0-4FC0-9162-B897B0372F90}"= UDP:Profile=Private|Profile=Public:LocalSubnet:LocalSubnet|C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\TSHWMDTCP.exe:SPCM
"{61EB5C2F-C598-4D27-AAB6-6A2FF946E1FC}"= TCP:Profile=Private|Profile=Public:LocalSubnet:LocalSubnet|C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\TSHWMDTCP.exe:SPCM
"{4866BEB9-CAA9-420C-8FDC-FB495D64B0C6}"= UDP:Profile=Private|Profile=Public:LocalSubnet:LocalSubnet|C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\Remote UI Service.exe:Intel® Remoting Service
"{ABD3D71D-0241-42CE-BBE8-330BAB6F9799}"= TCP:Profile=Private|Profile=Public:LocalSubnet:LocalSubnet|C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\Remote UI Service.exe:Intel® Remoting Service
"{C32D4FDC-5C12-44D6-8676-4455AB00F13B}"= UDP:Profile=Private|Profile=Public:LocalSubnet:LocalSubnet|C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\mediaserver.exe:Intel® Viiv™ Media Server
"{1E78DFEA-6E93-4EF4-A7D9-64439256B51C}"= TCP:Profile=Private|Profile=Public:LocalSubnet:LocalSubnet|C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\mediaserver.exe:Intel® Viiv™ Media Server
"{F161FF10-733C-43BD-81C3-237FCE4A03C3}"= TCP:Profile=Private|Profile=Public|9442:127.0.0.1:Intel® Viiv™ Media Server Discovery
"{6514FDF2-C619-40E0-9DE4-0218407DBD53}"= TCP:Profile=Private|Profile=Public|1900:LocalSubnet:LocalSubnet:Intel® Viiv™ Media Server UPnP Discovery
"{052B1593-3434-46F4-B214-E38138044FD4}"= Disabled:UDP:C:\Program Files\Adobe\Photoshop Elements 6.0\AdobePhotoshopElementsMediaServer.exe:Adobe Photoshop Elements Media Server
"{5F47FA16-C29E-4C22-B82C-CDC0B767B9BB}"= Disabled:TCP:C:\Program Files\Adobe\Photoshop Elements 6.0\AdobePhotoshopElementsMediaServer.exe:Adobe Photoshop Elements Media Server
"TCP Query User{F3150310-EBBA-4510-8495-06B2F24E2386}C:\\program files\\digiportal software\\choicemail\\choicemail.exe"= UDP:C:\program files\digiportal software\choicemail\choicemail.exe:ChoiceMail
"UDP Query User{46F5846B-4F82-495B-828C-63414E5D447B}C:\\program files\\digiportal software\\choicemail\\choicemail.exe"= TCP:C:\program files\digiportal software\choicemail\choicemail.exe:ChoiceMail
"{0994AFAE-7D6F-40E2-A4E3-AB9D9F932A27}"= UDP:C:\Program Files\LimeWire\LimeWire.exe:LimeWire
"{D7004304-D273-46E2-BABD-5F4337514114}"= TCP:C:\Program Files\LimeWire\LimeWire.exe:LimeWire
"{FC5DFF16-509E-4692-848F-1D7CA01E68D5}"= UDP:C:\Program Files\Electronic Arts\Crytek\Crysis\Bin32\Crysis.exe:Crysis_32
"{A827BA85-F1EB-4177-B4A5-97435E7CBD7B}"= TCP:C:\Program Files\Electronic Arts\Crytek\Crysis\Bin32\Crysis.exe:Crysis_32
"{7A9C5780-1252-4B16-BBC7-7F94AC9C97EC}"= UDP:C:\Program Files\Electronic Arts\Crytek\Crysis\Bin32\CrysisDedicatedServer.exe:CrysisDedicatedServer_32
"{D8FE101E-99A0-4805-BE69-40AD5A9796AA}"= TCP:C:\Program Files\Electronic Arts\Crytek\Crysis\Bin32\CrysisDedicatedServer.exe:CrysisDedicatedServer_32
"{13B2C350-B43A-4C6F-BADF-AB8E5D446EAC}"= UDP:C:\Windows\System32\PnkBstrA.exe:PnkBstrA
"{66722616-712E-423C-93D2-179ACA53E78E}"= TCP:C:\Windows\System32\PnkBstrA.exe:PnkBstrA
"{BAAFAA4B-06FC-446B-8047-10ADD1172357}"= UDP:C:\Windows\System32\PnkBstrB.exe:PnkBstrB
"{2A057F64-63D3-4745-A231-297CE58439FC}"= TCP:C:\Windows\System32\PnkBstrB.exe:PnkBstrB

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

R1 IDSvix86;Symantec Intrusion Prevention Driver;C:\PROGRA~2\Symantec\DEFINI~1\SymcData\idsdefs\20080423.002\IDSvix86.sys [2008-02-13 12:18]
R2 {1E444BE9-B8EC-4ce6-8C2B-6536FB7F4FB7};{1E444BE9-B8EC-4ce6-8C2B-6536FB7F4FB7};C:\Program Files\CyberLink\PowerDVD DX\000.fcl [2007-08-31 22:07]
R2 DQLWinService;DQLWinService;"C:\Program Files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe" [2007-02-12 12:46]
R2 NMSCore;Intel® NMSCore;"C:\Program Files\Common Files\Intel\IntelDH\NMS\NMSCore\NMSCore.exe" [2007-06-27 11:14]
R2 nmsunidr;UniDriver for NMS;C:\Windows\system32\DRIVERS\nmsunidr.sys [2007-02-18 21:34]
R2 QualityManager;Intel® Quality Manager;"C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\qualitymanager.exe" [2007-06-27 11:17]
R2 RapiMgr;Windows Mobile-based device connectivity;C:\Windows\system32\svchost.exe [2006-11-02 05:45]
R2 sprtsvc_dellsupportcenter;SupportSoft Sprocket Service (dellsupportcenter);C:\Program Files\Dell Support Center\bin\sprtsvc.exe [2007-11-15 10:23]
R2 svcChoiceMail;Choice Mail;C:\Program Files\DigiPortal Software\ChoiceMail\\CMServer.exe [2007-10-02 13:23]
R2 WcesComm;Windows Mobile-2003-based device connectivity;C:\Windows\system32\svchost.exe [2006-11-02 05:45]
R2 XAudio;XAudio;C:\Windows\system32\DRIVERS\xaudio.sys [2006-08-04 20:39]
R3 IntelDH;IntelDH Driver;C:\Windows\system32\Drivers\IntelDH.sys [2008-01-16 15:28]
R3 LazerUsb;Lumanate Lazer USB;C:\Windows\system32\DRIVERS\LazerUsb.sys [2007-10-16 21:19]
R3 PsSdk31;PsSdk31;C:\Windows\system32\Drivers\pssdk31.drv [2008-04-24 16:11]
R3 SYMNDISV;SYMNDISV;C:\Windows\system32\Drivers\SYMNDISV.SYS [2008-03-07 14:39]
S3 DHTRACE;Intel® DHTrace Controller;C:\Program Files\Common Files\Intel\IntelDH\bin\DHTraceController.exe [2007-06-27 11:15]
S3 R300;R300;C:\Windows\system32\DRIVERS\atikmdag.sys [2006-11-02 03:36]
S4 GoToAssist;GoToAssist;"C:\Program Files\Citrix\GoToAssist\480\g2aservice.exe" Start=service []
S4 SpyHunter3 Service;SpyHunter3 Service;"C:\Program Files\Enigma Software Group\SpyHunter\SHService.exe" [2008-01-23 15:48]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr

*Newly Created Service* - COMHOST

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"C:\Program Files\Common Files\LightScribe\LSRunOnce.exe"
.
Contents of the 'Scheduled Tasks' folder
"2008-04-07 04:21:32 C:\Windows\Tasks\Casper Scheduled Copy of Disk 1 to Disk 2.job"
- C:\Program Files\Future Systems Solutions\Casper 4.0\CASPER.EXE?/COPY 1 2 /SIZE:57544704;24165872640;725930311680 /FS:FAT;NTFS;NTFS /VS:0x519C8406 /VT:0x2D4B48CE /uid:C58A96F3FDB1424E87047621A0D3D09C /AUTOSTART /Y
"2008-04-23 14:37:23 C:\Windows\Tasks\Norton Internet Security - Run Full System Scan - Lou.job"
- C:\Program Files\Norton Internet Security\Norton AntiVirus\Navw32.exeB/TASK:
"2008-04-01 04:30:02 C:\Windows\Tasks\wrSpySweeper_LC8EBE7589FC648EC93F760D755E3512A.job"
- C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe>/ScheduleSweep=wrSpySweeper_LC8EBE7589FC648EC93F760D755E3512A
- C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.ex
- C:\
.
**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
Completion time: 2008-04-24 16:52:46
ComboFix-quarantined-files.txt 2008-04-24 20:52:42

Pre-Run: 501,038,452,736 bytes free
Post-Run: 501,275,238,400 bytes free

273 --- E O F --- 2008-04-09 00:19:42
  • 0
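The log above shows the tampering that explains the symptoms in the first post: Security Center notifications suppressed, monitoring of the Symantec products disabled, every firewall profile set to `EnableFirewall = 0`, and a newly created `COMHOST` service. As an added example (not from this thread, ComboFix, or Webroot), here is a small Python audit that walks ComboFix-style log lines and flags exactly those indicators; the sample excerpt is constructed from the values in this log, with one firewall profile set to 1 to show that an enabled profile is not reported.

```python
import re
from typing import List, Tuple

# Constructed excerpt in the layout of the ComboFix log posted above; keys and values
# mirror that log, except StandardProfile is set to 1 here so an enabled profile is seen.
SAMPLE_LOG = """\
[HKEY_LOCAL_MACHINE\\software\\microsoft\\security center]
"UacDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\\software\\microsoft\\security center\\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\\software\\microsoft\\security center\\Monitoring\\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\\~\\services\\sharedaccess\\parameters\\firewallpolicy\\PublicProfile]
"EnableFirewall"= 0 (0x0)
[HKLM\\~\\services\\sharedaccess\\parameters\\firewallpolicy\\StandardProfile]
"EnableFirewall"= 1 (0x1)
*Newly Created Service* - COMHOST
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
# Both value layouts ComboFix prints: "Name"=dword:00000001 and "Name"= 0 (0x0)
VALUE_RE = re.compile(r'^"([^"]+)"=\s*(?:dword:([0-9A-Fa-f]{8})|(\d+)\s*\(0x[0-9A-Fa-f]+\))')
SERVICE_RE = re.compile(r"^\*Newly Created Service\* - (\S+)")


def audit_combofix_log(text: str) -> List[Tuple[str, str]]:
    """Return (category, detail) pairs for settings a Security Center-aware trojan
    flips: notifications suppressed, monitoring disabled, firewall off, new services."""
    findings: List[Tuple[str, str]] = []
    key = ""  # registry key the following value lines belong to
    for line in (raw.strip() for raw in text.splitlines()):
        if m := KEY_RE.match(line):
            key = m.group(1)
            continue
        if m := SERVICE_RE.match(line):
            findings.append(("new_service", m.group(1)))
            continue
        if not (m := VALUE_RE.match(line)):
            continue
        name, leaf = m.group(1), key.rsplit("\\", 1)[-1]
        value = int(m.group(2), 16) if m.group(2) else int(m.group(3))
        if "security center" in key.lower():
            if name.endswith("DisableNotify") and value == 1:
                findings.append(("notify_suppressed", name))
            elif name == "DisableMonitoring" and value == 1:
                # The Monitoring key itself covers every product; subkeys name one product
                findings.append(("monitoring_disabled",
                                 "all products" if leaf.lower() == "monitoring" else leaf))
        elif "firewallpolicy" in key.lower() and name == "EnableFirewall" and value == 0:
            findings.append(("firewall_off", leaf))
    return findings
```

Run it against a full ComboFix log saved as text; a clean Vista machine produces no `notify_suppressed`, `monitoring_disabled` or `firewall_off` findings, so any hit is worth a look before the firewall is simply switched back on by hand.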

#6
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
That is related to ComboFix

Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan. Check all the boxes and click Start Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.


Also tell me how your PC is running
  • 0

#7
louuu

louuu

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 223 posts
OK, I'm now running the scan and will post the results when it's done. I wanted to ask you why HijackThis didn't work on deleting R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank when I put a checkmark next to it when you asked. It was still there again on the log I posted to you. Is this something dangerous to me or something I should worry about?
  • 0

#8
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Nope nothing to worry about

Go on with the MBAM step
  • 0

#9
louuu

louuu

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 223 posts
OK, here's the log you requested. It came back clean. Also, as far as my computer, it's been running fine. If you read my last entry, I tried to clean my computer before anyone replied via this GeeksToGo forum. I think I did a pretty good job, but I want to be sure there was nothing else I missed. I'll wait to hear back from you, thanks.

Malwarebytes' Anti-Malware 1.11
Database version: 679

Scan type: Full Scan (C:\|)
Objects scanned: 175768
Time elapsed: 59 minute(s), 43 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
  • 0

#10
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Your logs are clean! We need to do a few things.

Follow these steps to uninstall Combofix and tools used in the removal of malware
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.



You now need to update your Java and remove your older versions.

Please follow these steps to remove older version Java components.

* Click Start > Control Panel.
* Click Add/Remove Programs.
* Check any item with Java Runtime Environment (JRE) in the name.
* Click the Remove or Change/Remove button.

Download the latest version of Java Runtime Environment (JRE), and install it to your computer from here.



Below I have included a number of recommendations for how to protect your computer against malware infections.

* Keep Windows updated by regularly checking their website at:
http://windowsupdate.microsoft.com/
This will ensure your computer always has the latest available security updates installed.

* To reduce re-infection for malware in the future, I strongly recommend installing these free programs:
SpywareBlaster protects against bad ActiveX
IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all
Have a look at this tutorial for IE-Spyad here

* SpywareGuard offers realtime protection from spyware installation attempts.

Make Internet Explorer more secure
  • Click Start > Run
  • Type Inetcpl.cpl & click OK
  • Click on the Security tab
  • Click Reset all zones to default level
  • Make sure the Internet Zone is selected & Click Custom level
  • In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls") to "Prompt", and "Initialize and Script ActiveX controls not marked as safe" to "Disable".
  • Next Click OK, then Apply button and then OK to exit the Internet Properties page.

* MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites and other bad sites. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer, meaning it will be difficult to infect yourself in the future.

* Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in pop up blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from Here

* Take a good look at the following suggestions for malware prevention by reading Tony Klein's article 'How Did I Get Infected In The First Place' Here

Thank you for your patience, and performing all of the procedures requested.
  • 0

#11
louuu

louuu

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 223 posts
Thanks for your help and I'm glad my logs are clean. I'm getting pretty good at trying to clean up my own computer problems as I keep learning from you guys each and every time I use you. I just sent you $6.43 US dollars, which is good to buy yourself 2 beers on me. Not sure what the money transfer rate is for euros, but hopefully you can get 2 beers there like I can here. The PayPal money came from my PayPal email, which is lou.ebay, so this way you know it came from me. Thanks again for your help, take care.
  • 0

#12
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0