Hello and welcome to TSF.:smile:

Download Combofix and save it to your desktop.

**Note: It is important that it is saved directly to your desktop**

1. Close any open browsers. Disconnect from the internet.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.

• When finished, it will produce a report for you.
• Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall

 

Hey Amateur,

Thanks for taking up my case! I ran combofix and hijackthis again. There logs are pasted below:

ComboFix 07-10-27.4 - Owner 2007-10-26 18:03:33.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.517 [GMT -5:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\pack.epk
C:\WINDOWS\system32\ufbkibzwuc.dat
C:\WINDOWS\system32\ufbkibzwuc.exe
C:\WINDOWS\system32\ufbkibzwuc_nav.dat
c:\WINDOWS\system32\ufbkibzwuc_navps.dat
D:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2007-09-27 to 2007-10-27 )))))))))))))))))))))))))))))))
.

2007-10-26 18:02 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-23 20:40 <DIR> d-------- C:\Deckard
2007-10-23 20:32 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-10-23 18:54 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-10-23 18:54 <DIR> d-------- C:\WINDOWS\LastGood
2007-10-07 01:25 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Lavasoft
2007-10-06 23:35 <DIR> d-------- C:\WINDOWS\pss
2007-10-06 23:27 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Grisoft
2007-10-06 23:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-10-06 23:27 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-10-04 21:43 <DIR> d-------- C:\Program Files\Eraser
2007-10-04 21:43 <DIR> d--h----- C:\Documents and Settings\All Users\Application Data\{74D61F17-FFC2-41AF-96E5-1DCB0631B6D1}

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-27 23:04 --------- d-----w C:\Program Files\Symantec AntiVirus
2007-10-24 00:39 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-10-07 06:24 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-10-07 05:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2007-10-07 05:20 --------- d-----w C:\Program Files\Winamp
2007-10-07 04:28 --------- d-----w C:\Program Files\DIGStream
2007-10-07 04:22 --------- d-----w C:\Documents and Settings\All Users\Application Data\DIGStream
2007-09-15 15:38 --------- d--h--w C:\Documents and Settings\All Users\Application Data\NeoTemp
2007-09-15 00:44 --------- d-----w C:\Documents and Settings\Owner\Application Data\ppStream
2007-09-15 00:41 --------- d-----w C:\Program Files\Common Files\Synacast
2007-09-15 00:41 --------- d-----w C:\Documents and Settings\Owner\Application Data\PPMate
2007-09-15 00:37 359,808 ----a-w C:\WINDOWS\system32\drivers\TCPIP.SYS.ORIGINAL
2007-09-15 00:37 359,808 ----a-w C:\WINDOWS\system32\drivers\TCPIP.SYS
2007-09-04 01:07 --------- d-----w C:\Documents and Settings\Owner\Application Data\Move Networks
2007-09-01 14:28 --------- d-----w C:\Program Files\iWin
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-07-31 00:19 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-07-31 00:19 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-07-31 00:19 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-07-31 00:19 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-07-31 00:19 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-07-31 00:19 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-07-31 00:19 1,712,984 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-07-31 00:18 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-07-28 21:05 640,336 ----a-w C:\WINDOWS\system32\Eraser.dll
2007-07-28 21:05 292,176 ----a-w C:\WINDOWS\system32\Erasext.dll
2007-07-28 21:05 112,976 ----a-w C:\WINDOWS\system32\Eraserl.exe
2006-01-07 18:18 32 ----a-r C:\Documents and Settings\All Users\hash.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-05 09:47]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-05 09:47]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2005-04-25 10:32]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-02-18 09:10]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2005-04-08 14:52]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2005-04-17 11:30]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-04-25 10:32]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-04-25 10:29]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 04:25]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 14:00]

C:\Documents and Settings\Owner\Start Menu\Programs\Startup\
HotSync Manager.lnk - C:\Program Files\Palm\HOTSYNC.EXE [2004-04-13 16:03:10]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
C:\Program Files\Intel\Wireless\Bin\LgNotify.dll 2005-02-18 09:08 110592 C:\Program Files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=C:\WINDOWS\pss\Kodak EasyShare software.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^KODAK Software Updater.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\KODAK Software Updater.lnk
backup=C:\WINDOWS\pss\KODAK Software Updater.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
"C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent]
"C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DIGServices]
C:\Program Files\ESPNRunTime\DIGServices.exe /brand=ESPN /priority=0 /poll=24

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DIGStream]
C:\Program Files\DIGStream\digstream.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Eraser]
C:\Program Files\Eraser\eraser.exe -hide

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
C:\WINDOWS\SMINST\RECGUARD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder]
C:\Windows\Creator\Remind_XP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
"C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
C:\Program Files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\xlagotz]
c:\windows\system32\xlagotz.exe xlagotz

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet

R2 CdaD10BA;CdaD10BA;\??\C:\WINDOWS\system32\drivers\CdaD10BA.SYS
S3 sscdbus;SAMSUNG USB Composite Device driver (WDM);C:\WINDOWS\system32\DRIVERS\sscdbus.sys
S3 sscdmdfl;SAMSUNG CDMA Modem Filter;C:\WINDOWS\system32\DRIVERS\sscdmdfl.sys
S3 sscdmdm;SAMSUNG CDMA Modem Drivers;C:\WINDOWS\system32\DRIVERS\sscdmdm.sys

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2007-10-27 23:07:07 C:\WINDOWS\Tasks\Symantec NetDetect.job"
.
**************************************************************************

catchme 0.3.1239 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-27 18:09:16
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-27 18:10:20
.
--- E O F ---


-------------------------------------------------------------------------------

Deckard's System Scanner v20071014.68
Run by Owner on 2007-10-27 18:14:35
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Owner.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:15:34 PM, on 10/27/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Owner\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Owner.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: RaptisoftGameLoader - http://www.miniclip.com/haphazard/raptisoftgameloader.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F99} (CR64Loader Object) - http://www.miniclip.com/puzzlepirates/miniclipGameLoader.dll
O16 - DPF: {2B55B5F0-9D95-48CF-96A1-FEAF74CEC150} (portLoader Class) - http://a248.g.akamai.net/7/248/9286/200309241629/ps.theport.com/xmlplayer/eng2/download.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://mapg.fmd.emory.edu/mgvinstall/mgaxctrl.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://170.140.206.14/activex/AxisCamControl.ocx
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - http://203.200.233.172/Media/visitorchat/TLIEFlash.CAB
O16 - DPF: {97BB6657-DC7F-4489-9067-51FAB9D8857E} (CWebLaunchCtl Object) - https://support.gateway.com/eSupport/static/weblaunch/weblaunch2.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A662DA7E-CCB7-4743-B71A-D817F6D575DF} (Autodesk DWF Viewer Control) - http://www.autodesk.com/global/dwfviewer/installer/DwfViewerSetup.cab
O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://game05.zylom.com/activex/zylomgamesplayer.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/popcap/zuma/popcaploader_v6.cab
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 9717 bytes

-- Files created between 2007-09-27 and 2007-10-27 -----------------------------

2007-10-27 18:15:27 0 d-------- C:\Program Files\Trend Micro
2007-10-23 20:32:48 0 d-------- C:\Program Files\SpywareBlaster
2007-10-23 18:54:03 0 d-------- C:\WINDOWS\system32\ActiveScan
2007-10-23 18:54:01 0 d-------- C:\WINDOWS\LastGood
2007-10-07 01:25:13 0 d-------- C:\Documents and Settings\Owner\Application Data\Lavasoft
2007-10-06 23:35:45 0 d-------- C:\WINDOWS\pss
2007-10-06 23:27:36 0 d-------- C:\Documents and Settings\Owner\Application Data\Grisoft
2007-10-06 23:27:19 0 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-10-04 21:43:58 0 d--h----- C:\Documents and Settings\All Users\Application Data\{74D61F17-FFC2-41AF-96E5-1DCB0631B6D1}
2007-10-04 21:43:56 0 d-------- C:\Program Files\Eraser


-- Find3M Report ---------------------------------------------------------------

2007-10-27 18:04:33 0 d-------- C:\Program Files\Symantec AntiVirus
2007-10-23 19:39:23 0 d-------- C:\Program Files\Common Files\Symantec Shared
2007-10-07 00:20:55 0 d-------- C:\Program Files\Winamp
2007-10-06 23:28:21 0 d-------- C:\Program Files\DIGStream
2007-09-24 19:26:56 1156 --a------ C:\WINDOWS\mozver.dat
2007-09-14 19:44:52 0 d-------- C:\Documents and Settings\Owner\Application Data\ppStream
2007-09-14 19:41:38 0 d-------- C:\Documents and Settings\Owner\Application Data\PPMate
2007-09-14 19:41:32 0 d-------- C:\Program Files\Common Files
2007-09-14 19:41:32 0 d-------- C:\Program Files\Common Files\Synacast
2007-09-03 20:07:45 0 d-------- C:\Documents and Settings\Owner\Application Data\Move Networks
2007-09-01 09:28:44 0 d-------- C:\Program Files\iWin


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [11/05/2004 09:47 AM]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [11/05/2004 09:47 AM]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [04/25/2005 10:32 AM]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [02/18/2005 09:10 AM]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [04/08/2005 02:52 PM]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [04/17/2005 11:30 AM]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [04/25/2005 10:32 AM]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [04/25/2005 10:29 AM]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [06/11/2007 04:25 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 02:00 PM]

C:\Documents and Settings\Owner\Start Menu\Programs\Startup\
HotSync Manager.lnk - C:\Program Files\Palm\HOTSYNC.EXE [4/13/2004 4:03:10 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
C:\Program Files\Intel\Wireless\Bin\LgNotify.dll 02/18/2005 09:08 AM 110592 C:\Program Files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=C:\WINDOWS\pss\Kodak EasyShare software.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^KODAK Software Updater.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\KODAK Software Updater.lnk
backup=C:\WINDOWS\pss\KODAK Software Updater.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
"C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent]
"C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DIGServices]
C:\Program Files\ESPNRunTime\DIGServices.exe /brand=ESPN /priority=0 /poll=24

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DIGStream]
C:\Program Files\DIGStream\digstream.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Eraser]
C:\Program Files\Eraser\eraser.exe -hide

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
C:\WINDOWS\SMINST\RECGUARD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder]
C:\Windows\Creator\Remind_XP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
"C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
C:\Program Files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\xlagotz]
c:\windows\system32\xlagotz.exe xlagotz

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet

*Newly Created Service* - CATCHME



-- End of Deckard's System Scanner: finished at 2007-10-27 18:16:10 ------------

Please let me know what the next steps are.

Thanks!

 

Hi,

Have the popups stopped?

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.

• Click Start>Run, type in appwiz.cpl and press Enter.
• Remove all entries of Runtime Environment (J2SE or JRE) that are listed.
• Now reboot your computer.
• Download the latest version of Java Runtime Environment, and install it to your computer.

===============================

I noticed that you are using ppStream which is a file sharing program. I would like to warn you that the nature of P2P filesharing is so that even if one is using a "clean" program, many of the files downloaded from non-documented sources have the potential of being infected. So, regardless of whether one is using a "clean" program, one may still be prone to infection by malware because more than half of all files available for download from peer-to-peer networks have been deliberately infected with some form of malware. I recommend that you remove it from your system via Add/Remove Programs in Control Panel.

========================================

Scan with HijackThis and put a checkmark against the following entries:

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O16 - DPF: RaptisoftGameLoader - http://www.miniclip.com/haphazard/ra...gameloader.cab
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F99} (CR64Loader Object) - http://www.miniclip.com/puzzlepirate...GameLoader.dll
O16 - DPF: {2B55B5F0-9D95-48CF-96A1-FEAF74CEC150} (portLoader Class) - http://a248.g.akamai.net/7/248/9286/...2/download.cab

Close all browsers/windows other than HijackThis and click on "fix checked".

========================================

Open notepad (it must be notepad, not wordpad, or it won't work) and copy/paste the text in the quotebox below into it:

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\xlagotz]

DirLook::
C:\Documents and Settings\All Users\Application Data\NeoTemp

Save this as CFScript.txt

Refering to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you. Post that log in your next reply and a fresh HijackThis log please. (use owner.exe)

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

 

hey Amateur,

The popups seem to have disappeared! Thanks!

I removed the Java runtime environments and downloaded the updated software for the same.

I tried to find ppstream in the add/remove programs list but could not locate it. I also did a search for ppstream in my files on my drives but could not find it. Is the software stored under a different name? I do not use it so I would like to remove it.

I have followed your directions and am pasting the 2 requested logs below:

Combofix
ComboFix 07-10-27.4 - Owner 2007-10-28 10:02:13.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.544 [GMT -5:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\cfscript.txt
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2007-09-28 to 2007-10-28 )))))))))))))))))))))))))))))))
.

2007-10-27 18:15 <DIR> d-------- C:\Program Files\Trend Micro
2007-10-26 18:02 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-23 20:40 <DIR> d-------- C:\Deckard
2007-10-23 20:32 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-10-23 18:54 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-10-07 01:25 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Lavasoft
2007-10-06 23:35 <DIR> d-------- C:\WINDOWS\pss
2007-10-06 23:27 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Grisoft
2007-10-06 23:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-10-06 23:27 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-10-04 21:43 <DIR> d-------- C:\Program Files\Eraser
2007-10-04 21:43 <DIR> d--h----- C:\Documents and Settings\All Users\Application Data\{74D61F17-FFC2-41AF-96E5-1DCB0631B6D1}

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-28 14:52 --------- d-----w C:\Program Files\Java
2007-10-28 14:50 --------- d-----w C:\Program Files\Symantec AntiVirus
2007-10-24 00:39 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-10-07 06:24 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-10-07 05:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2007-10-07 05:20 --------- d-----w C:\Program Files\Winamp
2007-10-07 04:28 --------- d-----w C:\Program Files\DIGStream
2007-10-07 04:22 --------- d-----w C:\Documents and Settings\All Users\Application Data\DIGStream
2007-09-15 15:38 --------- d--h--w C:\Documents and Settings\All Users\Application Data\NeoTemp
2007-09-15 00:44 --------- d-----w C:\Documents and Settings\Owner\Application Data\ppStream
2007-09-15 00:41 --------- d-----w C:\Program Files\Common Files\Synacast
2007-09-15 00:41 --------- d-----w C:\Documents and Settings\Owner\Application Data\PPMate
2007-09-15 00:37 359,808 ----a-w C:\WINDOWS\system32\drivers\TCPIP.SYS.ORIGINAL
2007-09-15 00:37 359,808 ----a-w C:\WINDOWS\system32\drivers\TCPIP.SYS
2007-09-04 01:07 --------- d-----w C:\Documents and Settings\Owner\Application Data\Move Networks
2007-09-01 14:28 --------- d-----w C:\Program Files\iWin
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-07-31 00:19 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-07-31 00:19 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-07-31 00:19 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-07-31 00:19 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-07-31 00:19 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-07-31 00:19 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-07-31 00:19 1,712,984 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-07-31 00:18 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-07-28 21:05 640,336 ----a-w C:\WINDOWS\system32\Eraser.dll
2007-07-28 21:05 292,176 ----a-w C:\WINDOWS\system32\Erasext.dll
2007-07-28 21:05 112,976 ----a-w C:\WINDOWS\system32\Eraserl.exe
2006-01-07 18:18 32 ----a-r C:\Documents and Settings\All Users\hash.dat
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of C:\Documents and Settings\All Users\Application Data\NeoTemp ----

2007-09-15 10:41 640 --a------ C:\Documents and Settings\All Users\Application Data\NeoTemp\2280043\2280043046\22800430460h.nsdh
2007-09-15 10:41 2816512 --a------ C:\Documents and Settings\All Users\Application Data\NeoTemp\2280043\2280043046\22800430465.nsd
2007-09-15 10:41 2816512 --a------ C:\Documents and Settings\All Users\Application Data\NeoTemp\2280043\2280043046\22800430464.nsd
2007-09-15 10:40 2816512 --a------ C:\Documents and Settings\All Users\Application Data\NeoTemp\2280043\2280043046\22800430463.nsd
2007-09-15 10:40 2816512 --a------ C:\Documents and Settings\All Users\Application Data\NeoTemp\2280043\2280043046\22800430462.nsd
2007-09-15 10:39 2816512 --a------ C:\Documents and Settings\All Users\Application Data\NeoTemp\2280043\2280043046\22800430461.nsd
2007-09-15 10:39 2816234 --a------ C:\Documents and Settings\All Users\Application Data\NeoTemp\2280043\2280043046\22800430460.nsd


((((((((((((((((((((((((((((( snapshot@2007-10-27_18.09.23.99 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-07-12 06:22:00 135,168 ----a-w C:\WINDOWS\system32\java.exe
+ 2007-09-25 03:30:28 135,168 ----a-w C:\WINDOWS\system32\java.exe
- 2007-07-12 06:22:04 135,168 ----a-w C:\WINDOWS\system32\javaw.exe
+ 2007-09-25 03:30:30 135,168 ----a-w C:\WINDOWS\system32\javaw.exe
- 2007-07-12 07:22:38 139,264 ----a-w C:\WINDOWS\system32\javaws.exe
+ 2007-09-25 04:31:42 139,264 ----a-w C:\WINDOWS\system32\javaws.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-05 09:47]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-05 09:47]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2005-04-25 10:32]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-02-18 09:10]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2005-04-08 14:52]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2005-04-17 11:30]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-04-25 10:32]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-04-25 10:29]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 04:25]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 14:00]

C:\Documents and Settings\Owner\Start Menu\Programs\Startup\
HotSync Manager.lnk - C:\Program Files\Palm\HOTSYNC.EXE [2004-04-13 16:03:10]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
C:\Program Files\Intel\Wireless\Bin\LgNotify.dll 2005-02-18 09:08 110592 C:\Program Files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=C:\WINDOWS\pss\Kodak EasyShare software.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^KODAK Software Updater.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\KODAK Software Updater.lnk
backup=C:\WINDOWS\pss\KODAK Software Updater.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
"C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DIGServices]
C:\Program Files\ESPNRunTime\DIGServices.exe /brand=ESPN /priority=0 /poll=24

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DIGStream]
C:\Program Files\DIGStream\digstream.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Eraser]
C:\Program Files\Eraser\eraser.exe -hide

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
C:\WINDOWS\SMINST\RECGUARD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder]
C:\Windows\Creator\Remind_XP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
"C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
C:\Program Files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet

R2 CdaD10BA;CdaD10BA;\??\C:\WINDOWS\system32\drivers\CdaD10BA.SYS
S3 sscdbus;SAMSUNG USB Composite Device driver (WDM);C:\WINDOWS\system32\DRIVERS\sscdbus.sys
S3 sscdmdfl;SAMSUNG CDMA Modem Filter;C:\WINDOWS\system32\DRIVERS\sscdmdfl.sys
S3 sscdmdm;SAMSUNG CDMA Modem Drivers;C:\WINDOWS\system32\DRIVERS\sscdmdm.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-10-27 23:10:14 C:\WINDOWS\Tasks\Symantec NetDetect.job"
.
**************************************************************************

catchme 0.3.1239 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-28 10:05:46
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-28 10:07:10
C:\ComboFix2.txt ... 2007-10-27 18:10
.
--- E O F ---

------------------------------------------------------------

Hijack This

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:08:38 AM, on 10/28/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Palm\HOTSYNC.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://mapg.fmd.emory.edu/mgvinstall/mgaxctrl.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://170.140.206.14/activex/AxisCamControl.ocx
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - http://203.200.233.172/Media/visitorchat/TLIEFlash.CAB
O16 - DPF: {97BB6657-DC7F-4489-9067-51FAB9D8857E} (CWebLaunchCtl Object) - https://support.gateway.com/eSupport/static/weblaunch/weblaunch2.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A662DA7E-CCB7-4743-B71A-D817F6D575DF} (Autodesk DWF Viewer Control) - http://www.autodesk.com/global/dwfviewer/installer/DwfViewerSetup.cab
O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://game05.zylom.com/activex/zylomgamesplayer.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/popcap/zuma/popcaploader_v6.cab
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 9452 bytes

-----------------------------------------------------------------

Thanks for all your help!

 

Hi,

The popups seem to have disappeared!

Good. Well done.

removed the Java runtime environments and downloaded the updated software for the same.

Yes, I see that you have the latest java, but there is one folder for an old version of java that you can delete while you're deleting the ppStream folders.

Go to My Computer> Tools> Folder Options> View>"Uncheck" Hide protected operating system files. Click Apply>OK.

** These files are hidden to stop you or anybody else accidentally removing something important.
It is advisable to hide them again after you're done. **

Then, using Windows Explorer (right click on Start, click on Explore) to locate, delete the following folders:

C:\Documents and Settings\Owner\Application Data\ppStream
C:\Documents and Settings\Owner\Application Data\PPMate
C:\Program Files\Java\jre1.6.0_02

Let me know if you run into any problem deleting them.

======================

Let's have an online scan too to see if there are any leftovers or anything hiding.

Perform an online scan using Internet Explorer with Panda ActiveScan

• Click on
  located at the bottom of the page.
• A "pop up" window will appear. Please ensure that your pop up blocker doesn't block it
• Enter your e-mail address, country, and state & click "Free Online Scan" The download of the 8 MB Panda's ActiveX control will take place

Begin the scan by selecting

• If it finds any malware, it will offer you a report.
• Please ignore any entry it finds and the offer to buy the program to remove the entry, as we will address this later.
• Click on
  then click
  and post back the contents please.

Please post back the Panda scan results.

 

Amateur,

I ran Panda Scan again. It found 27 cookies, which were flagged. It also found 5 hacking tools, which are basically NirCmd references. I have pasted the log below.


Incident Status Location

Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\98fee8uy.default\cookies.txt[.bs.serving-sys.com/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\98fee8uy.default\cookies.txt[.serving-sys.com/]
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\98fee8uy.default\cookies.txt[.go.com/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\98fee8uy.default\cookies.txt[ad.yieldmanager.com/]
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\98fee8uy.default\cookies.txt[.zedo.com/]
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\98fee8uy.default\cookies.txt[.tribalfusion.com/]
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\98fee8uy.default\cookies.txt[.atdmt.com/]
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\98fee8uy.default\cookies.txt[.doubleclick.net/]
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\98fee8uy.default\cookies.txt[.mediaplex.com/]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\98fee8uy.default\cookies.txt[.2o7.net/]
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\98fee8uy.default\cookies.txt[.advertising.com/]
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\98fee8uy.default\cookies.txt[.fastclick.net/]
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\98fee8uy.default\cookies.txt[.ehg-dig.hitbox.com/]
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\98fee8uy.default\cookies.txt[.ads.pointroll.com/]
Spyware:Cookie/WebtrendsLive Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\98fee8uy.default\cookies.txt[statse.webtrendslive.com/]
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\98fee8uy.default\cookies.txt[.questionmarket.com/]
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\98fee8uy.default\cookies.txt[.adrevolver.com/]
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\98fee8uy.default\cookies.txt[.statcounter.com/]
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\98fee8uy.default\cookies.txt[.realmedia.com/]
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\98fee8uy.default\cookies.txt[.casalemedia.com/]
Spyware:Cookie/Bluestreak Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\98fee8uy.default\cookies.txt[.bluestreak.com/]
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\98fee8uy.default\cookies.txt[.trafficmp.com/]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Owner\Cookies\owner@2o7[1].txt
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Owner\Cookies\owner@ads.pointroll[1].txt
Spyware:Cookie/Bluestreak Not disinfected C:\Documents and Settings\Owner\Cookies\owner@bluestreak[1].txt
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Owner\Cookies\owner@go[1].txt
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Owner\Cookies\owner@go[2].txt
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\Owner\Desktop\hijack this\ComboFix.exe[nircmd.exe]
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\Owner\Desktop\hijack this\ComboFix.exe[nircmd.cfexe]
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\98fee8uy.default\Cache\7ED6F4AAd01[nircmd.exe]
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\98fee8uy.default\Cache\7ED6F4AAd01[nircmd.cfexe]
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\WINDOWS\NirCmd.exe

 

Hi,

Those cookies flagged by Panda are normal. Advertisers use these for statistical analysis and to target ads that you would be more likely to click on. They're not dangerous in and of themselves, per se, but are definitely a good idea to remove periodically. You can use the following tool to clean your cookies on a regular basis.

Download ATF Cleaner by Atribune and save it to your Desktop.
Double click ATF-Cleaner.exe to run the program.
Check the boxes to the left of:

Windows Temp
Current User Temp
All Users Temp
Temporary Internet Files
Prefetch
Java Cache
The rest are optional - if you want to remove the lot, check "Select All".

Finally click Empty Selected. When you get the "Done Cleaning" message, click OK.

If you use the Firefox or Opera browsers, you can use this program as a quick way to tidy those up as well.

Firefox :
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Opera :
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

When you have finished, click on the Exit button in the Main menu.

For Technical Support, double-click the e-mail address located at the bottom of each menu

=================================

NirCmd is part of Combofix which we are going to remove in a short while. Scanners like Panda cannot differentiate between good and bad use of these files, therefore flag them. You don't need to worry about it and as I said earlier, we'll remove it anyway.

=================================

• Click Start then Run
• Now type Combofix /u in the runbox and click OK. Notice the space between the x and the /u
  
  
  
  
  This will uninstall ComboFix. It will also implement some cleanup procedures and reset System Restore to prevent reinfection from old restore points.

Here are some steps to make your surfing more secure in future:

Make your Internet Explorer more secure - This can be done by following these simple instructions:

From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialise and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.

Avoid illegal sites, because that's where most malware is present.

* Don't click on links inside popups.
* Don't click on links in spam messages claiming to offer anti-spyware software; because most of these so called removers ARE spyware.
* Download free software only from sites you know and trust. Because a lot of free software can bundle other software, including spyware.

Keep your antivirus-program up-to-date and do regular scans with it. Please make sure that you have only one active antivirus program on your system.

IMPORTANT: You Need to Update Windows and Internet Explorer to protect your computer from the malware that is around on the Internet. Please go to the windows update site http://windowsupdate.microsoft.com/ to get the critical updates.

If you are running Microsoft, or any portion thereof, go to the Microsoft's Office Update site http://office.microsoft.com/officeupdate/maincatalog.aspx?lc=en-us and make sure you have at least all the critical updates installed (Free) Microsoft Office Update.

Keep your pestware-scanners up-to-date and do regular scans with them.

To keep your computer free of Spyware, Adware, Hijackers etc., download and install the following free pestware-scanners (if you haven't installed them already):
AdAwareA tutorial on installing & using this product can be found here: http://www.bleepingcomputer.com/forums/tutorial43.html
Spybot A tutorial on installing & using this product can be found here: http://www.bleepingcomputer.com/forums/tutorial43.html
Windows Defender here

The following free realtime pestscanners prevent a number of malware-variants from entering your computer, in the first place:

SpywareBlaster A tutorial on installing & using this product can be found here: http://www.bleepingcomputer.com/forums/tutorial49.html
SpywareGuard here

If you haven't got one, already, install a firewall and keep it up-to-date. Please make sure that you have only one active firewall on your system.

A firewall will prevent unauthorized contact between your computer and internet. A tutorial on Firewalls and a listing of some available ones can be found here:
http://forum.malwareremoval.com/viewtopic.php?p=56#56
http://www.bleepingcomputer.com/forums/tutorial60.html

Test your firewall here to make sure that it's working properly

Install these programs, to make surfing with Internet Explorer safer:

A popup-blocker, e.g. Google Toolbar here: A popup-blocker prevents popup-windows from opening, when you come along a websites that uses them, during internet-surfing. To provide privacy, select disable advanced features when installing.

IE-SPYAD This utility adds a long list of known bad sites to Internet Explorer's Restricted Sites zone. This prevents those sites from executing their malicious programs on your computer. A tutorial on installing this product can be found here: http://www.spywarewarrior.com/uiuc/resource.htm

SiteHound by Firetrust introduces the SiteHound Toolbar - the safe way to browse the Internet. With SiteHound, when you browse the Internet, you're shown a warning page every time you go to a site which is a known scam, potentially loads viruses or spyware on to your computer, has questionable content or anything you would not consider reasonable.
This product can be downloaded from here: here:

Install and use an alternative browser to surf on the internet.

Because Internet Explorer is the most-used browser on the planet, most of the hijackers, adware and spyware are made to abuse your computer thru Internet Explorer.
Here are some good alternative browsers:
Mozilla Suite here
Mozilla Firefox here
Opera here
Netscape here
Important: You can not uninstall Internet Explorer.
First of all, it's part of Windows and you'll need it to download and install Windows Updates.
Secondly, There are some sites that are only accessable with Internet Explorer, e.g. most of the Online Malware-scanners.

But above all, keep all your software UP-TO-DATE at all time!!

A colleague of ours has excellent information and tips on the prevention of malware here and more on improving speed/system performance after malware removal here .

If you want to fight back the Malware Writers, please take a look here and read what you can do against it.

Please respond to this thread one more time so we can mark this thread as resolved.

Happy Surfing!

:smile:

 

Thanks for all your help!

 

You're welcome. Glad we could help. Stay safe! :wave: