Help - Remove Virus - Popads123 And Zedo - Thanks !


#1 skothelpoo9

Posted 08 June 2008 - 07:22 PM

I apparently have a virus called -
Popads123, which automatically leads to Zedo.

I was on IE when the problem started (I also have Firefox)
but the ads pop through Firefox.

The problem is simple, but incredibly annoying;

Firefox starts without me opening it - and displays an ad
I close the window and a new one opens 1 min later.

When the new browser window first opens,
the URL says, <http://popads123.com.....>.

Then the URL changes automatically to,
<http://c5.zedo.com.....>.

Then it changes again to,
a random AD company's URL - dating service, or whatever

I have cleaned out all Temp internet files and Cookies

I have run Ad-Aware, Symantec, Windows Defender, and Spybot.

Pretty disappointed that NONE of the 4 computer scans deleted the problem.

I also followed some instructions on the internet
on how to get rid of popads 123 and zedo
It said to Start Run- regedit and look for CORE, in the System 32 files,
but "Core" did not exist after following the instructions.

So,
I downloaded and ran, "Trend Micro Hijack This" v2.0.2 -
and I have the log.
I'll post the log below. (see below the Kaspersky log)

NOTE: I TRIED TO RUN Deckard's 3 TIMES
BUT IT STALLED EACH TIME AND SAID MS HAS ENCOUNTERED A PROBLEM

thanks for anyone’s help,

FIRST - Here's the Kaspersky Log;

KASPERSKY ONLINE SCANNER REPORT
Sunday, June 08, 2008 4:57:15 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 8/06/2008
Kaspersky Anti-Virus database records: 840603


Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true

Scan Target Critical Areas
C:\WINDOWS
C:\DOCUME~1\home\LOCALS~1\Temp

Scan Statistics
Total number of scanned objects 17001
Number of viruses found 2
Number of infected objects 5
Number of suspicious objects 0
Duration of the scan process 00:14:28

Infected Object Name Virus Name Last Action
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\000050.exe/data0002 Infected: Trojan-Downloader.Win32.PurityScan.gb skipped
C:\WINDOWS\system32\000050.exe NSIS: infected - 1 skipped
C:\WINDOWS\system32\000060.exe/stream/data0002 Infected: not-a-virus:AdWare.Win32.AdBand.af skipped
C:\WINDOWS\system32\000060.exe/stream Infected: not-a-virus:AdWare.Win32.AdBand.af skipped
C:\WINDOWS\system32\000060.exe NSIS: infected - 2 skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\LogFiles\WUDF\WUDFTrace.etl Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
C:\DOCUME~1\home\LOCALS~1\Temp\~DF4831.tmp Object is locked skipped
C:\DOCUME~1\home\LOCALS~1\Temp\~DF562A.tmp Object is locked skipped

Scan process completed.
END Kaspersky Log.


NEXT,
here is the Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 2:08:30 PM, on 6/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Documents and Settings\home\Application Data\Microsoft\dtsc\14256.exe
C:\Program Files\QdrModule\QdrModule17.exe
C:\Program Files\Symantec AntiVirus\DoScan.exe
C:\Documents and Settings\home\Application Data\Microsoft\dtsc\14256.exe
C:\Documents and Settings\home\Application Data\Microsoft\dtsc\14256.exe
C:\Documents and Settings\home\Application Data\Microsoft\dtsc\14256.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://dealers.cars.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Microsoft copyright - {FFFFFFFF-BBBB-4146-86FD-A722E8AB3489} - sockins32.dll (file missing)
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [BVRPLiveUpdate] C:\Program Files\Avanquest update\Engine\Setup.exe -s /PATCH,/SRCUPDATE\C:\DOCUME~1\ALLUSE~1\APPLIC~1\BVRPSO~1\MOTORO~1\LIVEUP~1\LISTOF~1.DAT
O4 - HKCU\..\Run: [Microsoft Windows Installer] C:\Documents and Settings\home\Application Data\Microsoft\dtsc\14256.exe
O4 - HKCU\..\Run: [QdrModule17] "C:\Program Files\QdrModule\QdrModule17.exe"
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O16 - DPF: {298BFFEE-662D-11D5-ADAF-00E0810232D7} (lgbplay Class) - https://video.manheim.com/lib/LiveSound.dll
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/inst...ctDetection.cab
O21 - SSODL: WebProxy - {66186F05-BBBB-4a39-864F-72D84615C679} - sockins32.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 6516 bytes

Merged posts. Deactivated links in initial post. ~ OB

I was able to complete the Deckards log
There were 2 logs
Here's the first;

Deckard's System Scanner v20071014.68
Run by User on 2008-06-08 19:24:28
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------



-- Last 5 Restore Point(s) --
157: 2008-06-09 00:01:25 UTC - RP192 - Deckard's System Scanner Restore Point
156: 2008-06-08 20:30:42 UTC - RP191 - Ad-Aware Restore Point 2008-06-08 13:30:38
155: 2008-06-08 18:04:58 UTC - RP190 - Restore Operation
154: 2008-06-08 17:58:07 UTC - RP189 - Restore Operation
153: 2008-06-08 17:48:12 UTC - RP188 - Windows Defender Checkpoint


-- First Restore Point --
1: 2008-03-11 02:24:22 UTC - RP36 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as User.exe) ------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:25:14 PM, on 6/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Documents and Settings\home\Application Data\Microsoft\dtsc\14256.exe
C:\Program Files\QdrModule\QdrModule17.exe
C:\Documents and Settings\home\Application Data\Microsoft\dtsc\14256.exe
C:\Documents and Settings\home\Application Data\Microsoft\dtsc\14256.exe
C:\Documents and Settings\home\Application Data\Microsoft\dtsc\14256.exe
C:\Documents and Settings\home\Application Data\Microsoft\dtsc\14256.exe
C:\Documents and Settings\home\Application Data\Microsoft\dtsc\14256.exe
C:\Documents and Settings\home\Application Data\Microsoft\dtsc\14256.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Documents and Settings\home\Desktop\dss.exe
?C:\WINDOWS\system32\WBEM\WMIADAP.EXE
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\User.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://dealers.cars.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Microsoft copyright - {FFFFFFFF-BBBB-4146-86FD-A722E8AB3489} - sockins32.dll (file missing)
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [BVRPLiveUpdate] C:\Program Files\Avanquest update\Engine\Setup.exe -s /PATCH,/SRCUPDATE\C:\DOCUME~1\ALLUSE~1\APPLIC~1\BVRPSO~1\MOTORO~1\LIVEUP~1\LISTOF~1.DAT
O4 - HKCU\..\Run: [Microsoft Windows Installer] C:\Documents and Settings\home\Application Data\Microsoft\dtsc\14256.exe
O4 - HKCU\..\Run: [QdrModule17] "C:\Program Files\QdrModule\QdrModule17.exe"
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O16 - DPF: {298BFFEE-662D-11D5-ADAF-00E0810232D7} (lgbplay Class) - https://video.manheim.com/lib/LiveSound.dll
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/inst...ctDetection.cab
O21 - SSODL: WebProxy - {66186F05-BBBB-4a39-864F-72D84615C679} - sockins32.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 6802 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

S3 mqdmbus (Motorola DM Composite Driver (WDM)) - c:\windows\system32\drivers\mqdmbus.sys <Not Verified; MCCI; Motorola DM Composite Driver>
S3 mqdmmdfl (Motorola USB Modem (Filter)) - c:\windows\system32\drivers\mqdmmdfl.sys <Not Verified; MCCI; Motorola USB Modem Filter>
S3 mqdmmdm (Motorola USB Modem) - c:\windows\system32\drivers\mqdmmdm.sys <Not Verified; MCCI; Motorola USB Modem>
S3 mqdmserd (Motorola USB Diag) - c:\windows\system32\drivers\mqdmserd.sys <Not Verified; MCCI; Motorola USB Diag>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

S3 aspnet_state (ASP.NET State Service) - c:\windows\microsoft.net\framework\v1.1.4322\aspnet_state.exe (file missing)


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E96F-E325-11CE-BFC1-08002BE10318}
Description: PS/2 Compatible Mouse
Device ID: ACPI\PNP0F13\4&EDE93E0&0
Manufacturer: Microsoft
Name: PS/2 Compatible Mouse
PNP Device ID: ACPI\PNP0F13\4&EDE93E0&0
Service: i8042prt


-- Scheduled Tasks -------------------------------------------------------------

2008-06-08 19:23:55 330 --ah----- C:\WINDOWS\Tasks\MP Scheduled Scan.job


-- Files created between 2008-05-08 and 2008-06-08 -----------------------------

2008-06-08 18:03:42 0 d-------- C:\kav
2008-06-08 13:56:10 0 d-------- C:\Program Files\Trend Micro
2008-06-08 11:34:12 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-06-08 11:34:11 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-06-08 09:28:57 0 d-------- C:\Program Files\QdrModule
2008-06-08 09:28:57 0 d-------- C:\Program Files\ISM
2008-06-08 09:28:45 0 d-------- C:\Program Files\uTorrent
2008-06-07 00:58:21 229535 --a------ C:\WINDOWS\system32\000050.exe
2008-06-07 00:57:58 226613 --a------ C:\WINDOWS\system32\000060.exe
2008-06-06 17:01:46 70144 --a------ C:\WINDOWS\system32\000090.exe
2008-06-03 09:47:44 1203 --a------ C:\WINDOWS\mozver.dat
2008-05-16 09:33:51 7201 --a------ C:\Documents and Settings\home\1210955631-(null)
2008-05-16 09:31:13 0 d-------- C:\Program Files\Avanquest update
2008-05-16 09:29:50 0 d-------- C:\Program Files\Motorola Phone Tools
2008-05-16 09:29:50 0 d-------- C:\Documents and Settings\All Users\Application Data\BVRP Software
2008-05-16 09:29:44 5936 --a------ C:\WINDOWS\system32\drivers\mqdmwhnt.sys <Not Verified; MCCI; Motorola DM Composite Driver>
2008-05-16 09:29:44 5936 --a------ C:\WINDOWS\system32\drivers\mqdmwh.sys <Not Verified; MCCI; Motorola DM Composite Driver>
2008-05-16 09:29:44 79328 --a------ C:\WINDOWS\system32\drivers\mqdmserd.sys <Not Verified; MCCI; Motorola USB Diag>
2008-05-16 09:29:44 92064 --a------ C:\WINDOWS\system32\drivers\mqdmmdm.sys <Not Verified; MCCI; Motorola USB Modem>
2008-05-16 09:29:44 9232 --a------ C:\WINDOWS\system32\drivers\mqdmmdfl.sys <Not Verified; MCCI; Motorola USB Modem Filter>
2008-05-16 09:29:44 6208 --a------ C:\WINDOWS\system32\drivers\mqdmcmnt.sys <Not Verified; MCCI; Motorola USB DIAG>
2008-05-16 09:29:44 6208 --a------ C:\WINDOWS\system32\drivers\mqdmcm.sys <Not Verified; MCCI; Motorola USB DIAG>
2008-05-16 09:29:44 66656 --a------ C:\WINDOWS\system32\drivers\mqdmbus.sys <Not Verified; MCCI; Motorola DM Composite Driver>
2008-05-16 09:29:44 22768 --a------ C:\Documents and Settings\home\usbsermpt.sys <Not Verified; Microsoft Corporation; Microsoft® Windows ® 2000 Operating System>
2008-05-16 09:29:44 5936 --a------ C:\Documents and Settings\home\mqdmwhnt.sys <Not Verified; MCCI; Motorola DM Composite Driver>
2008-05-16 09:29:44 79328 --a------ C:\Documents and Settings\home\mqdmserd.sys <Not Verified; MCCI; Motorola USB Diag>
2008-05-16 09:29:44 92064 --a------ C:\Documents and Settings\home\mqdmmdm.sys <Not Verified; MCCI; Motorola USB Modem>
2008-05-16 09:29:44 9232 --a------ C:\Documents and Settings\home\mqdmmdfl.sys <Not Verified; MCCI; Motorola USB Modem Filter>
2008-05-16 09:29:44 4048 --a------ C:\Documents and Settings\home\mqdmcr.sys <Not Verified; MCCI; Motorola USB DIAG>
2008-05-16 09:29:44 6208 --a------ C:\Documents and Settings\home\mqdmcmnt.sys <Not Verified; MCCI; Motorola USB DIAG>
2008-05-16 09:29:44 66656 --a------ C:\Documents and Settings\home\mqdmbus.sys <Not Verified; MCCI; Motorola DM Composite Driver>


-- Find3M Report ---------------------------------------------------------------

2008-06-08 19:21:28 0 d-------- C:\Program Files\Symantec AntiVirus
2008-06-08 09:28:51 0 d-------- C:\Program Files\Common Files
2008-06-06 17:01:46 70144 --a------ C:\WINDOWS\system32\userinit.exe
2008-05-16 09:31:13 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-05-16 09:27:00 0 d-------- C:\Program Files\Common Files\InstallShield
2008-05-15 22:36:24 0 d-------- C:\Documents and Settings\home\Application Data\LimeWire
2008-04-30 07:52:58 0 d-------- C:\Program Files\Winamp
2008-04-24 23:50:11 0 d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-04-24 23:35:33 0 d-------- C:\Program Files\MSXML 6.0
2008-04-24 23:25:13 0 d-------- C:\Program Files\Kelley Blue Book
2008-04-24 23:25:13 0 d-------- C:\Program Files\Call Corder 3
2008-04-24 22:35:55 0 d-------- C:\Program Files\MSBuild
2008-04-24 22:31:30 0 d-------- C:\Program Files\Reference Assemblies
2008-04-19 23:12:27 0 d-------- C:\Program Files\Java
2008-04-19 23:11:44 0 d-------- C:\Program Files\Common Files\Java
2008-03-31 21:55:24 81920 --a------ C:\WINDOWS\system32\lgbaudio.dll <Not Verified; Live Global Bid; lgbaudio Module>
2008-03-31 21:55:23 159744 --a------ C:\WINDOWS\system32\lgbskin.dll <Not Verified; ; skin Dynamic Link Library>
2008-03-31 21:55:20 86016 --a------ C:\WINDOWS\system32\lgbsysinfo.dll
2008-03-31 21:55:20 1043456 --a------ C:\WINDOWS\system32\lgbpd.exe


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FFFFFFFF-BBBB-4146-86FD-A722E8AB3489}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [01/07/2005 02:07 PM C:\WINDOWS\system32\HdAShCut.exe]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [01/13/2007 07:47 AM]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [01/13/2007 07:46 AM]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [07/19/2006 08:26 PM]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [09/27/2006 09:33 PM]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [11/03/2006 08:20 PM]
"BVRPLiveUpdate"="C:\Program Files\Avanquest update\Engine\Setup.exe" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Windows Installer"="C:\Documents and Settings\home\Application Data\Microsoft\dtsc\14256.exe" [06/08/2008 09:28 AM]
"QdrModule17"="C:\Program Files\QdrModule\QdrModule17.exe" [05/29/2008 03:25 AM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"WebProxy"= {66186F05-BBBB-4a39-864F-72D84615C679} - sockins32.dll [ ]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
"C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\bacstray]
C:\Program Files\Broadcom\BACS\BacsTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
C:\WINDOWS\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LGBLiveUpdate]
C:\WINDOWS\system32\lgbpd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"

*Newly Created Service* - ASYNCMAC

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{66186F05-BBBB-4a39-864F-72D84615C679}]
rundll32 sockins32.dll,InitModule



-- Hosts -----------------------------------------------------------------------


3031 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2008-06-08 19:25:36 ------------

Edited by Orange Blossom, 09 June 2008 - 08:08 PM.
Deactivate links and correct some spelling. ~ OB
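As an added example, not part of the thread, here is a small Python triage pass over a handful of lines copied from the HijackThis log above (with the backslashes the forum stripped put back). The rules, the "verify"/"suspicious" labels and every function name are my own choices, not anything the helpers or HijackThis itself provide.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample: a subset of the HijackThis log posted above, with the
# backslashes the forum stripped put back. Enough lines to exercise every rule.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://dealers.cars.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Microsoft copyright - {FFFFFFFF-BBBB-4146-86FD-A722E8AB3489} - sockins32.dll (file missing)
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [Microsoft Windows Installer] C:\Documents and Settings\home\Application Data\Microsoft\dtsc\14256.exe
O4 - HKCU\..\Run: [QdrModule17] "C:\Program Files\QdrModule\QdrModule17.exe"
O21 - SSODL: WebProxy - {66186F05-BBBB-4a39-864F-72D84615C679} - sockins32.dll (file missing)
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe (file missing)
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
"""

HJT_LINE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")
RUN_ENTRY = re.compile(r"\[(?P<name>.*?)\]\s*(?P<cmd>.*)$")
USER_PROFILE = re.compile(r"\\Documents and Settings\\[^\\]+\\", re.I)
SYSTEM_DIRS = re.compile(r'^"?[A-Z]:\\(WINDOWS|Program Files|PROGRA~1)\\', re.I)
SYSTEM_WORDS = re.compile(r"\b(microsoft|windows)\b", re.I)
CLSID = re.compile(r"\{([0-9A-F]{8})-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}\}", re.I)


@dataclass
class Finding:
    severity: str   # "verify" (look at it) or "suspicious" (unlikely to be legitimate)
    section: str    # HijackThis section, e.g. "O4", or "O2+O21" for a correlation
    reason: str
    line: str


def _target(body):
    """Last ' - ' field of an O2/O21/O23 line, minus the '(file missing)' tag and quotes."""
    tail = body.rsplit(" - ", 1)[-1]
    return tail.replace(" (file missing)", "").strip().strip('"')


def _basename(path):
    return re.split(r"[\\/]", path)[-1].lower()


def triage(log_text):
    """Return a list of Finding objects for the HijackThis lines in log_text."""
    findings = []
    load_points = defaultdict(set)  # component basename -> sections that load it

    for raw in log_text.strip().splitlines():
        m = HJT_LINE.match(raw.strip())
        if not m:
            continue
        section, body = m["section"], m["body"]

        # Rule 1: a BHO, SSODL object or service whose file HijackThis could not find.
        # Leftovers from an uninstall look exactly the same, so this is only "verify".
        if section in ("O2", "O21", "O23"):
            load_points[_basename(_target(body))].add(section)
            if "(file missing)" in body:
                findings.append(Finding("verify", section,
                                        "load point references a file HijackThis could not find", raw))

        # Rule 2: a CLSID whose first block is one repeated hex digit (FFFFFFFF-...)
        # was typed by hand rather than generated; real components do not look like that.
        if section in ("O2", "O21"):
            g = CLSID.search(body)
            if g and len(set(g.group(1).upper())) == 1:
                findings.append(Finding("suspicious", section,
                                        "CLSID first block is a single repeated hex digit", raw))

        # Rules 3 and 4: autorun entries whose executable sits in a user profile
        # (user-writable, no installer needed), or whose display name borrows a
        # Microsoft/Windows name while the binary lives outside the system directories.
        if section == "O4":
            e = RUN_ENTRY.search(body)
            if e:
                if USER_PROFILE.search(e["cmd"]):
                    findings.append(Finding("suspicious", section,
                                            "autorun executable lives under a user profile directory", raw))
                if SYSTEM_WORDS.search(e["name"]) and not SYSTEM_DIRS.match(e["cmd"]):
                    findings.append(Finding("suspicious", section,
                                            "display name imitates Microsoft/Windows but the path is outside system directories", raw))

    # Rule 5: the same component hooked from more than one load point (here sockins32.dll
    # as both a BHO and a ShellServiceObjectDelayLoad entry) is far more likely deliberate
    # persistence than an uninstall leftover.
    for component, sections in load_points.items():
        if len(sections) > 1:
            findings.append(Finding("suspicious", "+".join(sorted(sections)),
                                    f"{component} is hooked from several load points", component))
    return findings


def report(findings):
    """Render findings as text, most severe first."""
    order = {"suspicious": 0, "verify": 1}
    lines = [f"[{f.severity}] {f.section}: {f.reason}\n    {f.line}"
             for f in sorted(findings, key=lambda f: order[f.severity])]
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(triage(SAMPLE_LOG)))
```

Note that QdrModule17.exe passes every rule here even though the ComboFix run later in the thread removes it: heuristics like these narrow down what to look up, they do not replace looking up unfamiliar names.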


#2 Guest_Cretemonster_*

Posted 12 June 2008 - 01:24 AM

Hi and Welcome to the forums.

Download ComboFix from Here or Here to your Desktop.
  • Double click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply
Note: Do not mouseclick combofix's window while it's running. That may cause it to stall

#3 skothelpoo9 (Topic Starter)

Posted 12 June 2008 - 12:23 PM

THANK YOU FOR YOUR HELP- HERE IS THE COMBOFIX LOG (S) YOU ASKED FOR

ONE NOTE - A WEBSITE SAID, TO FIX THE ZEDO VIRUS POPUP ADS - GO TO THE Prefetch FILE INSIDE System32 - AND DELETE EVERYTHING IN THE FILE. I DID. THE ADS STOPPED.

IN REMOVING EVERYTHING FROM PREFETCH FILE I MAY HAVE "CAUSED" THE PROBLEM TO STOP, BUT MAY NOT HAVE ACTUALLY "ELIMINATED" THE VIRUS...

SO, I STILL WOULD LIKE TO KNOW IF I HAVE REMOVED EVERYTHING THAT WAS PLACED ON MY COMPUTER BY THE VIRUS. AND I WOULD LIKE TO MAKE SURE I DELETE EVERYTHING ASSOCIATED.

THE ORIGINAL PROBLEM WAS - FIREFOX OPENS A BROWSER (AUTOMATICALLY) ABOUT EVERY MINUTE OR SO. THE FIRST URL IS FROM popads123.com... etc THEN THE URL CHANGES TO c5zedo.com ... etc, AND AN AD FOR A RANDOM OFFER OR COMPANY IS DISPLAYED.

I WILL COPY AND PASTE - 2 COMBOFIX LOGS.

THE FIRST LOG, IS THE COMBOFIX I RAN WHILE THE PROBLEM WAS ACTIVE.

THE SECOND LOG, IS THE COMBOFIX I RAN TODAY (PROBLEM HAS STOPPED, BUT NOT SURE IF IT'S REALLY ELIMINATED)

- - - LOG 1 - - -
ComboFix 08-06-08.7 - User 2008-06-08 22:40:41.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.470 [GMT -7:00]
Running from: C:\Documents and Settings\home\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\home\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\Documents and Settings\home\Application Data\macromedia\Flash Player\#SharedObjects\NMRU6NQB\www.broadcaster.com
C:\Documents and Settings\home\Application Data\macromedia\Flash Player\#SharedObjects\NMRU6NQB\www.broadcaster.com\played_list.sol
C:\Documents and Settings\home\Application Data\macromedia\Flash Player\#SharedObjects\NMRU6NQB\www.broadcaster.com\video_queue.sol
C:\Documents and Settings\home\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
C:\Documents and Settings\home\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol
C:\Documents and Settings\home\Application Data\Microsoft\dtsc
C:\Documents and Settings\home\Application Data\Microsoft\dtsc\14256.exe
C:\Documents and Settings\home\Application Data\Microsoft\dtsc\Intervideo WinDVD v4.0.11.187 Plus by CORE.torrent
C:\Documents and Settings\home\Application Data\Microsoft\dtsc\Intervideo WinDVD v4.0.11.187 Plus by CORE.zip
C:\Documents and Settings\home\Application Data\Microsoft\dtsc\Norton Internet Security 2001 v2.5.torrent
C:\Documents and Settings\home\Application Data\Microsoft\dtsc\Norton Internet Security 2001 v2.5.zip
C:\Documents and Settings\home\Application Data\Microsoft\dtsc\s
C:\Documents and Settings\home\Application Data\Microsoft\dtsc\WinAVI Video Converter v5.7 by SND.torrent
C:\Documents and Settings\home\Application Data\Microsoft\dtsc\WinAVI Video Converter v5.7 by SND.zip
C:\Documents and Settings\home\Start Menu\Programs\Internet Speed Monitor
C:\Documents and Settings\home\Start Menu\Programs\Internet Speed Monitor\Check Now.lnk
C:\Documents and Settings\home\Start Menu\Programs\Internet Speed Monitor\Uninstall.lnk
C:\Documents and Settings\Scott\Application Data\macromedia\Flash Player\#SharedObjects\NMRU6NQB\www.broadcaster.com
C:\Documents and Settings\Scott\Application Data\macromedia\Flash Player\#SharedObjects\NMRU6NQB\www.broadcaster.com\played_list.sol
C:\Documents and Settings\Scott\Application Data\macromedia\Flash Player\#SharedObjects\NMRU6NQB\www.broadcaster.com\video_queue.sol
C:\Documents and Settings\Scott\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
C:\Documents and Settings\Scott\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol
C:\Program Files\ISM
C:\Program Files\ISM\Uninstall.exe
C:\Program Files\QdrModule
C:\Program Files\QdrModule\dicer.gz
C:\Program Files\QdrModule\kwder.gz
C:\Program Files\QdrModule\pckrer.dat
C:\Program Files\QdrModule\QdrModule17.exe
C:\WINDOWS\Downloaded Program Files\setup.inf
C:\WINDOWS\index.html
C:\WINDOWS\system32\000050.exe
C:\WINDOWS\system32\000060.exe
C:\WINDOWS\system32\000090.exe
C:\WINDOWS\system32\sft.res

----- BITS: Possible infected sites -----

hxxp://80.93.48.89
Infected copy of C:\WINDOWS\system32\userinit.exe was found & disinfected
Restored copy from - C:\WINDOWS\ServicePackFiles\i386\userinit.exe


.
((((((((((((((((((((((((( Files Created from 2008-05-09 to 2008-06-09 )))))))))))))))))))))))))))))))
.

2008-06-08 18:03 . 2008-06-08 18:03 <DIR> d-------- C:\kav
2008-06-08 17:00 . 2008-06-08 17:00 <DIR> d-------- C:\Deckard
2008-06-08 13:56 . 2008-06-08 13:56 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-08 11:34 . 2008-06-08 11:34 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-06-08 11:34 . 2008-06-08 11:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-06-08 09:28 . 2008-06-08 21:12 <DIR> d-------- C:\Program Files\uTorrent
2008-06-03 09:47 . 2008-06-03 09:47 1,203 --a------ C:\WINDOWS\mozver.dat
2008-05-16 09:31 . 2008-05-16 09:32 <DIR> d-------- C:\Program Files\Avanquest update
2008-05-16 09:31 . 2004-08-03 23:08 25,600 --a------ C:\WINDOWS\system32\drivers\usbser.sys
2008-05-16 09:31 . 2004-08-03 23:08 25,600 --a--c--- C:\WINDOWS\system32\dllcache\usbser.sys
2008-05-16 09:29 . 2008-05-16 09:38 <DIR> d-------- C:\Program Files\Motorola Phone Tools
2008-05-16 09:29 . 2008-05-16 09:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\BVRP Software
2008-05-16 09:29 . 2008-05-16 09:33 92,064 --a------ C:\WINDOWS\system32\drivers\mqdmmdm.sys
2008-05-16 09:29 . 2008-05-16 09:33 92,064 --a------ C:\Documents and Settings\home\mqdmmdm.sys
2008-05-16 09:29 . 2008-05-16 09:33 79,328 --a------ C:\WINDOWS\system32\drivers\mqdmserd.sys
2008-05-16 09:29 . 2008-05-16 09:33 79,328 --a------ C:\Documents and Settings\home\mqdmserd.sys
2008-05-16 09:29 . 2008-05-16 09:33 66,656 --a------ C:\WINDOWS\system32\drivers\mqdmbus.sys
2008-05-16 09:29 . 2008-05-16 09:33 66,656 --a------ C:\Documents and Settings\home\mqdmbus.sys
2008-05-16 09:29 . 2008-05-16 09:33 25,600 --a------ C:\Documents and Settings\home\usbsermptxp.sys
2008-05-16 09:29 . 2008-05-16 09:33 22,768 --a------ C:\Documents and Settings\home\usbsermpt.sys
2008-05-16 09:29 . 2008-05-16 09:33 9,232 --a------ C:\WINDOWS\system32\drivers\mqdmmdfl.sys
2008-05-16 09:29 . 2008-05-16 09:33 9,232 --a------ C:\Documents and Settings\home\mqdmmdfl.sys
2008-05-16 09:29 . 2008-05-16 09:33 6,208 --a------ C:\WINDOWS\system32\drivers\mqdmcmnt.sys
2008-05-16 09:29 . 2008-05-16 09:33 6,208 --a------ C:\WINDOWS\system32\drivers\mqdmcm.sys
2008-05-16 09:29 . 2008-05-16 09:33 6,208 --a------ C:\Documents and Settings\home\mqdmcmnt.sys
2008-05-16 09:29 . 2008-05-16 09:33 5,936 --a------ C:\WINDOWS\system32\drivers\mqdmwhnt.sys
2008-05-16 09:29 . 2008-05-16 09:33 5,936 --a------ C:\WINDOWS\system32\drivers\mqdmwh.sys
2008-05-16 09:29 . 2008-05-16 09:33 5,936 --a------ C:\Documents and Settings\home\mqdmwhnt.sys
2008-05-16 09:29 . 2008-05-16 09:33 4,048 --a------ C:\Documents and Settings\home\mqdmcr.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-09 05:25 --------- d-----w C:\Program Files\Symantec AntiVirus
2008-05-16 16:31 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-16 16:27 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-05-16 05:36 --------- d-----w C:\Documents and Settings\home\Application Data\LimeWire
2008-04-30 14:52 --------- d-----w C:\Program Files\Winamp
2008-04-25 06:50 --------- d-----w C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-04-25 06:35 --------- d-----w C:\Program Files\MSXML 6.0
2008-04-25 06:25 --------- d-----w C:\Program Files\Kelley Blue Book
2008-04-25 06:25 --------- d-----w C:\Program Files\Call Corder 3
2008-04-25 05:35 --------- d-----w C:\Program Files\MSBuild
2008-04-25 05:31 --------- d-----w C:\Program Files\Reference Assemblies
2008-04-20 06:12 --------- d-----w C:\Program Files\Java
2008-04-20 06:11 --------- d-----w C:\Program Files\Common Files\Java
2008-04-01 04:55 86,016 ----a-w C:\WINDOWS\system32\lgbsysinfo.dll
2008-04-01 04:55 81,920 ----a-w C:\WINDOWS\system32\lgbaudio.dll
2008-04-01 04:55 159,744 ----a-w C:\WINDOWS\system32\lgbskin.dll
2008-04-01 04:55 1,043,456 ----a-w C:\WINDOWS\system32\lgbpd.exe
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-19 09:40 1,845,888 ----a-w C:\WINDOWS\system32\win32k.sys
2006-09-19 20:54 81,600 ----a-w C:\Documents and Settings\home\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QdrModule17"="C:\Program Files\QdrModule\QdrModule17.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-07 14:07 61952 C:\WINDOWS\system32\HdAShCut.exe]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2007-01-13 07:47 163840]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2007-01-13 07:46 135168]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-07-19 20:26 52896]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2006-09-27 21:33 125168]
"BVRPLiveUpdate"="C:\Program Files\Avanquest update\Engine\Setup.exe" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-22 19:29 39264]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 22:16 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\bacstray]
--a------ 2006-06-03 19:37 118784 C:\Program Files\Broadcom\BACS\BacsTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
--a------ 2007-01-13 07:47 131072 C:\WINDOWS\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LGBLiveUpdate]
--a------ 2008-03-31 21:55 1043456 C:\WINDOWS\system32\lgbpd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
---hs---- 2004-10-13 09:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
-rahs---- 2008-01-28 12:43 2097488 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-02-22 04:25 144784 C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\kav\\kav7\\setup.exe"=

S3 mqdmbus;Motorola DM Composite Driver (WDM);C:\WINDOWS\system32\DRIVERS\mqdmbus.sys [2008-05-16 09:33]
S3 mqdmmdfl;Motorola USB Modem (Filter);C:\WINDOWS\system32\DRIVERS\mqdmmdfl.sys [2008-05-16 09:33]
S3 mqdmmdm;Motorola USB Modem;C:\WINDOWS\system32\DRIVERS\mqdmmdm.sys [2008-05-16 09:33]
S3 mqdmserd;Motorola USB Diag;C:\WINDOWS\system32\DRIVERS\mqdmserd.sys [2008-05-16 09:33]

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2008-06-09 04:15:07 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-08 22:41:53
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-06-08 22:42:24
ComboFix-quarantined-files.txt 2008-06-09 05:42:18

Pre-Run: 31,642,980,352 bytes free
Post-Run: 31,619,448,832 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

177 --- E O F --- 2008-06-08 05:45:56



- - - LOG 2 - - -
ComboFix 08-06-10.5 - User 2008-06-12 9:45:17.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.560 [GMT -7:00]
Running from: C:\Documents and Settings\home\Desktop\12341234.exe
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-05-12 to 2008-06-12 )))))))))))))))))))))))))))))))
.

2008-06-10 22:03 . 2008-04-14 04:01 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-08 18:03 . 2008-06-08 18:03 <DIR> d-------- C:\kav
2008-06-08 17:00 . 2008-06-08 17:00 <DIR> d-------- C:\Deckard
2008-06-08 13:56 . 2008-06-08 13:56 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-08 11:34 . 2008-06-08 11:34 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-06-08 11:34 . 2008-06-08 11:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-06-08 09:28 . 2008-06-08 21:12 <DIR> d-------- C:\Program Files\uTorrent
2008-06-03 09:47 . 2008-06-03 09:47 1,203 --a------ C:\WINDOWS\mozver.dat
2008-05-16 09:31 . 2008-05-16 09:32 <DIR> d-------- C:\Program Files\Avanquest update
2008-05-16 09:31 . 2004-08-03 23:08 25,600 --a------ C:\WINDOWS\system32\drivers\usbser.sys
2008-05-16 09:31 . 2004-08-03 23:08 25,600 --a--c--- C:\WINDOWS\system32\dllcache\usbser.sys
2008-05-16 09:29 . 2008-05-16 09:38 <DIR> d-------- C:\Program Files\Motorola Phone Tools
2008-05-16 09:29 . 2008-05-16 09:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\BVRP Software
2008-05-16 09:29 . 2008-05-16 09:33 92,064 --a------ C:\WINDOWS\system32\drivers\mqdmmdm.sys
2008-05-16 09:29 . 2008-05-16 09:33 92,064 --a------ C:\Documents and Settings\home\mqdmmdm.sys
2008-05-16 09:29 . 2008-05-16 09:33 79,328 --a------ C:\WINDOWS\system32\drivers\mqdmserd.sys
2008-05-16 09:29 . 2008-05-16 09:33 79,328 --a------ C:\Documents and Settings\home\mqdmserd.sys
2008-05-16 09:29 . 2008-05-16 09:33 66,656 --a------ C:\WINDOWS\system32\drivers\mqdmbus.sys
2008-05-16 09:29 . 2008-05-16 09:33 66,656 --a------ C:\Documents and Settings\home\mqdmbus.sys
2008-05-16 09:29 . 2008-05-16 09:33 25,600 --a------ C:\Documents and Settings\home\usbsermptxp.sys
2008-05-16 09:29 . 2008-05-16 09:33 22,768 --a------ C:\Documents and Settings\home\usbsermpt.sys
2008-05-16 09:29 . 2008-05-16 09:33 9,232 --a------ C:\WINDOWS\system32\drivers\mqdmmdfl.sys
2008-05-16 09:29 . 2008-05-16 09:33 9,232 --a------ C:\Documents and Settings\home\mqdmmdfl.sys
2008-05-16 09:29 . 2008-05-16 09:33 6,208 --a------ C:\WINDOWS\system32\drivers\mqdmcmnt.sys
2008-05-16 09:29 . 2008-05-16 09:33 6,208 --a------ C:\WINDOWS\system32\drivers\mqdmcm.sys
2008-05-16 09:29 . 2008-05-16 09:33 6,208 --a------ C:\Documents and Settings\home\mqdmcmnt.sys
2008-05-16 09:29 . 2008-05-16 09:33 5,936 --a------ C:\WINDOWS\system32\drivers\mqdmwhnt.sys
2008-05-16 09:29 . 2008-05-16 09:33 5,936 --a------ C:\WINDOWS\system32\drivers\mqdmwh.sys
2008-05-16 09:29 . 2008-05-16 09:33 5,936 --a------ C:\Documents and Settings\home\mqdmwhnt.sys
2008-05-16 09:29 . 2008-05-16 09:33 4,048 --a------ C:\Documents and Settings\home\mqdmcr.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-12 14:56 --------- d-----w C:\Program Files\Symantec AntiVirus
2008-05-16 16:31 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-16 16:27 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-05-16 05:36 --------- d-----w C:\Documents and Settings\home\Application Data\LimeWire
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2008-04-30 14:52 --------- d-----w C:\Program Files\Winamp
2008-04-25 06:50 --------- d-----w C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-04-25 06:35 --------- d-----w C:\Program Files\MSXML 6.0
2008-04-25 06:25 --------- d-----w C:\Program Files\Kelley Blue Book
2008-04-25 06:25 --------- d-----w C:\Program Files\Call Corder 3
2008-04-25 05:35 --------- d-----w C:\Program Files\MSBuild
2008-04-25 05:31 --------- d-----w C:\Program Files\Reference Assemblies
2008-04-21 06:56 666,624 ----a-w C:\WINDOWS\system32\wininet.dll
2008-04-20 06:12 --------- d-----w C:\Program Files\Java
2008-04-20 06:11 --------- d-----w C:\Program Files\Common Files\Java
2008-04-14 11:01 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-04-01 04:55 86,016 ----a-w C:\WINDOWS\system32\lgbsysinfo.dll
2008-04-01 04:55 81,920 ----a-w C:\WINDOWS\system32\lgbaudio.dll
2008-04-01 04:55 159,744 ----a-w C:\WINDOWS\system32\lgbskin.dll
2008-04-01 04:55 1,043,456 ----a-w C:\WINDOWS\system32\lgbpd.exe
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-19 09:40 1,845,888 ----a-w C:\WINDOWS\system32\win32k.sys
2006-09-19 20:54 81,600 ----a-w C:\Documents and Settings\home\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((( snapshot@2008-06-08_22.42.10.54 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-09 04:11:56 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-12 14:56:17 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-04-14 11:01:02 272,128 ------w C:\WINDOWS\Driver Cache\i386\bthport.sys
- 2008-02-16 09:32:03 1,024,000 ----a-w C:\WINDOWS\system32\browseui.dll
+ 2008-04-21 06:56:54 1,024,000 ----a-w C:\WINDOWS\system32\browseui.dll
- 2008-02-16 09:32:03 151,040 ----a-w C:\WINDOWS\system32\cdfview.dll
+ 2008-04-21 06:56:54 151,040 ----a-w C:\WINDOWS\system32\cdfview.dll
- 2008-02-16 09:32:03 1,054,208 ----a-w C:\WINDOWS\system32\danim.dll
+ 2008-04-21 06:56:55 1,054,208 ----a-w C:\WINDOWS\system32\danim.dll
- 2008-02-16 09:32:03 1,024,000 -c----w C:\WINDOWS\system32\dllcache\browseui.dll
+ 2008-04-21 06:56:54 1,024,000 -c----w C:\WINDOWS\system32\dllcache\browseui.dll
- 2008-02-16 09:32:03 151,040 -c----w C:\WINDOWS\system32\dllcache\cdfview.dll
+ 2008-04-21 06:56:54 151,040 -c----w C:\WINDOWS\system32\dllcache\cdfview.dll
- 2008-02-16 09:32:03 1,054,208 -c----w C:\WINDOWS\system32\dllcache\danim.dll
+ 2008-04-21 06:56:55 1,054,208 -c----w C:\WINDOWS\system32\dllcache\danim.dll
- 2008-02-16 09:32:04 357,888 -c--a-w C:\WINDOWS\system32\dllcache\dxtmsft.dll
+ 2008-04-21 06:56:55 357,888 -c--a-w C:\WINDOWS\system32\dllcache\dxtmsft.dll
- 2008-02-16 09:32:04 205,312 -c--a-w C:\WINDOWS\system32\dllcache\dxtrans.dll
+ 2008-04-21 06:56:55 205,312 -c--a-w C:\WINDOWS\system32\dllcache\dxtrans.dll
- 2008-02-16 09:32:04 55,808 -c--a-w C:\WINDOWS\system32\dllcache\extmgr.dll
+ 2008-04-21 06:56:55 55,808 -c--a-w C:\WINDOWS\system32\dllcache\extmgr.dll
- 2008-02-15 09:07:53 18,432 -c--a-w C:\WINDOWS\system32\dllcache\iedw.exe
+ 2008-04-17 10:46:59 18,432 -c--a-w C:\WINDOWS\system32\dllcache\iedw.exe
- 2008-02-16 09:32:04 251,904 -c--a-w C:\WINDOWS\system32\dllcache\iepeers.dll
+ 2008-04-21 06:56:56 251,904 -c--a-w C:\WINDOWS\system32\dllcache\iepeers.dll
- 2008-02-16 09:32:04 96,256 -c--a-w C:\WINDOWS\system32\dllcache\inseng.dll
+ 2008-04-21 06:56:56 96,256 -c--a-w C:\WINDOWS\system32\dllcache\inseng.dll
- 2008-02-16 09:32:04 16,384 -c--a-w C:\WINDOWS\system32\dllcache\jsproxy.dll
+ 2008-04-21 06:56:56 16,384 -c--a-w C:\WINDOWS\system32\dllcache\jsproxy.dll
- 2008-02-16 09:32:06 3,066,880 -c--a-w C:\WINDOWS\system32\dllcache\mshtml.dll
+ 2008-04-21 06:56:57 3,066,880 -c--a-w C:\WINDOWS\system32\dllcache\mshtml.dll
- 2008-02-16 09:32:06 449,024 -c--a-w C:\WINDOWS\system32\dllcache\mshtmled.dll
+ 2008-04-21 06:56:57 449,024 -c--a-w C:\WINDOWS\system32\dllcache\mshtmled.dll
- 2008-02-16 09:32:06 146,432 -c--a-w C:\WINDOWS\system32\dllcache\msrating.dll
+ 2008-04-21 06:56:57 146,432 -c--a-w C:\WINDOWS\system32\dllcache\msrating.dll
- 2008-02-16 09:32:07 532,480 -c--a-w C:\WINDOWS\system32\dllcache\mstime.dll
+ 2008-04-21 06:56:58 532,480 -c--a-w C:\WINDOWS\system32\dllcache\mstime.dll
- 2008-02-16 09:32:07 39,424 -c--a-w C:\WINDOWS\system32\dllcache\pngfilt.dll
+ 2008-04-21 06:56:58 39,424 -c--a-w C:\WINDOWS\system32\dllcache\pngfilt.dll
- 2007-10-29 22:43:03 1,287,680 -c----w C:\WINDOWS\system32\dllcache\quartz.dll
+ 2008-05-07 05:18:48 1,287,680 -c----w C:\WINDOWS\system32\dllcache\quartz.dll
- 2006-07-13 08:48:58 202,240 -c--a-w C:\WINDOWS\system32\dllcache\rmcast.sys
+ 2008-05-08 12:28:49 202,752 -c--a-w C:\WINDOWS\system32\dllcache\rmcast.sys
- 2008-02-16 09:32:08 1,499,136 -c----w C:\WINDOWS\system32\dllcache\shdocvw.dll
+ 2008-04-21 06:56:58 1,499,136 -c----w C:\WINDOWS\system32\dllcache\shdocvw.dll
- 2008-02-16 09:32:08 474,112 -c----w C:\WINDOWS\system32\dllcache\shlwapi.dll
+ 2008-04-21 06:56:58 474,112 -c----w C:\WINDOWS\system32\dllcache\shlwapi.dll
- 2008-02-16 09:32:08 618,496 -c--a-w C:\WINDOWS\system32\dllcache\urlmon.dll
+ 2008-04-21 06:56:58 618,496 -c--a-w C:\WINDOWS\system32\dllcache\urlmon.dll
- 2008-02-16 09:32:09 666,112 -c--a-w C:\WINDOWS\system32\dllcache\wininet.dll
+ 2008-04-21 06:56:59 666,624 -c--a-w C:\WINDOWS\system32\dllcache\wininet.dll
- 2008-02-16 09:32:04 357,888 ----a-w C:\WINDOWS\system32\dxtmsft.dll
+ 2008-04-21 06:56:55 357,888 ----a-w C:\WINDOWS\system32\dxtmsft.dll
- 2008-02-16 09:32:04 205,312 ----a-w C:\WINDOWS\system32\dxtrans.dll
+ 2008-04-21 06:56:55 205,312 ----a-w C:\WINDOWS\system32\dxtrans.dll
- 2008-02-16 09:32:04 55,808 ----a-w C:\WINDOWS\system32\extmgr.dll
+ 2008-04-21 06:56:55 55,808 ----a-w C:\WINDOWS\system32\extmgr.dll
- 2008-02-16 09:32:04 251,904 ----a-w C:\WINDOWS\system32\iepeers.dll
+ 2008-04-21 06:56:56 251,904 ----a-w C:\WINDOWS\system32\iepeers.dll
- 2008-02-16 09:32:04 96,256 ----a-w C:\WINDOWS\system32\inseng.dll
+ 2008-04-21 06:56:56 96,256 ----a-w C:\WINDOWS\system32\inseng.dll
- 2008-02-16 09:32:04 16,384 ----a-w C:\WINDOWS\system32\jsproxy.dll
+ 2008-04-21 06:56:56 16,384 ----a-w C:\WINDOWS\system32\jsproxy.dll
- 2008-05-09 21:35:04 16,863,864 ----a-w C:\WINDOWS\system32\MRT.exe
+ 2008-05-29 23:35:11 17,486,968 ----a-w C:\WINDOWS\system32\MRT.exe
- 2008-02-16 09:32:06 3,066,880 ----a-w C:\WINDOWS\system32\mshtml.dll
+ 2008-04-21 06:56:57 3,066,880 ----a-w C:\WINDOWS\system32\mshtml.dll
- 2008-02-16 09:32:06 449,024 ----a-w C:\WINDOWS\system32\mshtmled.dll
+ 2008-04-21 06:56:57 449,024 ----a-w C:\WINDOWS\system32\mshtmled.dll
- 2008-02-16 09:32:06 146,432 ----a-w C:\WINDOWS\system32\msrating.dll
+ 2008-04-21 06:56:57 146,432 ----a-w C:\WINDOWS\system32\msrating.dll
- 2008-02-16 09:32:07 532,480 ----a-w C:\WINDOWS\system32\mstime.dll
+ 2008-04-21 06:56:58 532,480 ----a-w C:\WINDOWS\system32\mstime.dll
- 2008-06-09 04:16:27 212,394 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-06-12 15:00:41 215,914 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-06-09 04:16:27 796,726 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-06-12 15:00:41 803,744 ----a-w C:\WINDOWS\system32\perfh009.dat
- 2008-02-16 09:32:07 39,424 ----a-w C:\WINDOWS\system32\pngfilt.dll
+ 2008-04-21 06:56:58 39,424 ----a-w C:\WINDOWS\system32\pngfilt.dll
- 2008-06-08 18:03:59 70,084 ----a-w C:\WINDOWS\system32\Restore\rstrlog.dat
+ 2008-06-09 15:08:38 5,480 ----a-w C:\WINDOWS\system32\Restore\rstrlog.dat
- 2008-02-16 09:32:08 1,499,136 ----a-w C:\WINDOWS\system32\shdocvw.dll
+ 2008-04-21 06:56:58 1,499,136 ----a-w C:\WINDOWS\system32\shdocvw.dll
- 2008-02-16 09:32:08 474,112 ----a-w C:\WINDOWS\system32\shlwapi.dll
+ 2008-04-21 06:56:58 474,112 ----a-w C:\WINDOWS\system32\shlwapi.dll
- 2006-10-16 23:10:58 14,640 ------w C:\WINDOWS\system32\spmsg.dll
+ 2007-11-30 11:18:51 17,272 ------w C:\WINDOWS\system32\spmsg.dll
- 2008-02-16 09:32:08 618,496 ----a-w C:\WINDOWS\system32\urlmon.dll
+ 2008-04-21 06:56:58 618,496 ----a-w C:\WINDOWS\system32\urlmon.dll
- 2008-02-15 09:06:21 351,744 ----a-w C:\WINDOWS\system32\xpsp3res.dll
+ 2008-04-17 10:37:04 351,744 ----a-w C:\WINDOWS\system32\xpsp3res.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QdrModule17"="C:\Program Files\QdrModule\QdrModule17.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-07 14:07 61952 C:\WINDOWS\system32\HdAShCut.exe]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2007-01-13 07:47 163840]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2007-01-13 07:46 135168]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-07-19 20:26 52896]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2006-09-27 21:33 125168]
"BVRPLiveUpdate"="C:\Program Files\Avanquest update\Engine\Setup.exe" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-22 19:29 39264]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 22:16 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\bacstray]
--a------ 2006-06-03 19:37 118784 C:\Program Files\Broadcom\BACS\BacsTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
--a------ 2007-01-13 07:47 131072 C:\WINDOWS\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LGBLiveUpdate]
--a------ 2008-03-31 21:55 1043456 C:\WINDOWS\system32\lgbpd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
---hs---- 2004-10-13 09:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
-rahs---- 2008-01-28 12:43 2097488 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-02-22 04:25 144784 C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\kav\\kav7\\setup.exe"=

S3 mqdmbus;Motorola DM Composite Driver (WDM);C:\WINDOWS\system32\DRIVERS\mqdmbus.sys [2008-05-16 09:33]
S3 mqdmmdfl;Motorola USB Modem (Filter);C:\WINDOWS\system32\DRIVERS\mqdmmdfl.sys [2008-05-16 09:33]
S3 mqdmmdm;Motorola USB Modem;C:\WINDOWS\system32\DRIVERS\mqdmmdm.sys [2008-05-16 09:33]
S3 mqdmserd;Motorola USB Diag;C:\WINDOWS\system32\DRIVERS\mqdmserd.sys [2008-05-16 09:33]

.
Contents of the 'Scheduled Tasks' folder
"2008-06-12 14:59:27 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-12 09:46:45
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-06-12 9:47:33
ComboFix-quarantined-files.txt 2008-06-12 16:47:25
ComboFix2.txt 2008-06-09 05:42:25

Pre-Run: 36,609,544,192 bytes free
Post-Run: 36,609,605,632 bytes free

226 --- E O F --- 2008-06-11 23:22:36

#4 Guest_Cretemonster_*

Posted 12 June 2008 - 02:07 PM

By chance do you have HijackThis installed?

Give the Eset Online Scanner a run.
http://www.eset.com/onlinescan/index.php

1. Accept the terms of use and click the Start button.
2. When prompted to install an ActiveX Control, click the yellow notification bar and select Install ActiveX Control.
3. Click the Install button on the Security Warning window which appears.
4. Once the ActiveX installs, click the Start button to download the signature database when prompted.
5. On the "Computer Scan" options window select Remove found threats but leave Scan unwanted applications unchecked, then hit the Scan button.
6. A log file of the results can be found at C:/Program Files/EsetOnlineScanner/log.txt
7. Post the results in your next reply please.

#5 skothelpoo9
  • Topic Starter

Posted 12 June 2008 - 04:51 PM

HERE IS THE EsetOnlineScanner LOG

# version=4
# OnlineScanner.ocx=1.0.0.635
# OnlineScannerDLLA.dll=1, 0, 0, 79
# OnlineScannerDLLW.dll=1, 0, 0, 78
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=3182 (20080612)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.064 (20070717)
# EOSSerial=1314040e8f19664d9c8a6cd274dceaa4
# end=finished
# remove_checked=true
# unwanted_checked=false
# utc_time=2008-06-12 08:40:38
# local_time=2008-06-12 01:40:38 (-0800, Pacific Daylight Time)
# country="United States"
# osver=5.1.2600 NT Service Pack 2
# scanned=254816
# found=3
# scan_time=2339
C:\QooBox\Quarantine\C\WINDOWS\system32\000050.exe.vir probably a variant of Win32/Genetik trojan (deleted) 00000000000000000000000000000000
C:\QooBox\Quarantine\C\WINDOWS\system32\000050.exe.vir »NSIS »Yazzle1552OinAdmin.exe probably a variant of Win32/Genetik trojan (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\WINDOWS\system32\lgb\lgbsetup.exe probably unknown NewHeur_PE virus (unable to clean - deleted) 00000000000000000000000000000000

#6 Guest_Cretemonster_*

Posted 13 June 2008 - 05:19 AM

One more scan and a HijackThis log and I think we can call it good.

Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan: Select My Computer
  • This program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post along with a fresh HijackThis log.


#7 skothelpoo9
  • Topic Starter

Posted 13 June 2008 - 12:49 PM

Hi, and I want to say thank you again.
Here is the report.
BTW, should I see a button or something that allows the shown items to be deleted?
Thanks
-------------------------

KASPERSKY ONLINE SCANNER 7 REPORT
Friday, June 13, 2008
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Friday, June 13, 2008 16:46:58
Records in database: 860378


Scan settings
Scan using the following database extended
Scan archives yes
Scan mail databases yes

Scan area My Computer
C:\
D:\

Scan statistics
Files scanned 51847
Threat name 26
Infected objects 49
Suspicious objects 0
Duration of the scan 00:49:59

File name Threat name Threats count
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\00B40000\47F57541.VBN Infected: Trojan-Downloader.Win32.Delf.dlk 1

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\00B40001\47F5767E.VBN Infected: not-a-virus:AdWare.Win32.ZenoSearch.ad 1

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\00B40002\47F5794D.VBN Infected: Trojan-Downloader.Win32.Homles.ax 1

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\00B40003\47F57961.VBN Infected: Trojan.Win32.Monder.gen 1

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\00B40004\47F57975.VBN Infected: Trojan-Downloader.Win32.Homles.ax 1

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\00B40005\47F5798D.VBN Infected: Trojan.Win32.Monder.gen 1

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\00B40006\47F579A0.VBN Infected: not-a-virus:AdWare.Win32.PurityScan.gv 1

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\00B40007\47F579D4.VBN Infected: Trojan.Win32.Monder.gen 1

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\00B40008\47F579E7.VBN Infected: Trojan.Win32.BHO.ab 1

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\00B40009\47F579F9.VBN Infected: Trojan.Win32.BHO.ab 1

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\00B4000A\47F57A0B.VBN Infected: Trojan.Win32.BHO.ab 1

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\00B4000B\47F57A1C.VBN Infected: Trojan.Win32.BHO.ab 1

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\00B4000C\47F57A2E.VBN Infected: Trojan.Win32.BHO.ab 1

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\00B4000D\47F57A46.VBN Infected: Trojan.Win32.Monder.gen 1

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\00B4000E\47F57A5B.VBN Infected: Trojan.Win32.BHO.ab 1

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\00B4000F\47F57A73.VBN Infected: Trojan.Win32.Monder.gen 1

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\00B40010\47F57A88.VBN Infected: Trojan.Win32.Monder.gen 1

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\00B40011\47F57A9B.VBN Infected: Trojan-Downloader.Win32.Agent.gdi 1

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\00B40012\47F57AAD.VBN Infected: Trojan-Downloader.Win32.Agent.ktb 1

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\00B40014\47F57ACF.VBN Infected: Trojan-Downloader.Win32.Agent.lhu 1

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\00B40015\47F57AE0.VBN Infected: Trojan.Win32.BHO.ab 1

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\00B40016\47F57AF8.VBN Infected: Trojan.Win32.Monder.gen 1

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\00B40017\47F57B0D.VBN Infected: Trojan.Win32.BHO.ab 1

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\00B40018\47F57B21.VBN Infected: Trojan.Win32.Monder.gen 1

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\00B40019\47F57B36.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.ixe 1

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\00B4001A\47F57B4C.VBN Infected: not-a-virus:AdWare.Win32.SuperJuan.bce 1

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\00B4001B\47F57B5E.VBN Infected: Trojan.Win32.StartPage.ame 1

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\00B4001C\47F57B70.VBN Infected: Trojan.Win32.Monder.cc 1

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\00B4001D\47F57B80.VBN Infected: Trojan.Win32.Monder.cc 1

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\00B4001E\47F57B91.VBN Infected: Trojan.Win32.Monder.cc 1

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\00B40020\47F57BB2.VBN Infected: not-a-virus:Downloader.Win32.WinFixer.dz 1

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\00B40021\47F57BC4.VBN Infected: Trojan-Downloader.Win32.Delf.dlk 1

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\00B40022\47F57BD5.VBN Infected: not-a-virus:AdWare.Win32.ZenoSearch.ad 1

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\00B40023\47F57BE7.VBN Infected: Trojan-Downloader.Win32.Agent.ezc 1

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\00B40024\47F57BF7.VBN Infected: Trojan-Downloader.Win32.Agent.cbx 1

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\00B40025\47F57C06.VBN Infected: Trojan-Downloader.Win32.Agent.fjn 1

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\00B40026\47F57C15.VBN Infected: Trojan-Downloader.Win32.Agent.kvv 1

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\00B40027\47F57C23.VBN Infected: Trojan-Downloader.Win32.Homles.ax 1

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\00B40028\47F57C32.VBN Infected: Trojan-Downloader.Win32.Homles.ax 1

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\00B4002C\47F57CFA.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.imh 1

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\00B4002D\47F57D0B.VBN Infected: Trojan.Win32.Monder.gen 1

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\00B40033\47F57D7B.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.dnn 1

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\00B40034\47F57D88.VBN Infected: Trojan-Downloader.Win32.VB.cgu 1

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\00B4003A\47F57DF3.VBN Infected: Trojan.Win32.Zapchast.dt 1

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A680000\4A6C096D.VBN Infected: Trojan.Win32.DNSChanger.ebg 1

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A680003.VBN Infected: not-a-virus:AdWare.Win32.BHO.awz 1

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0ACC0004.VBN Infected: Trojan-Downloader.Win32.Agent.kvv 1

C:\QooBox\Quarantine\C\Documents and Settings\home\Application Data\Microsoft\dtsc\14256.exe.vir Infected: Trojan-Downloader.Win32.Agent.shg 1

C:\QooBox\Quarantine\C\WINDOWS\system32\000060.exe.vir Infected: not-a-virus:AdWare.Win32.AdBand.af 1

The selected area was scanned.
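A quick triage pass over a report in this format, added here as an example (it is not code from the thread, from Kaspersky or from any of the tools mentioned): it parses the result rows, separates detections that are already-quarantined copies (the Symantec `.VBN` and ComboFix QooBox `.vir` paths seen in the log above) from files still live on disk, and tallies threat families. The quarantine-store table and the `example-live.dll` row are constructed assumptions for the demonstration.

```python
import re
from collections import Counter
# One result row in the report: "<path> Infected: <threat name> <count>"
ROW_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<threat>\S+) (?P<count>\d+)$")

# Quarantine stores seen in the posted report: (label, lower-cased path fragment, extension
# given to renamed samples). ComboFix comes first because its path also contains "\quarantine\".
QUARANTINE_STORES = (
    ("ComboFix QooBox", "\\qoobox\\quarantine\\", ".vir"),
    ("Symantec quarantine", "\\quarantine\\", ".vbn"),
)

# Rows copied from the report above, plus one CONSTRUCTED row (example-live.dll) outside any quarantine.
SAMPLE_REPORT = r"""
File name Threat name Threats count
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\00B40000\47F57541.VBN Infected: Trojan-Downloader.Win32.Delf.dlk 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\00B40003\47F57961.VBN Infected: Trojan.Win32.Monder.gen 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A680000\4A6C096D.VBN Infected: Trojan.Win32.DNSChanger.ebg 1
C:\QooBox\Quarantine\C\WINDOWS\system32\000060.exe.vir Infected: not-a-virus:AdWare.Win32.AdBand.af 1
C:\WINDOWS\system32\example-live.dll Infected: Trojan.Win32.Monder.gen 1
"""

def parse_report(text):
    """Return (path, threat, count) for each result row; the header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append((m["path"], m["threat"], int(m["count"])))
    return rows

def classify(path):
    """Name the quarantine store holding this file, or 'live' if it is not a quarantined copy."""
    lower = path.lower()
    for label, fragment, ext in QUARANTINE_STORES:
        if fragment in lower and lower.endswith(ext):
            return label
    return "live"

def triage(text):
    """Summarise a report: rows per store, rows per threat family, and the live paths to act on."""
    rows = parse_report(text)
    return {
        "total": len(rows),
        "by_store": dict(Counter(classify(p) for p, _, _ in rows)),
        # Strip the per-variant suffix: Trojan.Win32.Monder.gen -> Trojan.Win32.Monder
        "families": dict(Counter(t.rsplit(".", 1)[0] for _, t, _ in rows)),
        "live": [p for p, _, _ in rows if classify(p) == "live"],
    }
```

Run against the full log above, every row classifies as a quarantine store, which is why none of the findings explains the live pop-ups; only the `live` list is worth acting on.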

#8 Guest_Cretemonster_*

Guest_Cretemonster_*

  • Guests
  • OFFLINE

Posted 15 June 2008 - 06:29 AM

I'm not real sure about the Kaspersky scan, it's been a bit since I ran it, but it usually does not remove what it finds.

Click Start--> Run--> Type in combofix /u and click OK to uninstall ComboFix.

Type in cd\ and click OK

You need to reset System Restore and Clear out all the old infected restore points.
  • Click Start
  • Right-Click "My Computer" and Select Properties.
  • Click on the "System Restore" tab.
  • Place a checkmark in the box for "Turn off System Restore" and Click "Apply."
  • Restart the Computer.
  • Return to System Restore and Uncheck the box for "Turn off System Restore" and Click "Apply."
  • A fresh Restore Point will be created.
Take the time to look through Add\Remove Programs and get rid of anything you don't use and are sure you can live without, and keep all current applications up to date and fully patched.

Secunia has a good check for such things:
http://secunia.com/software_inspector/


So, how is the PC running today?

#9 skothelpoo9

skothelpoo9
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:04:17 PM

Posted 15 June 2008 - 04:51 PM

Well, ever since I did the following -

ANOTHER WEBSITE SAID; TO FIX THE ZEDO VIRUS POPUP ADS - GO TO THE Prefetch File INSIDE System32 - AND DELETE EVERYTHING IN THE FILE. I DID. THE ADS STOPPED.

IN REMOVING EVERYTHING FROM THE PREFETCH FILE I MAY HAVE "CAUSED" THE PROBLEM TO STOP, BUT MAY NOT HAVE ACTUALLY "ELIMINATED" THE VIRUS...
--------------------------------------


So, for now, the pop-up ads have stopped,

but I was really looking for information about popads123 and zedo. I really wanted to be sure I've deleted any remaining files from those, and any other crap they might have spread throughout my computer.

Do you know what deleting everything in the Prefetch file does? There were about 100 items that I found and deleted in that folder, but I still have no idea if I've truly gotten rid of the virus, or if deleting the Prefetch folder simply messes with the functioning of the popads - and that's not what I really want to do. Note, I just looked again now at the Prefetch file, and it's full again, mostly of EXE files of all sorts.

Also, when i first started with this problem, I tried to run a system restore,
but no matter which previous date I selected (and tried several times) - it always said it could not restore. So I did the exact procedure you suggested - unchecking and checking - which wiped out all previous restore dates.

So.... any info on Zedo or Popads123? And the best procedure to delete them and all related files from the computer - Note, I did a system Search, and they don't show up under those names anywhere in the computer. But they were in the computer, and causing pop-up ads to appear.

Thanks again,

#10 Guest_Cretemonster_*

Guest_Cretemonster_*

  • Guests
  • OFFLINE

Posted 16 June 2008 - 01:14 AM

I'm not real sure where you will find a proper write-up on those; you can try the Symantec or McAfee virus dictionary and see if there is something there.

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

Windows, Internet Explorer and Microsoft Office Updates

Visit Microsoft's Windows Update Site frequently. This will ensure your computer always has the latest available security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

If you are running Microsoft Office, or any application of it, go to the Microsoft Office Update site and make sure you have at least all the critical updates installed.

If you have trouble with Windows Update, you still can get all the Critical Updates, Security Fixes and Service Packs. Below are a few links to bookmark.

Microsoft Security Bulletins
http://www.microsoft.com/technet/security/current.aspx

Office downloads
http://office.microsoft.com/en-us/officeupdate/default.aspx

Download Center
http://www.microsoft.com/downloads/search.aspx

Microsoft Security Advisories
http://www.microsoft.com/technet/security/...ry/default.mspx

Recently Published
http://www.microsoft.com/technet/security/...nt/default.mspx

Programs that may help you in keeping the PC clean

ERUNT (The Emergency Recovery Utility for NT) can be found Here or Here
  • You can use this utility as a primary registry backup utility, apart from System Restore.
  • Two methods of registry backup (System Restore and using ERUNT) are often recommended.
  • Detailed usage can be found Here
It is very important that your computer has anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future. See the link below for a listing of some online and stand-alone antivirus programs.
Computer Safety Online - Anti-Virus
http://forum.malwareremoval.com/viewtopic.php?p=53#53

Update your Anti Virus Software

It is imperative that you update your anti-virus software at least once a week (even more if you wish). If you do not update your anti-virus software then it will not be able to catch any of the new variants that may come out.

Use a Firewall

I cannot stress enough how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. For an article on Firewalls and a listing of some available ones see the link below.
Computer Safety Online - Software Firewalls
http://forum.malwareremoval.com/viewtopic.php?p=56#56
A tutorial on Understanding and Using Firewalls can be found here

Additional Information

For more information about Spyware, the tools available, and other informative material, including information on how you may have been infected in the first place, please check out this link.

A very nice collection of tutorials is available at Bleeping Computer
http://www.bleepingcomputer.com/tutorials/

Finally, after following up on all these recommendations, run Jason Levine's Browser Security Tests.
They will provide you with an insight on how vulnerable you might still be to a number of common exploits.
http://www.jasons-toolbox.com/BrowserSecurity/

Other Security checks and more sites relating to computer security are listed below, take the time to visit these when you have time.
Symantec Security Check
Gibson Research Corporation Home Page (Look for the Hot Spots Section)
McAfee SiteAdvisor
LinkScanner
GFI Email Security Testing Zone

#11 skothelpoo9

skothelpoo9
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE

Posted 16 June 2008 - 01:40 AM

Thanks again,

Regarding MS updates:
what is your opinion of updating to Service Pack 3 at this time?

I've heard several people opine that staying with SP 2 is fine for now,
let MS work out any bugs with SP3,
and then get 3 later (not exactly sure what LATER means.... maybe a few months?)

your thoughts....

#12 Guest_Cretemonster_*

Guest_Cretemonster_*

  • Guests
  • OFFLINE

Posted 16 June 2008 - 03:31 AM

what is your opinion of updating to Service Pack 3 at this time?


I have not installed it myself, can't say whether it's good or bad.

Using your head and best senses while surfing is the single best line of defense. :thumbsup:



