PC Help Forum, Security & Safety, [Fixed] Hijackthis! Logs: [Resolved] pop-ups and little red ball
#1, 01-06-2007, astampfel (Bronze Member, Join Date: Jan 2007, Posts: 3)
[Resolved] pop-ups and little red ball

I just built a new machine and had it running great until I went searching (yes I did IE instead of firefox, ughhh) for an install code for WinDVR, now I'm getting pop-ups and I sometimes get this little red ball in my icon tray!!!! Please take a look at my log file and see if there is anything I can do. Thanks for the help.

Andrew

Edit: Please only post HJT and spyware logs as attachments. Thanks,
LGW
Attached Files: Astampfel's 1st log.txt (9.0 KB)
Last edited by ladygreenwitch; 01-10-2007 at 02:17 AM. Reason: Logs posted instead of attached
#2, 01-06-2007, upgrader (Site Manager, Join Date: Jul 2006, Location: /home/upgrader/, Posts: 6,580)

Welcome to PCHF astampfel!

A security analyst will take a look at your log for you soon.


#3, 01-07-2007, chiaz (Senior Security Analyst, Join Date: Jun 2006, Location: Singapore, Posts: 2,866)

Hello.

1. Download this file - combofix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply, along with a new HijackThis log.

Note:
Do not mouse-click combofix's window whilst it's running. That may cause it to stall.


#4, 01-09-2007, astampfel (Bronze Member, Join Date: Jan 2007, Posts: 3)
I ran combofix and hijack this...

The 2 logs together were over the 20,000 character limit so I had to attach them as a file.

Andrew

Edit: Split logs into separate attachments for easier reading. Thanks,
LGW
Attached Files: Astampfel's combofix log.txt (59.0 KB), Astampfel's HJT.txt (8.6 KB)
Last edited by ladygreenwitch; 01-10-2007 at 02:21 AM. Reason: Split attachment into separate logs
#5, 01-10-2007, ladygreenwitch (HR Director, Join Date: Jul 2005, Location: Bay Area California, Posts: 5,778)

Hey Guys,

@Astampfel, I'll take a look at your logs and see what they have to say.

TTFN

LGW


#6, 01-10-2007, ladygreenwitch (HR Director, Join Date: Jul 2005, Location: Bay Area California, Posts: 5,778)

Hey Astampfel,

Yup you've got some bugs in there. Let's see about getting them out.

First of all, will you please download from my signature: Shoot the Messenger, SpySweeper, and RegSupremePro. Update SpySweeper and RegSupreme Pro, but do not use them yet. Also please download Rustockb Fix, Smitfraudfix, and Stinger; print out the instructions for Stinger if you wish. Save them all to your desktop, and print out these instructions; you will need them when you boot into Safe Mode.

Boot into Safe Mode using the instructions you followed previously in PreWork. Make sure that your System Restore is disabled and that all your hidden files and folders are showing. You will be staying in Safe Mode until the fix is complete.

Follow these instructions exactly and in order please.

Run the cleaner you used during PreWork, (I still like CCleaner, if you prefer to try that, you can download it from my sig as well).

Go to Add/Remove Programs and remove if found:

nmstt.exe
Toolbar888


Locate and Delete the following files and folders, marked in red, if found:


C:\Program Files\Toolbar888\My Tool Bar
C:\Program Files\Common Files\qoqi\qoqim.exe
C:\Program Files\Common Files\qoqi\qoqia.exe
C:\Program Files\Common Files\{283927AD-089C-1033-1129-061128050001}\Update.exe" mc-110-12-0000272
C:\WINDOWS\system32\drvzut.dll,startup
C:\WINDOWS\system32\lrikvdet.dll",setvm
C:\WINDOWS\S?mbols\nopdb.exe" -vt yazb
C:\Program Files\Common Files\s?mbols\?canregw.exe
C:\WINDOWS\system32\svchosts.exe" -e mc-110-12-0000272


Run Stinger
Follow the directions from the download site.

Run SpySweeper
Make sure that you have all available options checked under Custom Sweeps, on the Sweep tab, in the Options page. Then do a full scan saving the log to post back here.

Stop Bad NT Service
Click Start>Run and type in: services.msc
Click OK
In the Services window find: COM+ Messages
Select/highlight and right click the entry, and choose: Properties
On the General tab, under Service Status click the Stop button
Beside: Startup Type, in the drop menu, select: Disabled
Click Apply, then OK

Open HJT and click config > misc tools > 'delete an NT service'
Copy and paste: COM+ Messages
Click OK.

Run SmitfraudFix
Double-click SmitfraudFix.exe
Select 2 and hit Enter to delete infected files.
You will be prompted: Do you want to clean the registry ? answer Y (yes) and hit Enter in order to remove the Desktop background and clean registry keys associated with the infection.
The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found): Replace infected file ? answer Y (yes) and hit Enter to restore a clean file.
A reboot may be needed to finish the cleaning process. Please reboot back into Safe Mode to finish the fix.
The report can be found at the root of the system drive, usually at C:\rapport.txt please post it when you post back here.

Run RustockbFix
Double click on rustbfix.exe to run the tool. If a Rustock.b-infection is found, you will shortly hereafter be asked to reboot the computer. The reboot will probably take quite a while, and perhaps 2 reboots will be needed. But this will happen automatically. After the reboot 2 logfiles will open (%root%\avenger.txt & %root%\rustbfix\pelog.txt). Please save them to your Desktop.

You can now be back in Normal Mode. Run Shoot the Messenger; it will automatically disable Windows Messenger, an unnecessary utility which leaves you vulnerable to PopUp attacks.

Then please start HijackThis and fix the following if they are still there:


R3 - URLSearchHook: (no name) - {6C8F1953-83B7-AE4F-9628-89CD2E6AD3B2} C:\WINDOWS\system32\grpf.dll
O4 - HKLM\..\Run: [{283927AD-089C-1033-1129-061128050001}] "C:\Program Files\Common Files\{283927AD-089C-1033-1129-061128050001}\Update.exe" mc-110-12-0000272
O4 - HKLM\..\Run: [CTDrive] rundll32.exeC:\WINDOWS\system32\drvzut.dll,startup
O4 - HKLM\..\Run: [DllRunning] rundll32.exe "C:\WINDOWS\system32\lrikvdet.dll",setvm
O4 - HKCU\..\Run: [qoqi] C:\PROGRA~1\COMMON~1\qoqi\qoqim.exe
O4 - HKCU\..\Run: [Mstt] "C:\WINDOWS\MBOLS~1\nopdb.exe" -vt yazb
O4 - HKCU\..\Run: [Vvwr] C:\Program Files\Common Files\s?mbols\?canregw.exe
O16 - DPF: {0D41B8C5-2599-4893-8183-00195EC8D5F9} (asusTek_sysctrl Class) - http://support.asus.com/common/asusTek_sys_ctrl.cab
O23 - Service: COM+ Messages - Unknown owner - C:\WINDOWS\system32\svchosts.exe" -e mc-110-12-0000272 (file missing)
Reboot the computer and run RegSupremePro. It will want to make a backup of your cache; let it. Click on the Registry Cleaner tab, and select Aggressive. When it has finished, click on Select, and choose All. Click on Fix, and let it fix everything that it finds.
Reboot your computer.

Rerun a new HijackThis log and post that along with all of the other logs created during your fix back here.

We'll be looking forward to your reply,

TTFN

LGW
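A few of the tells in the entries LGW lists above can be checked mechanically before a human reads the log. The Python script below is an added example written for this thread; it is not code from the original post, from HijackThis, or from any tool named here. It parses HijackThis-style entries (R3, O4, O16, O23) and flags the patterns the analyst singled out: a service whose binary is reported missing, a path HijackThis printed with '?' for a character it could not render, an executable whose name imitates a Windows component, a URLSearchHook with no name, and a Run entry named after a GUID. The look-alike name table is an assumption made for this example, and the sample input is the fix list from the post above plus the O16 ASUS entry, which the heuristics should leave alone.

```python
"""Triage helper for HijackThis-style log entries (Python 3).

Added example for this thread; not part of the original post and not code
from HijackThis or any other tool named in it. The heuristics mirror what
the analyst flagged; the look-alike table below is an assumption.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Assumption for this example: names that imitate legitimate Windows binaries.
LOOKALIKE_NAMES = {
    "svchosts.exe": "svchost.exe",
    "scvhost.exe": "svchost.exe",
    "explore.exe": "explorer.exe",
}

# "O23 - Service: ..." -> kind "O23", body "Service: ..."
ENTRY_RE = re.compile(r"^(?P<kind>[A-Z]\d{1,2}) - (?P<body>.*)$")
# A Windows path (drive letter onwards) that contains a '?' somewhere.
ODD_PATH_RE = re.compile(r'[A-Za-z]:\\[^"]*\?')
# Base names of .exe/.dll references anywhere in the entry body.
BINARY_RE = re.compile(r"([\w?~.-]+\.(?:exe|dll))", re.IGNORECASE)
# Run entries are written as [value name] command; GUID-style names are unusual.
GUID_RUN_RE = re.compile(r"Run: \[\{[0-9A-Fa-f-]{36}\}\]")


@dataclass(frozen=True)
class Finding:
    kind: str     # HijackThis entry kind, e.g. "O23"
    reason: str   # short machine-friendly reason
    line: str     # the original entry


def parse_entry(line):
    """Return (kind, body) for a HijackThis entry, or None for other text."""
    m = ENTRY_RE.match(line.strip())
    return (m.group("kind"), m.group("body")) if m else None


def triage_line(line):
    """Apply every heuristic to one entry and return its findings (may be empty)."""
    parsed = parse_entry(line)
    if parsed is None:
        return []
    kind, body = parsed
    found = []
    if kind == "O23" and "(file missing)" in body:
        found.append(Finding(kind, "service-binary-missing", line))
    if kind == "R3" and "URLSearchHook" in body and "(no name)" in body:
        found.append(Finding(kind, "unnamed-urlsearchhook", line))
    if kind == "O4" and GUID_RUN_RE.search(body):
        found.append(Finding(kind, "guid-named-run-entry", line))
    if ODD_PATH_RE.search(body):
        found.append(Finding(kind, "unrenderable-char-in-path", line))
    if any(name.lower() in LOOKALIKE_NAMES for name in BINARY_RE.findall(body)):
        found.append(Finding(kind, "lookalike-binary", line))
    return found


def triage(lines):
    """Run the heuristics over a sequence of log lines."""
    return [f for line in lines for f in triage_line(line)]


def summarize(findings):
    """Count findings per reason, e.g. {"service-binary-missing": 1, ...}."""
    return dict(Counter(f.reason for f in findings))


# Sample input: the entries from the fix list in post #6, copied verbatim,
# plus the O16 ASUS entry, which should produce no finding.
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - {6C8F1953-83B7-AE4F-9628-89CD2E6AD3B2} C:\WINDOWS\system32\grpf.dll
O4 - HKLM\..\Run: [{283927AD-089C-1033-1129-061128050001}] "C:\Program Files\Common Files\{283927AD-089C-1033-1129-061128050001}\Update.exe" mc-110-12-0000272
O4 - HKLM\..\Run: [CTDrive] rundll32.exeC:\WINDOWS\system32\drvzut.dll,startup
O4 - HKLM\..\Run: [DllRunning] rundll32.exe "C:\WINDOWS\system32\lrikvdet.dll",setvm
O4 - HKCU\..\Run: [qoqi] C:\PROGRA~1\COMMON~1\qoqi\qoqim.exe
O4 - HKCU\..\Run: [Mstt] "C:\WINDOWS\MBOLS~1\nopdb.exe" -vt yazb
O4 - HKCU\..\Run: [Vvwr] C:\Program Files\Common Files\s?mbols\?canregw.exe
O16 - DPF: {0D41B8C5-2599-4893-8183-00195EC8D5F9} (asusTek_sysctrl Class) - http://support.asus.com/common/asusTek_sys_ctrl.cab
O23 - Service: COM+ Messages - Unknown owner - C:\WINDOWS\system32\svchosts.exe" -e mc-110-12-0000272 (file missing)
""".strip().splitlines()

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:4} {f.reason:28} {f.line[:70]}")
    print(summarize(triage(SAMPLE_LOG)))
```

Running it flags four of the nine entries (five findings in total; the COM+ Messages service trips two rules). The two rundll32 loaders and the `MBOLS~1` short-name path pass every check: nothing in their text is malformed, and deciding that `drvzut.dll` or `nopdb.exe` does not belong takes file reputation and an analyst's experience, which is exactly why the log went to the forum rather than through a script.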


#7, 01-11-2007, astampfel (Bronze Member, Join Date: Jan 2007, Posts: 3)

You are wonderful. Thanks for all the help. I don't know where else I would've gone. I was trying to follow your steps, but I got frustrated, saved all my documents in the "My documents" folder, and just reloaded Windows again. It was a big pain, and I had to reinstall all my software and email again, and Service Pack 2, and my graphics Nvidia drivers, and about 66 security packs from Microsoft. But I think I learned a big lesson, and I'll use all the security software you mentioned in your post. I only use Firefox now, and I hope that I won't visit any more bad sites.

Andrew


