
Unknown Malware Problem


  • This topic is locked
21 replies to this topic

#1 blov10

  • Members
  • 61 posts
  • OFFLINE
  • Local time:07:10 AM

Posted 06 November 2006 - 11:38 AM

Hello,

I recently set up my Dell desktop again after about a year and I had numerous upgrades to download. Anyway, I keep getting the Outerinfo pop-ups using IE and cannot get rid of them. I have installed and run all of the programs except the Qoo tool. It says I'm missing a C:\Windows file. I have also installed Outpost firewall. This seems to be the deciding factor. When first installed, it asked about letting certain programs have outside access and the first to pop up was one called ?TTRIB.EXE (Outerinfo), so gladly I denied the program access, which has taken care of that OUTERINFO pop-up problem. My concern is that I only have a trial issue of the firewall and believe that when it runs out I will be bombarded by the pop-ups again. Is there any way to get rid of that ?TTRIB.EXE program so I don't have this problem anymore?

Here is my HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 9:28:24 AM, on 11/6/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Agnitum\Outpost Firewall\outpost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\?ttrib.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Ben Lotvedt\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../ymsgr/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R3 - URLSearchHook: (no name) - {21CE00EA-9554-C8AE-2E53-CDCE6B9FEAC0} - C:\WINDOWS\system32\igot.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: (no name) - {21CE00EA-9554-C8AE-2E53-CDCE6B9FEAC0} - C:\WINDOWS\system32\igot.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [k67] C:\documents and settings\ben lotvedt\local settings\temp\k67.exe
O4 - HKLM\..\Run: [im] C:\documents and settings\ben lotvedt\local settings\temp\im.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [E1zkdMV] C:\documents and settings\ben lotvedt\local settings\temp\E1zkdMV.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [9] C:\Documents and Settings\Ben Lotvedt\Local Settings\Temp\9.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Outpost Firewall] "C:\Program Files\Agnitum\Outpost Firewall\outpost.exe" /waitservice
O4 - HKLM\..\Run: [OutpostFeedBack] C:\Program Files\Agnitum\Outpost Firewall\feedback.exe /dump:os_startup
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Cqpjkdl] C:\WINDOWS\system32\?ttrib.exe
O4 - HKCU\..\Run: [C:_Program Files_WordPerfe3a] C:\Program Files\WordPerfect Office 11\Programs\CorUpd.exe /Watch
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: ymetray.lnk = C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EP...l_v1-0-3-17.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by103fd.bay103.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {885BB46A-3F1E-44C3-A01B-A7D9260CC98B} (InstallShield Update Service Setup Player) - http://updates.installshield.com/CAB/dwusplay.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Outpost Firewall Service (OutpostFirewall) - Agnitum Ltd. - C:\Program Files\Agnitum\Outpost Firewall\outpost.exe

I ran the STINGER program but forgot to Turn off my system restore.

Anyway, any and all help is greatly appreciated.

Thanks

Ben
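Added example, not part of the post or of BleepingComputer's tooling: a Python script that applies the heuristics a log reader uses when triaging a HijackThis log like the one above. It flags O4 autoruns launched from a Temp directory, a filename carrying a character HijackThis could not render (printed as `?`) that imitates a Windows tool name (the `?ttrib.exe` entry against the legitimate `attrib.exe`), unnamed BHOs or URLSearchHooks loading from the Windows directory, and one CLSID registered as both a BHO and a URLSearchHook (the `igot.dll` entries). The regexes, the `SYSTEM_TOOLS` list and the `?`-means-unrenderable-character reading are assumptions of the example; the embedded input is an excerpt of the log posted above.

```python
import re
from dataclasses import dataclass, field

# Excerpt of the HijackThis log from the post above, embedded so the script runs offline.
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - {21CE00EA-9554-C8AE-2E53-CDCE6B9FEAC0} - C:\WINDOWS\system32\igot.dll
O2 - BHO: (no name) - {21CE00EA-9554-C8AE-2E53-CDCE6B9FEAC0} - C:\WINDOWS\system32\igot.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [k67] C:\documents and settings\ben lotvedt\local settings\temp\k67.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [E1zkdMV] C:\documents and settings\ben lotvedt\local settings\temp\E1zkdMV.exe
O4 - HKLM\..\Run: [9] C:\Documents and Settings\Ben Lotvedt\Local Settings\Temp\9.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [Cqpjkdl] C:\WINDOWS\system32\?ttrib.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

RUN_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
HOOK_RE = re.compile(r"^(?P<kind>O2 - BHO|R3 - URLSearchHook): (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
QUOTED_RE = re.compile(r'^"(?P<path>[^"]+)"')
UNQUOTED_RE = re.compile(r"^(?P<path>.+?\.(?:exe|dll|com|scr|bat|cmd))(?:\s|$)", re.IGNORECASE)
WINDIR_RE = re.compile(r"^[a-z]:\\windows\\", re.IGNORECASE)

# Assumed list of tool names a dropper likes to imitate. HijackThis prints "?" for a
# character it cannot render in the system code page, so "?ttrib.exe" is not attrib.exe.
SYSTEM_TOOLS = ("attrib.exe", "chkdsk.exe", "cmd.exe", "svchost.exe", "lsass.exe",
                "csrss.exe", "explorer.exe", "winlogon.exe", "ctfmon.exe")


@dataclass
class Finding:
    line: str
    path: str
    reasons: list = field(default_factory=list)


def command_path(cmd):
    """Strip arguments from an O4 command line and return the image path."""
    m = QUOTED_RE.match(cmd) or UNQUOTED_RE.match(cmd)
    return m.group("path") if m else cmd


def lookalike(filename):
    """Return the system tool a '?'-bearing filename imitates, or None."""
    if "?" not in filename:
        return None
    pattern = re.escape(filename).replace(r"\?", ".")   # each '?' stands for one unknown char
    for tool in SYSTEM_TOOLS:
        if re.fullmatch(pattern, tool, re.IGNORECASE):
            return tool
    return None


def analyze(log_text):
    """Return a Finding for every autorun or browser hook the heuristics flag."""
    entries = []       # (line, kind, name, path, clsid)
    clsid_kinds = {}   # CLSID -> set of entry kinds it is registered under
    for line in log_text.strip().splitlines():
        m = RUN_RE.match(line)
        if m:
            entries.append((line, "Run", m["name"], command_path(m["cmd"]), None))
            continue
        m = HOOK_RE.match(line)
        if m:
            clsid = m["clsid"].upper()
            clsid_kinds.setdefault(clsid, set()).add(m["kind"])
            entries.append((line, m["kind"], m["name"], m["path"], clsid))

    findings = []
    for line, kind, name, path, clsid in entries:
        reasons = []
        low = path.lower()
        filename = low.rsplit("\\", 1)[-1]
        if "\\temp\\" in low:
            reasons.append("runs from a Temp directory")
        if "?" in filename:
            tool = lookalike(filename)
            reasons.append("unrenderable character in filename"
                           + (f", imitates {tool}" if tool else ""))
        if kind != "Run" and name == "(no name)" and WINDIR_RE.match(path):
            reasons.append("unnamed browser hook loading from the Windows directory")
        if clsid and len(clsid_kinds[clsid]) > 1:
            reasons.append("CLSID registered as both BHO and URLSearchHook")
        if reasons:
            findings.append(Finding(line, path, reasons))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f.path, "->", "; ".join(f.reasons))
```

On the excerpt this reports the two `igot.dll` hooks, the three Temp-folder autoruns and `?ttrib.exe`, and leaves ctfmon.exe, igfxtray.exe, the Spybot helper and the Google toolbar alone. The Temp check is deliberately broad: a legitimate installer can leave a Run entry pointing into Temp, so the output is a triage list to verify, not a removal list.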


#2 stonangel

  • Members
  • 595 posts
  • OFFLINE
  • Location:France
  • Local time:03:10 PM

Posted 06 November 2006 - 12:00 PM

Welcome to Bleeping Computer, blov10.

* Please turn off Word Wrap to increase readability (in Notepad, Go to Edit, uncheck Word Wrap option).

* 1. Download this file - combofix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

Olivier

#3 blov10
  • Topic Starter

  • Members
  • 61 posts
  • OFFLINE
  • Local time:07:10 AM

Posted 06 November 2006 - 12:36 PM

Hello,

Sorry about that. I downloaded the program and when I click on Run, a box comes up with a prompt and then disappears. Anyway, I took off word wrap in Notebook and here is that log again:

Logfile of HijackThis v1.99.1
Scan saved at 9:28:24 AM, on 11/6/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Agnitum\Outpost Firewall\outpost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\?ttrib.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Ben Lotvedt\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R3 - URLSearchHook: (no name) - {21CE00EA-9554-C8AE-2E53-CDCE6B9FEAC0} - C:\WINDOWS\system32\igot.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: (no name) - {21CE00EA-9554-C8AE-2E53-CDCE6B9FEAC0} - C:\WINDOWS\system32\igot.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [k67] C:\documents and settings\ben lotvedt\local settings\temp\k67.exe
O4 - HKLM\..\Run: [im] C:\documents and settings\ben lotvedt\local settings\temp\im.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [E1zkdMV] C:\documents and settings\ben lotvedt\local settings\temp\E1zkdMV.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [9] C:\Documents and Settings\Ben Lotvedt\Local Settings\Temp\9.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Outpost Firewall] "C:\Program Files\Agnitum\Outpost Firewall\outpost.exe" /waitservice
O4 - HKLM\..\Run: [OutpostFeedBack] C:\Program Files\Agnitum\Outpost Firewall\feedback.exe /dump:os_startup
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Cqpjkdl] C:\WINDOWS\system32\?ttrib.exe
O4 - HKCU\..\Run: [C:_Program Files_WordPerfe3a] C:\Program Files\WordPerfect Office 11\Programs\CorUpd.exe /Watch
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: ymetray.lnk = C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EP...l_v1-0-3-17.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by103fd.bay103.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {885BB46A-3F1E-44C3-A01B-A7D9260CC98B} (InstallShield Update Service Setup Player) - http://updates.installshield.com/CAB/dwusplay.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Outpost Firewall Service (OutpostFirewall) - Agnitum Ltd. - C:\Program Files\Agnitum\Outpost Firewall\outpost.exe

#4 stonangel

  • Members
  • 595 posts
  • OFFLINE
  • Location:France
  • Local time:03:10 PM

Posted 06 November 2006 - 01:42 PM

Hi blov10,

* You should print out these instructions, or copy them to a Notepad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.


* First download AVG Anti-Spyware from HERE and save that file to your desktop.
This is a 30 day trial of the program
  • Once you have downloaded AVG Anti-Spyware, locate the icon on the desktop and double-click it to launch the setup program.
  • Once the setup is complete you will need to run AVG Anti-Spyware and update the definition files.
  • On the main screen select the icon "Update" then select the "Update now" link.
    • Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.
  • Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  • Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
  • Under "Reports"
    • Select "Automatically generate report after every scan"
    • Un-Select "Only if threats were found"
Close AVG Anti-Spyware, Do Not run a scan just yet, we will shortly.

* Go to Start > Control Panel > Add/Remove Programs and look for any of these and uninstall them:

Oin
Yazzle by Oin
Purityscan by Oin
Snowballwars by Oin
or anything similar with Oin or Outerinfo in it.
Zolero
Tizzletalk
MediaTickets
Cowabanga
and any other programs you didn't install or don't recognize - if you're not sure please ask first


* Download and run this uninstaller:
http://www.outerinfo.com/OiUninstaller.exe

* Please reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.
IMPORTANT: Do not open any other windows or programs while AVG Anti-Spyware is scanning, it may interfere with the scanning process:
  • Launch AVG Anti-Spyware by double-clicking the icon on your desktop.
  • Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
  • AVG Anti-Spyware will now begin the scanning process, be patient this may take a little time.
    Once the scan is complete do the following:
  • If you have any infections you will be prompted, then select "Apply all actions"
  • Next select the "Reports" icon at the top.
  • Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
  • Close AVG Anti-Spyware and reboot your system back into Normal Mode and post the results of the AVG Anti-Spyware report scan and a new HijackThis log, please.


Olivier

#5 blov10
  • Topic Starter

  • Members
  • 61 posts
  • OFFLINE
  • Local time:07:10 AM

Posted 06 November 2006 - 06:15 PM

OK, did all that. AVG took some time but here it is:

AVG SCAN:

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 2:59:32 PM 11/6/2006

+ Scan result:



C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP183\A0006897.dll -> Adware.Aws : Cleaned.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP156\A0003968.dll -> Adware.PurityScan : Cleaned.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP158\A0003996.dll -> Adware.PurityScan : Cleaned.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP160\A0004027.dll -> Adware.PurityScan : Cleaned.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP160\A0004028.dll -> Adware.PurityScan : Cleaned.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP160\A0004029.dll -> Adware.PurityScan : Cleaned.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP160\A0004030.dll -> Adware.PurityScan : Cleaned.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP160\A0004069.dll -> Adware.PurityScan : Cleaned.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP161\A0004141.exe -> Adware.PurityScan : Cleaned.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP164\A0004358.dll -> Adware.PurityScan : Cleaned.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP184\A0007005.dll -> Adware.PurityScan : Cleaned.
C:\WINDOWS\Temp\WTuninst.exe -> Adware.Wintol : Cleaned.
C:\WINDOWS\SYSTEM32\vovjagqd.dll -> Adware.WurldMedia : Cleaned.
:mozilla.6:C:\Documents and Settings\Ben Lotvedt\Application Data\Mozilla\Profiles\default\4pkh7hkf.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.7:C:\Documents and Settings\Ben Lotvedt\Application Data\Mozilla\Profiles\default\4pkh7hkf.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Ben Lotvedt\Cookies\ben_lotvedt@2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Ben Lotvedt\Cookies\ben_lotvedt@meetupcom.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Ben Lotvedt\Cookies\ben_lotvedt@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Stephanie Hoffert\Cookies\stephanie_hoffert@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\RECYCLER\S-1-5-21-353052747-2714088945-641443271-1007\Dc6.txt -> TrackingCookie.2o7 : Cleaned.
C:\RECYCLER\S-1-5-21-353052747-2714088945-641443271-1007\Dc7.txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Ben Lotvedt\Cookies\ben_lotvedt@rotator.adjuggler[2].txt -> TrackingCookie.Adjuggler : Cleaned.
C:\Documents and Settings\Ben Lotvedt\Cookies\ben_lotvedt@admarketplace[2].txt -> TrackingCookie.Admarketplace : Cleaned.
C:\Documents and Settings\Ben Lotvedt\Cookies\ben_lotvedt@advertising[1].txt -> TrackingCookie.Advertising : Cleaned.
C:\RECYCLER\S-1-5-21-353052747-2714088945-641443271-1007\Dc11.txt -> TrackingCookie.Advertising : Cleaned.
C:\RECYCLER\S-1-5-21-353052747-2714088945-641443271-1007\Dc42.txt -> TrackingCookie.Advertising : Cleaned.
C:\Documents and Settings\Ben Lotvedt\Cookies\ben_lotvedt@atdmt[1].txt -> TrackingCookie.Atdmt : Cleaned.
C:\Documents and Settings\Stephanie Hoffert\Cookies\stephanie_hoffert@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned.
C:\RECYCLER\S-1-5-21-353052747-2714088945-641443271-1007\Dc13.txt -> TrackingCookie.Atdmt : Cleaned.
C:\Documents and Settings\Ben Lotvedt\Cookies\ben_lotvedt@citi.bridgetrack[2].txt -> TrackingCookie.Bridgetrack : Cleaned.
C:\Documents and Settings\Ben Lotvedt\Cookies\ben_lotvedt@burstnet[2].txt -> TrackingCookie.Burstnet : Cleaned.
C:\Documents and Settings\Stephanie Hoffert\Cookies\stephanie_hoffert@burstnet[1].txt -> TrackingCookie.Burstnet : Cleaned.
C:\Documents and Settings\Stephanie Hoffert\Cookies\stephanie_hoffert@www.burstnet[2].txt -> TrackingCookie.Burstnet : Cleaned.
C:\RECYCLER\S-1-5-21-353052747-2714088945-641443271-1007\Dc15.txt -> TrackingCookie.Centrport : Cleaned.
C:\Documents and Settings\Ben Lotvedt\Cookies\ben_lotvedt@com[1].txt -> TrackingCookie.Com : Cleaned.
C:\Documents and Settings\Ben Lotvedt\Cookies\ben_lotvedt@data.coremetrics[1].txt -> TrackingCookie.Coremetrics : Cleaned.
C:\RECYCLER\S-1-5-21-353052747-2714088945-641443271-1007\Dc17.txt -> TrackingCookie.Coremetrics : Cleaned.
C:\Documents and Settings\Ben Lotvedt\Cookies\ben_lotvedt@cpvfeed[2].txt -> TrackingCookie.Cpvfeed : Cleaned.
C:\RECYCLER\S-1-5-21-353052747-2714088945-641443271-1007\Dc21.txt -> TrackingCookie.Doubleclick : Cleaned.
C:\Documents and Settings\Ben Lotvedt\Cookies\ben lotvedt@e-2dj6wfkiwidpwfq.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Ben Lotvedt\Cookies\ben lotvedt@e-2dj6wfkywpd5cco.stats.esomniture[1].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Ben Lotvedt\Cookies\ben lotvedt@e-2dj6wfl4khc5aeo.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Ben Lotvedt\Cookies\ben lotvedt@e-2dj6wflicgd5gdp.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Ben Lotvedt\Cookies\ben lotvedt@e-2dj6wjk4oncjkgo.stats.esomniture[1].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Ben Lotvedt\Cookies\ben lotvedt@e-2dj6wjkoopd5adp.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Ben Lotvedt\Cookies\ben lotvedt@e-2dj6wjloqpazgbo.stats.esomniture[1].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Ben Lotvedt\Cookies\ben lotvedt@e-2dj6wjmiqldjilp.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Ben Lotvedt\Cookies\ben_lotvedt@e-2dj6wfk4ahczgdo.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Ben Lotvedt\Cookies\ben_lotvedt@e-2dj6wfl4cgdzmlq.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Ben Lotvedt\Cookies\ben_lotvedt@e-2dj6wflichczehp.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Ben Lotvedt\Cookies\ben_lotvedt@e-2dj6wfmicnajcgo.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Ben Lotvedt\Cookies\ben_lotvedt@e-2dj6wgkouic5wgq.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Ben Lotvedt\Cookies\ben_lotvedt@e-2dj6wgkowncpmdp.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Ben Lotvedt\Cookies\ben_lotvedt@e-2dj6wgkykidjocq.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Ben Lotvedt\Cookies\ben_lotvedt@e-2dj6wjkowocjwkp.stats.esomniture[1].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Ben Lotvedt\Cookies\ben_lotvedt@e-2dj6wjkyelcpaep.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Ben Lotvedt\Cookies\ben_lotvedt@e-2dj6wjkygmajodo.stats.esomniture[1].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Ben Lotvedt\Cookies\ben_lotvedt@e-2dj6wjkygnczeaq.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Ben Lotvedt\Cookies\ben_lotvedt@e-2dj6wjkyumazwco.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Ben Lotvedt\Cookies\ben_lotvedt@e-2dj6wjl4olczmfo.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Ben Lotvedt\Cookies\ben_lotvedt@e-2dj6wjliwodzmho.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Ben Lotvedt\Cookies\ben_lotvedt@e-2dj6wjlouiajedp.stats.esomniture[1].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Ben Lotvedt\Cookies\ben_lotvedt@e-2dj6wjmiwjczsfq.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Ben Lotvedt\Cookies\ben_lotvedt@e-2dj6wjnycodpscp.stats.esomniture[1].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Ben Lotvedt\Cookies\ben_lotvedt@e-2dj6wjnyghdjiap.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Ben Lotvedt\Cookies\ben_lotvedt@e-2dj6wjnygjdjofp.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Ben Lotvedt\Cookies\ben_lotvedt@adopt.euroclick[2].txt -> TrackingCookie.Euroclick : Cleaned.
C:\Documents and Settings\Stephanie Hoffert\Cookies\stephanie_hoffert@adopt.euroclick[1].txt -> TrackingCookie.Euroclick : Cleaned.
C:\Documents and Settings\Ben Lotvedt\Cookies\ben lotvedt@sales.liveperson[1].txt -> TrackingCookie.Liveperson : Cleaned.
C:\Documents and Settings\Stephanie Hoffert\Cookies\stephanie hoffert@sales.liveperson[1].txt -> TrackingCookie.Liveperson : Cleaned.
C:\Documents and Settings\Ben Lotvedt\Cookies\ben_lotvedt@mediaplex[1].txt -> TrackingCookie.Mediaplex : Cleaned.
C:\RECYCLER\S-1-5-21-353052747-2714088945-641443271-1007\Dc29.txt -> TrackingCookie.Mediaplex : Cleaned.
C:\Documents and Settings\Stephanie Hoffert\Cookies\stephanie hoffert@www.myaffiliateprogram[2].txt -> TrackingCookie.Myaffiliateprogram : Cleaned.
:mozilla.18:C:\Documents and Settings\Ben Lotvedt\Application Data\Mozilla\Profiles\default\4pkh7hkf.slt\cookies.txt -> TrackingCookie.Overture : Cleaned.
:mozilla.19:C:\Documents and Settings\Ben Lotvedt\Application Data\Mozilla\Profiles\default\4pkh7hkf.slt\cookies.txt -> TrackingCookie.Overture : Cleaned.
:mozilla.20:C:\Documents and Settings\Ben Lotvedt\Application Data\Mozilla\Profiles\default\4pkh7hkf.slt\cookies.txt -> TrackingCookie.Overture : Cleaned.
C:\RECYCLER\S-1-5-21-353052747-2714088945-641443271-1007\Dc38.txt -> TrackingCookie.Overture : Cleaned.
C:\RECYCLER\S-1-5-21-353052747-2714088945-641443271-1007\Dc9.txt -> TrackingCookie.Pointroll : Cleaned.
C:\RECYCLER\S-1-5-21-353052747-2714088945-641443271-1007\Dc39.txt -> TrackingCookie.Questionmarket : Cleaned.
C:\Documents and Settings\Ben Lotvedt\Cookies\ben_lotvedt@revenue[1].txt -> TrackingCookie.Revenue : Cleaned.
:mozilla.10:C:\Documents and Settings\Ben Lotvedt\Application Data\Mozilla\Profiles\default\4pkh7hkf.slt\cookies.txt -> TrackingCookie.Ru4 : Cleaned.
:mozilla.11:C:\Documents and Settings\Ben Lotvedt\Application Data\Mozilla\Profiles\default\4pkh7hkf.slt\cookies.txt -> TrackingCookie.Ru4 : Cleaned.
:mozilla.9:C:\Documents and Settings\Ben Lotvedt\Application Data\Mozilla\Profiles\default\4pkh7hkf.slt\cookies.txt -> TrackingCookie.Ru4 : Cleaned.
C:\Documents and Settings\Stephanie Hoffert\Cookies\stephanie_hoffert@edge.ru4[2].txt -> TrackingCookie.Ru4 : Cleaned.
C:\RECYCLER\S-1-5-21-353052747-2714088945-641443271-1007\Dc23.txt -> TrackingCookie.Ru4 : Cleaned.
C:\RECYCLER\S-1-5-21-353052747-2714088945-641443271-1007\Dc43.txt -> TrackingCookie.Serving-sys : Cleaned.
C:\Documents and Settings\Ben Lotvedt\Cookies\ben_lotvedt@adopt.specificclick[2].txt -> TrackingCookie.Specificclick : Cleaned.
C:\Documents and Settings\Stephanie Hoffert\Cookies\stephanie_hoffert@adopt.specificclick[1].txt -> TrackingCookie.Specificclick : Cleaned.
C:\Documents and Settings\Ben Lotvedt\Cookies\ben_lotvedt@statcounter[1].txt -> TrackingCookie.Statcounter : Cleaned.
C:\Documents and Settings\Ben Lotvedt\Cookies\ben_lotvedt@anad.tacoda[2].txt -> TrackingCookie.Tacoda : Cleaned.
C:\Documents and Settings\Ben Lotvedt\Cookies\ben_lotvedt@anat.tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned.
C:\Documents and Settings\Ben Lotvedt\Cookies\ben_lotvedt@tacoda[2].txt -> TrackingCookie.Tacoda : Cleaned.
C:\Documents and Settings\Stephanie Hoffert\Cookies\stephanie_hoffert@tacoda[2].txt -> TrackingCookie.Tacoda : Cleaned.
C:\Documents and Settings\Ben Lotvedt\Cookies\ben_lotvedt@tribalfusion[2].txt -> TrackingCookie.Tribalfusion : Cleaned.
C:\Documents and Settings\Ben Lotvedt\Cookies\ben_lotvedt@yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned.
C:\Documents and Settings\Stephanie Hoffert\Cookies\stephanie_hoffert@yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned.
C:\Documents and Settings\Ben Lotvedt\Cookies\ben_lotvedt@zedo[1].txt -> TrackingCookie.Zedo : Cleaned.
C:\Documents and Settings\Ben Lotvedt\Local Settings\Temporary Internet Files\Content.IE5\OHAJO5EN\data[2]\data.pif -> Worm.Mytob.i : Cleaned.


::Report end

HJT SCAN:

Logfile of HijackThis v1.99.1
Scan saved at 4:08:17 PM, on 11/6/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Agnitum\Outpost Firewall\outpost.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\AOL\1162843804\ee\AOLSoftware.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\?ttrib.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
C:\Documents and Settings\Ben Lotvedt\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R3 - URLSearchHook: (no name) - {21CE00EA-9554-C8AE-2E53-CDCE6B9FEAC0} - C:\WINDOWS\system32\igot.dll (file missing)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: (no name) - {21CE00EA-9554-C8AE-2E53-CDCE6B9FEAC0} - C:\WINDOWS\system32\igot.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [k67] C:\documents and settings\ben lotvedt\local settings\temp\k67.exe
O4 - HKLM\..\Run: [im] C:\documents and settings\ben lotvedt\local settings\temp\im.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [E1zkdMV] C:\documents and settings\ben lotvedt\local settings\temp\E1zkdMV.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [9] C:\Documents and Settings\Ben Lotvedt\Local Settings\Temp\9.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Outpost Firewall] "C:\Program Files\Agnitum\Outpost Firewall\outpost.exe" /waitservice
O4 - HKLM\..\Run: [OutpostFeedBack] C:\Program Files\Agnitum\Outpost Firewall\feedback.exe /dump:os_startup
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1162843804\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Cqpjkdl] C:\WINDOWS\system32\?ttrib.exe
O4 - HKCU\..\Run: [C:_Program Files_WordPerfe3a] C:\Program Files\WordPerfect Office 11\Programs\CorUpd.exe /Watch
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: ymetray.lnk = C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EP...l_v1-0-3-17.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by103fd.bay103.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {885BB46A-3F1E-44C3-A01B-A7D9260CC98B} (InstallShield Update Service Setup Player) - http://updates.installshield.com/CAB/dwusplay.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Outpost Firewall Service (OutpostFirewall) - Agnitum Ltd. - C:\Program Files\Agnitum\Outpost Firewall\outpost.exe

I believe this was the file that was missing when I tried to download and run the Qoo tool:

O2 - BHO: (no name) - {21CE00EA-9554-C8AE-2E53-CDCE6B9FEAC0} - C:\WINDOWS\system32\igot.dll (file missing)


Thanks

#6 stonangel

  • Members
  • 595 posts
  • Location:France

Posted 07 November 2006 - 11:27 AM

Hi blov10,

1. Download this file - combofix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply.

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

Olivier

#7 blov10
  • Topic Starter

  • Members
  • 61 posts

Posted 07 November 2006 - 11:52 AM

I figured out why it didn't work before: it has to be saved instead of run from the dialog box.

Here's the log.

Ben Lotvedt - 06-11-07 9:34:49.62 Service Pack 2
ComboFix 06.10.19 - Running from: "C:\Documents and Settings\Ben Lotvedt\Desktop"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))



~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

Folders Quarantined:

C:\QooBox\Purity\Documents and Settings\Ben Lotvedt\Application Data\STEM~1
C:\QooBox\Purity\Documents and Settings\Ben Lotvedt\My Documents\CROSOF~1
C:\QooBox\Purity\Documents and Settings\Ben Lotvedt\My Documents\STEM32~1
C:\QooBox\Purity\Program Files\SSEMBL~1
C:\QooBox\Purity\Program Files\Common Files\ICROSO~1
C:\QooBox\Purity\Program Files\Common Files\ICROSO~2
C:\QooBox\Purity\Program Files\Common Files\RACLE~1
C:\QooBox\Purity\Program Files\Common Files\SEMBLY~1
C:\QooBox\Purity\WINDOWS\FNTS~1
C:\QooBox\Purity\WINDOWS\SYSTEM32\CROSOF~1.NET
C:\QooBox\Purity\WINDOWS\SYSTEM32\PPATCH~1
C:\QooBox\Purity\WINDOWS\SYSTEM32\SEMBLY~1


((((((((((((((((((((((((((((((( Files Created from 2006-10-07 to 2006-11-07 ))))))))))))))))))))))))))))))))))


2006-11-06 12:24 3,968 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\AvgAsCln.sys
2006-10-24 07:31 221,184 --a------ C:\WINDOWS\SYSTEM32\wmpns.dll
2006-10-19 10:46 245,408 --a------ C:\WINDOWS\SYSTEM32\unicows.dll
2006-10-17 17:47 36,528 --------- C:\WINDOWS\SYSTEM32\DRIVERS\PxHelp20.sys
2006-10-17 17:47 157,352 --------- C:\WINDOWS\SYSTEM32\pxwma.dll
2006-10-17 17:47 115,880 --------- C:\WINDOWS\SYSTEM32\pxinsi64.exe
2006-10-17 17:47 114,856 --------- C:\WINDOWS\SYSTEM32\pxcpyi64.exe
2006-10-17 16:23 38,229 --------- C:\WINDOWS\SYSTEM32\DRIVERS\StMp3Rec.sys
2006-10-17 14:36 121,856 --------- C:\WINDOWS\SYSTEM32\xmllite.dll
2006-10-17 13:43 9,600 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\hidusb.sys
2006-10-17 13:43 12,160 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mouhid.sys
2006-10-17 13:33 6,049,280 --------- C:\WINDOWS\SYSTEM32\ieframe.dll
2006-10-17 13:33 50,688 --------- C:\WINDOWS\SYSTEM32\msfeedsbs.dll
2006-10-17 13:33 458,752 --------- C:\WINDOWS\SYSTEM32\msfeeds.dll
2006-10-17 13:33 180,736 --------- C:\WINDOWS\SYSTEM32\ieui.dll
2006-10-17 13:05 206,336 --------- C:\WINDOWS\SYSTEM32\WinFXDocObj.exe
2006-10-17 12:58 61,952 --------- C:\WINDOWS\SYSTEM32\icardie.dll
2006-10-17 12:58 12,288 --------- C:\WINDOWS\SYSTEM32\msfeedssync.exe
2006-10-17 12:57 266,752 --------- C:\WINDOWS\SYSTEM32\iertutil.dll
2006-10-17 12:27 380,928 --------- C:\WINDOWS\SYSTEM32\ieapfltr.dll


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-11-07 09:37 -------- d-a------ C:\Program Files\Common Files
2006-11-06 12:23 -------- d-------- C:\Program Files\Grisoft
2006-11-06 12:14 -------- d-------- C:\Documents and Settings\Ben Lotvedt\Application Data\acccore
2006-11-06 12:12 -------- d-------- C:\Program Files\AOL
2006-11-06 12:11 -------- d-------- C:\Program Files\Viewpoint
2006-11-06 12:11 -------- d-------- C:\Program Files\Common Files\aol
2006-11-06 12:11 -------- d-------- C:\Program Files\AOD
2006-11-06 12:10 -------- d-------- C:\Program Files\Common Files\Nullsoft
2006-11-06 12:09 -------- d-------- C:\Program Files\Common Files\aolshare
2006-11-05 19:31 -------- d-------- C:\Documents and Settings\Ben Lotvedt\Application Data\Lavasoft
2006-11-05 19:22 -------- d-------- C:\Program Files\AWS
2006-11-05 18:52 -------- d-------- C:\Program Files\Common Files\Agnitum Shared
2006-11-05 18:52 -------- d-------- C:\Program Files\Agnitum
2006-11-05 18:30 -------- d-------- C:\Documents and Settings\Ben Lotvedt\Application Data\AdobeUM
2006-11-05 16:12 -------- d-------- C:\Documents and Settings\Ben Lotvedt\Application Data\Real
2006-11-05 16:11 -------- d-------- C:\Program Files\Common Files\xing shared
2006-11-05 16:11 -------- d-------- C:\Program Files\Common Files\Real
2006-11-05 16:07 -------- d-------- C:\Program Files\Lavasoft
2006-11-05 16:07 -------- d-------- C:\Program Files\Google
2006-11-05 15:19 -------- d-------- C:\Documents and Settings\Ben Lotvedt\Application Data\Google
2006-10-31 09:37 -------- d-------- C:\Documents and Settings\Ben Lotvedt\Application Data\Sun
2006-10-30 20:22 -------- d-------- C:\Program Files\Java
2006-10-30 20:14 -------- d-------- C:\Program Files\Internet Explorer
2006-10-30 19:51 -------- d-------- C:\Documents and Settings\Ben Lotvedt\Application Data\Adobe
2006-10-30 11:07 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-10-24 16:37 -------- d-------- C:\Program Files\Adobe
2006-10-24 07:26 -------- d-------- C:\Program Files\Jasc Software Inc
2006-10-24 07:26 -------- d-------- C:\Documents and Settings\Ben Lotvedt\Application Data\Jasc Software Inc
2006-10-24 07:25 -------- d-------- C:\Program Files\Dell Computer
2006-10-19 10:59 -------- d-------- C:\Program Files\LimeWire
2006-10-19 10:57 -------- d-------- C:\Program Files\Common Files\Java
2006-10-19 10:46 -------- d-------- C:\Program Files\Windows Media Player
2006-10-19 10:46 -------- d-------- C:\Program Files\MsnMusic
2006-10-19 10:32 -------- d-------- C:\Program Files\Windows Defender
2006-10-17 20:57 -------- d-------- C:\Program Files\PartyPoker
2006-10-17 20:57 -------- d-------- C:\Program Files\PartyGaming
2006-10-17 17:53 -------- d-------- C:\Program Files\MUSICMATCH
2006-10-17 17:48 -------- d-------- C:\Program Files\Yahoo!
2006-10-17 17:47 -------- d-------- C:\Program Files\illiminable
2006-10-17 17:47 -------- d-------- C:\Program Files\Common Files\SureThing Shared
2006-10-17 17:46 -------- d-------- C:\Program Files\Common Files\Microsoft Shared
2006-10-17 17:22 -------- d-------- C:\Program Files\Outlook Express
2006-10-17 17:22 -------- d-------- C:\Program Files\Common Files\System
2006-10-17 16:34 -------- d--h----- C:\Program Files\WindowsUpdate
2006-10-17 16:27 -------- d-------- C:\Program Files\QuickTime
2006-10-17 16:27 -------- d-------- C:\Documents and Settings\Ben Lotvedt\Application Data\Apple Computer
2006-10-17 16:25 -------- d-------- C:\Program Files\iTunes
2006-10-17 16:23 -------- d-------- C:\Program Files\iPod
2006-10-17 15:28 -------- d-------- C:\Program Files\Real
2006-10-17 15:27 -------- d---s---- C:\Documents and Settings\Ben Lotvedt\Application Data\Microsoft
2006-10-17 15:25 -------- d-------- C:\Program Files\MSN Messenger
2006-10-17 13:33 413696 --a------ C:\WINDOWS\SYSTEM32\vbscript.dll
2006-10-17 13:33 231424 --a------ C:\WINDOWS\SYSTEM32\webcheck.dll
2006-10-17 13:33 156160 --a------ C:\WINDOWS\SYSTEM32\msls31.dll
2006-10-17 13:06 78336 --a------ C:\WINDOWS\SYSTEM32\ieencode.dll
2006-10-17 13:05 40960 --a------ C:\WINDOWS\SYSTEM32\licmgr10.dll
2006-10-17 13:05 105984 --a------ C:\WINDOWS\SYSTEM32\url.dll
2006-10-17 13:04 101376 --a------ C:\WINDOWS\SYSTEM32\occache.dll
2006-10-17 13:03 17408 --a------ C:\WINDOWS\SYSTEM32\corpol.dll
2006-10-17 13:01 71680 --a------ C:\WINDOWS\SYSTEM32\admparse.dll
2006-10-17 13:01 55296 --a------ C:\WINDOWS\SYSTEM32\iesetup.dll
2006-10-17 13:01 382976 --a------ C:\WINDOWS\SYSTEM32\iedkcs32.dll
2006-10-17 13:01 229376 --a------ C:\WINDOWS\SYSTEM32\ieaksie.dll
2006-10-17 13:01 152064 --a------ C:\WINDOWS\SYSTEM32\ieakeng.dll
2006-10-17 13:01 13312 --a------ C:\WINDOWS\SYSTEM32\ieudinit.exe
2006-10-17 13:00 54784 --a------ C:\WINDOWS\SYSTEM32\ie4uinit.exe
2006-10-17 13:00 43008 --a------ C:\WINDOWS\SYSTEM32\iernonce.dll
2006-10-17 13:00 123904 --a------ C:\WINDOWS\SYSTEM32\advpack.dll
2006-10-17 12:57 36352 --a------ C:\WINDOWS\SYSTEM32\imgutil.dll
2006-10-17 12:56 45568 --a------ C:\WINDOWS\SYSTEM32\mshta.exe
2006-10-17 12:28 48128 --a------ C:\WINDOWS\SYSTEM32\mshtmler.dll
2006-10-17 12:23 161792 --a------ C:\WINDOWS\SYSTEM32\ieakui.dll
2006-10-03 09:23 499712 --a------ C:\WINDOWS\SYSTEM32\MSVCP71.dll
2006-10-03 09:23 348160 --a------ C:\WINDOWS\SYSTEM32\MSVCR71.dll
2006-10-03 09:21 2560 --------- C:\WINDOWS\SYSTEM32\DRIVERS\cdralw2k.sys
2006-10-03 09:21 2432 --------- C:\WINDOWS\SYSTEM32\DRIVERS\cdr4_xp.sys
2006-09-12 21:01 1084416 --a------ C:\WINDOWS\SYSTEM32\msxml3.dll
2006-09-06 17:43 22752 --a------ C:\WINDOWS\SYSTEM32\spupdsvc.exe
2006-08-25 07:45 617472 --a------ C:\WINDOWS\SYSTEM32\comctl32.dll
2006-08-21 04:21 16896 --a------ C:\WINDOWS\SYSTEM32\fltlib.dll
2006-08-21 01:14 23040 --a------ C:\WINDOWS\SYSTEM32\fltmc.exe
2006-08-16 03:58 100352 --a------ C:\WINDOWS\SYSTEM32\6to4svc.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"Yahoo! Pager"="C:\\Program Files\\Yahoo!\\Messenger\\ypager.exe -quiet"
"msnmsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"
"Cqpjkdl"="C:\\WINDOWS\\system32\\?ttrib.exe"
"C:_Program Files_WordPerfe3a"="C:\\Program Files\\WordPerfect Office 11\\Programs\\CorUpd.exe /Watch"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Aim6"="\"C:\\Program Files\\Common Files\\AOL\\Launch\\AOLLaunch.exe\" /d locale=en-US ee://aol/imApp"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"DwlClient"="C:\\Program Files\\Common Files\\Dell\\EUSW\\Support.exe"
"REGSHAVE"="C:\\Program Files\\REGSHAVE\\REGSHAVE.EXE /AUTORUN"
"k67"="C:\\documents and settings\\ben lotvedt\\local settings\\temp\\k67.exe"
"im"="C:\\documents and settings\\ben lotvedt\\local settings\\temp\\im.exe"
"IgfxTray"="C:\\WINDOWS\\System32\\igfxtray.exe"
"HotKeysCmds"="C:\\WINDOWS\\System32\\hkcmd.exe"
"E1zkdMV"="C:\\documents and settings\\ben lotvedt\\local settings\\temp\\E1zkdMV.exe"
"BCMSMMSG"="BCMSMMSG.exe"
"AdaptecDirectCD"="\"C:\\Program Files\\Roxio\\Easy CD Creator 5\\DirectCD\\DirectCD.exe\""
"9"="C:\\Documents and Settings\\Ben Lotvedt\\Local Settings\\Temp\\9.exe"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"Windows Defender"="\"C:\\Program Files\\Windows Defender\\MSASCui.exe\" -hide"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_09\\bin\\jusched.exe\""
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"Outpost Firewall"="\"C:\\Program Files\\Agnitum\\Outpost Firewall\\outpost.exe\" /waitservice"
"OutpostFeedBack"="C:\\Program Files\\Agnitum\\Outpost Firewall\\feedback.exe /dump:os_startup"
"HostManager"="C:\\Program Files\\Common Files\\AOL\\1162843804\\ee\\AOLSoftware.exe"
"IPHSend"="C:\\Program Files\\Common Files\\AOL\\IPHSend\\IPHSend.exe"
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,4b,00,00,00,00,00,00,00,b5,04,00,00,e2,03,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"ALUAlert"="C:\\Program Files\\Symantec\\LiveUpdate\\ALUNotify.exe"
"msnmsgr"="\"C:\\Program Files\\MSN Messenger\\msnmsgr.exe\" /background"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"ALUAlert"="C:\\Program Files\\Symantec\\LiveUpdate\\ALUNotify.exe"
"msnmsgr"="\"C:\\Program Files\\MSN Messenger\\msnmsgr.exe\" /background"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"="Microsoft AntiMalware ShellExecuteHook"
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"CDRAutoRun"=dword:00000000

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"CDRAutoRun"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\ISP signup reminder 1.job
C:\WINDOWS\tasks\MP Scheduled Scan.job

Completion time: 06-11-07 9:40:04.65
C:\ComboFix.txt ... 06-11-07 09:40

#8 stonangel

  • Members
  • 595 posts
  • Location:France

Posted 07 November 2006 - 12:06 PM

Hi blov10,

Could you post back a new hijackthis log, please?

Olivier

#9 blov10
  • Topic Starter

  • Members
  • 61 posts

Posted 07 November 2006 - 12:22 PM

Sorry,

Logfile of HijackThis v1.99.1
Scan saved at 10:19:37 AM, on 11/7/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Agnitum\Outpost Firewall\outpost.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\AOL\1162843804\ee\AOLSoftware.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\?ttrib.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
C:\WINDOWS\system32\svchost.exe
c:\program files\common files\aol\1162843804\ee\aim6.exe
C:\WINDOWS\system32\winlogon.exe
c:\program files\common files\aol\1162843804\ee\anotify.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Ben Lotvedt\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R3 - URLSearchHook: (no name) - {21CE00EA-9554-C8AE-2E53-CDCE6B9FEAC0} - C:\WINDOWS\system32\igot.dll (file missing)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: (no name) - {21CE00EA-9554-C8AE-2E53-CDCE6B9FEAC0} - C:\WINDOWS\system32\igot.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [k67] C:\documents and settings\ben lotvedt\local settings\temp\k67.exe
O4 - HKLM\..\Run: [im] C:\documents and settings\ben lotvedt\local settings\temp\im.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [E1zkdMV] C:\documents and settings\ben lotvedt\local settings\temp\E1zkdMV.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [9] C:\Documents and Settings\Ben Lotvedt\Local Settings\Temp\9.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Outpost Firewall] "C:\Program Files\Agnitum\Outpost Firewall\outpost.exe" /waitservice
O4 - HKLM\..\Run: [OutpostFeedBack] C:\Program Files\Agnitum\Outpost Firewall\feedback.exe /dump:os_startup
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1162843804\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Cqpjkdl] C:\WINDOWS\system32\?ttrib.exe
O4 - HKCU\..\Run: [C:_Program Files_WordPerfe3a] C:\Program Files\WordPerfect Office 11\Programs\CorUpd.exe /Watch
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: ymetray.lnk = C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EP...l_v1-0-3-17.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by103fd.bay103.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {885BB46A-3F1E-44C3-A01B-A7D9260CC98B} (InstallShield Update Service Setup Player) - http://updates.installshield.com/CAB/dwusplay.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Outpost Firewall Service (OutpostFirewall) - Agnitum Ltd. - C:\Program Files\Agnitum\Outpost Firewall\outpost.exe

#10 blov10 (Topic Starter, Members, 61 posts)

Posted 07 November 2006 - 12:31 PM

O4 - HKCU\..\Run: [Cqpjkdl] C:\WINDOWS\system32\?ttrib.exe

I believe this is one of the major problems, but when I search the system32 folder I cannot find it.

#11 blov10 (Topic Starter, Members, 61 posts)

Posted 07 November 2006 - 01:29 PM

I got the FindQoo to run, and for that file I posted above it kept saying there was no file with that name.

Anyways, here's the log from that scan:

Tue 11/07/2006
Running from: C:\FindQool\FindQool
PLEASE NOTE: LEGIT FILES MIGHT BE LISTED. IF YOU ARE UNSURE OF WHAT IS LISTED LEAVE THEM ALONE.

Known file names

MD5 Check....

Files found with locate com.
Re-check using dir /a:-d
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
...
...
Runs, Listed here as a Doublecheck for the locate com results
HKLM
HKCU
...
Files In Winlogon shell and userinit
Listed here as a Doublecheck for the locate com results
shell REG_SZ Explorer.exe
userinit REG_SZ C:\WINDOWS\system32\userinit.exe,
...
SWReg utility
Written by Bobbi Flekman 2005
Findqool edited 17/05/2006

#12 stonangel (Members, 595 posts, Location: France)

Posted 08 November 2006 - 03:57 PM

Hi blov10,

* Launch Notepad, and copy/paste the box below into a new text file. Save it as FindFile.bat and save it on your Desktop.

dir C:\WINDOWS\system32\?ttrib.exe /a h > files.txt
notepad files.txt

Locate FindFile.bat on your Desktop and double-click on it. It will open Notepad with some text in it. Please post the text here.

Olivier

#13 blov10 (Topic Starter, Members, 61 posts)

Posted 08 November 2006 - 04:00 PM

Volume in drive C has no label.
Volume Serial Number is 2CAA-EC34

Directory of C:\WINDOWS\system32

08/29/2002 03:00 AM 11,264 ATTRIB.EXE
1 File(s) 11,264 bytes

Directory of C:\Documents and Settings\Ben Lotvedt\Desktop

I searched and found this file; there were three with ATTRIB.EXE, but I thought it was a different file.
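As an added example (not code from the page, from HijackThis or from the helper), the checks a helper applies by eye to the O4 lines above, written out as a small triage script: autoruns launched from a user's Temp folder, file names HijackThis shows with a `?` because it could not render the character, and why `dir ?ttrib.exe` in post #13 listed the legitimate ATTRIB.EXE. The sample lines are constructed in the thread's log format and the function names are hypothetical.

```python
import fnmatch
import re

# Constructed sample in the O4 format HijackThis 1.99.1 prints (a subset modelled
# on this thread's logs); not the page's full log.
SAMPLE_O4_LINES = r"""
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [k67] C:\documents and settings\ben lotvedt\local settings\temp\k67.exe
O4 - HKLM\..\Run: [9] C:\Documents and Settings\Ben Lotvedt\Local Settings\Temp\9.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [Cqpjkdl] C:\WINDOWS\system32\?ttrib.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
"""

# "O4 - HKLM\..\Run: [name] command"  and  "O4 - Global Startup: x.lnk = path"
_RUN_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run(?:Once)?: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
_STARTUP_RE = re.compile(r"^O4 - Global Startup: (?P<name>[^=]+?) = (?P<cmd>.+)$")
# The executable: a quoted string, or everything up to the first executable suffix
# (unquoted paths with spaces are common in these logs, e.g. REGSHAVE.EXE /AUTORUN).
_PATH_RE = re.compile(r'^"(?P<q>[^"]+)"|^(?P<u>.*?\.(?:exe|com|bat|cmd|scr|dll))(?=\s|$)',
                      re.IGNORECASE)
_TEMP_RE = re.compile(r"\\(?:local settings\\)?temp\\", re.IGNORECASE)


def parse_o4(line):
    """Return (name, exe_path) for an O4 line, or None if it is not one we handle."""
    m = _RUN_RE.match(line) or _STARTUP_RE.match(line)
    if not m:
        return None
    cmd = m.group("cmd").strip()
    p = _PATH_RE.match(cmd)
    path = (p.group("q") or p.group("u")) if p else cmd
    return m.group("name"), path


def flags_for(path):
    """Reasons an autorun deserves a closer look (heuristics, not verdicts)."""
    flags = []
    filename = path.rsplit("\\", 1)[-1]
    # HijackThis shows '?' for a character it cannot render. Such a name cannot be
    # found by typing it in Explorer's search, and a non-ASCII name that imitates a
    # system binary lets a file sit unnoticed next to the real one in system32.
    if "?" in filename or any(ord(c) > 127 for c in filename):
        flags.append("undisplayable-char")
    # Nothing legitimate needs to autorun from a user's Temp folder.
    if _TEMP_RE.search(path):
        flags.append("temp-dir")
    return flags


def triage_o4_lines(text):
    """Parse every O4 line in a log excerpt and attach flags to each entry."""
    findings = []
    for line in text.splitlines():
        parsed = parse_o4(line.strip())
        if parsed:
            name, path = parsed
            findings.append({"name": name, "path": path, "flags": flags_for(path)})
    return findings


def dir_pattern_matches(pattern, names):
    """What `dir <pattern>` would list: in cmd.exe '?' is a single-character wildcard,
    so '?ttrib.exe' matches the legitimate ATTRIB.EXE and says nothing about the entry
    HijackThis displayed with a '?'. Windows name matching is case-insensitive."""
    return [n for n in names if fnmatch.fnmatchcase(n.lower(), pattern.lower())]


if __name__ == "__main__":
    for f in triage_o4_lines(SAMPLE_O4_LINES):
        print(f"{f['name']:<18} {','.join(f['flags']) or '-':<22} {f['path']}")
    # Constructed directory listing: the wildcard hits the real system file only.
    print(dir_pattern_matches("?ttrib.exe", ["ATTRIB.EXE", "attrib.exe.mui", "cmd.exe"]))
```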

#14 stonangel (Members, 595 posts, Location: France)

Posted 11 November 2006 - 05:26 AM

Hi blov10,

* Please install an antivirus program from here: Run a full scan. Let it quarantine/delete anything it finds. Let me know if there is anything that it reports but cannot remove.

* Please download the Killbox by Option^Explicit.

Save it to your desktop. Don't run it yet.

* Go to Start> Control Panel> Add or Remove Programs and uninstall if listed:

Viewpoint
AWS
PartyPoker
PartyGaming


Reboot afterwards.

* Please disable Windows Defender Real-time Protection as it may interfere with the fixes.
  • Open Windows Defender.
  • Click on Tools, General Settings.
  • Scroll down and uncheck Turn on real-time protection (recommended).
  • After you uncheck this, click on the Save button and close Windows Defender.
After all of the fixes are complete it is very important that you enable Real-time Protection again.

* Please re-open HijackThis and scan. Check the below entries:

R3 - URLSearchHook: (no name) - {21CE00EA-9554-C8AE-2E53-CDCE6B9FEAC0} - C:\WINDOWS\system32\igot.dll (file missing)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: (no name) - {21CE00EA-9554-C8AE-2E53-CDCE6B9FEAC0} - C:\WINDOWS\system32\igot.dll (file missing)

O4 - HKLM\..\Run: [k67] C:\documents and settings\ben lotvedt\local settings\temp\k67.exe
O4 - HKLM\..\Run: [im] C:\documents and settings\ben lotvedt\local settings\temp\im.exe

O4 - HKLM\..\Run: [E1zkdMV] C:\documents and settings\ben lotvedt\local settings\temp\E1zkdMV.exe

O4 - HKLM\..\Run: [9] C:\Documents and Settings\Ben Lotvedt\Local Settings\Temp\9.exe

O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\PartyGaming\PartyPoker\RunApp.exe

Close any open windows except for HijackThis then click on Fix checked.

Delete the following folders if they are still present:

C:\Program Files\Viewpoint
C:\Program Files\AWS
C:\Program Files\PartyPoker
C:\Program Files\PartyGaming

* Please double-click Killbox.exe to run it.
  • Select:
    • Delete on Reboot
    • then Click on the All Files button.
  • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\documents and settings\ben lotvedt\local settings\temp\k67.exe
    C:\documents and settings\ben lotvedt\local settings\temp\im.exe
    C:\documents and settings\ben lotvedt\local settings\temp\E1zkdMV.exe
    C:\Documents and Settings\Ben Lotvedt\Local Settings\Temp\9.exe



  • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
  • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
If your computer does not restart automatically, please restart it manually.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.

* Post back a new HijackThis log as well as a ComboFix one, please.

Olivier

#15 blov10 (Topic Starter, Members, 61 posts)

Posted 11 November 2006 - 04:29 PM

Ok,

I've done all these things. I had a little trouble with KillBox: I couldn't get the clipboard to work, so I entered each one separately and got the prompt you asked about (the PendingRequest one) for each of them.

Logfile of HijackThis v1.99.1
Scan saved at 2:18:36 PM, on 11/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Agnitum\Outpost Firewall\outpost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\AOL\1162843804\ee\AOLSoftware.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Documents and Settings\Ben Lotvedt\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Outpost Firewall] "C:\Program Files\Agnitum\Outpost Firewall\outpost.exe" /waitservice
O4 - HKLM\..\Run: [OutpostFeedBack] C:\Program Files\Agnitum\Outpost Firewall\feedback.exe /dump:os_startup
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1162843804\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: ymetray.lnk = C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EP...l_v1-0-3-17.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by103fd.bay103.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {885BB46A-3F1E-44C3-A01B-A7D9260CC98B} (InstallShield Update Service Setup Player) - http://updates.installshield.com/CAB/dwusplay.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Outpost Firewall Service (OutpostFirewall) - Agnitum Ltd. - C:\Program Files\Agnitum\Outpost Firewall\outpost.exe

Ben Lotvedt - 06-11-11 14:21:18.65 Service Pack 2
ComboFix 06.10.19 - Running from: "C:\Documents and Settings\Ben Lotvedt\Desktop\Spyware"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))



~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

Folders Quarantined:

C:\QooBox\Purity\Documents and Settings\Ben Lotvedt\Application Data\STEM~1
C:\QooBox\Purity\Documents and Settings\Ben Lotvedt\My Documents\CROSOF~1
C:\QooBox\Purity\Documents and Settings\Ben Lotvedt\My Documents\STEM32~1
C:\QooBox\Purity\Program Files\SSEMBL~1
C:\QooBox\Purity\Program Files\Common Files\ICROSO~1
C:\QooBox\Purity\Program Files\Common Files\ICROSO~2
C:\QooBox\Purity\Program Files\Common Files\RACLE~1
C:\QooBox\Purity\Program Files\Common Files\SEMBLY~1
C:\QooBox\Purity\WINDOWS\FNTS~1
C:\QooBox\Purity\WINDOWS\SYSTEM32\CROSOF~1.NET
C:\QooBox\Purity\WINDOWS\SYSTEM32\PPATCH~1
C:\QooBox\Purity\WINDOWS\SYSTEM32\SEMBLY~1


((((((((((((((((((((((((((((((( Files Created from 2006-10-11 to 2006-11-11 ))))))))))))))))))))))))))))))))))


2006-11-11 12:09 3,968 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\avgclean.sys
2006-11-11 12:08 816,672 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\avg7core.sys
2006-11-11 12:08 4,960 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\avgtdi.sys
2006-11-11 12:08 4,224 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\avg7rsw.sys
2006-11-11 12:08 28,416 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\avg7rsxp.sys
2006-11-11 12:08 18,240 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\avgmfx86.sys
2006-11-06 13:24 3,968 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\AvgAsCln.sys
2006-10-24 08:31 221,184 --a------ C:\WINDOWS\SYSTEM32\wmpns.dll
2006-10-19 11:46 245,408 --a------ C:\WINDOWS\SYSTEM32\unicows.dll
2006-10-17 18:47 36,528 --------- C:\WINDOWS\SYSTEM32\DRIVERS\PxHelp20.sys
2006-10-17 18:47 157,352 --------- C:\WINDOWS\SYSTEM32\pxwma.dll
2006-10-17 18:47 115,880 --------- C:\WINDOWS\SYSTEM32\pxinsi64.exe
2006-10-17 18:47 114,856 --------- C:\WINDOWS\SYSTEM32\pxcpyi64.exe
2006-10-17 17:23 38,229 --------- C:\WINDOWS\SYSTEM32\DRIVERS\StMp3Rec.sys
2006-10-17 15:36 121,856 --------- C:\WINDOWS\SYSTEM32\xmllite.dll
2006-10-17 14:43 9,600 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\hidusb.sys
2006-10-17 14:43 12,160 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mouhid.sys
2006-10-17 14:33 6,049,280 --------- C:\WINDOWS\SYSTEM32\ieframe.dll
2006-10-17 14:33 50,688 --------- C:\WINDOWS\SYSTEM32\msfeedsbs.dll
2006-10-17 14:33 458,752 --------- C:\WINDOWS\SYSTEM32\msfeeds.dll
2006-10-17 14:33 180,736 --------- C:\WINDOWS\SYSTEM32\ieui.dll
2006-10-17 14:05 206,336 --------- C:\WINDOWS\SYSTEM32\WinFXDocObj.exe
2006-10-17 13:58 61,952 --------- C:\WINDOWS\SYSTEM32\icardie.dll
2006-10-17 13:58 12,288 --------- C:\WINDOWS\SYSTEM32\msfeedssync.exe
2006-10-17 13:57 266,752 --------- C:\WINDOWS\SYSTEM32\iertutil.dll
2006-10-17 13:27 380,928 --------- C:\WINDOWS\SYSTEM32\ieapfltr.dll


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-11-11 12:19 -------- d-------- C:\Documents and Settings\Ben Lotvedt\Application Data\AVG7
2006-11-11 12:07 -------- d---s---- C:\Documents and Settings\Ben Lotvedt\Application Data\Microsoft
2006-11-11 12:07 -------- d-------- C:\Program Files\Grisoft
2006-11-09 11:29 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-11-09 11:29 -------- d-------- C:\Program Files\QuickTime
2006-11-09 10:47 -------- d-------- C:\Program Files\Real
2006-11-09 10:46 -------- d-------- C:\Program Files\Jasc Software Inc
2006-11-09 10:39 -------- d-------- C:\Program Files\Common Files\aol
2006-11-08 14:41 -------- d-------- C:\Documents and Settings\Ben Lotvedt\Application Data\ArcSoft
2006-11-07 18:27 -------- d-------- C:\Documents and Settings\Ben Lotvedt\Application Data\Apple Computer
2006-11-07 12:06 -------- d-------- C:\Documents and Settings\Ben Lotvedt\Application Data\Corel
2006-11-07 10:37 -------- d-a------ C:\Program Files\Common Files
2006-11-06 13:14 -------- d-------- C:\Documents and Settings\Ben Lotvedt\Application Data\acccore
2006-11-06 13:12 -------- d-------- C:\Program Files\AOL
2006-11-06 13:11 -------- d-------- C:\Program Files\AOD
2006-11-06 13:10 -------- d-------- C:\Program Files\Common Files\Nullsoft
2006-11-06 13:09 -------- d-------- C:\Program Files\Common Files\aolshare
2006-11-05 20:31 -------- d-------- C:\Documents and Settings\Ben Lotvedt\Application Data\Lavasoft
2006-11-05 19:52 -------- d-------- C:\Program Files\Common Files\Agnitum Shared
2006-11-05 19:52 -------- d-------- C:\Program Files\Agnitum
2006-11-05 19:30 -------- d-------- C:\Documents and Settings\Ben Lotvedt\Application Data\AdobeUM
2006-11-05 17:12 -------- d-------- C:\Documents and Settings\Ben Lotvedt\Application Data\Real
2006-11-05 17:11 -------- d-------- C:\Program Files\Common Files\xing shared
2006-11-05 17:11 -------- d-------- C:\Program Files\Common Files\Real
2006-11-05 17:07 -------- d-------- C:\Program Files\Lavasoft
2006-11-05 17:07 -------- d-------- C:\Program Files\Google
2006-11-05 16:19 -------- d-------- C:\Documents and Settings\Ben Lotvedt\Application Data\Google
2006-10-31 10:37 -------- d-------- C:\Documents and Settings\Ben Lotvedt\Application Data\Sun
2006-10-30 21:22 -------- d-------- C:\Program Files\Java
2006-10-30 21:14 -------- d-------- C:\Program Files\Internet Explorer
2006-10-30 20:51 -------- d-------- C:\Documents and Settings\Ben Lotvedt\Application Data\Adobe
2006-10-24 17:37 -------- d-------- C:\Program Files\Adobe
2006-10-24 08:26 -------- d-------- C:\Documents and Settings\Ben Lotvedt\Application Data\Jasc Software Inc
2006-10-24 08:25 -------- d-------- C:\Program Files\Dell Computer
2006-10-19 11:59 -------- d-------- C:\Program Files\LimeWire
2006-10-19 11:57 -------- d-------- C:\Program Files\Common Files\Java
2006-10-19 11:46 -------- d-------- C:\Program Files\Windows Media Player
2006-10-19 11:32 -------- d-------- C:\Program Files\Windows Defender
2006-10-17 18:53 -------- d-------- C:\Program Files\MUSICMATCH
2006-10-17 18:48 -------- d-------- C:\Program Files\Yahoo!
2006-10-17 18:47 -------- d-------- C:\Program Files\illiminable
2006-10-17 18:47 -------- d-------- C:\Program Files\Common Files\SureThing Shared
2006-10-17 18:46 -------- d-------- C:\Program Files\Common Files\Microsoft Shared
2006-10-17 18:22 -------- d-------- C:\Program Files\Outlook Express
2006-10-17 18:22 -------- d-------- C:\Program Files\Common Files\System
2006-10-17 17:34 -------- d--h----- C:\Program Files\WindowsUpdate
2006-10-17 17:25 -------- d-------- C:\Program Files\iTunes
2006-10-17 17:23 -------- d-------- C:\Program Files\iPod
2006-10-17 16:25 -------- d-------- C:\Program Files\MSN Messenger
2006-10-17 14:33 413696 --a------ C:\WINDOWS\SYSTEM32\vbscript.dll
2006-10-17 14:33 231424 --a------ C:\WINDOWS\SYSTEM32\webcheck.dll
2006-10-17 14:33 156160 --a------ C:\WINDOWS\SYSTEM32\msls31.dll
2006-10-17 14:06 78336 --a------ C:\WINDOWS\SYSTEM32\ieencode.dll
2006-10-17 14:05 40960 --a------ C:\WINDOWS\SYSTEM32\licmgr10.dll
2006-10-17 14:05 105984 --a------ C:\WINDOWS\SYSTEM32\url.dll
2006-10-17 14:04 101376 --a------ C:\WINDOWS\SYSTEM32\occache.dll
2006-10-17 14:03 17408 --a------ C:\WINDOWS\SYSTEM32\corpol.dll
2006-10-17 14:01 71680 --a------ C:\WINDOWS\SYSTEM32\admparse.dll
2006-10-17 14:01 55296 --a------ C:\WINDOWS\SYSTEM32\iesetup.dll
2006-10-17 14:01 382976 --a------ C:\WINDOWS\SYSTEM32\iedkcs32.dll
2006-10-17 14:01 229376 --a------ C:\WINDOWS\SYSTEM32\ieaksie.dll
2006-10-17 14:01 152064 --a------ C:\WINDOWS\SYSTEM32\ieakeng.dll
2006-10-17 14:01 13312 --a------ C:\WINDOWS\SYSTEM32\ieudinit.exe
2006-10-17 14:00 54784 --a------ C:\WINDOWS\SYSTEM32\ie4uinit.exe
2006-10-17 14:00 43008 --a------ C:\WINDOWS\SYSTEM32\iernonce.dll
2006-10-17 14:00 123904 --a------ C:\WINDOWS\SYSTEM32\advpack.dll
2006-10-17 13:57 36352 --a------ C:\WINDOWS\SYSTEM32\imgutil.dll
2006-10-17 13:56 45568 --a------ C:\WINDOWS\SYSTEM32\mshta.exe
2006-10-17 13:28 48128 --a------ C:\WINDOWS\SYSTEM32\mshtmler.dll
2006-10-17 13:23 161792 --a------ C:\WINDOWS\SYSTEM32\ieakui.dll
2006-10-03 10:23 499712 --a------ C:\WINDOWS\SYSTEM32\MSVCP71.dll
2006-10-03 10:23 348160 --a------ C:\WINDOWS\SYSTEM32\MSVCR71.dll
2006-10-03 10:21 2560 --------- C:\WINDOWS\SYSTEM32\DRIVERS\cdralw2k.sys
2006-10-03 10:21 2432 --------- C:\WINDOWS\SYSTEM32\DRIVERS\cdr4_xp.sys
2006-09-12 22:01 1084416 --a------ C:\WINDOWS\SYSTEM32\msxml3.dll
2006-09-06 18:43 22752 --a------ C:\WINDOWS\SYSTEM32\spupdsvc.exe
2006-08-25 08:45 617472 --a------ C:\WINDOWS\SYSTEM32\comctl32.dll
2006-08-21 05:21 16896 --a------ C:\WINDOWS\SYSTEM32\fltlib.dll
2006-08-21 02:14 23040 --a------ C:\WINDOWS\SYSTEM32\fltmc.exe
2006-08-16 04:58 100352 --a------ C:\WINDOWS\SYSTEM32\6to4svc.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"Yahoo! Pager"="C:\\Program Files\\Yahoo!\\Messenger\\ypager.exe -quiet"
"msnmsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Aim6"=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"DwlClient"="C:\\Program Files\\Common Files\\Dell\\EUSW\\Support.exe"
"REGSHAVE"="C:\\Program Files\\REGSHAVE\\REGSHAVE.EXE /AUTORUN"
"IgfxTray"="C:\\WINDOWS\\System32\\igfxtray.exe"
"HotKeysCmds"="C:\\WINDOWS\\System32\\hkcmd.exe"
"BCMSMMSG"="BCMSMMSG.exe"
"AdaptecDirectCD"="\"C:\\Program Files\\Roxio\\Easy CD Creator 5\\DirectCD\\DirectCD.exe\""
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"Windows Defender"="\"C:\\Program Files\\Windows Defender\\MSASCui.exe\" -hide"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_09\\bin\\jusched.exe\""
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"Outpost Firewall"="\"C:\\Program Files\\Agnitum\\Outpost Firewall\\outpost.exe\" /waitservice"
"OutpostFeedBack"="C:\\Program Files\\Agnitum\\Outpost Firewall\\feedback.exe /dump:os_startup"
"HostManager"="C:\\Program Files\\Common Files\\AOL\\1162843804\\ee\\AOLSoftware.exe"
"IPHSend"="C:\\Program Files\\Common Files\\AOL\\IPHSend\\IPHSend.exe"
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,00,01,00,00,00,00,00,00,00,04,00,00,e2,03,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"ALUAlert"="C:\\Program Files\\Symantec\\LiveUpdate\\ALUNotify.exe"
"msnmsgr"="\"C:\\Program Files\\MSN Messenger\\msnmsgr.exe\" /background"
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"ALUAlert"="C:\\Program Files\\Symantec\\LiveUpdate\\ALUNotify.exe"
"msnmsgr"="\"C:\\Program Files\\MSN Messenger\\msnmsgr.exe\" /background"
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"="Microsoft AntiMalware ShellExecuteHook"
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"CDRAutoRun"=dword:00000000

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"CDRAutoRun"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\ISP signup reminder 1.job
C:\WINDOWS\tasks\MP Scheduled Scan.job

Completion time: 06-11-11 14:23:21.28
C:\ComboFix.txt ... 06-11-11 14:23
C:\ComboFix2.txt ... 06-11-07 10:40



