
888 Toolbar Need Help Removing. Please!


This topic is locked
30 replies to this topic

#1 byeats1989

Posted 26 November 2006 - 04:05 PM

I have already run HijackThis. I followed the instructions and ran ATF Cleaner and AVG Anti-Spyware in safe mode, but the toolbar is still there. I have also run Ad-Aware, but it keeps freezing!!


Logfile of HijackThis v1.99.1
Scan saved at 4:00:37 PM, on 11/26/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lexmark 4300 Series\lxcemon.exe
C:\Program Files\Lexmark 4300 Series\ezprint.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\MIEXEC~1.EXE
C:\DOCUME~1\Family\APPLIC~1\FNTS~1\nopdb.exe
C:\WINDOWS\system32\lxcecoms.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sympatico.ca/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R3 - URLSearchHook: (no name) - {4FB30F6A-9481-9C22-828E-CD6935D88EB3} - C:\WINDOWS\system32\odpuad.dll (file missing)
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2EA6C205-5EC4-0437-C17E-09157B6FE6CC} - C:\WINDOWS\System32\ootmk.dll (file missing)
O2 - BHO: (no name) - {4FB30F6A-9481-9C22-828E-CD6935D88EB3} - C:\WINDOWS\system32\odpuad.dll (file missing)
O2 - BHO: (no name) - {B1CE1E56-8BC6-D510-9800-DEC86DFF2AE1} - C:\WINDOWS\System32\zucyfl.dll (file missing)
O2 - BHO: 888Bar - {C004DEC2-2623-438e-9CA2-C9043AB28508} - C:\Program Files\Common Files\{342FC8F8-02DA-1033-0714-000310080001}\888.dll
O2 - BHO: (no name) - {F80698F1-5C46-56C2-4345-5D50A1253195} - C:\WINDOWS\system32\ytnqpgqv.dll (file missing)
O3 - Toolbar: 888Bar - {C004DEC2-2623-438e-9CA2-C9043AB28508} - C:\Program Files\Common Files\{342FC8F8-02DA-1033-0714-000310080001}\888.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [LXCECATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCEtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [lxcemon.exe] "C:\Program Files\Lexmark 4300 Series\lxcemon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 4300 Series\ezprint.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IpWins] C:\Program Files\ipwins\ipwins.exe
O4 - HKCU\..\Run: [Str] C:\WINDOWS\system32\MIEXEC~1.EXE
O4 - HKCU\..\Run: [Oueo] C:\Documents and Settings\Family\Application Data\utop.exe
O4 - HKCU\..\Run: [Alrs] "C:\DOCUME~1\Family\APPLIC~1\FNTS~1\nopdb.exe" -vt rbnd
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - https://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://everwood13b.spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {5CB1506E-1DEA-4E63-89A7-E40E52AEA1FD} (OnagerCtrl Class) - https://www.puretracks.com/onager.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1104048131132
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/...tiveXPlugin.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab34246.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary/Bankshot.cab31267.cab
O16 - DPF: {E055C02E-6258-40FF-80A7-3BDA52FACAD7} (Installer Class) - http://activex.matcash.com/speedtest2.dll
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab31267.cab
O20 - AppInit_DLLs: netdde.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: lxce_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxcecoms.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
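As an added triage example (not code from this thread, from HijackThis, or from BleepingComputer): a small Python script that reads lines in the HijackThis format above and flags the kinds of entries a helper looks at first. The rules it applies (a URLSearchHook/BHO that is registered but whose DLL is missing or that has no display name, a DLL installed under a GUID-named folder, an autorun whose target lives in the user profile rather than Program Files or system32, and a target logged only as an 8.3 short name) are my own heuristics, not HijackThis classifications; the sample lines are copied from the log in this post. A flag means "look closer", not "malicious".

```python
"""Flag the lines of a HijackThis v1.99.1 log that deserve a closer look.

Added example; the heuristics are the editor's own, not HijackThis rules.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample: a subset of the thread's HijackThis log, copied verbatim.
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - {4FB30F6A-9481-9C22-828E-CD6935D88EB3} - C:\WINDOWS\system32\odpuad.dll (file missing)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2EA6C205-5EC4-0437-C17E-09157B6FE6CC} - C:\WINDOWS\System32\ootmk.dll (file missing)
O2 - BHO: 888Bar - {C004DEC2-2623-438e-9CA2-C9043AB28508} - C:\Program Files\Common Files\{342FC8F8-02DA-1033-0714-000310080001}\888.dll
O3 - Toolbar: 888Bar - {C004DEC2-2623-438e-9CA2-C9043AB28508} - C:\Program Files\Common Files\{342FC8F8-02DA-1033-0714-000310080001}\888.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKCU\..\Run: [Str] C:\WINDOWS\system32\MIEXEC~1.EXE
O4 - HKCU\..\Run: [Oueo] C:\Documents and Settings\Family\Application Data\utop.exe
O4 - HKCU\..\Run: [Alrs] "C:\DOCUME~1\Family\APPLIC~1\FNTS~1\nopdb.exe" -vt rbnd
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
"""

# {8-4-4-4-12} hex GUID used as a folder name (e.g. under Common Files).
GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# First drive-rooted path in the line, up to an executable/library extension.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"]*?\.(?:exe|dll|scr|cmd|lnk)\b', re.IGNORECASE)
# File name component that is only an 8.3 short name, e.g. MIEXEC~1.EXE.
SHORT_NAME_RE = re.compile(r"~\d+\.[A-Za-z0-9]+$")


@dataclass
class Finding:
    kind: str                      # HijackThis section, e.g. "O4"
    line: str
    reasons: list[str] = field(default_factory=list)


def _path_reasons(path: str) -> list[str]:
    """Heuristics on the file the entry points at (editor's rules)."""
    reasons = []
    folder, _, name = path.rpartition("\\")
    lower = path.lower()
    if "\\documents and settings\\" in lower or "\\docume~1\\" in lower:
        reasons.append("target lives in a user profile, not Program Files or system32")
    if GUID_RE.search(folder):
        reasons.append("target sits in a GUID-named folder")
    if SHORT_NAME_RE.search(name):
        reasons.append("target file is logged only as an 8.3 short name")
    return reasons


def triage(log_text: str) -> list[Finding]:
    """Return the entry lines (R0.., O2..) that trip at least one heuristic."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = re.match(r"([RO]\d+) - ", line)
        if not m:
            continue                 # header, process list, blank lines
        kind = m.group(1)
        reasons = []
        if kind in ("R3", "O2", "O3"):
            if "(file missing)" in line or "(no file)" in line:
                reasons.append("hook/BHO registered but its DLL is gone (orphan)")
            if "(no name)" in line:
                reasons.append("hook/BHO registered without a display name")
        path = PATH_RE.search(line)
        if path:
            reasons.extend(_path_reasons(path.group(0)))
        if reasons:
            findings.append(Finding(kind, line, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind}: {f.line[:72]}")
        for r in f.reasons:
            print(f"    - {r}")
```

On the sample it flags the two orphaned "(no name)" entries, both 888Bar lines (GUID-named Common Files folder), and the three HKCU Run entries, while leaving the Adobe, Java and Global Startup lines alone; the orphaned entries are worth noting because an earlier cleanup apparently removed the DLLs but left their registrations behind.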


#2 byeats1989 (Topic Starter)

Posted 26 November 2006 - 04:21 PM

This was the AVG scan report!!

--------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 1:14:01 PM 11/26/2006

+ Scan result:



C:\System Volume Information\_restore{D0ED122D-FF37-495D-9CDF-BBC8B911F5A7}\RP507\A0118541.rbf -> Backdoor.Agent.aim : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D0ED122D-FF37-495D-9CDF-BBC8B911F5A7}\RP507\A0119688.pif -> Backdoor.Agent.aim : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D0ED122D-FF37-495D-9CDF-BBC8B911F5A7}\RP507\A0119689.pif -> Backdoor.Agent.aim : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D0ED122D-FF37-495D-9CDF-BBC8B911F5A7}\RP481\A0111380.exe -> Downloader.PurityScan : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D0ED122D-FF37-495D-9CDF-BBC8B911F5A7}\RP489\A0115021.exe -> Downloader.PurityScan : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D0ED122D-FF37-495D-9CDF-BBC8B911F5A7}\RP503\A0117387.exe -> Downloader.PurityScan : Cleaned with backup (quarantined).
C:\WINDOWS\Downloaded Program Files\a.exe -> Hijacker.Small : Cleaned with backup (quarantined).
C:\Documents and Settings\Family\Local Settings\Temporary Internet Files\Content.IE5\Y5DYBEP0\speedtest2[1].dll -> Not-A-Virus.Downloader.Win32.InsTool.a : Cleaned with backup (quarantined).
C:\Documents and Settings\Family\Local Settings\Temporary Internet Files\Content.IE5\WDYB4D6N\skin[1].exe -> Trojan.Small : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D0ED122D-FF37-495D-9CDF-BBC8B911F5A7}\RP505\A0117529.exe -> Trojan.Small : Cleaned with backup (quarantined).
C:\WINDOWS\system32\usetup.exe -> Trojan.Small : Cleaned with backup (quarantined).
C:\WINDOWS\usetup.exe -> Trojan.Small : Cleaned with backup (quarantined).


::Report end

#3 SifuMike (malware expert)

Posted 26 November 2006 - 07:55 PM

Hello byeats1989,

I am SifuMike and I will be helping you. :thumbsup:

Please download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.

Edited by SifuMike, 26 November 2006 - 08:00 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#4 byeats1989 (Topic Starter)

Posted 27 November 2006 - 02:30 PM

Hi. OK, I ran the SmitfraudFix test and here are the results:

SmitFraudFix v2.125

Scan done at 14:26:01.74, Mon 11/27/2006
Run from C:\Documents and Settings\Family\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Family


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Family\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Family\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=" netdde.dll "


»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32


»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End

#5 SifuMike (malware expert)

Posted 27 November 2006 - 06:46 PM

Hi byeats1989,

1. Download this file - combofix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log and a fresh Hijackthis log.

Notes:
Do not mouse-click combofix's window while it's running. That may cause it to stall.
Disable script blocking if you have Norton Antivirus installed so it will not interfere with the fix. Trojan Hunter has been reported to detect combofix as Worm.Qiv.100.


#6 byeats1989 (Topic Starter)

Posted 27 November 2006 - 09:19 PM

Here are the two reports:

Family - 06-11-27 20:40:06.24 Service Pack 2
ComboFix 06.11.27W - Running from: "C:\Documents and Settings\Family\Desktop"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Program Files\Inetget2
C:\Program Files\Ipwins
C:\Program Files\Common Files\{D42FC8F8-02DA-1033-0714-000310080001}
C:\Program Files\Common Files\{342FC8F8-02DA-1033-0714-000310080001}

~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

Folders Quarantined:

C:\QooBox\Purity\Documents and Settings\Family\Application Data\APPATC~1
C:\QooBox\Purity\Documents and Settings\Family\Application Data\ASEMBL~1
C:\QooBox\Purity\Documents and Settings\Family\Application Data\CROSOF~1
C:\QooBox\Purity\Documents and Settings\Family\Application Data\CROSOF~1.NET
C:\QooBox\Purity\Documents and Settings\Family\Application Data\CROSOF~2
C:\QooBox\Purity\Documents and Settings\Family\Application Data\CURITY~1
C:\QooBox\Purity\Documents and Settings\Family\Application Data\DOBE~2
C:\QooBox\Purity\Documents and Settings\Family\Application Data\ECURIT~1
C:\QooBox\Purity\Documents and Settings\Family\Application Data\FNTS~1
C:\QooBox\Purity\Documents and Settings\Family\Application Data\ICROSO~1
C:\QooBox\Purity\Documents and Settings\Family\Application Data\ICROSO~1.NET
C:\QooBox\Purity\Documents and Settings\Family\Application Data\ICROSO~2
C:\QooBox\Purity\Documents and Settings\Family\Application Data\ICROSO~2.NET
C:\QooBox\Purity\Documents and Settings\Family\Application Data\MCROSO~1
C:\QooBox\Purity\Documents and Settings\Family\Application Data\MCROSO~1.NET
C:\QooBox\Purity\Documents and Settings\Family\Application Data\PPATCH~1
C:\QooBox\Purity\Documents and Settings\Family\Application Data\PPPATC~2
C:\QooBox\Purity\Documents and Settings\Family\Application Data\RACLE~1
C:\QooBox\Purity\Documents and Settings\Family\Application Data\SCURIT~1
C:\QooBox\Purity\Documents and Settings\Family\Application Data\SEMBLY~1
C:\QooBox\Purity\Documents and Settings\Family\Application Data\SKS~1
C:\QooBox\Purity\Documents and Settings\Family\Application Data\SKS~2
C:\QooBox\Purity\Documents and Settings\Family\Application Data\SMANTE~1
C:\QooBox\Purity\Documents and Settings\Family\Application Data\SMBOLS~1
C:\QooBox\Purity\Documents and Settings\Family\Application Data\SSEMBL~1
C:\QooBox\Purity\Documents and Settings\Family\Application Data\SSTEM3~1
C:\QooBox\Purity\Documents and Settings\Family\Application Data\STEM32~1
C:\QooBox\Purity\Documents and Settings\Family\Application Data\STEM~1
C:\QooBox\Purity\Documents and Settings\Family\Application Data\TSKS~1
C:\QooBox\Purity\Documents and Settings\Family\Application Data\WNSXS~1
C:\QooBox\Purity\Documents and Settings\Family\Application Data\YMANTE~1
C:\QooBox\Purity\Documents and Settings\Family\Application Data\YMBOLS~1
C:\QooBox\Purity\Documents and Settings\Family\Application Data\YSTEM3~1
C:\QooBox\Purity\Documents and Settings\Family\Application Data\YSTEM~1
C:\QooBox\Purity\Documents and Settings\Family\Application Data\FNTS~1\FNTS~1
C:\QooBox\Purity\Documents and Settings\Family\Application Data\FNTS~1\nopdb.exe
C:\QooBox\Purity\Documents and Settings\Family\My Documents\ASKS~2
C:\QooBox\Purity\Documents and Settings\Family\My Documents\CROSOF~1
C:\QooBox\Purity\Documents and Settings\Family\My Documents\CROSOF~1.NET
C:\QooBox\Purity\Documents and Settings\Family\My Documents\CURITY~1
C:\QooBox\Purity\Documents and Settings\Family\My Documents\DOBE~1
C:\QooBox\Purity\Documents and Settings\Family\My Documents\ECURIT~1
C:\QooBox\Purity\Documents and Settings\Family\My Documents\FNTS~1
C:\QooBox\Purity\Documents and Settings\Family\My Documents\FNTS~2
C:\QooBox\Purity\Documents and Settings\Family\My Documents\ICROSO~1
C:\QooBox\Purity\Documents and Settings\Family\My Documents\ICROSO~1.NET
C:\QooBox\Purity\Documents and Settings\Family\My Documents\ICROSO~2
C:\QooBox\Purity\Documents and Settings\Family\My Documents\ICROSO~2.NET
C:\QooBox\Purity\Documents and Settings\Family\My Documents\MANTEC~1
C:\QooBox\Purity\Documents and Settings\Family\My Documents\PPATCH~1
C:\QooBox\Purity\Documents and Settings\Family\My Documents\PPATCH~2
C:\QooBox\Purity\Documents and Settings\Family\My Documents\PPPATC~1
C:\QooBox\Purity\Documents and Settings\Family\My Documents\RACLE~1
C:\QooBox\Purity\Documents and Settings\Family\My Documents\RACLE~2
C:\QooBox\Purity\Documents and Settings\Family\My Documents\SCURIT~1
C:\QooBox\Purity\Documents and Settings\Family\My Documents\SKS~1
C:\QooBox\Purity\Documents and Settings\Family\My Documents\SKS~2
C:\QooBox\Purity\Documents and Settings\Family\My Documents\SMANTE~1
C:\QooBox\Purity\Documents and Settings\Family\My Documents\SMBOLS~1
C:\QooBox\Purity\Documents and Settings\Family\My Documents\SSEMBL~1
C:\QooBox\Purity\Documents and Settings\Family\My Documents\SSTEM~1
C:\QooBox\Purity\Documents and Settings\Family\My Documents\STEM32~1
C:\QooBox\Purity\Documents and Settings\Family\My Documents\STEM~1
C:\QooBox\Purity\Documents and Settings\Family\My Documents\TSKS~1
C:\QooBox\Purity\Documents and Settings\Family\My Documents\WNSXS~1
C:\QooBox\Purity\Documents and Settings\Family\My Documents\YMBOLS~1
C:\QooBox\Purity\Documents and Settings\Family\My Documents\YSTEM3~1
C:\QooBox\Purity\Documents and Settings\Family\My Documents\YSTEM~1
C:\QooBox\Purity\Program Files\APPATC~1
C:\QooBox\Purity\Program Files\ASKS~1
C:\QooBox\Purity\Program Files\CROSOF~1
C:\QooBox\Purity\Program Files\CROSOF~1.NET
C:\QooBox\Purity\Program Files\CROSOF~2
C:\QooBox\Purity\Program Files\CURITY~1
C:\QooBox\Purity\Program Files\DOBE~1
C:\QooBox\Purity\Program Files\ECURIT~1
C:\QooBox\Purity\Program Files\FNTS~1
C:\QooBox\Purity\Program Files\ICROSO~1
C:\QooBox\Purity\Program Files\ICROSO~1.NET
C:\QooBox\Purity\Program Files\ICROSO~2.NET
C:\QooBox\Purity\Program Files\MBOLS~1
C:\QooBox\Purity\Program Files\MCROSO~1
C:\QooBox\Purity\Program Files\MCROSO~1.NET
C:\QooBox\Purity\Program Files\PPATCH~1
C:\QooBox\Purity\Program Files\PPPATC~2
C:\QooBox\Purity\Program Files\RACLE~1
C:\QooBox\Purity\Program Files\RACLE~2
C:\QooBox\Purity\Program Files\SCURIT~1
C:\QooBox\Purity\Program Files\SEMBLY~1
C:\QooBox\Purity\Program Files\SKS~1
C:\QooBox\Purity\Program Files\SKS~2
C:\QooBox\Purity\Program Files\SMANTE~1
C:\QooBox\Purity\Program Files\SMBOLS~1
C:\QooBox\Purity\Program Files\SSTEM3~1
C:\QooBox\Purity\Program Files\SSTEM~1
C:\QooBox\Purity\Program Files\STEM32~1
C:\QooBox\Purity\Program Files\STEM~1
C:\QooBox\Purity\Program Files\TSKS~1
C:\QooBox\Purity\Program Files\WNSXS~1
C:\QooBox\Purity\Program Files\YMANTE~1
C:\QooBox\Purity\Program Files\YMBOLS~1
C:\QooBox\Purity\Program Files\YSTEM3~1
C:\QooBox\Purity\Program Files\Common Files\APPATC~1
C:\QooBox\Purity\Program Files\Common Files\ASEMBL~1
C:\QooBox\Purity\Program Files\Common Files\ASKS~2
C:\QooBox\Purity\Program Files\Common Files\CROSOF~1
C:\QooBox\Purity\Program Files\Common Files\CURITY~1
C:\QooBox\Purity\Program Files\Common Files\ECURIT~1
C:\QooBox\Purity\Program Files\Common Files\FNTS~1
C:\QooBox\Purity\Program Files\Common Files\FNTS~2
C:\QooBox\Purity\Program Files\Common Files\ICROSO~1.NET
C:\QooBox\Purity\Program Files\Common Files\ICROSO~2.NET
C:\QooBox\Purity\Program Files\Common Files\MANTEC~1
C:\QooBox\Purity\Program Files\Common Files\MBOLS~1
C:\QooBox\Purity\Program Files\Common Files\MCROSO~1
C:\QooBox\Purity\Program Files\Common Files\PPATCH~1
C:\QooBox\Purity\Program Files\Common Files\PPATCH~2
C:\QooBox\Purity\Program Files\Common Files\RACLE~1
C:\QooBox\Purity\Program Files\Common Files\RACLE~2
C:\QooBox\Purity\Program Files\Common Files\SCURIT~1
C:\QooBox\Purity\Program Files\Common Files\SKS~1
C:\QooBox\Purity\Program Files\Common Files\SKS~2
C:\QooBox\Purity\Program Files\Common Files\SMANTE~1
C:\QooBox\Purity\Program Files\Common Files\SSEMBL~1
C:\QooBox\Purity\Program Files\Common Files\SSTEM3~1
C:\QooBox\Purity\Program Files\Common Files\SSTEM~1
C:\QooBox\Purity\Program Files\Common Files\STEM~1
C:\QooBox\Purity\Program Files\Common Files\TSKS~1
C:\QooBox\Purity\Program Files\Common Files\WNSXS~1
C:\QooBox\Purity\Program Files\Common Files\YMANTE~1
C:\QooBox\Purity\Program Files\Common Files\YMBOLS~1
C:\QooBox\Purity\Program Files\Common Files\YSTEM3~1
C:\QooBox\Purity\WINDOWS\APPATC~1
C:\QooBox\Purity\WINDOWS\ASEMBL~1
C:\QooBox\Purity\WINDOWS\CROSOF~1
C:\QooBox\Purity\WINDOWS\CROSOF~1.NET
C:\QooBox\Purity\WINDOWS\CROSOF~2.NET
C:\QooBox\Purity\WINDOWS\CURITY~1
C:\QooBox\Purity\WINDOWS\DOBE~1
C:\QooBox\Purity\WINDOWS\ECURIT~1
C:\QooBox\Purity\WINDOWS\FNTS~1
C:\QooBox\Purity\WINDOWS\FNTS~2
C:\QooBox\Purity\WINDOWS\ICROSO~1
C:\QooBox\Purity\WINDOWS\ICROSO~1.NET
C:\QooBox\Purity\WINDOWS\ICROSO~2
C:\QooBox\Purity\WINDOWS\ICROSO~2.NET
C:\QooBox\Purity\WINDOWS\MANTEC~1
C:\QooBox\Purity\WINDOWS\MBOLS~1
C:\QooBox\Purity\WINDOWS\MCROSO~1
C:\QooBox\Purity\WINDOWS\MCROSO~1.NET
C:\QooBox\Purity\WINDOWS\PPATCH~1
C:\QooBox\Purity\WINDOWS\PPPATC~1
C:\QooBox\Purity\WINDOWS\RACLE~1
C:\QooBox\Purity\WINDOWS\RACLE~2
C:\QooBox\Purity\WINDOWS\SCURIT~1
C:\QooBox\Purity\WINDOWS\SEMBLY~1
C:\QooBox\Purity\WINDOWS\SMANTE~1
C:\QooBox\Purity\WINDOWS\SMBOLS~1
C:\QooBox\Purity\WINDOWS\SSEMBL~1
C:\QooBox\Purity\WINDOWS\SSTEM3~1
C:\QooBox\Purity\WINDOWS\SSTEM~1
C:\QooBox\Purity\WINDOWS\STEM32~1
C:\QooBox\Purity\WINDOWS\STEM~1
C:\QooBox\Purity\WINDOWS\WNSXS~1
C:\QooBox\Purity\WINDOWS\YMANTE~1
C:\QooBox\Purity\WINDOWS\YMBOLS~1
C:\QooBox\Purity\WINDOWS\YSTEM3~1
C:\QooBox\Purity\WINDOWS\YSTEM~1
C:\QooBox\Purity\WINDOWS\system32\APPATC~1
C:\QooBox\Purity\WINDOWS\system32\ASEMBL~1
C:\QooBox\Purity\WINDOWS\system32\CROSOF~1
C:\QooBox\Purity\WINDOWS\system32\CROSOF~1.NET
C:\QooBox\Purity\WINDOWS\system32\CURITY~1
C:\QooBox\Purity\WINDOWS\system32\DOBE~1
C:\QooBox\Purity\WINDOWS\system32\ECURIT~1
C:\QooBox\Purity\WINDOWS\system32\FNTS~1
C:\QooBox\Purity\WINDOWS\system32\FNTS~2
C:\QooBox\Purity\WINDOWS\system32\ICROSO~1
C:\QooBox\Purity\WINDOWS\system32\ICROSO~1.NET
C:\QooBox\Purity\WINDOWS\system32\ICROSO~2
C:\QooBox\Purity\WINDOWS\system32\ICROSO~2.NET
C:\QooBox\Purity\WINDOWS\system32\MBOLS~1
C:\QooBox\Purity\WINDOWS\system32\MCROSO~1
C:\QooBox\Purity\WINDOWS\system32\PPATCH~1
C:\QooBox\Purity\WINDOWS\system32\PPPATC~1
C:\QooBox\Purity\WINDOWS\system32\RACLE~1
C:\QooBox\Purity\WINDOWS\system32\SMANTE~1
C:\QooBox\Purity\WINDOWS\system32\SMBOLS~1
C:\QooBox\Purity\WINDOWS\system32\SSEMBL~1
C:\QooBox\Purity\WINDOWS\system32\SSTEM~1
C:\QooBox\Purity\WINDOWS\system32\STEM32~1
C:\QooBox\Purity\WINDOWS\system32\STEM~1
C:\QooBox\Purity\WINDOWS\system32\TSKS~1
C:\QooBox\Purity\WINDOWS\system32\WNSXS~1
C:\QooBox\Purity\WINDOWS\system32\YMANTE~1
C:\QooBox\Purity\WINDOWS\system32\YMBOLS~1
C:\QooBox\Purity\WINDOWS\system32\YSTEM3~1
C:\QooBox\Purity\WINDOWS\system32\YSTEM~1


((((((((((((((((((((((((((((((( Files Created from 2006-10-27 to 2006-11-27 ))))))))))))))))))))))))))))))))))


2006-11-27 14:26 2,720 --a------ C:\WINDOWS\system32\tmp.reg
2006-11-26 16:00 <DIR> d-------- C:\Program Files\Hijackthis
2006-11-26 15:36 <DIR> d-------- C:\Program Files\Enigma Software Group
2006-11-26 11:34 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2006-11-26 10:02 3,968 --a------ C:\WINDOWS\system32\drivers\avgclean.sys
2006-11-26 10:01 18,240 --a------ C:\WINDOWS\system32\drivers\avgmfx86.sys
2006-11-25 14:27 139,489 --a------ C:\Documents and Settings\Family\mc2.exe
2006-11-25 14:27 122,880 --a------ C:\Documents and Settings\Family\winstall.exe
2006-11-25 14:08 139,489 --a------ C:\WINDOWS\system32\mc2.exe
2006-11-25 14:08 122,880 --a------ C:\WINDOWS\system32\winstall.exe
2006-11-25 14:07 139,489 --a------ C:\WINDOWS\mc2.exe
2006-11-19 11:24 <DIR> d-------- C:\Program Files\MSXML 4.0
2006-11-19 11:24 <DIR> d-------- C:\a3b0e04f8cab270b1550f42b
2006-11-04 14:14 1,245,696 --a------ C:\WINDOWS\system32\msxml4.dll


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-11-27 20:45 -------- d-------- C:\Program Files\Common Files
2006-11-27 20:08 -------- d-------- C:\Program Files\Lx_cats
2006-11-26 11:34 -------- d-------- C:\Program Files\Grisoft
2006-11-26 11:30 2 --a------ C:\WINDOWS\system32\wnscpcc.exe
2006-11-26 10:07 -------- d-------- C:\Documents and Settings\Family\Application Data\AVG7
2006-11-26 10:02 816672 --a------ C:\WINDOWS\system32\drivers\avg7core.sys
2006-11-26 10:02 4224 --a------ C:\WINDOWS\system32\drivers\avg7rsw.sys
2006-11-26 10:01 4960 --a------ C:\WINDOWS\system32\drivers\avgtdi.sys
2006-11-26 10:01 28416 --a------ C:\WINDOWS\system32\drivers\avg7rsxp.sys
2006-11-26 09:52 -------- d-------- C:\Program Files\MSN Messenger
2006-11-19 11:23 -------- d-------- C:\Program Files\Internet Explorer
2006-11-19 10:27 21840 --a----t- C:\WINDOWS\system32\SIntfNT.dll
2006-11-19 10:27 17212 --a----t- C:\WINDOWS\system32\SIntf32.dll
2006-11-19 10:27 12067 --a----t- C:\WINDOWS\system32\SIntf16.dll
2006-11-19 10:27 -------- d-------- C:\Program Files\Diablo II
2006-10-15 21:30 -------- d-------- C:\Program Files\Common Files\çasks
2006-10-13 07:35 65536 --a------ C:\WINDOWS\system32\nwwks.dll
2006-10-13 07:35 64000 --a------ C:\WINDOWS\system32\nwapi32.dll
2006-10-13 07:35 142336 --a------ C:\WINDOWS\system32\nwprovau.dll
2006-10-13 05:23 163584 --a------ C:\WINDOWS\system32\drivers\nwrdr.sys
2006-10-08 06:41 -------- d-------- C:\Program Files\Tibia
2006-10-07 23:17 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-10-07 23:17 -------- d-------- C:\Program Files\Maxis
2006-09-13 00:01 1084416 --a------ C:\WINDOWS\system32\msxml3.dll
2006-09-04 17:57 216064 --a------ C:\WINDOWS\iun3405.exe
2006-09-01 13:57 8265 --a------ C:\Program Files\INSTALL.LOG


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"Str"="C:\\WINDOWS\\system32\\MIEXEC~1.EXE"
"Oueo"="C:\\Documents and Settings\\Family\\Application Data\\utop.exe"
"Alrs"="\"C:\\DOCUME~1\\Family\\APPLIC~1\\FNTS~1\\nopdb.exe\" -vt rbnd"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_02\\bin\\jusched.exe"
"ISUSPM Startup"="C:\\PROGRA~1\\COMMON~1\\INSTAL~1\\UPDATE~1\\isuspm.exe -startup"
"ISUSScheduler"="\"C:\\Program Files\\Common Files\\InstallShield\\UpdateService\\issch.exe\" -start"
"ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"LXCECATS"="rundll32 C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\LXCEtime.dll,_RunDLLEntry@16"
"lxcemon.exe"="\"C:\\Program Files\\Lexmark 4300 Series\\lxcemon.exe\""
"EzPrint"="\"C:\\Program Files\\Lexmark 4300 Series\\ezprint.exe\""
"FaxCenterServer"="\"C:\\Program Files\\Lexmark Fax Solutions\\fm3032.exe\" /s"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000005

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,00,01,00,00,00,00,00,00,00,04,00,00,de,03,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,a0,00,00,00,00,00,00,00,80,02,00,00,3a,02,\
00,00,04,00,00,40
"RestoredStateInfo"=hex:18,00,00,00,a0,00,00,00,00,00,00,00,80,02,00,00,3a,02,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Adobe Reader Speed Launch.lnk"
"backup"="C:\\WINDOWS\\pss\\Adobe Reader Speed Launch.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Adobe\\ACROBA~1.0\\Reader\\READER~1.EXE "
"item"="Adobe Reader Speed Launch"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^D-Link AirPlus G Configuration Utility.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\D-Link AirPlus G Configuration Utility.lnk"
"backup"="C:\\WINDOWS\\pss\\D-Link AirPlus G Configuration Utility.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\D-LINK~1\\AirPlus.exe "
"item"="D-Link AirPlus G Configuration Utility"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdwareAlert]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="adwarealert"
"hkey"="HKLM"
"command"="C:\\Program Files\\AdwareAlert\\adwarealert.Exe -boot"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alrs]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="nopdb"
"hkey"="HKCU"
"command"="\"C:\\DOCUME~1\\Family\\APPLIC~1\\FNTS~1\\nopdb.exe\" -vt rbnd"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AttuneClientEngine]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="attune_ce"
"hkey"="HKLM"
"command"="C:\\PROGRA~1\\Aveo\\Attune\\bin\\attune_ce.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DriveCleaner 2006 Free]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="UDC2006"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\DriveCleaner 2006 Free\\UDC2006.exe\" /min"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qttask"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="realsched"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

Completion time: 06-11-27 20:46:33.80
C:\ComboFix.txt ... 06-11-27 20:46



And HijackThis:

Logfile of HijackThis v1.99.1
Scan saved at 9:16:16 PM, on 11/27/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Lexmark 4300 Series\lxcemon.exe
C:\Program Files\Lexmark 4300 Series\ezprint.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\MIEXEC~1.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\lxcecoms.exe
C:\WINDOWS\RACLE~1\wowexec.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sympatico.ca/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R3 - URLSearchHook: (no name) - {4FB30F6A-9481-9C22-828E-CD6935D88EB3} - C:\WINDOWS\system32\odpuad.dll (file missing)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2EA6C205-5EC4-0437-C17E-09157B6FE6CC} - C:\WINDOWS\System32\ootmk.dll (file missing)
O2 - BHO: (no name) - {4FB30F6A-9481-9C22-828E-CD6935D88EB3} - C:\WINDOWS\system32\odpuad.dll (file missing)
O2 - BHO: (no name) - {B1CE1E56-8BC6-D510-9800-DEC86DFF2AE1} - C:\WINDOWS\System32\zucyfl.dll (file missing)
O2 - BHO: (no name) - {C004DEC2-2623-438e-9CA2-C9043AB28508} - (no file)
O2 - BHO: (no name) - {F80698F1-5C46-56C2-4345-5D50A1253195} - C:\WINDOWS\system32\ytnqpgqv.dll (file missing)
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [LXCECATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCEtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [lxcemon.exe] "C:\Program Files\Lexmark 4300 Series\lxcemon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 4300 Series\ezprint.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Str] C:\WINDOWS\system32\MIEXEC~1.EXE
O4 - HKCU\..\Run: [Oueo] C:\Documents and Settings\Family\Application Data\utop.exe
O4 - HKCU\..\Run: [Alrs] "C:\WINDOWS\RACLE~1\wowexec.exe" -vt rbnd
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - https://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://everwood13b.spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {5CB1506E-1DEA-4E63-89A7-E40E52AEA1FD} (OnagerCtrl Class) - https://www.puretracks.com/onager.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1104048131132
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/...tiveXPlugin.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab34246.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary/Bankshot.cab31267.cab
O16 - DPF: {E055C02E-6258-40FF-80A7-3BDA52FACAD7} (Installer Class) - http://activex.matcash.com/speedtest2.dll
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab31267.cab
O20 - AppInit_DLLs: netdde.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: lxce_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxcecoms.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)

#7 byeats1989 (Topic Starter)

Posted 27 November 2006 - 09:23 PM

OK, so the 888bar is gone. Does that mean my computer is well again?

#8 SifuMike (malware expert)

Posted 27 November 2006 - 11:04 PM

Hi byeats1989,

You still have some malware on your computer. Not to worry, we will soon have it off. :thumbsup:

Download CCleaner and install it (the default location is best). Do not run it yet!

CCleaner Tutorial


*******************************************

How to Reboot into Safe Mode
Tap the F8 key during reboot until the boot menu appears, use the arrow keys to choose "Safe Mode" from the menu, then press the Enter key. If that does not work, go to this site: http://www.bleepingcomputer.com/tutorials/how-to-start-windows-in-safe-mode/



Please boot into Safe Mode and select the following with HijackThis.
With all windows (including this one!) closed (close browser/explorer windows), please select "fix".

R3 - URLSearchHook: (no name) - {4FB30F6A-9481-9C22-828E-CD6935D88EB3} - C:\WINDOWS\system32\odpuad.dll (file missing)
O2 - BHO: (no name) - {2EA6C205-5EC4-0437-C17E-09157B6FE6CC} - C:\WINDOWS\System32\ootmk.dll (file missing)
O2 - BHO: (no name) - {4FB30F6A-9481-9C22-828E-CD6935D88EB3} - C:\WINDOWS\system32\odpuad.dll (file missing)
O2 - BHO: (no name) - {B1CE1E56-8BC6-D510-9800-DEC86DFF2AE1} - C:\WINDOWS\System32\zucyfl.dll (file missing)
O2 - BHO: (no name) - {C004DEC2-2623-438e-9CA2-C9043AB28508} - (no file)
O2 - BHO: (no name) - {F80698F1-5C46-56C2-4345-5D50A1253195} - C:\WINDOWS\system32\ytnqpgqv.dll (file missing)
O4 - HKCU\..\Run: [Str] C:\WINDOWS\system32\MIEXEC~1.EXE
O4 - HKCU\..\Run: [Oueo] C:\Documents and Settings\Family\Application Data\utop.exe
O4 - HKCU\..\Run: [Alrs] "C:\WINDOWS\RACLE~1\wowexec.exe" -vt rbnd
O16 - DPF: {E055C02E-6258-40FF-80A7-3BDA52FACAD7} (Installer Class) - http://activex.matcash.com/speedtest2.dll
O20 - AppInit_DLLs: netdde.dll


*******************************************

Next, we're going on a file hunt.
Go to My Computer and double-click C.
Go to the Tools menu and select 'Folder Options'.
On the 'View' tab select 'show hidden files and folders',
deselect (uncheck) 'hide protected operating system files (recommended)', and
deselect (uncheck) "Hide extensions for known file types.'

Don't use the Windows Start\Search feature.
Using Windows Explorer, find and delete each of the following. If you can't delete an item, right-click it and click Properties; make sure 'Read-only' is unchecked.
If you still can't delete something, right-click it and rename it to a random word. Then drag the item to a different location and try deleting it now. If you still can't, be sure to let me know. A folder or file name with a tilde (~) means the real name starts with the six characters in front of the tilde; note that there may be spaces in the name.

Using Windows Explorer, delete the following files/folders in bold (Do not be concerned if they do not exist)

C:\WINDOWS\system32\netdde.dll <==file
C:\WINDOWS\system32\MIEXEC~1.EXE <==file  Be careful NOT to delete the valid msiexec.exe file.

C:\Documents and Settings\Family\Application Data\utop.exe <==file  
C:\WINDOWS\RACLE~1\wowexec.exe <==file


*******************************************

*NOTE* CCleaner deletes EVERYTHING out of temp/temporary folders and does not make backups.

Let's empty the temp files:

Run CCleaner.

1. Starting with v1.27.260, CCleaner installs the Yahoo Toolbar as an option which IS checkmarked by default during the installation.
IF you do NOT want it, REMOVE the checkmark when provided with the option OR download the toolbar-free Basic version instead of the Standard Build.


2. Before first use, select Options > Advanced and UNCHECK "Only delete files in Windows Temp folder older than 48 hours"

3. Then select the items you wish to clean up.

In the Windows Tab:
• Clean all entries in the "Internet Explorer" section except Cookies.
• Clean all the entries in the "Windows Explorer" section.
• Clean all entries in the "System" section.
• Clean all entries in the "Advanced" section.
• Clean any others that you choose.

In the Applications Tab:
• Clean all except cookies in the Firefox/Mozilla section if you use it.
• Clean all in the Opera section if you use it.
• Clean Sun Java in the Internet Section.
• Clean any others that you choose.

4. Click the "Run Cleaner" button.
5. A pop up box will appear advising this process will permanently delete files from your system.
6. Click "OK" and it will scan and clean your system.
7. Click "exit" when done.

If it asks you to reboot at the end, click NO.

CCleaner should be run with the above settings for each User Account!

*******************************************


Reboot to the Normal Mode

Disable your antivirus program and go here http://www.bitdefender.com/scan8/ie.html and run an online scan with BitDefender (you will need to use Internet Explorer for this scan). When the ActiveX Control has loaded, click on "Click here to scan" and grab a coffee. :flowers:

When BitDefender completes the scan, select the "Detected Problems" tab.
Click on "Click here to export scan".
Save the file as an HTML to your Desktop.
Then click on the saved file and allow it to open with your browser.
Go to Edit - Select All then copy/paste that log back here.
Post the BitDefender log.

Post a new Hijackthis log, the BitDefender log and tell me how your computer is running.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
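The reply above walks through, by hand, the patterns an analyst looks for in a HijackThis log: unnamed R3/O2 hooks whose DLL is already gone, HKCU Run entries launching from Application Data or from an 8.3 short name that imitates a system binary (MIEXEC~1.EXE beside the real msiexec.exe, wowexec.exe started from C:\WINDOWS\RACLE~1 instead of system32), an O16 ActiveX download from an unfamiliar host, and a non-empty AppInit_DLLs. The Python below is an added example, not code from this thread, from BleepingComputer or from HijackThis, that applies those same checks to a constructed sample built from log lines posted earlier in the thread. The table of system binaries and their expected directories, the ActiveX host allow-list, and the reading of a '?' in a file name as a character HijackThis could not render are assumptions made for the example.

```python
"""Added example, not code from this thread or from HijackThis: a triage pass
over HijackThis 1.99 log lines that flags the patterns the reply above picks
out by hand.  Sample log, system-binary table and host allow-list are assumed."""
import re

# Constructed sample: a subset of the lines posted earlier in this thread.
# The first two are "Running processes" entries, the rest are R/O entries.
SAMPLE_LOG = r"""
C:\WINDOWS\RACLE~1\wowexec.exe
C:\WINDOWS\system32\m?iexec.exe
R3 - URLSearchHook: (no name) - {4FB30F6A-9481-9C22-828E-CD6935D88EB3} - C:\WINDOWS\system32\odpuad.dll (file missing)
O2 - BHO: (no name) - {2EA6C205-5EC4-0437-C17E-09157B6FE6CC} - C:\WINDOWS\System32\ootmk.dll (file missing)
O2 - BHO: (no name) - {C004DEC2-2623-438e-9CA2-C9043AB28508} - (no file)
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKCU\..\Run: [Str] C:\WINDOWS\system32\MIEXEC~1.EXE
O4 - HKCU\..\Run: [Oueo] C:\Documents and Settings\Family\Application Data\utop.exe
O4 - HKCU\..\Run: [Alrs] "C:\WINDOWS\RACLE~1\wowexec.exe" -vt rbnd
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - https://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {E055C02E-6258-40FF-80A7-3BDA52FACAD7} (Installer Class) - http://activex.matcash.com/speedtest2.dll
O20 - AppInit_DLLs: netdde.dll
"""

# Assumed table: a few Windows XP system binaries and the directory each one
# legitimately lives in (compared as a lower-case suffix of the directory).
SYSTEM_BINARIES = {
    "smss.exe": r"\windows\system32", "svchost.exe": r"\windows\system32",
    "msiexec.exe": r"\windows\system32", "wowexec.exe": r"\windows\system32",
    "explorer.exe": r"\windows",
}
# Assumed allow-list of hosts this user is expected to fetch ActiveX (O16) from.
TRUSTED_DPF_HOSTS = ("microsoft.com", "msn.com", "apple.com")

LINE_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")
# A quoted path, or an unquoted drive path up to its first .exe/.dll.
PATH_RE = re.compile(r'"([^"]+)"|([a-z]:\\.*?\.(?:exe|dll))', re.I)
PROFILE_DIR_RE = re.compile(r"\\documents and settings\\[^\\]+\\(application data|local settings)\\")


def edit_distance(a, b):
    """Levenshtein distance; used to catch one-character look-alike names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_path(path):
    """Return the reasons one executable path looks wrong (empty list if none)."""
    reasons = []
    low = path.strip('"').lower()
    directory, _, base = low.rpartition("\\")
    if PROFILE_DIR_RE.search(low):
        reasons.append("executable kept in a user profile data directory")
    # Assumed: HijackThis prints a character it cannot render as '?', so a '?'
    # in a file name is a non-ASCII look-alike character, not a wildcard.
    if "?" in base or not base.isascii():
        reasons.append("non-ASCII character in file name")
    # An 8.3 short name (MIEXEC~1.EXE) hides the long name; drop the ~N so the
    # visible six characters can be compared with the real system binaries.
    cmp_name = re.sub(r"~\d+", "", base)
    for known, expected_dir in SYSTEM_BINARIES.items():
        if cmp_name == known:
            if not directory.endswith(expected_dir):
                reasons.append(f"{known} running from {directory} instead of {expected_dir}")
        elif edit_distance(cmp_name, known) == 1:
            reasons.append(f"{base} is one character away from {known}")
    return reasons


def triage(log_text):
    """Scan HijackThis log text; return a (rule, reason, line) tuple per hit."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            if re.match(r"[a-z]:\\", line, re.I):  # a "Running processes" entry
                for why in check_path(line):
                    findings.append(("suspicious-path", why, line))
            continue
        kind, body = m.group("kind"), m.group("body")
        # Unnamed hook whose DLL is missing: the CLSID registration still loads
        # at IE start, so it is removed in HijackThis, not on disk.
        if kind in ("R3", "O2") and "(no name)" in body and (
                "(file missing)" in body or "(no file)" in body):
            findings.append(("orphan-hook", "unnamed browser hook, DLL gone", line))
        if kind == "O16":
            hm = re.search(r"https?://([^/\s]+)", body)
            host = hm.group(1).lower() if hm else ""
            if not any(host == t or host.endswith("." + t) for t in TRUSTED_DPF_HOSTS):
                findings.append(("untrusted-dpf", f"ActiveX fetched from {host or 'unknown host'}", line))
        # AppInit_DLLs is empty on a clean XP install; anything listed there is
        # loaded into every process that maps user32.dll.
        if kind == "O20" and body.startswith("AppInit_DLLs:"):
            value = body.split(":", 1)[1].strip()
            if value:
                findings.append(("appinit", f"{value} loaded into every user32 process", line))
        pm = PATH_RE.search(body)
        if pm:
            for why in check_path(pm.group(1) or pm.group(2)):
                findings.append(("suspicious-path", why, line))
    return findings


if __name__ == "__main__":
    for rule, why, line in triage(SAMPLE_LOG):
        print(f"[{rule}] {why}\n    {line}")
```

Run it as-is to print the findings for the sample; to triage a real log, paste the log text into triage(). The edit-distance check is what separates MIEXEC~1.EXE and m?iexec.exe from the genuine msiexec.exe, and the directory check is what catches wowexec.exe started from C:\WINDOWS\RACLE~1 rather than system32. A hit is a reason to look at the entry, not proof of infection: the jusched.exe and apple.com lines in the sample pass cleanly, and a legitimate program installed under Application Data would trip the profile-directory rule.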

#9 byeats1989 (Topic Starter)

Posted 02 December 2006 - 09:55 PM

BitDefender Online Scanner

Scan report generated at: Sat, Dec 02, 2006 - 20:58:00

Scan path: A:\;C:\;D:\;E:\;F:\;

Statistics
  Time: 01:45:54
  Files: 291215
  Folders: 4482
  Boot Sectors: 2
  Archives: 2148
  Packed Files: 22851

Results
  Identified Viruses: 6
  Infected Files: 26
  Suspect Files: 0
  Warnings: 0
  Disinfected: 0
  Deleted Files: 26

Engines Info
  Virus Definitions: 324037
  Engine build: AVCORE v1.0 (build 2368) (i386) (Nov 16 2006 11:31:19)
  Scan plugins: 14
  Archive plugins: 38
  Unpack plugins: 6
  E-mail plugins: 6
  System plugins: 1

Scan Settings
  First Action: Disinfect
  Second Action: Delete
  Heuristics: Yes
  Enable Warnings: Yes
  Scanned Extensions: *;
  Exclude Extensions:
  Scan Emails: Yes
  Scan Archives: Yes
  Scan Packed: Yes
  Scan Files: Yes
  Scan Boot: Yes

Scanned File / Status
C:\Documents and Settings\Family\Local Settings\Temporary Internet Files\Content.IE5\E5YDUJEX\!update-4295[1].0000
  Infected with: Trojan.Downloader.PurityScan.BP
  Disinfection failed
  Deleted
C:\Documents and Settings\Family\mc2.exe=>(NSIS o)=>lzma_solid_nsis0002
  Detected with: Adware.Softomate.D
  Disinfection failed
  Deleted
C:\Documents and Settings\Family\mc2.exe=>(NSIS o)
  Update failed
C:\Documents and Settings\Family\mc2.exe=>(NSIS o)=>lzma_solid_nsis0006
  Detected with: Adware.Softomate.D
  Disinfection failed
  Deleted
C:\Documents and Settings\Family\mc2.exe=>(NSIS o)
  Update failed
C:\Documents and Settings\Family\mc2.exe=>(NSIS o)=>lzma_solid_nsis0008=>(NSIS g)=>lzma_solid_nsis0002
  Detected with: Adware.Softomate.D
  Disinfection failed
  Deleted
C:\Documents and Settings\Family\mc2.exe=>(NSIS o)=>lzma_solid_nsis0008=>(NSIS g)
  Update failed
C:\Documents and Settings\Family\winstall.exe
  Infected with: Dropped:Trojan.Purityad.E
  Disinfection failed
  Deleted
C:\Program Files\Java\jre1.5.0\bin\jusched.exe
  Infected with: Generic.Holax.1FB0BA3D
  Disinfection failed
  Deleted
C:\System Volume Information\_restore{D0ED122D-FF37-495D-9CDF-BBC8B911F5A7}\RP505\A0117528.exe=>(NSIS o)=>lzma_solid_nsis0002
  Detected with: Adware.Softomate.D
  Disinfection failed
  Deleted
C:\System Volume Information\_restore{D0ED122D-FF37-495D-9CDF-BBC8B911F5A7}\RP505\A0117528.exe=>(NSIS o)
  Update failed
C:\System Volume Information\_restore{D0ED122D-FF37-495D-9CDF-BBC8B911F5A7}\RP505\A0117530.exe=>(NSIS o)=>lzma_solid_nsis0002
  Detected with: Adware.Softomate.D
  Disinfection failed
  Deleted
C:\System Volume Information\_restore{D0ED122D-FF37-495D-9CDF-BBC8B911F5A7}\RP505\A0117530.exe=>(NSIS o)
  Update failed
C:\System Volume Information\_restore{D0ED122D-FF37-495D-9CDF-BBC8B911F5A7}\RP505\A0117530.exe=>(NSIS o)=>lzma_solid_nsis0006
  Detected with: Adware.Softomate.D
  Disinfection failed
  Deleted
C:\System Volume Information\_restore{D0ED122D-FF37-495D-9CDF-BBC8B911F5A7}\RP505\A0117530.exe=>(NSIS o)
  Update failed
C:\System Volume Information\_restore{D0ED122D-FF37-495D-9CDF-BBC8B911F5A7}\RP505\A0117530.exe=>(NSIS o)=>lzma_solid_nsis0008=>(NSIS g)=>lzma_solid_nsis0002
  Detected with: Adware.Softomate.D
  Disinfection failed
  Deleted
C:\System Volume Information\_restore{D0ED122D-FF37-495D-9CDF-BBC8B911F5A7}\RP505\A0117530.exe=>(NSIS o)=>lzma_solid_nsis0008=>(NSIS g)
  Update failed
C:\System Volume Information\_restore{D0ED122D-FF37-495D-9CDF-BBC8B911F5A7}\RP505\A0117531.exe
  Infected with: Dropped:Trojan.Purityad.E
  Disinfection failed
  Deleted
C:\System Volume Information\_restore{D0ED122D-FF37-495D-9CDF-BBC8B911F5A7}\RP505\A0117532.exe=>(NSIS o)=>lzma_solid_nsis0002
  Detected with: Adware.Softomate.D
  Disinfection failed
  Deleted
C:\System Volume Information\_restore{D0ED122D-FF37-495D-9CDF-BBC8B911F5A7}\RP505\A0117532.exe=>(NSIS o)
  Update failed
C:\System Volume Information\_restore{D0ED122D-FF37-495D-9CDF-BBC8B911F5A7}\RP505\A0117532.exe=>(NSIS o)=>lzma_solid_nsis0006
  Detected with: Adware.Softomate.D
  Disinfection failed
  Deleted
C:\System Volume Information\_restore{D0ED122D-FF37-495D-9CDF-BBC8B911F5A7}\RP505\A0117532.exe=>(NSIS o)
  Update failed
C:\System Volume Information\_restore{D0ED122D-FF37-495D-9CDF-BBC8B911F5A7}\RP505\A0117532.exe=>(NSIS o)=>lzma_solid_nsis0008=>(NSIS g)=>lzma_solid_nsis0002
  Detected with: Adware.Softomate.D
  Disinfection failed
  Deleted
C:\System Volume Information\_restore{D0ED122D-FF37-495D-9CDF-BBC8B911F5A7}\RP505\A0117532.exe=>(NSIS o)=>lzma_solid_nsis0008=>(NSIS g)
  Update failed
C:\System Volume Information\_restore{D0ED122D-FF37-495D-9CDF-BBC8B911F5A7}\RP507\A0119636.exe
  Infected with: Trojan.Clspring.425984.B
  Disinfection failed
  Deleted
C:\System Volume Information\_restore{D0ED122D-FF37-495D-9CDF-BBC8B911F5A7}\RP507\A0119650.exe
  Infected with: Dropped:Trojan.Purityad.E
  Disinfection failed
  Deleted
C:\System Volume Information\_restore{D0ED122D-FF37-495D-9CDF-BBC8B911F5A7}\RP511\A0120353.exe
  Infected with: Dropped:Trojan.Purityad.E
  Disinfection failed
  Deleted
C:\System Volume Information\_restore{D0ED122D-FF37-495D-9CDF-BBC8B911F5A7}\RP512\A0120354.exe
  Infected with: Generic.Holax.1FB0BA3D
  Disinfection failed
  Deleted
C:\WINDOWS\mc2.exe=>(NSIS o)=>lzma_solid_nsis0002
  Detected with: Adware.Softomate.D
  Disinfection failed
  Deleted
C:\WINDOWS\mc2.exe=>(NSIS o)
  Update failed
C:\WINDOWS\mc2.exe=>(NSIS o)=>lzma_solid_nsis0006
  Detected with: Adware.Softomate.D
  Disinfection failed
  Deleted
C:\WINDOWS\mc2.exe=>(NSIS o)
  Update failed
C:\WINDOWS\mc2.exe=>(NSIS o)=>lzma_solid_nsis0008=>(NSIS g)=>lzma_solid_nsis0002
  Detected with: Adware.Softomate.D
  Disinfection failed
  Deleted
C:\WINDOWS\mc2.exe=>(NSIS o)=>lzma_solid_nsis0008=>(NSIS g)
  Update failed
C:\WINDOWS\system32\mc2.exe=>(NSIS o)=>lzma_solid_nsis0002
  Detected with: Adware.Softomate.D
  Disinfection failed
  Deleted
C:\WINDOWS\system32\mc2.exe=>(NSIS o)
  Update failed
C:\WINDOWS\system32\mc2.exe=>(NSIS o)=>lzma_solid_nsis0006
  Detected with: Adware.Softomate.D
  Disinfection failed
  Deleted
C:\WINDOWS\system32\mc2.exe=>(NSIS o)
  Update failed
C:\WINDOWS\system32\mc2.exe=>(NSIS o)=>lzma_solid_nsis0008=>(NSIS g)=>lzma_solid_nsis0002
  Detected with: Adware.Softomate.D
  Disinfection failed
  Deleted
C:\WINDOWS\system32\mc2.exe=>(NSIS o)=>lzma_solid_nsis0008=>(NSIS g)
  Update failed
C:\WINDOWS\system32\utop.exe
  Infected with: Trojan.Downloader.2035.B
  Disinfection failed
  Deleted
C:\WINDOWS\system32\winstall.exe
  Infected with: Dropped:Trojan.Purityad.E
  Disinfection failed
  Deleted

Logfile of HijackThis v1.99.1
Scan saved at 9:49:45 PM, on 12/2/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Lexmark 4300 Series\lxcemon.exe
C:\Program Files\Lexmark 4300 Series\ezprint.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\lxcecoms.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\m?iexec.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sympatico.ca/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {611C8A8D-4E36-1B9A-3875-4231C0B6FAEC} - C:\WINDOWS\system32\jdgxkd.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [LXCECATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCEtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [lxcemon.exe] "C:\Program Files\Lexmark 4300 Series\lxcemon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 4300 Series\ezprint.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Alrs] C:\Documents and Settings\Family\Application Data\miob.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - https://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://everwood13b.spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {5CB1506E-1DEA-4E63-89A7-E40E52AEA1FD} (OnagerCtrl Class) - https://www.puretracks.com/onager.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1104048131132
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/...tiveXPlugin.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab34246.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary/Bankshot.cab31267.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab31267.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: lxce_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxcecoms.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)

OK, so my computer seems to be running OK. The 888 bar is gone, but I see that the other scan came up with other stuff that is infected. I have seen the same type of infections in the last little while (purityad and softomate). Thanks for your continued assistance!!

#10 byeats1989

byeats1989
  • Topic Starter

  • Members
  • 17 posts

Posted 02 December 2006 - 10:06 PM

I see an exe file called mc2.exe that was created the day I got the virus; I'm guessing this is probably something we should look at? And there is some kind of System Volume Information file that cannot be accessed or deleted.

Edited by byeats1989, 02 December 2006 - 10:09 PM.


#11 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 02 December 2006 - 11:54 PM

Hi byeats1989,

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.

Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 5.0 Update 9.
  • Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-1_5_0_09-windowsi586-p.exe to install the newest version.

I see an exe file called mc2.exe that was created the day I got the virus, I'm guessing this is probably something we should look at?


If you look at the BitDefender log you will see it is deleted. :flowers:

And there is some kind of system volume information file that cannot be accessed or deleted.

Don't worry about the System Volume Information folder, as that is where the deleted files go. It is isolated from the computer there, and we will delete the System Volume Information when we are done cleaning your computer.

It looks like you got a PurityScan infection since your last visit. :thumbsup:
It was not there when we previously did the combofix.

Please boot to Safe Mode and run AVG Anti-Spyware (see my previous instructions).


How to Reboot into Safe Mode
Tap the F8 key during reboot until the boot menu appears, use the arrow keys to choose "Safe Mode" from the menu, then press the "Enter" key. If that does not work, go to this site: http://www.bleepingcomputer.com/tutorials/how-to-start-windows-in-safe-mode/



Please boot into Safe Mode and select the following with HijackThis.
With all windows (including this one!) closed (close browser/explorer windows), please select "fix."

R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {611C8A8D-4E36-1B9A-3875-4231C0B6FAEC} - C:\WINDOWS\system32\jdgxkd.dll
O4 - HKCU\..\Run: [Alrs] C:\Documents and Settings\Family\Application Data\miob.exe



*******************************************

Next, we're going on a file hunt.
Go to My Computer and double-click C.
Go to the Tools menu and select 'Folder Options'.
On the 'View' tab select 'show hidden files and folders',
deselect (uncheck) 'hide protected operating system files (recommended)', and
deselect (uncheck) "Hide extensions for known file types.'

Don't use the windows start\search feature
Using Windows Explorer, find and delete each of the following. If you can't delete an item, right-click it and click properties. Make sure 'read-only' is unchecked.
If you still can't delete something, right-click it and rename it to a random word. Then drag the item to a different location. Try deleting it now. If you still can't, be sure to let me know.

Using Windows Explorer, delete the following files/folders in bold (Do not be concerned if they do not exist)

C:\WINDOWS\system32\m?iexec.exe <==file  Be careful NOT to delete the valid msiexec.exe file. The ? can be any letter or number.

C:\WINDOWS\system32\jdgxkd.dll <==file
C:\Documents and Settings\Family\Application Data\miob.exe <==file

*******************************************

*NOTE* CCleaner deletes EVERYTHING out of temp/temporary folders and does not make backups.

Let's empty the temp files:

Run CCleaner.


*******************************************

Reboot to the Normal Mode

Post a fresh HijackThis log and the AVG Anti-Spyware log, and tell me how your computer is running.

Edited by SifuMike, 03 December 2006 - 12:20 AM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
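The three HijackThis lines SifuMike asks to fix above, and his warning about the m?iexec.exe process sitting next to the real msiexec.exe, can be checked mechanically rather than by eye. The Python below is an added example written for this page; it is not part of the thread and not a HijackThis feature. It parses the kind of log posted here (the sample is a constructed subset of the lines from the log above), flags entries whose referenced file is gone, unnamed BHOs, autoruns launched from a user's Application Data folder, and process names one character away from a core Windows binary. The list of core binaries is an assumption, and every hit is a candidate for a human to judge, not a verdict.

```python
"""Triage a HijackThis 1.99 log for the patterns the helper fixed by hand.

Heuristics, not verdicts: orphaned entries, unnamed BHOs, autoruns from a
user profile folder, and process names one edit away from a core binary.
"""
import re

# Core Windows XP binaries that malware commonly imitates (assumed list).
KNOWN_SYSTEM_BINARIES = (
    "csrss.exe", "explorer.exe", "lsass.exe", "msiexec.exe", "rundll32.exe",
    "services.exe", "smss.exe", "spoolsv.exe", "svchost.exe", "winlogon.exe",
    "wuauclt.exe",
)

# Every HijackThis entry line is "<section> - <body>", e.g. "O4 - HKLM\..\Run: ..."
HJT_ENTRY = re.compile(r"^(?P<section>R\d|O\d+) - (?P<body>.*)$")


def within_one_edit(a, b):
    """Levenshtein distance <= 1: one substitution, insertion or deletion."""
    if a == b:
        return True
    if abs(len(a) - len(b)) > 1:
        return False
    if len(a) == len(b):
        return sum(x != y for x, y in zip(a, b)) == 1
    short, long_ = (a, b) if len(a) < len(b) else (b, a)
    i = 0
    while i < len(short) and short[i] == long_[i]:
        i += 1
    return short[i:] == long_[i + 1:]


def lookalike_of(filename):
    """Return the system binary that `filename` imitates (m?iexec.exe ->
    msiexec.exe), or None for a genuine system binary or an unrelated name."""
    name = filename.lower()
    if name in KNOWN_SYSTEM_BINARIES:
        return None
    for legit in KNOWN_SYSTEM_BINARIES:
        if within_one_edit(name, legit):
            return legit
    return None


def triage(log_text):
    """Return (reason, line) pairs for the log lines worth a closer look."""
    findings = []
    in_processes = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("Running processes:"):
            in_processes = True
            continue
        if in_processes:
            if not line:                 # a blank line ends the process list
                in_processes = False
                continue
            basename = line.rsplit("\\", 1)[-1]
            legit = lookalike_of(basename)
            if legit:
                findings.append((f"process name imitates {legit}", line))
            elif any(ord(c) > 127 for c in basename):
                findings.append(("non-ASCII character in process name", line))
            continue
        m = HJT_ENTRY.match(line)
        if not m:
            continue
        section, body = m.group("section"), m.group("body")
        if "(no file)" in body or "(file missing)" in body:
            findings.append(("referenced file is gone; orphaned entry", line))
        if section == "O2" and body.startswith("BHO: (no name)"):
            findings.append(("unnamed Browser Helper Object", line))
        if section == "O4" and re.search(r"\\Application Data\\[^\\]+\.exe", body, re.I):
            findings.append(("autorun launched from a user profile folder", line))
    return findings


# Constructed sample: a subset of the lines from the log posted in this thread.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\m?iexec.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sympatico.ca/
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {611C8A8D-4E36-1B9A-3875-4231C0B6FAEC} - C:\WINDOWS\system32\jdgxkd.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [Alrs] C:\Documents and Settings\Family\Application Data\miob.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
"""

if __name__ == "__main__":
    for reason, line in triage(SAMPLE_LOG):
        print(f"{reason:45} {line}")
```

Run against the sample, it reports the R3 hook, the jdgxkd.dll BHO, the miob.exe autorun and the m?iexec.exe process, which are exactly the items fixed by hand above. It also reports the BitDefender "(file missing)" button: that one is a leftover of a removed scanner rather than an infection, and the script cannot tell the two apart, which is why the output is a worklist and not a fix list. The one-edit check only catches names that differ from a real binary by a single character, so a lookalike in a different folder with the correct name (a svchost.exe outside system32) needs a path check this example does not attempt.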

#12 byeats1989

byeats1989
  • Topic Starter

  • Members
  • 17 posts

Posted 03 December 2006 - 11:29 AM

Here is the new log. The computer seems to be OK, but I noticed this morning the 888 bar is back in Add or Remove Programs.

Logfile of HijackThis v1.99.1
Scan saved at 11:23:58 AM, on 12/3/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Lexmark 4300 Series\lxcemon.exe
C:\Program Files\Lexmark 4300 Series\ezprint.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Hijackthis\HijackThis.exe
C:\WINDOWS\system32\lxcecoms.exe
c:\program files\common files\installshield\updateservice\isuspm.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\agent.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sympatico.ca/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [LXCECATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCEtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [lxcemon.exe] "C:\Program Files\Lexmark 4300 Series\lxcemon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 4300 Series\ezprint.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\npjpi150_10.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\npjpi150_10.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - https://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://everwood13b.spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {5CB1506E-1DEA-4E63-89A7-E40E52AEA1FD} (OnagerCtrl Class) - https://www.puretracks.com/onager.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1104048131132
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/...tiveXPlugin.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab34246.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary/Bankshot.cab31267.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab31267.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: lxce_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxcecoms.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)

#13 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 03 December 2006 - 04:35 PM

Hi byeats1989,

We will use Hijackthis to delete it. :thumbsup:

The Hijackthis Uninstall Manager allows you to manage the entries found in your control panel's Add/Remove Programs list. :flowers:
When cleaning malware from a machine, entries in the Add/Remove Programs list invariably get left behind.
We will use the Uninstall Manager to remove the Toolbar 888 entry from your uninstall list.

To access the Uninstall Manager you would do the following:


Start HijackThis
Click on the Config button
Click on the Misc Tools button
Click on the Open Uninstall Manager button.


To delete it, simply click on the Toolbar 888 you would like to remove and then click on the Delete this entry button.


Just to be sure nothing was added, run ComboFix and post the log.
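What the Uninstall Manager described above is operating on, as an added example (Python written for this page, not part of the thread and not HijackThis code): the Add/Remove Programs list is a view of the subkeys under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall (per-user entries sit under the same path in HKCU), where DisplayName is the text shown and UninstallString is what the Remove button runs. An entry "left behind" is a subkey whose UninstallString points at a file the cleanup already deleted. The script parses a .reg export of that key and lists such orphans. The sample export, the subkey names, the paths and the GUID are constructed for illustration and do not come from byeats1989's machine.

```python
r"""Find Add/Remove Programs entries whose uninstaller file no longer exists.

Add/Remove Programs lists the subkeys under
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall: DisplayName is the
text shown, UninstallString is what Remove runs. Deleting a program's files
leaves the subkey behind; that leftover is what HijackThis' Uninstall
Manager removes. This works from a .reg export, so it runs offline.
"""
import re

UNINSTALL_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"
KEY_LINE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_LINE = re.compile(r'^"(?P<name>[^"]+)"="(?P<value>.*)"$')


def reg_unescape(s):
    """Undo .reg string escaping (backslash-backslash and backslash-quote)."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text):
    """Return {subkey: {value_name: value}} for the string values in a .reg export."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        k = KEY_LINE.match(line)
        if k:
            current = k.group("key")
            keys[current] = {}
            continue
        v = VALUE_LINE.match(line)
        if v and current is not None:
            keys[current][v.group("name")] = reg_unescape(v.group("value"))
    return keys


def uninstaller_path(command):
    """Pull the executable out of an UninstallString, quoted or not."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.index('"', 1)]
    m = re.match(r"(.+?\.exe)", command, re.I)
    return m.group(1) if m else command


def orphaned_uninstall_entries(reg_text, file_exists):
    """Return (subkey name, DisplayName, exe) for entries whose uninstaller is gone.

    `file_exists` is injected so this runs against a constructed file set here
    or os.path.exists on a live machine."""
    prefix = UNINSTALL_KEY.lower() + "\\"
    orphans = []
    for subkey, values in parse_reg(reg_text).items():
        if not subkey.lower().startswith(prefix):
            continue
        command = values.get("UninstallString")
        if not command:
            continue
        exe = uninstaller_path(command)
        if exe.lower().rsplit("\\", 1)[-1] == "msiexec.exe":
            continue        # Windows Installer products: no per-program file to check
        if not file_exists(exe):
            orphans.append((subkey[len(prefix):], values.get("DisplayName", "?"), exe))
    return orphans


# Constructed sample export; subkey names, GUID and paths are made up for
# illustration and were not taken from the machine in this thread.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Toolbar 888]
"DisplayName"="Toolbar 888"
"UninstallString"="\"C:\\Program Files\\Toolbar888\\uninstall.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AVG7Uninstall]
"DisplayName"="AVG Free Edition"
"UninstallString"="C:\\Program Files\\Grisoft\\AVG Free\\setup.exe /UNINSTALL"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{11111111-2222-3333-4444-555555555555}]
"DisplayName"="J2SE Runtime Environment 5.0 Update 10"
"UninstallString"="MsiExec.exe /X{11111111-2222-3333-4444-555555555555}"
"""

# Constructed: the only uninstaller still on disk after the cleanup.
EXISTING_FILES = {r"c:\program files\grisoft\avg free\setup.exe"}

if __name__ == "__main__":
    for name, display, exe in orphaned_uninstall_entries(
            SAMPLE_REG, lambda p: p.lower() in EXISTING_FILES):
        print(f"orphan: [{name}] {display!r} -> missing {exe}")
```

On a real machine the export comes from `reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" uninstall.reg` and `file_exists` would be `os.path.exists`; deleting the reported subkey is what the Uninstall Manager's "Delete this entry" button does. An orphan here means only that the uninstaller is gone, not that the program's other files or registry settings are, which is why the helper still asks for a ComboFix log afterwards.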

#14 byeats1989

byeats1989
  • Topic Starter

  • Members
  • 17 posts

Posted 03 December 2006 - 07:28 PM

I was not able to uninstall the 888 toolbar because it wasn't on the HijackThis list, but it was in Add or Remove Programs.

Here is the combofix log

Family - 06-12-03 19:21:34.64 Service Pack 2
ComboFix 06.11.27W - Running from: "C:\Documents and Settings\Family\Desktop\Helpful Programs"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))



~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

Folders Quarantined:

C:\QooBox\Purity\Documents and Settings\Family\Application Data\APPATC~1
C:\QooBox\Purity\Documents and Settings\Family\Application Data\ASEMBL~1
C:\QooBox\Purity\Documents and Settings\Family\Application Data\CROSOF~1
C:\QooBox\Purity\Documents and Settings\Family\Application Data\CROSOF~1.NET
C:\QooBox\Purity\Documents and Settings\Family\Application Data\CROSOF~2
C:\QooBox\Purity\Documents and Settings\Family\Application Data\CURITY~1
C:\QooBox\Purity\Documents and Settings\Family\Application Data\DOBE~2
C:\QooBox\Purity\Documents and Settings\Family\Application Data\ECURIT~1
C:\QooBox\Purity\Documents and Settings\Family\Application Data\FNTS~1
C:\QooBox\Purity\Documents and Settings\Family\Application Data\ICROSO~1
C:\QooBox\Purity\Documents and Settings\Family\Application Data\ICROSO~1.NET
C:\QooBox\Purity\Documents and Settings\Family\Application Data\ICROSO~2
C:\QooBox\Purity\Documents and Settings\Family\Application Data\ICROSO~2.NET
C:\QooBox\Purity\Documents and Settings\Family\Application Data\MCROSO~1
C:\QooBox\Purity\Documents and Settings\Family\Application Data\MCROSO~1.NET
C:\QooBox\Purity\Documents and Settings\Family\Application Data\PPATCH~1
C:\QooBox\Purity\Documents and Settings\Family\Application Data\PPPATC~2
C:\QooBox\Purity\Documents and Settings\Family\Application Data\RACLE~1
C:\QooBox\Purity\Documents and Settings\Family\Application Data\SCURIT~1
C:\QooBox\Purity\Documents and Settings\Family\Application Data\SEMBLY~1
C:\QooBox\Purity\Documents and Settings\Family\Application Data\SKS~1
C:\QooBox\Purity\Documents and Settings\Family\Application Data\SKS~2
C:\QooBox\Purity\Documents and Settings\Family\Application Data\SMANTE~1
C:\QooBox\Purity\Documents and Settings\Family\Application Data\SMBOLS~1
C:\QooBox\Purity\Documents and Settings\Family\Application Data\SSEMBL~1
C:\QooBox\Purity\Documents and Settings\Family\Application Data\SSTEM3~1
C:\QooBox\Purity\Documents and Settings\Family\Application Data\SSTEM~1
C:\QooBox\Purity\Documents and Settings\Family\Application Data\STEM32~1
C:\QooBox\Purity\Documents and Settings\Family\Application Data\STEM~1
C:\QooBox\Purity\Documents and Settings\Family\Application Data\TSKS~1
C:\QooBox\Purity\Documents and Settings\Family\Application Data\WNSXS~1
C:\QooBox\Purity\Documents and Settings\Family\Application Data\YMANTE~1
C:\QooBox\Purity\Documents and Settings\Family\Application Data\YMBOLS~1
C:\QooBox\Purity\Documents and Settings\Family\Application Data\YSTEM3~1
C:\QooBox\Purity\Documents and Settings\Family\Application Data\YSTEM~1
C:\QooBox\Purity\Documents and Settings\Family\Application Data\FNTS~1\FNTS~1
C:\QooBox\Purity\Documents and Settings\Family\Application Data\FNTS~1\nopdb.exe
C:\QooBox\Purity\Documents and Settings\Family\My Documents\ASKS~2
C:\QooBox\Purity\Documents and Settings\Family\My Documents\CROSOF~1
C:\QooBox\Purity\Documents and Settings\Family\My Documents\CROSOF~1.NET
C:\QooBox\Purity\Documents and Settings\Family\My Documents\CURITY~1
C:\QooBox\Purity\Documents and Settings\Family\My Documents\DOBE~1
C:\QooBox\Purity\Documents and Settings\Family\My Documents\ECURIT~1
C:\QooBox\Purity\Documents and Settings\Family\My Documents\FNTS~1
C:\QooBox\Purity\Documents and Settings\Family\My Documents\FNTS~2
C:\QooBox\Purity\Documents and Settings\Family\My Documents\ICROSO~1
C:\QooBox\Purity\Documents and Settings\Family\My Documents\ICROSO~1.NET
C:\QooBox\Purity\Documents and Settings\Family\My Documents\ICROSO~2
C:\QooBox\Purity\Documents and Settings\Family\My Documents\ICROSO~2.NET
C:\QooBox\Purity\Documents and Settings\Family\My Documents\MANTEC~1
C:\QooBox\Purity\Documents and Settings\Family\My Documents\PPATCH~1
C:\QooBox\Purity\Documents and Settings\Family\My Documents\PPATCH~2
C:\QooBox\Purity\Documents and Settings\Family\My Documents\PPPATC~1
C:\QooBox\Purity\Documents and Settings\Family\My Documents\RACLE~1
C:\QooBox\Purity\Documents and Settings\Family\My Documents\RACLE~2
C:\QooBox\Purity\Documents and Settings\Family\My Documents\SCURIT~1
C:\QooBox\Purity\Documents and Settings\Family\My Documents\SKS~1
C:\QooBox\Purity\Documents and Settings\Family\My Documents\SKS~2
C:\QooBox\Purity\Documents and Settings\Family\My Documents\SMANTE~1
C:\QooBox\Purity\Documents and Settings\Family\My Documents\SMBOLS~1
C:\QooBox\Purity\Documents and Settings\Family\My Documents\SSEMBL~1
C:\QooBox\Purity\Documents and Settings\Family\My Documents\SSTEM~1
C:\QooBox\Purity\Documents and Settings\Family\My Documents\STEM32~1
C:\QooBox\Purity\Documents and Settings\Family\My Documents\STEM~1
C:\QooBox\Purity\Documents and Settings\Family\My Documents\TSKS~1
C:\QooBox\Purity\Documents and Settings\Family\My Documents\WNSXS~1
C:\QooBox\Purity\Documents and Settings\Family\My Documents\YMBOLS~1
C:\QooBox\Purity\Documents and Settings\Family\My Documents\YSTEM3~1
C:\QooBox\Purity\Documents and Settings\Family\My Documents\YSTEM~1
C:\QooBox\Purity\Program Files\APPATC~1
C:\QooBox\Purity\Program Files\ASKS~1
C:\QooBox\Purity\Program Files\CROSOF~1
C:\QooBox\Purity\Program Files\CROSOF~1.NET
C:\QooBox\Purity\Program Files\CROSOF~2
C:\QooBox\Purity\Program Files\CURITY~1
C:\QooBox\Purity\Program Files\DOBE~1
C:\QooBox\Purity\Program Files\ECURIT~1
C:\QooBox\Purity\Program Files\FNTS~1
C:\QooBox\Purity\Program Files\ICROSO~1
C:\QooBox\Purity\Program Files\ICROSO~1.NET
C:\QooBox\Purity\Program Files\ICROSO~2.NET
C:\QooBox\Purity\Program Files\MBOLS~1
C:\QooBox\Purity\Program Files\MCROSO~1
C:\QooBox\Purity\Program Files\MCROSO~1.NET
C:\QooBox\Purity\Program Files\PPATCH~1
C:\QooBox\Purity\Program Files\PPPATC~2
C:\QooBox\Purity\Program Files\RACLE~1
C:\QooBox\Purity\Program Files\RACLE~2
C:\QooBox\Purity\Program Files\SCURIT~1
C:\QooBox\Purity\Program Files\SEMBLY~1
C:\QooBox\Purity\Program Files\SKS~1
C:\QooBox\Purity\Program Files\SKS~2
C:\QooBox\Purity\Program Files\SMANTE~1
C:\QooBox\Purity\Program Files\SMBOLS~1
C:\QooBox\Purity\Program Files\SSTEM3~1
C:\QooBox\Purity\Program Files\SSTEM~1
C:\QooBox\Purity\Program Files\STEM32~1
C:\QooBox\Purity\Program Files\STEM~1
C:\QooBox\Purity\Program Files\TSKS~1
C:\QooBox\Purity\Program Files\WNSXS~1
C:\QooBox\Purity\Program Files\YMANTE~1
C:\QooBox\Purity\Program Files\YMBOLS~1
C:\QooBox\Purity\Program Files\YSTEM3~1
C:\QooBox\Purity\Program Files\Common Files\APPATC~1
C:\QooBox\Purity\Program Files\Common Files\ASEMBL~1
C:\QooBox\Purity\Program Files\Common Files\ASKS~2
C:\QooBox\Purity\Program Files\Common Files\CROSOF~1
C:\QooBox\Purity\Program Files\Common Files\CURITY~1
C:\QooBox\Purity\Program Files\Common Files\ECURIT~1
C:\QooBox\Purity\Program Files\Common Files\FNTS~1
C:\QooBox\Purity\Program Files\Common Files\FNTS~2
C:\QooBox\Purity\Program Files\Common Files\ICROSO~1.NET
C:\QooBox\Purity\Program Files\Common Files\ICROSO~2.NET
C:\QooBox\Purity\Program Files\Common Files\MANTEC~1
C:\QooBox\Purity\Program Files\Common Files\MBOLS~1
C:\QooBox\Purity\Program Files\Common Files\MCROSO~1
C:\QooBox\Purity\Program Files\Common Files\PPATCH~1
C:\QooBox\Purity\Program Files\Common Files\PPATCH~2
C:\QooBox\Purity\Program Files\Common Files\RACLE~1
C:\QooBox\Purity\Program Files\Common Files\RACLE~2
C:\QooBox\Purity\Program Files\Common Files\SCURIT~1
C:\QooBox\Purity\Program Files\Common Files\SKS~1
C:\QooBox\Purity\Program Files\Common Files\SKS~2
C:\QooBox\Purity\Program Files\Common Files\SMANTE~1
C:\QooBox\Purity\Program Files\Common Files\SSEMBL~1
C:\QooBox\Purity\Program Files\Common Files\SSTEM3~1
C:\QooBox\Purity\Program Files\Common Files\SSTEM~1
C:\QooBox\Purity\Program Files\Common Files\STEM~1
C:\QooBox\Purity\Program Files\Common Files\TSKS~1
C:\QooBox\Purity\Program Files\Common Files\WNSXS~1
C:\QooBox\Purity\Program Files\Common Files\YMANTE~1
C:\QooBox\Purity\Program Files\Common Files\YMBOLS~1
C:\QooBox\Purity\Program Files\Common Files\YSTEM3~1
C:\QooBox\Purity\WINDOWS\APPATC~1
C:\QooBox\Purity\WINDOWS\ASEMBL~1
C:\QooBox\Purity\WINDOWS\CROSOF~1
C:\QooBox\Purity\WINDOWS\CROSOF~1.NET
C:\QooBox\Purity\WINDOWS\CROSOF~2.NET
C:\QooBox\Purity\WINDOWS\CURITY~1
C:\QooBox\Purity\WINDOWS\DOBE~1
C:\QooBox\Purity\WINDOWS\ECURIT~1
C:\QooBox\Purity\WINDOWS\FNTS~1
C:\QooBox\Purity\WINDOWS\FNTS~2
C:\QooBox\Purity\WINDOWS\ICROSO~1
C:\QooBox\Purity\WINDOWS\ICROSO~1.NET
C:\QooBox\Purity\WINDOWS\ICROSO~2
C:\QooBox\Purity\WINDOWS\ICROSO~2.NET
C:\QooBox\Purity\WINDOWS\MANTEC~1
C:\QooBox\Purity\WINDOWS\MBOLS~1
C:\QooBox\Purity\WINDOWS\MCROSO~1
C:\QooBox\Purity\WINDOWS\MCROSO~1.NET
C:\QooBox\Purity\WINDOWS\PPATCH~1
C:\QooBox\Purity\WINDOWS\PPPATC~1
C:\QooBox\Purity\WINDOWS\RACLE~1
C:\QooBox\Purity\WINDOWS\RACLE~2
C:\QooBox\Purity\WINDOWS\SCURIT~1
C:\QooBox\Purity\WINDOWS\SEMBLY~1
C:\QooBox\Purity\WINDOWS\SMANTE~1
C:\QooBox\Purity\WINDOWS\SMBOLS~1
C:\QooBox\Purity\WINDOWS\SSEMBL~1
C:\QooBox\Purity\WINDOWS\SSTEM3~1
C:\QooBox\Purity\WINDOWS\SSTEM~1
C:\QooBox\Purity\WINDOWS\STEM32~1
C:\QooBox\Purity\WINDOWS\STEM~1
C:\QooBox\Purity\WINDOWS\WNSXS~1
C:\QooBox\Purity\WINDOWS\YMANTE~1
C:\QooBox\Purity\WINDOWS\YMBOLS~1
C:\QooBox\Purity\WINDOWS\YSTEM3~1
C:\QooBox\Purity\WINDOWS\YSTEM~1
C:\QooBox\Purity\WINDOWS\RACLE~1\RACLE~1
C:\QooBox\Purity\WINDOWS\RACLE~1\wowexec.exe
C:\QooBox\Purity\WINDOWS\system32\APPATC~1
C:\QooBox\Purity\WINDOWS\system32\ASEMBL~1
C:\QooBox\Purity\WINDOWS\system32\CROSOF~1
C:\QooBox\Purity\WINDOWS\system32\CROSOF~1.NET
C:\QooBox\Purity\WINDOWS\system32\CURITY~1
C:\QooBox\Purity\WINDOWS\system32\DOBE~1
C:\QooBox\Purity\WINDOWS\system32\ECURIT~1
C:\QooBox\Purity\WINDOWS\system32\FNTS~1
C:\QooBox\Purity\WINDOWS\system32\FNTS~2
C:\QooBox\Purity\WINDOWS\system32\ICROSO~1
C:\QooBox\Purity\WINDOWS\system32\ICROSO~1.NET
C:\QooBox\Purity\WINDOWS\system32\ICROSO~2
C:\QooBox\Purity\WINDOWS\system32\ICROSO~2.NET
C:\QooBox\Purity\WINDOWS\system32\MBOLS~1
C:\QooBox\Purity\WINDOWS\system32\MCROSO~1
C:\QooBox\Purity\WINDOWS\system32\PPATCH~1
C:\QooBox\Purity\WINDOWS\system32\PPPATC~1
C:\QooBox\Purity\WINDOWS\system32\RACLE~1
C:\QooBox\Purity\WINDOWS\system32\SMANTE~1
C:\QooBox\Purity\WINDOWS\system32\SMBOLS~1
C:\QooBox\Purity\WINDOWS\system32\SSEMBL~1
C:\QooBox\Purity\WINDOWS\system32\SSTEM~1
C:\QooBox\Purity\WINDOWS\system32\STEM32~1
C:\QooBox\Purity\WINDOWS\system32\STEM~1
C:\QooBox\Purity\WINDOWS\system32\TSKS~1
C:\QooBox\Purity\WINDOWS\system32\WNSXS~1
C:\QooBox\Purity\WINDOWS\system32\YMANTE~1
C:\QooBox\Purity\WINDOWS\system32\YMBOLS~1
C:\QooBox\Purity\WINDOWS\system32\YSTEM3~1
C:\QooBox\Purity\WINDOWS\system32\YSTEM~1


((((((((((((((((((((((((((((((( Files Created from 2006-11-03 to 2006-12-03 ))))))))))))))))))))))))))))))))))


2006-12-03 11:20 <DIR> dr-h----- C:\Documents and Settings\Family\Recent
2006-12-03 10:06 <DIR> d-------- C:\Program Files\Java
2006-12-03 10:05 <DIR> d-------- C:\Program Files\Common Files\Java
2006-12-02 19:11 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2006-12-02 19:00 <DIR> d-------- C:\Program Files\CCleaner
2006-11-29 20:50 <DIR> d-------- C:\WINDOWS\system32\çasks
2006-11-28 17:55 <DIR> d-------- C:\Documents and Settings\Family\Contacts
2006-11-28 17:54 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2006-11-27 21:15 53,248 --a------ C:\WINDOWS\system32\Process.exe
2006-11-27 21:15 40,960 --a------ C:\WINDOWS\system32\swsc.exe
2006-11-27 21:15 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2006-11-27 21:15 135,168 --a------ C:\WINDOWS\system32\swreg.exe
2006-11-27 14:26 2,720 --a------ C:\WINDOWS\system32\tmp.reg
2006-11-26 16:00 <DIR> d-------- C:\Program Files\Hijackthis
2006-11-26 15:36 <DIR> d-------- C:\Program Files\Enigma Software Group
2006-11-26 11:34 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2006-11-26 10:02 3,968 --a------ C:\WINDOWS\system32\drivers\avgclean.sys
2006-11-26 10:01 18,240 --a------ C:\WINDOWS\system32\drivers\avgmfx86.sys
2006-11-25 14:27 139,489 --a------ C:\Documents and Settings\Family\mc2.exe
2006-11-25 14:08 139,489 --a------ C:\WINDOWS\system32\mc2.exe
2006-11-25 14:07 139,489 --a------ C:\WINDOWS\mc2.exe
2006-11-19 11:24 <DIR> d-------- C:\Program Files\MSXML 4.0
2006-11-19 11:24 <DIR> d-------- C:\a3b0e04f8cab270b1550f42b
2006-11-04 14:14 1,245,696 --a------ C:\WINDOWS\system32\msxml4.dll


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-12-03 19:22 -------- d-------- C:\Program Files\Common Files
2006-12-03 19:15 -------- d-------- C:\Program Files\Lx_cats
2006-12-03 13:36 -------- d-------- C:\Program Files\Diablo II
2006-12-03 13:35 21840 --a----t- C:\WINDOWS\system32\SIntfNT.dll
2006-12-03 13:35 17212 --a----t- C:\WINDOWS\system32\SIntf32.dll
2006-12-03 13:35 12067 --a----t- C:\WINDOWS\system32\SIntf16.dll
2006-11-28 17:54 -------- d-------- C:\Program Files\MSN Messenger
2006-11-26 11:34 -------- d-------- C:\Program Files\Grisoft
2006-11-26 10:07 -------- d-------- C:\Documents and Settings\Family\Application Data\AVG7
2006-11-26 10:02 816672 --a------ C:\WINDOWS\system32\drivers\avg7core.sys
2006-11-26 10:02 4224 --a------ C:\WINDOWS\system32\drivers\avg7rsw.sys
2006-11-26 10:01 4960 --a------ C:\WINDOWS\system32\drivers\avgtdi.sys
2006-11-26 10:01 28416 --a------ C:\WINDOWS\system32\drivers\avg7rsxp.sys
2006-11-19 11:23 -------- d-------- C:\Program Files\Internet Explorer
2006-10-15 21:30 -------- d-------- C:\Program Files\Common Files\çasks
2006-10-13 07:35 65536 --a------ C:\WINDOWS\system32\nwwks.dll
2006-10-13 07:35 64000 --a------ C:\WINDOWS\system32\nwapi32.dll
2006-10-13 07:35 142336 --a------ C:\WINDOWS\system32\nwprovau.dll
2006-10-13 05:23 163584 --a------ C:\WINDOWS\system32\drivers\nwrdr.sys
2006-10-08 06:41 -------- d-------- C:\Program Files\Tibia
2006-10-07 23:17 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-10-07 23:17 -------- d-------- C:\Program Files\Maxis
2006-09-13 00:01 1084416 --a------ C:\WINDOWS\system32\msxml3.dll
2006-09-04 17:57 216064 --a------ C:\WINDOWS\iun3405.exe
2006-09-01 13:57 8265 --a------ C:\Program Files\INSTALL.LOG


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"ISUSPM Startup"="C:\\PROGRA~1\\COMMON~1\\INSTAL~1\\UPDATE~1\\isuspm.exe -startup"
"ISUSScheduler"="\"C:\\Program Files\\Common Files\\InstallShield\\UpdateService\\issch.exe\" -start"
"ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"LXCECATS"="rundll32 C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\LXCEtime.dll,_RunDLLEntry@16"
"lxcemon.exe"="\"C:\\Program Files\\Lexmark 4300 Series\\lxcemon.exe\""
"EzPrint"="\"C:\\Program Files\\Lexmark 4300 Series\\ezprint.exe\""
"FaxCenterServer"="\"C:\\Program Files\\Lexmark Fax Solutions\\fm3032.exe\" /s"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_10\\bin\\jusched.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000005

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,00,01,00,00,00,00,00,00,00,04,00,00,de,03,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,a0,00,00,00,00,00,00,00,80,02,00,00,3a,02,\
00,00,04,00,00,40
"RestoredStateInfo"=hex:18,00,00,00,a0,00,00,00,00,00,00,00,80,02,00,00,3a,02,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Adobe Reader Speed Launch.lnk"
"backup"="C:\\WINDOWS\\pss\\Adobe Reader Speed Launch.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Adobe\\ACROBA~1.0\\Reader\\READER~1.EXE "
"item"="Adobe Reader Speed Launch"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^D-Link AirPlus G Configuration Utility.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\D-Link AirPlus G Configuration Utility.lnk"
"backup"="C:\\WINDOWS\\pss\\D-Link AirPlus G Configuration Utility.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\D-LINK~1\\AirPlus.exe "
"item"="D-Link AirPlus G Configuration Utility"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdwareAlert]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="adwarealert"
"hkey"="HKLM"
"command"="C:\\Program Files\\AdwareAlert\\adwarealert.Exe -boot"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alrs]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="nopdb"
"hkey"="HKCU"
"command"="\"C:\\DOCUME~1\\Family\\APPLIC~1\\FNTS~1\\nopdb.exe\" -vt rbnd"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AttuneClientEngine]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="attune_ce"
"hkey"="HKLM"
"command"="C:\\PROGRA~1\\Aveo\\Attune\\bin\\attune_ce.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DriveCleaner 2006 Free]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="UDC2006"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\DriveCleaner 2006 Free\\UDC2006.exe\" /min"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qttask"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="realsched"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

Completion time: 06-12-03 19:23:43.71
C:\ComboFix.txt ... 06-12-03 19:23
C:\ComboFix2.txt ... 06-11-27 20:46

#15 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:10:57 PM

Posted 03 December 2006 - 07:49 PM

Looks good.

Delete this folder created by ComboFix - C:\QooBox\

Then run ComboFix again and post the log.

Edited by SifuMike, 03 December 2006 - 07:51 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.



