#21
Registered User
Join Date: Jun 2008
Posts: 20
OS: xp media center
Re: spyware redirect to http://www.asiuoqgusdbaksd.com/
Thanks again!
Here's hijack this... Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 3:37:50 PM, on 6/13/2008 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16674) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Intel\Wireless\Bin\EvtEng.exe C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations\avp.exe C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe C:\WINDOWS\system32\DVDRAMSV.exe C:\WINDOWS\eHome\ehRecvr.exe C:\WINDOWS\system32\igfxtray.exe C:\WINDOWS\eHome\ehSched.exe C:\WINDOWS\system32\igfxpers.exe C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe C:\Program Files\Synaptics\SynTP\SynTPEnh.exe C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe C:\Program Files\Toshiba\Tvs\TvsTray.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe C:\toshiba\ivp\ism\pinger.exe C:\Program Files\Synaptics\SynTP\Toshiba.exe C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe C:\Program Files\iTunes\iTunesHelper.exe C:\WINDOWS\system32\iprntlgn.exe C:\Program Files\Canon\CAL\CALMAIN.exe C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations\avp.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe C:\Program Files\iPod\bin\iPodService.exe C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe C:\WINDOWS\system32\dllhost.exe C:\WINDOWS\system32\wscntfy.exe C:\WINDOWS\explorer.exe C:\Program Files\Internet 
Explorer\IEXPLORE.EXE C:\Documents and Settings\welcome\Desktop\HiJackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe O4 - HKLM\..\Run: [THotkey] "C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe" O4 - HKLM\..\Run: [SynTPLpr] "C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" O4 - HKLM\..\Run: [SynTPEnh] "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe O4 - HKLM\..\Run: [Tvs] "C:\Program Files\Toshiba\Tvs\TvsTray.exe" O4 - HKLM\..\Run: [SmoothView] "C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" O4 - HKLM\..\Run: [Pinger] "c:\toshiba\ivp\ism\pinger.exe" /run O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe O4 - HKLM\..\Run: [iPrint Tray] "C:\WINDOWS\system32\iprntctl.exe" TRAY_ICON O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [iPrint Event Monitor] C:\WINDOWS\system32\iprntlgn.exe O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [TOSCDSPD] "C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe" O4 - Global Startup: Adobe Reader Speed Launch.lnk = 
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations\ie_banner_deny.htm O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations\SCIEPlgn.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.5 Control) - http://denverdigitalimaging.lifepics...eUploader3.cab O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0FO\adialhk.dll O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations\avp.exe O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. 
- C:\Program Files\Canon\CAL\CALMAIN.exe O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe -- End of file - 7146 bytes |
#22
Registered User
Join Date: Jun 2008
Posts: 20
OS: xp media center
Re: spyware redirect to http://www.asiuoqgusdbaksd.com/
...and I didn't get a dequarantine, just another combofix...
ComboFix 08-06-08.8 - welcome 2008-06-13 15:33:21.3 - NTFSx86 Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.584 [GMT -6:00] Running from: C:\Documents and Settings\welcome\Desktop\ComboFix.exe Command switches used :: C:\Documents and Settings\welcome\Desktop\CFScript.txt * Created a new restore point WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !! . ((((((((((((((((((((((((( Files Created from 2008-05-13 to 2008-06-13 ))))))))))))))))))))))))))))))) . 2008-06-11 09:18 . 2008-04-14 05:01 272,128 --------- C:\WINDOWS\system32\drivers\bthport.sys 2008-06-11 09:18 . 2008-04-14 05:01 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys 2008-06-10 16:28 . 2008-06-10 16:28 <DIR> d-------- C:\Documents and Settings\welcome\Application Data\Malwarebytes 2008-06-10 16:27 . 2008-06-10 16:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes 2008-06-10 14:18 . 2008-06-10 15:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SITEguard 2008-06-10 14:14 . 2008-06-10 14:14 <DIR> d-------- C:\Program Files\Common Files\iS3 2008-06-10 14:14 . 2008-06-10 15:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\STOPzilla! 2008-06-10 13:06 . 2008-06-10 13:06 2 --a------ C:\WINDOWS\msoffice.ini 2008-06-09 14:30 . 2008-06-09 13:53 1,959,843 --a------ C:\ComboFix.exe 2008-06-04 09:26 . 2008-06-04 09:26 <DIR> d-------- C:\Deckard 2008-06-03 16:29 . 2008-06-10 13:51 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP 2008-06-03 15:40 . 2008-06-03 15:41 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\U3 2008-06-03 07:49 . 2008-04-22 22:16 6,066,176 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll 2008-06-03 07:49 . 2007-04-17 03:32 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat 2008-06-03 07:49 . 2007-03-07 23:10 991,232 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui 2008-06-03 07:49 . 
2008-04-22 22:16 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll 2008-06-03 07:49 . 2008-04-22 22:16 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll 2008-06-03 07:49 . 2008-04-22 22:16 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll 2008-06-03 07:49 . 2008-04-22 22:16 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll 2008-06-03 07:49 . 2008-04-22 22:16 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll 2008-06-03 07:49 . 2008-04-22 01:39 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe 2008-06-03 07:16 . 2008-06-03 07:16 <DIR> d--hs---- C:\WINDOWS\ftpcache 2008-06-03 07:16 . 2008-06-03 07:16 <DIR> d-------- C:\Program Files\CCleaner 2008-06-03 07:04 . 2006-02-28 06:00 129,536 --a--c--- C:\WINDOWS\system32\dllcache\acledit.dll 2008-06-03 07:04 . 2006-02-28 06:00 129,536 --a------ C:\WINDOWS\system32\acledit.dll 2008-06-02 22:26 . 2008-06-09 14:43 <DIR> d-------- C:\Documents and Settings\welcome\Application Data\U3 2008-06-02 21:24 . 2008-06-03 07:16 <DIR> d---s---- C:\Documents and Settings\Administrator\UserData 2008-06-02 18:56 . 2008-06-02 18:56 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com 2008-06-02 18:13 . 2008-06-02 18:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com 2008-06-02 18:10 . 2008-06-03 14:28 <DIR> d-------- C:\Program Files\SUPERAntiSpyware 2008-06-02 18:10 . 2008-06-03 14:28 <DIR> d-------- C:\Documents and Settings\welcome\Application Data\SUPERAntiSpyware.com 2008-06-02 16:40 . 2007-08-13 18:54 33,792 --a--c--- C:\WINDOWS\system32\dllcache\custsat.dll 2008-06-02 13:43 . 2008-06-11 09:53 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy 2008-06-02 13:43 . 2008-06-11 09:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy 2008-06-02 11:57 . 2008-06-02 11:57 <DIR> d-------- C:\WINDOWS\Recent 2008-06-02 10:56 . 
2008-06-10 14:59 96,966 --a------ C:\WINDOWS\system32\drivers\klin.dat 2008-06-02 10:56 . 2008-06-10 14:59 88,774 --a------ C:\WINDOWS\system32\drivers\klick.dat 2008-06-02 10:55 . 2008-06-02 10:55 <DIR> d-------- C:\Program Files\Kaspersky Lab 2008-06-02 10:55 . 2008-06-13 09:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab 2008-06-02 10:55 . 2008-06-13 15:34 3,024,928 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat 2008-06-02 10:55 . 2008-06-13 15:34 85,280 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat 2008-06-02 10:55 . 2008-06-12 16:41 41,132 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx 2008-06-02 10:55 . 2008-06-12 16:41 8,804 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx 2008-06-02 10:34 . 2008-06-02 10:34 <DIR> d-------- C:\KAV 2008-06-02 10:15 . 2007-09-06 10:45 45,056 --a------ C:\WINDOWS\system32\iprntlgn.exe 2008-06-02 10:15 . 2007-09-06 10:45 32,768 --a------ C:\WINDOWS\system32\nipplgex.dll 2008-05-24 23:33 . 2008-06-03 07:15 <DIR> d-------- C:\Documents and Settings\welcome\Application Data\uTorrent 2008-05-24 23:31 . 2004-08-10 06:00 4,224 --a------ C:\WINDOWS\system32\beep.sys 2008-05-24 23:30 . 2008-05-24 23:33 <DIR> d-------- C:\Program Files\uTorrent 2008-05-24 13:39 . 2008-06-10 15:09 <DIR> d-------- C:\Temp 2008-05-21 14:58 . 2008-05-21 14:58 54,156 --ah----- C:\WINDOWS\QTFont.qfn 2008-05-21 14:58 . 2008-05-21 14:58 1,409 --a------ C:\WINDOWS\QTFont.for 2008-05-19 22:00 . 2008-05-19 22:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AOL OCP . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 
2008-06-10 20:59 112,144 ----a-w C:\WINDOWS\system32\drivers\kl1.sys 2008-06-10 19:45 --------- d-----w C:\Program Files\Common Files\AOL 2008-06-10 19:45 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL 2008-06-10 19:06 --------- d-----w C:\Documents and Settings\welcome\Application Data\AOL 2008-06-10 19:06 --------- d-----w C:\Documents and Settings\Administrator\Application Data\AOL 2008-06-04 15:07 --------- d-----w C:\Program Files\TOSHIBA 2008-06-03 09:07 --------- d-----w C:\Program Files\DIGStream 2008-06-03 02:23 --------- d-----w C:\Program Files\Yahoo! 2008-06-02 23:24 --------- d-----w C:\Program Files\Metamail Inc 2008-06-02 19:47 --------- d-----w C:\Program Files\Toshiba Games 2008-06-02 16:59 --------- d-----w C:\Program Files\Common Files\Symantec Shared 2008-06-02 16:59 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec 2008-05-26 02:15 --------- d-----w C:\Documents and Settings\welcome\Application Data\ZoomBrowser EX 2008-05-15 00:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\ZoomBrowser 2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys 2008-05-07 04:55 1,288,192 ----a-w C:\WINDOWS\system32\quartz.dll 2008-04-23 04:16 826,368 ----a-w C:\WINDOWS\system32\wininet.dll 2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll 2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys 2006-12-13 03:10 0 ----a-w C:\Documents and Settings\welcome\Application Data\wklnhst.dat 2006-10-03 08:43 2,402,550 ----a-w C:\WINDOWS\inf\SETC6.tmp . ((((((((((((((((((((((((((((( snapshot_2008-06-12_ 9.21.14.81 ))))))))))))))))))))))))))))))))))))))))) . - 2008-06-12 15:18:07 2,048 --s-a-w C:\WINDOWS\bootstat.dat + 2008-06-13 15:25:55 2,048 --s-a-w C:\WINDOWS\bootstat.dat . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . 
*Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 06:00 15360] "TOSCDSPD"="C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2004-12-30 02:32 65536] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-11-27 23:55 98304] "igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-11-27 23:55 118784] "THotkey"="C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe" [2006-01-05 16:02 352256] "SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2005-12-16 02:34 82009] "SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-12-16 02:32 761945] "NDSTray.exe"="NDSTray.exe" [] "Tvs"="C:\Program Files\Toshiba\Tvs\TvsTray.exe" [2005-11-30 14:25 73728] "SmoothView"="C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2005-04-26 18:13 122880] "Pinger"="c:\toshiba\ivp\ism\pinger.exe" [2005-03-17 19:37 151552] "IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-05 13:37 667718] "IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-11-28 12:41 602182] "HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe" [2003-03-08 22:30 188416] "iPrint Tray"="C:\WINDOWS\system32\iprntctl.exe" [2007-09-06 10:45 40960] "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-10-30 10:36 256576] "iPrint Event Monitor"="C:\WINDOWS\system32\iprntlgn.exe" [2007-09-06 10:45 45056] C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-24 00:05:26 29696] [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system] "InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles "InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme 
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows] "AppInit_DLLs"=C:\PROGRA~1\KASPER~1\KASPER~1.0FO\adialhk.dll [HKLM\~\startupfolder\C:^Documents and Settings^welcome^Start Menu^Programs^Startup^Microsoft Office OneNote 2003 Quick Launch.lnk] path=C:\Documents and Settings\welcome\Start Menu\Programs\Startup\Microsoft Office OneNote 2003 Quick Launch.lnk backup=C:\WINDOWS\pss\Microsoft Office OneNote 2003 Quick Launch.lnkStartup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IEUpdate] C:\WINDOWS\system32\acledite.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Windows Installer] C:\Documents and Settings\welcome\Application Data\Microsoft\dtsc\12815.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services] "Swupdtmr"=2 (0x2) "MsSecurity1.209.4"=2 (0x2) [HKEY_LOCAL_MACHINE\software\microsoft\security center] "AntiVirusDisableNotify"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus] "DisableMonitoring"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall] "DisableMonitoring"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "C:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"= "C:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"= C:\\TOSHIBA\\IVP\\ISM\\pinger.exe "C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"= "C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"= "C:\\Program Files\\Messenger\\msmsgs.exe"= "C:\\Novell\\GroupWise\\GrpWise.exe"= "C:\\Novell\\GroupWise\\Notify.exe"= "C:\\Program Files\\Microsoft Office\\OFFICE11\\OUTLOOK.EXE"= "C:\\Program Files\\iTunes\\iTunes.exe"= "C:\\Program Files\\uTorrent\\uTorrent.exe"= "%windir%\\Network 
Diagnostic\\xpnetdiag.exe"= R0 KR10N;KR10N;C:\WINDOWS\system32\drivers\KR10N.sys [2005-01-12 02:05] R1 nipplpt2;Novell iCapture Lpt Redirector 2;C:\WINDOWS\system32\drivers\nipplpt.sys [2007-09-06 10:35] R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys [2007-05-30 17:49] S3 tosrfec;Bluetooth ACPI from TOSHIBA;C:\WINDOWS\system32\DRIVERS\tosrfec.sys [2005-09-09 16:47] *Newly Created Service* - CATCHME . ************************************************************************** catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-06-13 15:34:57 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . Completion time: 2008-06-13 15:35:29 ComboFix-quarantined-files.txt 2008-06-13 21:35:27 ComboFix2.txt 2008-06-12 15:21:34 ComboFix3.txt 2008-06-10 21:20:31 Pre-Run: 83,238,633,472 bytes free Post-Run: 83,227,443,200 bytes free 177 --- E O F --- 2008-06-11 15:25:32 |
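The "Reg Loading Points" section of the ComboFix log above is what the analyst reads to decide which entries are worth acting on: Security Center values that silence antivirus and firewall warnings, a firewall profile switched off, Run values ComboFix could not resolve to a file (the empty `[]` after `NDSTray.exe`), and msconfig-disabled autostarts that point into a user profile. The following Python is an added example written for this page, not ComboFix's own code or anything from the forum; it parses a constructed excerpt in the shape of that section (the values are copied from the posted log) and flags those patterns. The review rules are the editor's own heuristics, not ComboFix's, and a hit only means "look at this", not "this is malware".

```python
import re
from typing import List, Optional, Tuple

# Constructed excerpt in the layout of ComboFix's "Reg Loading Points" section.
# Values are taken from the log posted above; this is not the whole section.
SAMPLE_LOG = r"""
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 06:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-11-27 23:55 98304]
"NDSTray.exe"="NDSTray.exe" []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Windows Installer]
C:\Documents and Settings\welcome\Application Data\Microsoft\dtsc\12815.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

# A registry key header: [HKEY...\path]
KEY_RE = re.compile(r'^\[(?P<key>[^\]]+)\]$')
# A value line: "name"=data, optionally followed by ComboFix's [date time size] metadata
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<data>.*?)\s*(?:\[(?P<meta>[^\]]*)\])?$')
# ComboFix renders numbers either REGEDIT4-style (dword:00000001) or as "0 (0x0)"
NUM_RE = re.compile(r'^(\d+)\s*\(0x[0-9a-f]+\)$')

Entry = Tuple[str, str, str, Optional[str]]  # (key, value name, data, metadata)


def parse_reg_points(text: str) -> List[Entry]:
    """Turn the section into (key, name, data, meta) tuples.

    Bare lines that are neither a key nor a "name"=data pair (the file paths
    ComboFix prints under msconfig\startupreg keys) get an empty value name.
    """
    entries: List[Entry] = []
    key = ''
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == 'REGEDIT4':
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group('key')
            continue
        m = VALUE_RE.match(line)
        if m:
            entries.append((key, m.group('name'), m.group('data').strip('"'), m.group('meta')))
        else:
            entries.append((key, '', line, None))
    return entries


def dword_value(data: str) -> Optional[int]:
    """Numeric value of a dword entry in either rendering, else None."""
    d = data.lower().strip()
    if d.startswith('dword:'):
        return int(d[6:], 16)
    m = NUM_RE.match(d)
    return int(m.group(1)) if m else None


def review(entries: List[Entry]) -> List[str]:
    """Editor's heuristics (assumptions, not ComboFix rules) for entries worth a second look."""
    findings: List[str] = []
    for key, name, data, meta in entries:
        k, n, val = key.lower(), name.lower(), dword_value(data)
        if 'security center\\monitoring' in k and n == 'disablemonitoring' and val == 1:
            product = key.rsplit('\\', 1)[-1]
            findings.append(f'Security Center no longer monitors {product}')
        elif 'security center' in k and n.endswith('disablenotify') and val == 1:
            findings.append(f'Security Center notification switched off: {name}')
        elif 'firewallpolicy' in k and n == 'enablefirewall' and val == 0:
            findings.append(f'Windows Firewall disabled in profile {key}')
        elif k.endswith('\\run') and meta == '':
            findings.append(f'Run value {name!r} -> {data!r}: no file metadata, path unresolved')
        elif 'startupreg' in k and name == '' and 'application data' in data.lower():
            findings.append(f'msconfig-disabled autostart points into a user profile: {data}')
    return findings


if __name__ == '__main__':
    for finding in review(parse_reg_points(SAMPLE_LOG)):
        print(finding)
```

Run stand-alone it prints one line per flagged entry; to use it on a real log, paste the text between `REGEDIT4` and the driver list (the `R0`/`R1`/`S3` lines) into `SAMPLE_LOG` or read it from a file. The metadata check is the least obvious rule: ComboFix prints the file's date and size in brackets for every Run value it can resolve, so an empty `[]` means the executable was not found where the value points, which is why the analyst's CFScript in this thread targets quarantined files by path rather than by name.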
#23
Moderator/ Rangemaster TSF Academy; Analyst, Security Team; Oor Wullie; TSF Surgeon and Resident Comic
Re: spyware redirect to http://www.asiuoqgusdbaksd.com/
Hi again
Sorry – that was my fault. Let’s try again. How are things running now?

Combofix
Code:
DeQuarantine:: C:\Qoobox\Quarantine\C:\e2118555e18d80a669db8f
Quit::

Save this as CFScript.txt, in the same location as ComboFix.exe

Referring to the picture above, drag CFScript onto ComboFix.exe. When finished, it will produce a log for you at "C:\ DeQuarantine_log.txt "

Do not mouseclick combofix's window whilst it's running. This may cause it to stall.

CAUTION! Anyone else thinking of using the above script does so at their own risk - you may end up having to re-install Windows!

Please post the log C:\ DeQuarantine_log.txt along with a fresh HijackThis Log for further review.
__________________
Iain - Defender of the Haggis and all things Scottish. I don't help by PM - post in the Forums. PC Safety & Security::PC running a bit slow?::Donate::Photographers Corner
#24
Registered User
Join Date: Jun 2008
Posts: 20
OS: xp media center
Re: spyware redirect to http://www.asiuoqgusdbaksd.com/
Still not getting dequarantine_log, just combofix, but here it is..
..and yes, everything seems to be working fine. ComboFix 08-06-08.8 - welcome 2008-06-16 9 21.4 - NTFSx86Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.639 [GMT -6:00] Running from: C:\Documents and Settings\welcome\Desktop\ComboFix.exe Command switches used :: C:\Documents and Settings\welcome\Desktop\CFScript.txt * Created a new restore point WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !! . ((((((((((((((((((((((((( Files Created from 2008-05-16 to 2008-06-16 ))))))))))))))))))))))))))))))) . 2008-06-11 09:18 . 2008-04-14 05:01 272,128 --------- C:\WINDOWS\system32\drivers\bthport.sys 2008-06-11 09:18 . 2008-04-14 05:01 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys 2008-06-10 16:28 . 2008-06-10 16:28 <DIR> d-------- C:\Documents and Settings\welcome\Application Data\Malwarebytes 2008-06-10 16:27 . 2008-06-10 16:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes 2008-06-10 14:18 . 2008-06-10 15:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SITEguard 2008-06-10 14:14 . 2008-06-10 14:14 <DIR> d-------- C:\Program Files\Common Files\iS3 2008-06-10 14:14 . 2008-06-10 15:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\STOPzilla! 2008-06-10 13:06 . 2008-06-10 13:06 2 --a------ C:\WINDOWS\msoffice.ini 2008-06-09 14:30 . 2008-06-09 13:53 1,959,843 --a------ C:\ComboFix.exe 2008-06-04 09:26 . 2008-06-04 09:26 <DIR> d-------- C:\Deckard 2008-06-03 16:29 . 2008-06-10 13:51 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP 2008-06-03 15:40 . 2008-06-03 15:41 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\U3 2008-06-03 07:49 . 2008-04-22 22:16 6,066,176 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll 2008-06-03 07:49 . 2007-04-17 03:32 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat 2008-06-03 07:49 . 
2007-03-07 23:10 991,232 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui 2008-06-03 07:49 . 2008-04-22 22:16 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll 2008-06-03 07:49 . 2008-04-22 22:16 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll 2008-06-03 07:49 . 2008-04-22 22:16 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll 2008-06-03 07:49 . 2008-04-22 22:16 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll 2008-06-03 07:49 . 2008-04-22 22:16 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll 2008-06-03 07:49 . 2008-04-22 01:39 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe 2008-06-03 07:16 . 2008-06-03 07:16 <DIR> d--hs---- C:\WINDOWS\ftpcache 2008-06-03 07:16 . 2008-06-03 07:16 <DIR> d-------- C:\Program Files\CCleaner 2008-06-03 07:04 . 2006-02-28 06:00 129,536 --a--c--- C:\WINDOWS\system32\dllcache\acledit.dll 2008-06-03 07:04 . 2006-02-28 06:00 129,536 --a------ C:\WINDOWS\system32\acledit.dll 2008-06-02 22:26 . 2008-06-09 14:43 <DIR> d-------- C:\Documents and Settings\welcome\Application Data\U3 2008-06-02 21:24 . 2008-06-03 07:16 <DIR> d---s---- C:\Documents and Settings\Administrator\UserData 2008-06-02 18:56 . 2008-06-02 18:56 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com 2008-06-02 18:13 . 2008-06-02 18:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com 2008-06-02 18:10 . 2008-06-03 14:28 <DIR> d-------- C:\Program Files\SUPERAntiSpyware 2008-06-02 18:10 . 2008-06-03 14:28 <DIR> d-------- C:\Documents and Settings\welcome\Application Data\SUPERAntiSpyware.com 2008-06-02 16:40 . 2007-08-13 18:54 33,792 --a--c--- C:\WINDOWS\system32\dllcache\custsat.dll 2008-06-02 13:43 . 2008-06-11 09:53 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy 2008-06-02 13:43 . 2008-06-11 09:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy 2008-06-02 11:57 . 
2008-06-02 11:57 <DIR> d-------- C:\WINDOWS\Recent 2008-06-02 10:56 . 2008-06-10 14:59 96,966 --a------ C:\WINDOWS\system32\drivers\klin.dat 2008-06-02 10:56 . 2008-06-10 14:59 88,774 --a------ C:\WINDOWS\system32\drivers\klick.dat 2008-06-02 10:55 . 2008-06-02 10:55 <DIR> d-------- C:\Program Files\Kaspersky Lab 2008-06-02 10:55 . 2008-06-16 08:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab 2008-06-02 10:55 . 2008-06-16 09:07 3,062,560 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat 2008-06-02 10:55 . 2008-06-16 09:07 88,352 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat 2008-06-02 10:55 . 2008-06-14 16:40 41,804 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx 2008-06-02 10:55 . 2008-06-14 16:40 9,164 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx 2008-06-02 10:34 . 2008-06-02 10:34 <DIR> d-------- C:\KAV 2008-06-02 10:15 . 2007-09-06 10:45 45,056 --a------ C:\WINDOWS\system32\iprntlgn.exe 2008-06-02 10:15 . 2007-09-06 10:45 32,768 --a------ C:\WINDOWS\system32\nipplgex.dll 2008-05-24 23:33 . 2008-06-03 07:15 <DIR> d-------- C:\Documents and Settings\welcome\Application Data\uTorrent 2008-05-24 23:31 . 2004-08-10 06:00 4,224 --a------ C:\WINDOWS\system32\beep.sys 2008-05-24 23:30 . 2008-05-24 23:33 <DIR> d-------- C:\Program Files\uTorrent 2008-05-24 13:39 . 2008-06-10 15:09 <DIR> d-------- C:\Temp 2008-05-21 14:58 . 2008-05-21 14:58 54,156 --ah----- C:\WINDOWS\QTFont.qfn 2008-05-21 14:58 . 2008-05-21 14:58 1,409 --a------ C:\WINDOWS\QTFont.for 2008-05-19 22:00 . 2008-05-19 22:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AOL OCP . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 
2008-06-10 20:59 112,144 ----a-w C:\WINDOWS\system32\drivers\kl1.sys 2008-06-10 19:45 --------- d-----w C:\Program Files\Common Files\AOL 2008-06-10 19:45 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL 2008-06-10 19:06 --------- d-----w C:\Documents and Settings\welcome\Application Data\AOL 2008-06-10 19:06 --------- d-----w C:\Documents and Settings\Administrator\Application Data\AOL 2008-06-04 15:07 --------- d-----w C:\Program Files\TOSHIBA 2008-06-03 09:07 --------- d-----w C:\Program Files\DIGStream 2008-06-03 02:23 --------- d-----w C:\Program Files\Yahoo! 2008-06-02 23:24 --------- d-----w C:\Program Files\Metamail Inc 2008-06-02 19:47 --------- d-----w C:\Program Files\Toshiba Games 2008-06-02 16:59 --------- d-----w C:\Program Files\Common Files\Symantec Shared 2008-06-02 16:59 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec 2008-05-26 02:15 --------- d-----w C:\Documents and Settings\welcome\Application Data\ZoomBrowser EX 2008-05-15 00:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\ZoomBrowser 2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys 2008-05-07 04:55 1,288,192 ----a-w C:\WINDOWS\system32\quartz.dll 2008-04-23 04:16 826,368 ----a-w C:\WINDOWS\system32\wininet.dll 2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll 2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys 2006-12-13 03:10 0 ----a-w C:\Documents and Settings\welcome\Application Data\wklnhst.dat 2006-10-03 08:43 2,402,550 ----a-w C:\WINDOWS\inf\SETC6.tmp . ((((((((((((((((((((((((((((( snapshot_2008-06-12_ 9.21.14.81 ))))))))))))))))))))))))))))))))))))))))) . - 2008-06-12 15:18:07 2,048 --s-a-w C:\WINDOWS\bootstat.dat + 2008-06-16 14:42:17 2,048 --s-a-w C:\WINDOWS\bootstat.dat . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . 
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 06:00 15360]
"TOSCDSPD"="C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2004-12-30 02:32 65536]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-11-27 23:55 98304]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-11-27 23:55 118784]
"THotkey"="C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe" [2006-01-05 16:02 352256]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2005-12-16 02:34 82009]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-12-16 02:32 761945]
"NDSTray.exe"="NDSTray.exe" []
"Tvs"="C:\Program Files\Toshiba\Tvs\TvsTray.exe" [2005-11-30 14:25 73728]
"SmoothView"="C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2005-04-26 18:13 122880]
"Pinger"="c:\toshiba\ivp\ism\pinger.exe" [2005-03-17 19:37 151552]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-05 13:37 667718]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-11-28 12:41 602182]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe" [2003-03-08 22:30 188416]
"iPrint Tray"="C:\WINDOWS\system32\iprntctl.exe" [2007-09-06 10:45 40960]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-10-30 10:36 256576]
"iPrint Event Monitor"="C:\WINDOWS\system32\iprntlgn.exe" [2007-09-06 10:45 45056]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-24 00:05:26 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\KASPER~1\KASPER~1.0FO\adialhk.dll

[HKLM\~\startupfolder\C:^Documents and Settings^welcome^Start Menu^Programs^Startup^Microsoft Office OneNote 2003 Quick Launch.lnk]
path=C:\Documents and Settings\welcome\Start Menu\Programs\Startup\Microsoft Office OneNote 2003 Quick Launch.lnk
backup=C:\WINDOWS\pss\Microsoft Office OneNote 2003 Quick Launch.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IEUpdate]
C:\WINDOWS\system32\acledite.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Windows Installer]
C:\Documents and Settings\welcome\Application Data\Microsoft\dtsc\12815.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Swupdtmr"=2 (0x2)
"MsSecurity1.209.4"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"=
"C:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"= C:\\TOSHIBA\\IVP\\ISM\\pinger.exe
"C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"=
"C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Novell\\GroupWise\\GrpWise.exe"=
"C:\\Novell\\GroupWise\\Notify.exe"=
"C:\\Program Files\\Microsoft Office\\OFFICE11\\OUTLOOK.EXE"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R0 KR10N;KR10N;C:\WINDOWS\system32\drivers\KR10N.sys [2005-01-12 02:05]
R1 nipplpt2;Novell iCapture Lpt Redirector 2;C:\WINDOWS\system32\drivers\nipplpt.sys [2007-09-06 10:35]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys [2007-05-30 17:49]
S3 tosrfec;Bluetooth ACPI from TOSHIBA;C:\WINDOWS\system32\DRIVERS\tosrfec.sys [2005-09-09 16:47]
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-16 09:08:01
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-06-16 9:08:34
ComboFix-quarantined-files.txt 2008-06-16 15:08:31
ComboFix2.txt 2008-06-13 21:35:30
ComboFix3.txt 2008-06-12 15:21:34
ComboFix4.txt 2008-06-10 21:20:31
Pre-Run: 83,213,791,232 bytes free
Post-Run: 83,202,441,216 bytes free
177 --- E O F --- 2008-06-11 15:25:32
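The ComboFix log posted above carries the registry indicators an analyst reads first: Security Center notifications and per-product monitoring switched off, the XP firewall profile disabled, and msconfig startup entries launching from a user profile directory. The script below is an added example (not code from the thread, ComboFix or the forum) that parses a log of this shape and flags those three conditions. The sample log embedded in it is constructed to mirror the posted output; the helper names (parse_log, numeric, triage) are my own.

```python
"""Triage a ComboFix-style registry dump for tampering indicators.

Example code added to the thread; SAMPLE_LOG is a constructed excerpt in the
same layout as the posted log, not a capture from a live system.
"""
import re

SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-11-27 23:55 98304]
"NDSTray.exe"="NDSTray.exe" []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IEUpdate]
C:\WINDOWS\system32\acledite.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Windows Installer]
C:\Documents and Settings\welcome\Application Data\Microsoft\dtsc\12815.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Swupdtmr"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

SECTION_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<value>.*)$')
# Anything under <drive>:\Documents and Settings\<user>\ is user-writable.
USER_PROFILE_RE = re.compile(r"^[a-z]:\\documents and settings\\[^\\]+\\", re.I)
# Security Center values that silence or disable its monitoring when set to 1.
TAMPER_VALUES = {"AntiVirusDisableNotify", "FirewallDisableNotify",
                 "UpdatesDisableNotify", "DisableMonitoring"}


def parse_log(text):
    """Return (section, name, value) triples; bare path lines get name=None."""
    entries, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        if section is None:
            continue
        m = VALUE_RE.match(line)
        if m:
            entries.append((section, m.group("name"), m.group("value")))
        else:
            entries.append((section, None, line))
    return entries


def numeric(value):
    """Decode the two numeric spellings in the log: dword:0000000N and 'N (0xN)'."""
    m = re.match(r"dword:([0-9a-fA-F]{8})$", value)
    if m:
        return int(m.group(1), 16)
    m = re.match(r"(\d+)\s*\(0x[0-9a-fA-F]+\)$", value)
    if m:
        return int(m.group(1))
    return None


def extract_path(value):
    """Strip the quotes and trailing [date size] stamp from an autorun value."""
    m = re.match(r'^"([^"]+)"', value)
    return m.group(1) if m else value.split(" [")[0]


def triage(text):
    """Return (kind, detail) findings in log order."""
    findings = []
    for section, name, value in parse_log(text):
        sec = section.lower()
        if "security center" in sec and name in TAMPER_VALUES and numeric(value) == 1:
            findings.append(("security-center-tamper", f"{name} in [{section}]"))
        elif "firewallpolicy" in sec and name == "EnableFirewall" and numeric(value) == 0:
            findings.append(("firewall-disabled", f"[{section}]"))
        elif sec.endswith("\\run") or sec.endswith("\\runonce") or "\\startupreg\\" in sec:
            path = extract_path(value)
            if USER_PROFILE_RE.match(path):
                findings.append(("autorun-from-profile", path))
    return findings


if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_LOG):
        print(f"{kind:24} {detail}")
```

Run against the constructed sample it reports the profile-launched startup entry, both Security Center flags and the disabled firewall profile, and stays silent on the vendor entries under system32 and Program Files. Disabled notifications alone do not prove infection (some admins set them deliberately), which is why the script reports rather than scores.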
#25
Moderator/ Rangemaster TSF Academy; Analyst, Security Team; Oor Wullie; TSF Surgeon and Resident Comic
Re: spyware redirect to http://www.asiuoqgusdbaksd.com/
Hi again
Now I can't even copy and paste - apologies. How are things running now? Combofix
Code:
DeQuarantine::
C:\Qoobox\Quarantine\C\e2118555e18d80a669db8f

Quit::

Save this as CFScript.txt, in the same location as ComboFix.exe

Referring to the picture above, drag CFScript onto ComboFix.exe. When finished, it will produce a log for you at "C:\ DeQuarantine_log.txt"

Do not mouseclick combofix's window whilst it's running. This may cause it to stall.

CAUTION! Anyone else thinking of using the above script does so at their own risk - you may end up having to re-install Windows!

Please post the log C:\ DeQuarantine_log.txt along with a fresh HijackThis Log for further review.
__________________
Iain - Defender of the Haggis and all things Scottish. I don't help by PM - post in the Forums.
PC Safety & Security::PC running a bit slow?::Donate::Photographers Corner
#26
Registered User
Join Date: Jun 2008
Posts: 20
OS: xp media center
Re: spyware redirect to http://www.asiuoqgusdbaksd.com/
at last..... success! darn things never do what you want them to do, only what you tell them to do.
C:\Qoobox\Quarantine\C\e2118555e18d80a669db8f\admparse.dll -> C:\e2118555e18d80a669db8f\admparse.dll
C:\Qoobox\Quarantine\C\e2118555e18d80a669db8f\admparse.dll.mui -> C:\e2118555e18d80a669db8f\admparse.dll.mui
C:\Qoobox\Quarantine\C\e2118555e18d80a669db8f\advpack.dll -> C:\e2118555e18d80a669db8f\advpack.dll
C:\Qoobox\Quarantine\C\e2118555e18d80a669db8f\advpack.dll.mui -> C:\e2118555e18d80a669db8f\advpack.dll.mui
C:\Qoobox\Quarantine\C\e2118555e18d80a669db8f\browseui.dll -> C:\e2118555e18d80a669db8f\browseui.dll
C:\Qoobox\Quarantine\C\e2118555e18d80a669db8f\corpol.dll -> C:\e2118555e18d80a669db8f\corpol.dll
C:\Qoobox\Quarantine\C\e2118555e18d80a669db8f\custsat.dll -> C:\e2118555e18d80a669db8f\custsat.dll
C:\Qoobox\Quarantine\C\e2118555e18d80a669db8f\dxtmsft.dll -> C:\e2118555e18d80a669db8f\dxtmsft.dll
C:\Qoobox\Quarantine\C\e2118555e18d80a669db8f\dxtrans.dll -> C:\e2118555e18d80a669db8f\dxtrans.dll
C:\Qoobox\Quarantine\C\e2118555e18d80a669db8f\extmgr.dll -> C:\e2118555e18d80a669db8f\extmgr.dll
C:\Qoobox\Quarantine\C\e2118555e18d80a669db8f\extmgr.dll.mui -> C:\e2118555e18d80a669db8f\extmgr.dll.mui
C:\Qoobox\Quarantine\C\e2118555e18d80a669db8f\feeddisc.wav -> C:\e2118555e18d80a669db8f\feeddisc.wav
C:\Qoobox\Quarantine\C\e2118555e18d80a669db8f\hmmapi.dll -> C:\e2118555e18d80a669db8f\hmmapi.dll
C:\Qoobox\Quarantine\C\e2118555e18d80a669db8f\hmmapi.dll.mui -> C:\e2118555e18d80a669db8f\hmmapi.dll.mui
C:\Qoobox\Quarantine\C\e2118555e18d80a669db8f\html.iec -> C:\e2118555e18d80a669db8f\html.iec
C:\Qoobox\Quarantine\C\e2118555e18d80a669db8f\html.iec.mui -> C:\e2118555e18d80a669db8f\html.iec.mui
C:\Qoobox\Quarantine\C\e2118555e18d80a669db8f\icardie.dll -> C:\e2118555e18d80a669db8f\icardie.dll
C:\Qoobox\Quarantine\C\e2118555e18d80a669db8f\icardie.dll.mui -> C:\e2118555e18d80a669db8f\icardie.dll.mui
C:\Qoobox\Quarantine\C\e2118555e18d80a669db8f\icrav03.rat -> C:\e2118555e18d80a669db8f\icrav03.rat
C:\Qoobox\Quarantine\C\e2118555e18d80a669db8f\ie4uinit.exe -> C:\e2118555e18d80a669db8f\ie4uinit.exe
C:\Qoobox\Quarantine\C\e2118555e18d80a669db8f\ie4uinit.exe.mui -> C:\e2118555e18d80a669db8f\ie4uinit.exe.mui
C:\Qoobox\Quarantine\C\e2118555e18d80a669db8f\ieakeng.dll -> C:\e2118555e18d80a669db8f\ieakeng.dll
C:\Qoobox\Quarantine\C\e2118555e18d80a669db8f\ieakeng.dll.mui -> C:\e2118555e18d80a669db8f\ieakeng.dll.mui
C:\Qoobox\Quarantine\C\e2118555e18d80a669db8f\ieakmmc.chm -> C:\e2118555e18d80a669db8f\ieakmmc.chm
C:\Qoobox\Quarantine\C\e2118555e18d80a669db8f\ieaksie.dll -> C:\e2118555e18d80a669db8f\ieaksie.dll
C:\Qoobox\Quarantine\C\e2118555e18d80a669db8f\ieaksie.dll.mui -> C:\e2118555e18d80a669db8f\ieaksie.dll.mui
C:\Qoobox\Quarantine\C\e2118555e18d80a669db8f\ieakui.dll -> C:\e2118555e18d80a669db8f\ieakui.dll
C:\Qoobox\Quarantine\C\e2118555e18d80a669db8f\ieakui.dll.mui -> C:\e2118555e18d80a669db8f\ieakui.dll.mui
C:\Qoobox\Quarantine\C\e2118555e18d80a669db8f\ieapfltr.dat -> C:\e2118555e18d80a669db8f\ieapfltr.dat
C:\Qoobox\Quarantine\C\e2118555e18d80a669db8f\ieapfltr.dll -> C:\e2118555e18d80a669db8f\ieapfltr.dll
C:\Qoobox\Quarantine\C\e2118555e18d80a669db8f\iedkcs32.dll -> C:\e2118555e18d80a669db8f\iedkcs32.dll
C:\Qoobox\Quarantine\C\e2118555e18d80a669db8f\iedkcs32.dll.mui -> C:\e2118555e18d80a669db8f\iedkcs32.dll.mui
C:\Qoobox\Quarantine\C\e2118555e18d80a669db8f\iedw.exe -> C:\e2118555e18d80a669db8f\iedw.exe
C:\Qoobox\Quarantine\C\e2118555e18d80a669db8f\iedw.exe.mui -> C:\e2118555e18d80a669db8f\iedw.exe.mui
C:\Qoobox\Quarantine\C\e2118555e18d80a669db8f\ieencode.dll -> C:\e2118555e18d80a669db8f\ieencode.dll
C:\Qoobox\Quarantine\C\e2118555e18d80a669db8f\ieeula.chm -> C:\e2118555e18d80a669db8f\ieeula.chm
C:\Qoobox\Quarantine\C\e2118555e18d80a669db8f\ieframe.dll -> C:\e2118555e18d80a669db8f\ieframe.dll
C:\Qoobox\Quarantine\C\e2118555e18d80a669db8f\ieframe.dll.mui -> C:\e2118555e18d80a669db8f\ieframe.dll.mui
C:\Qoobox\Quarantine\C\e2118555e18d80a669db8f\iepeers.dll -> C:\e2118555e18d80a669db8f\iepeers.dll
C:\Qoobox\Quarantine\C\e2118555e18d80a669db8f\iepeers.dll.mui -> C:\e2118555e18d80a669db8f\iepeers.dll.mui
C:\Qoobox\Quarantine\C\e2118555e18d80a669db8f\ieproxy.dll -> C:\e2118555e18d80a669db8f\ieproxy.dll
C:\Qoobox\Quarantine\C\e2118555e18d80a669db8f\iernonce.dll -> C:\e2118555e18d80a669db8f\iernonce.dll
C:\Qoobox\Quarantine\C\e2118555e18d80a669db8f\iernonce.dll.mui -> C:\e2118555e18d80a669db8f\iernonce.dll.mui
C:\Qoobox\Quarantine\C\e2118555e18d80a669db8f\iertutil.dll -> C:\e2118555e18d80a669db8f\iertutil.dll
C:\Qoobox\Quarantine\C\e2118555e18d80a669db8f\iesetup.dll -> C:\e2118555e18d80a669db8f\iesetup.dll
C:\Qoobox\Quarantine\C\e2118555e18d80a669db8f\iesetup.dll.mui -> C:\e2118555e18d80a669db8f\iesetup.dll.mui
C:\Qoobox\Quarantine\C\e2118555e18d80a669db8f\iesupp.chm -> C:\e2118555e18d80a669db8f\iesupp.chm
C:\Qoobox\Quarantine\C\e2118555e18d80a669db8f\ieudinit.exe -> C:\e2118555e18d80a669db8f\ieudinit.exe
C:\Qoobox\Quarantine\C\e2118555e18d80a669db8f\ieui.dll -> C:\e2118555e18d80a669db8f\ieui.dll
C:\Qoobox\Quarantine\C\e2118555e18d80a669db8f\ieui.dll.mui -> C:\e2118555e18d80a669db8f\ieui.dll.mui
C:\Qoobox\Quarantine\C\e2118555e18d80a669db8f\ieuinit.inf -> C:\e2118555e18d80a669db8f\ieuinit.inf
C:\Qoobox\Quarantine\C\e2118555e18d80a669db8f\ieunatt.exe.mui -> C:\e2118555e18d80a669db8f\ieunatt.exe.mui
C:\Qoobox\Quarantine\C\e2118555e18d80a669db8f\iexplore.chm -> C:\e2118555e18d80a669db8f\iexplore.chm
C:\Qoobox\Quarantine\C\e2118555e18d80a669db8f\iexplore.exe -> C:\e2118555e18d80a669db8f\iexplore.exe
C:\Qoobox\Quarantine\C\e2118555e18d80a669db8f\iexplore.exe.mui -> C:\e2118555e18d80a669db8f\iexplore.exe.mui
C:\Qoobox\Quarantine\C\e2118555e18d80a669db8f\imgutil.dll -> C:\e2118555e18d80a669db8f\imgutil.dll
C:\Qoobox\Quarantine\C\e2118555e18d80a669db8f\inetcorp.iem -> C:\e2118555e18d80a669db8f\inetcorp.iem
C:\Qoobox\Quarantine\C\e2118555e18d80a669db8f\inetcpl.cpl -> C:\e2118555e18d80a669db8f\inetcpl.cpl
C:\Qoobox\Quarantine\C\e2118555e18d80a669db8f\inetcpl.cpl.mui -> C:\e2118555e18d80a669db8f\inetcpl.cpl.mui
C:\Qoobox\Quarantine\C\e2118555e18d80a669db8f\inetres.adm -> C:\e2118555e18d80a669db8f\inetres.adm
C:\Qoobox\Quarantine\C\e2118555e18d80a669db8f\inetset.iem -> C:\e2118555e18d80a669db8f\inetset.iem
C:\Qoobox\Quarantine\C\e2118555e18d80a669db8f\infobar.wav -> C:\e2118555e18d80a669db8f\infobar.wav
C:\Qoobox\Quarantine\C\e2118555e18d80a669db8f\inseng.dll -> C:\e2118555e18d80a669db8f\inseng.dll
C:\Qoobox\Quarantine\C\e2118555e18d80a669db8f\inseng.dll.mui -> C:\e2118555e18d80a669db8f\inseng.dll.mui
C:\Qoobox\Quarantine\C\e2118555e18d80a669db8f\install.ins -> C:\e2118555e18d80a669db8f\install.ins
C:\Qoobox\Quarantine\C\e2118555e18d80a669db8f\jscript.dll -> C:\e2118555e18d80a669db8f\jscript.dll
C:\Qoobox\Quarantine\C\e2118555e18d80a669db8f\jsproxy.dll -> C:\e2118555e18d80a669db8f\jsproxy.dll
C:\Qoobox\Quarantine\C\e2118555e18d80a669db8f\licmgr10.dll -> C:\e2118555e18d80a669db8f\licmgr10.dll
C:\Qoobox\Quarantine\C\e2118555e18d80a669db8f\licmgr10.dll.mui -> C:\e2118555e18d80a669db8f\licmgr10.dll.mui
C:\Qoobox\Quarantine\C\e2118555e18d80a669db8f\msfeeds.dll -> C:\e2118555e18d80a669db8f\msfeeds.dll
C:\Qoobox\Quarantine\C\e2118555e18d80a669db8f\msfeeds.mof -> C:\e2118555e18d80a669db8f\msfeeds.mof
C:\Qoobox\Quarantine\C\e2118555e18d80a669db8f\msfeedsbs.dll -> C:\e2118555e18d80a669db8f\msfeedsbs.dll
C:\Qoobox\Quarantine\C\e2118555e18d80a669db8f\msfeedsbs.dll.mui -> C:\e2118555e18d80a669db8f\msfeedsbs.dll.mui
C:\Qoobox\Quarantine\C\e2118555e18d80a669db8f\msfeedsbs.mof -> C:\e2118555e18d80a669db8f\msfeedsbs.mof
C:\Qoobox\Quarantine\C\e2118555e18d80a669db8f\msfeedssync.exe -> C:\e2118555e18d80a669db8f\msfeedssync.exe
C:\Qoobox\Quarantine\C\e2118555e18d80a669db8f\mshta.exe -> C:\e2118555e18d80a669db8f\mshta.exe
C:\Qoobox\Quarantine\C\e2118555e18d80a669db8f\mshta.exe.mui -> C:\e2118555e18d80a669db8f\mshta.exe.mui
C:\Qoobox\Quarantine\C\e2118555e18d80a669db8f\mshtml.dll -> C:\e2118555e18d80a669db8f\mshtml.dll
C:\Qoobox\Quarantine\C\e2118555e18d80a669db8f\mshtml.dll.mui -> C:\e2118555e18d80a669db8f\mshtml.dll.mui
C:\Qoobox\Quarantine\C\e2118555e18d80a669db8f\mshtml.tlb -> C:\e2118555e18d80a669db8f\mshtml.tlb
C:\Qoobox\Quarantine\C\e2118555e18d80a669db8f\mshtmled.dll -> C:\e2118555e18d80a669db8f\mshtmled.dll
C:\Qoobox\Quarantine\C\e2118555e18d80a669db8f\mshtmled.dll.mui -> C:\e2118555e18d80a669db8f\mshtmled.dll.mui
C:\Qoobox\Quarantine\C\e2118555e18d80a669db8f\mshtmler.dll -> C:\e2118555e18d80a669db8f\mshtmler.dll
C:\Qoobox\Quarantine\C\e2118555e18d80a669db8f\mshtmler.dll.mui -> C:\e2118555e18d80a669db8f\mshtmler.dll.mui
C:\Qoobox\Quarantine\C\e2118555e18d80a669db8f\msls31.dll -> C:\e2118555e18d80a669db8f\msls31.dll
C:\Qoobox\Quarantine\C\e2118555e18d80a669db8f\msrating.dll -> C:\e2118555e18d80a669db8f\msrating.dll
C:\Qoobox\Quarantine\C\e2118555e18d80a669db8f\msrating.dll.mui -> C:\e2118555e18d80a669db8f\msrating.dll.mui
C:\Qoobox\Quarantine\C\e2118555e18d80a669db8f\mstime.dll -> C:\e2118555e18d80a669db8f\mstime.dll
C:\Qoobox\Quarantine\C\e2118555e18d80a669db8f\navstart.wav -> C:\e2118555e18d80a669db8f\navstart.wav
C:\Qoobox\Quarantine\C\e2118555e18d80a669db8f\occache.dll -> C:\e2118555e18d80a669db8f\occache.dll
C:\Qoobox\Quarantine\C\e2118555e18d80a669db8f\occache.dll.mui -> C:\e2118555e18d80a669db8f\occache.dll.mui
C:\Qoobox\Quarantine\C\e2118555e18d80a669db8f\occache.ini -> C:\e2118555e18d80a669db8f\occache.ini
C:\Qoobox\Quarantine\C\e2118555e18d80a669db8f\pngfilt.dll -> C:\e2118555e18d80a669db8f\pngfilt.dll
C:\Qoobox\Quarantine\C\e2118555e18d80a669db8f\popupblk.wav -> C:\e2118555e18d80a669db8f\popupblk.wav
C:\Qoobox\Quarantine\C\e2118555e18d80a669db8f\shdocvw.dll -> C:\e2118555e18d80a669db8f\shdocvw.dll
C:\Qoobox\Quarantine\C\e2118555e18d80a669db8f\shlwapi.dll -> C:\e2118555e18d80a669db8f\shlwapi.dll
C:\Qoobox\Quarantine\C\e2118555e18d80a669db8f\spmsg.dll -> C:\e2118555e18d80a669db8f\spmsg.dll
C:\Qoobox\Quarantine\C\e2118555e18d80a669db8f\spuninst.exe -> C:\e2118555e18d80a669db8f\spuninst.exe
C:\Qoobox\Quarantine\C\e2118555e18d80a669db8f\spupdsvc.exe -> C:\e2118555e18d80a669db8f\spupdsvc.exe
C:\Qoobox\Quarantine\C\e2118555e18d80a669db8f\tdc.ocx -> C:\e2118555e18d80a669db8f\tdc.ocx
C:\Qoobox\Quarantine\C\e2118555e18d80a669db8f\ticrf.rat -> C:\e2118555e18d80a669db8f\ticrf.rat
C:\Qoobox\Quarantine\C\e2118555e18d80a669db8f\url.dll -> C:\e2118555e18d80a669db8f\url.dll
C:\Qoobox\Quarantine\C\e2118555e18d80a669db8f\urlmon.dll -> C:\e2118555e18d80a669db8f\urlmon.dll
C:\Qoobox\Quarantine\C\e2118555e18d80a669db8f\urlmon.dll.mui -> C:\e2118555e18d80a669db8f\urlmon.dll.mui
C:\Qoobox\Quarantine\C\e2118555e18d80a669db8f\vbscript.dll -> C:\e2118555e18d80a669db8f\vbscript.dll
C:\Qoobox\Quarantine\C\e2118555e18d80a669db8f\vgx.dll -> C:\e2118555e18d80a669db8f\vgx.dll
C:\Qoobox\Quarantine\C\e2118555e18d80a669db8f\webcheck.dll -> C:\e2118555e18d80a669db8f\webcheck.dll
C:\Qoobox\Quarantine\C\e2118555e18d80a669db8f\webcheck.dll.mui -> C:\e2118555e18d80a669db8f\webcheck.dll.mui
C:\Qoobox\Quarantine\C\e2118555e18d80a669db8f\webcheck.ini -> C:\e2118555e18d80a669db8f\webcheck.ini
C:\Qoobox\Quarantine\C\e2118555e18d80a669db8f\winfxdocobj.exe -> C:\e2118555e18d80a669db8f\winfxdocobj.exe
C:\Qoobox\Quarantine\C\e2118555e18d80a669db8f\winfxdocobj.exe.mui -> C:\e2118555e18d80a669db8f\winfxdocobj.exe.mui
C:\Qoobox\Quarantine\C\e2118555e18d80a669db8f\wininet.dll -> C:\e2118555e18d80a669db8f\wininet.dll
C:\Qoobox\Quarantine\C\e2118555e18d80a669db8f\wininet.dll.mui -> C:\e2118555e18d80a669db8f\wininet.dll.mui
C:\Qoobox\Quarantine\C\e2118555e18d80a669db8f\update\eula.rtf -> C:\e2118555e18d80a669db8f\update\eula.rtf
C:\Qoobox\Quarantine\C\e2118555e18d80a669db8f\update\idndl.exe -> C:\e2118555e18d80a669db8f\update\idndl.exe
C:\Qoobox\Quarantine\C\e2118555e18d80a669db8f\update\ie7.cat -> C:\e2118555e18d80a669db8f\update\ie7.cat
C:\Qoobox\Quarantine\C\e2118555e18d80a669db8f\update\iecustom.dll -> C:\e2118555e18d80a669db8f\update\iecustom.dll
C:\Qoobox\Quarantine\C\e2118555e18d80a669db8f\update\iereseticons.exe -> C:\e2118555e18d80a669db8f\update\iereseticons.exe
C:\Qoobox\Quarantine\C\e2118555e18d80a669db8f\update\iesetup.exe -> C:\e2118555e18d80a669db8f\update\iesetup.exe
C:\Qoobox\Quarantine\C\e2118555e18d80a669db8f\update\legitlibm.dll -> C:\e2118555e18d80a669db8f\update\legitlibm.dll
C:\Qoobox\Quarantine\C\e2118555e18d80a669db8f\update\nlsdl.exe -> C:\e2118555e18d80a669db8f\update\nlsdl.exe
C:\Qoobox\Quarantine\C\e2118555e18d80a669db8f\update\update.exe -> C:\e2118555e18d80a669db8f\update\update.exe
C:\Qoobox\Quarantine\C\e2118555e18d80a669db8f\update\update.exe.manifest -> C:\e2118555e18d80a669db8f\update\update.exe.manifest
C:\Qoobox\Quarantine\C\e2118555e18d80a669db8f\update\update.inf -> C:\e2118555e18d80a669db8f\update\update.inf
C:\Qoobox\Quarantine\C\e2118555e18d80a669db8f\update\update.ver -> C:\e2118555e18d80a669db8f\update\update.ver
C:\Qoobox\Quarantine\C\e2118555e18d80a669db8f\update\updspapi.dll -> C:\e2118555e18d80a669db8f\update\updspapi.dll
C:\Qoobox\Quarantine\C\e2118555e18d80a669db8f\update\xmllitesetup.exe -> C:\e2118555e18d80a669db8f\update\xmllitesetup.exe
127 File(s) copied
#28
Moderator/ Rangemaster TSF Academy; Analyst, Security Team; Oor Wullie; TSF Surgeon and Resident Comic
Re: spyware redirect to http://www.asiuoqgusdbaksd.com/
Hi again
At last! All your logs are clean. If there are no more problems we'll just tidy up and I'll let you go, along with my recommendations for staying safe and secure.

The following procedure will clear out the tools we've used as well as the backups and quarantines created by the fix. It will also reset your System Restore by flushing out previous restore points (which contain the infections) and create a new restore point.

Referring to the image below

Click Start > Run and copy/paste, or type the following bold text into the Run box and click OK:

ComboFix /u

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programs:

Spyware Blaster to help prevent spyware from installing in the first place.

Spyware Guard to catch and block spyware before it can execute.

Spybot - Search & Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with the program on a regular basis just as you would an antivirus software. A tutorial on installing & using this product can be found here.

Ad-aware 2007
Download and install Ad-Aware 2007. You should use this program to scan your computer on a regular basis just as you would an antivirus software in conjunction with Spybot. A tutorial on installing & using this product can be found here.

IE-SPYAD
IE-Spyad places more than 4000 dubious websites and domains in the IE Restricted list. This severely impairs attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites. A tutorial on installing this product can be found here.

SnoopFree
SnoopFree is a real time monitor that notifies you when a programme wants to record your keystrokes or read your screen. Note that SnoopFree is only for XP systems.

MVPS Hosts File
The MVPS Hosts file replaces your current HOSTS file with one that will restrict known ad sites from serving you unsolicited advertisements. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is the IP of your local computer. Note that if you use a company provided HOSTS file you should not use the MVPS HOSTS file.

Alternate Browsers
Try the following free alternate browsers rather than Internet Explorer
Firefox
Opera
Maxthon

Firewalls
A good firewall will monitor incoming and outgoing traffic. NOTE: Microsoft's Firewall for XP does not monitor outgoing traffic. If you do not have a firewall, here are 3 free ones available for personal use:
Comodo Personal Firewall
Sygate Personal Firewall
ZoneAlarm

Other Protection
Winpatrol - Download and install the free version of Winpatrol. A tutorial for this product is located here: Using Winpatrol to protect your computer.

ERUNT & NTREGOPT
ERUNT is a programme that will create automatic backups of your Registry. These backups can be used to help restore your system in the event of a serious crash. NTREGOPT will compact and optimise your Registry, to assist the smooth running of your system

Additional Reading
In light of your recent troubles, I'm sure you'll like to avoid any future infections. Please take a look at these well written articles
PC Safety & Security - What Do I Need?.
Making Internet Explorer Safer.

Have a look here if your PC is still running a bit slow
Is your PC running slow...?

Keep clean and safe and enjoy your computing!
__________________
Iain - Defender of the Haggis and all things Scottish. I don't help by PM - post in the Forums.
PC Safety & Security::PC running a bit slow?::Donate::Photographers Corner
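The MVPS recommendation above works by mapping ad hosts to 127.0.0.1 so the connection never leaves the machine. The same file is also a place malware tampers with, so when auditing a HOSTS file it helps to separate sinkhole entries (loopback or 0.0.0.0, harmless) from entries that send a name to some other address, and to check that nothing has sinkholed a host you depend on, such as an update server. The script below is an added example, not code from the thread or from the MVPS project; it goes a little beyond the post by adding the redirect and protected-host checks. The HOSTS text, the hostnames and the audit_hosts/parse_hosts helper names are all constructed for the example.

```python
"""Audit a Windows HOSTS file in the layout the MVPS list uses.

Example code added to the thread; SAMPLE_HOSTS is constructed, the .example
and .test names are reserved documentation names, not real sites.
"""
import ipaddress

SAMPLE_HOSTS = """\
# Constructed sample in MVPS layout (comments and blank lines are ignored)
127.0.0.1  localhost
127.0.0.1  ads.example.net        # [MVPS-style block]
127.0.0.1  tracker.example.org
0.0.0.0    banner.example.com     # newer lists use 0.0.0.0 as the sinkhole
198.51.100.23  www.bank.example   # maps a real site to a remote address
127.0.0.1  update.antivirus.example
"""

# Addresses that keep traffic on the local machine; anything else is a redirect.
SINKHOLES = {"127.0.0.1", "0.0.0.0", "::1"}


def parse_hosts(text):
    """Yield (address, hostname) pairs; a line may list several names."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        parts = line.split()
        addr, names = parts[0], parts[1:]
        try:
            ipaddress.ip_address(addr)         # skip malformed lines
        except ValueError:
            continue
        for name in names:
            yield addr, name.lower()


def audit_hosts(text, protected=()):
    """Count sinkholes and flag redirects and sinkholed protected hosts.

    protected: hostnames that must stay reachable (e.g. vendor update servers).
    """
    protected = {p.lower() for p in protected}
    report = {"sinkholed": 0, "redirects": [], "blocked_protected": []}
    for addr, name in parse_hosts(text):
        if name == "localhost":
            continue                            # the one entry every file has
        if addr in SINKHOLES:
            report["sinkholed"] += 1
            if name in protected:
                report["blocked_protected"].append(name)
        else:
            report["redirects"].append((name, addr))
    return report


if __name__ == "__main__":
    result = audit_hosts(SAMPLE_HOSTS, protected=["update.antivirus.example"])
    print(f"sinkholed entries : {result['sinkholed']}")
    print(f"redirects         : {result['redirects']}")
    print(f"blocked protected : {result['blocked_protected']}")
```

On a real machine read `%SystemRoot%\system32\drivers\etc\hosts` into the text argument. A large sinkhole count is expected once the MVPS list is installed; any entry in the redirects list, or any protected host in blocked_protected, is what deserves a closer look.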
#29
Registered User
Join Date: Jun 2008
Posts: 20
OS: xp media center
Re: spyware redirect to http://www.asiuoqgusdbaksd.com/
Great! Thanks for all your help, and for the links and good advice. I'm the network administrator for a school district and, while the desktops in the district are pretty well protected, I'm finding that notebooks that go home need a little extra care. Your suggestions should help keep them a little cleaner.
Tapadh leat, Slàinte mhòr agad! (Thank you, and good health to you!)