
Desktop "warning Spyware Threat Has Been Detected On Your Pc"


  • This topic is locked
12 replies to this topic

#1 sandmanrdv

sandmanrdv

  • Members
  • 7 posts
  • OFFLINE
  • Local time:07:15 PM

Posted 09 November 2007 - 01:20 AM

I want to say thank you ahead of time for all of the people who volunteer their expertise to assist on the site. A co-worker of mine asked me to assist with a spyware infection on her home PC. According to her, she turned over remote access to the Verizon Tech support that she pays for and they were unable to fix the issues, if that stirs any of your competitive juices. I have done the following: deleted Cookies and Temporary Internet files, downloaded AVG 7.5, updated it and allowed it to remove what it found. Downloaded and updated Spybot and Ad-Aware, ran them in Safe mode and removed what they found. As far as symptoms, the PC is slow, and the Desktop has been taken over by a black background with the message "Warning Spyware Threat Has Been Detected on Your PC" along with a message and an IP address. Prior to running Spybot and Ad-Aware there was a message generated from the task bar that brought up a web page "C:\windows\system32\drivers\pt.htm" and was an ad to purchase spyware protection software. I downloaded the latest version of Hi-Jack per the instructions I found here. I again say thank you for your assistance.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:59:26 AM, on 11/9/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Verizon\McciTrayApp.exe
C:\Program Files\Verizon\VSP\VerizonServicepoint.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\regsvr32.exe
C:\WINDOWS\system32\regsvr32.exe
C:\WINDOWS\system32\regsvr32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\issch.exe
C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\AOL\1142728209\ee\AOLSoftware.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
c:\windows\system\hpsysdrv.exe
C:\HiJackThis\HiJackThis\HijackThis.exe

R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\vvgeowbv.exe,C:\WINDOWS\system32\userinit.exe
O1 - Hosts: 194.54.90.238 google.com
O1 - Hosts: 194.54.90.238 google.ca
O1 - Hosts: 194.54.90.238 www.google.com
O1 - Hosts: 194.54.90.238 search.yahoo.com
O1 - Hosts: 194.54.90.238 search.msn.com
O1 - Hosts: 194.54.90.238 search.live.com
O2 - BHO: (no name) - {00000000-d9e3-4bc6-a0bd-3d0ca4be5271} - (no file)
O2 - BHO: (no name) - {00000012-890e-4aac-afd9-eff6954a34dd} - (no file)
O2 - BHO: (no name) - {029e02f0-a0e5-4b19-b958-7bf2db29fb13} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {06dfedaa-6196-11d5-bfc8-00508b4a487d} - (no file)
O2 - BHO: (no name) - {12F02779-6D88-4958-8AD3-83C12D86ADC7} - (no file)
O2 - BHO: (no name) - {1adbcce8-cf84-441e-9b38-afc7a19c06a4} - (no file)
O2 - BHO: (no name) - {2d7cb618-cc1c-4126-a7e3-f5b12d3bcf71} - (no file)
O2 - BHO: (no name) - {314cdfba-1dd2-11b2-af47-9c9994326280} - C:\WINDOWS\wdkpgdut.dll
O2 - BHO: Verizon Broadband Toolbar - {4E7BD74F-2B8D-469E-8CB0-AB60BB9AAE22} - C:\PROGRA~1\VOL_TO~1\VOL_TO~1.DLL
O2 - BHO: (no name) - {51641ef3-8a7a-4d84-8659-b0911e947cc8} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {53C330D6-A4AB-419B-B45D-FD4411C1FEF4} - (no file)
O2 - BHO: (no name) - {54645654-2225-4455-44A1-9F4543D34546} - (no file)
O2 - BHO: (no name) - {669695bc-a811-4a9d-8cdf-ba8c795f261e} - (no file)
O2 - BHO: (no name) - {6abc861a-31e7-4d91-b43b-d3c98f22a5c0} - (no file)
O2 - BHO: (no name) - {782B473D-B144-45BA-A730-17D1C0A2138A} - C:\Program Files\Internet Explorer\honevag4444.dll (file missing)
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: (no name) - {944864a5-3916-46e2-96a9-a2e84f3f1208} - (no file)
O2 - BHO: (no name) - {a4a435cf-3583-11d4-91bd-0048546a1450} - (no file)
O2 - BHO: aivskurq.msdn_hlp - {A6E432B4-D4C2-43B3-BF55-C364F8F7362A} - C:\WINDOWS\system32\aivskurq.dll (file missing)
O2 - BHO: (no name) - {a92628e6-30ce-40a7-a310-bc0d84fa4ce4} - C:\WINDOWS\system32\wfdqrjh.dll (file missing)
O2 - BHO: (no name) - {B1A3C739-2B69-4C1F-8671-47D1D54D158A} - C:\Program Files\Internet Explorer\honevag83122.dll (file missing)
O2 - BHO: (no name) - {b3c8560a-1dd1-11b2-ab68-887fbb421d7e} - C:\WINDOWS\srydercb.dll
O2 - BHO: (no name) - {b8875bfe-b021-11d4-bfa8-00508b8e9bd3} - (no file)
O2 - BHO: (no name) - {bb936323-19fa-4521-ba29-eca6a121bc78} - (no file)
O2 - BHO: (no name) - {c2680e10-1655-4a0e-87f8-4259325a84b7} - (no file)
O2 - BHO: (no name) - {c4ca6559-2cf1-48b6-96b2-8340a06fd129} - (no file)
O2 - BHO: (no name) - {c5af2622-8c75-4dfb-9693-23ab7686a456} - (no file)
O2 - BHO: (no name) - {c5c98920-1dd1-11b2-a3b4-8f5d84426fb7} - C:\WINDOWS\aluxgdqr.dll
O2 - BHO: (no name) - {ca1d1b05-9c66-11d5-a009-000103c1e50b} - (no file)
O2 - BHO: (no name) - {d8efadf1-9009-11d6-8c73-608c5dc19089} - (no file)
O2 - BHO: (no name) - {e9147a0a-a866-4214-b47c-da821891240f} - (no file)
O2 - BHO: (no name) - {e9306072-417e-43e3-81d5-369490beef7c} - (no file)
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: Verizon Broadband Toolbar - {4E7BD74F-2B8D-469E-8CB0-AB60BB9AAE22} - C:\PROGRA~1\VOL_TO~1\VOL_TO~1.DLL
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Verizon_McciTrayApp] C:\Program Files\Verizon\McciTrayApp.exe
O4 - HKLM\..\Run: [VerizonServicepoint.exe] "C:\Program Files\Verizon\VSP\VerizonServicepoint.exe" /AUTORUN
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [tgcmd] C:\Program Files\Support.com\bin\tgcmd.exe /server /startmonitor /deaf
O4 - HKLM\..\Run: [texqtape] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\texqtape.dll"
O4 - HKLM\..\Run: [SpiralFrog] C:\Program Files\SpiralFrog\Spiralfrog.exe
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [krodcncv] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\krodcncv.dll"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [jczcpavm] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\jczcpavm.dll"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ISUSScheduler] "C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1142728209\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [CheckWinPerf] C:\DOCUME~1\Michael\LOCALS~1\Temp\poewmekwr.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O8 - Extra context menu item: Add To Compaq Organize... - C:\PROGRA~1\HEWLET~1\COMPAQ~1\bin/module.main/favorites\ie_add_to.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} - https://activatemydsl.verizon.net/sdcCommon...DSL/tgctlcm.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://ca.com/us/securityadvisor/pestscan/pestscan.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://ca.com/us/securityadvisor/virusinfo/webscan.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 12727 bytes
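The HijackThis log above is the raw material the helper will read, and the entries that matter for this infection are visible by eye: the O1 hosts-file lines that send several search engines to one outside IP, the F2 UserInit value that loads an extra executable before userinit.exe, the unnamed O2 BHOs, and the O4 Run entries that call regsvr32 on DLLs in Application Data or launch from a Temp folder. The script below is an added example (not from the thread, not part of HijackThis or ComboFix) that parses lines in the HijackThis v2 format and applies those same triage heuristics. The sample log is constructed from entries in the post above; the patterns it flags (non-loopback hosts entries, anything in UserInit other than userinit.exe, nameless or file-missing BHOs, regsvr32 or Temp/Application Data launchers in Run keys) are my own assumptions about what warrants a closer look, not a rule set from either tool.

```python
import re
from collections import defaultdict

# Constructed sample in HijackThis v2 log format. The IP, CLSIDs and file
# names are copied from the log posted in this thread; the selection is mine.
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\vvgeowbv.exe,C:\WINDOWS\system32\userinit.exe
O1 - Hosts: 194.54.90.238 google.com
O1 - Hosts: 194.54.90.238 www.google.com
O1 - Hosts: 194.54.90.238 search.yahoo.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {314cdfba-1dd2-11b2-af47-9c9994326280} - C:\WINDOWS\wdkpgdut.dll
O2 - BHO: (no name) - {782B473D-B144-45BA-A730-17D1C0A2138A} - C:\Program Files\Internet Explorer\honevag4444.dll (file missing)
O4 - HKLM\..\Run: [texqtape] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\texqtape.dll"
O4 - HKLM\..\Run: [CheckWinPerf] C:\DOCUME~1\Michael\LOCALS~1\Temp\poewmekwr.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
"""


def parse_lines(text):
    """Yield (section, body) for every entry line, e.g. ('O1', 'Hosts: 1.2.3.4 a.com')."""
    for line in text.splitlines():
        m = re.match(r"^([A-Z]\d{1,2}) - (.*)$", line.strip())
        if m:
            yield m.group(1), m.group(2)


def find_hosts_redirects(entries):
    """Group O1 hosts entries by target IP, ignoring loopback; anything left is a redirect."""
    by_ip = defaultdict(list)
    for sec, body in entries:
        if sec != "O1":
            continue
        m = re.match(r"Hosts: (\S+) (\S+)", body)
        if m and not m.group(1).startswith("127."):
            by_ip[m.group(1)].append(m.group(2))
    return dict(by_ip)


def find_userinit_extras(entries):
    """UserInit normally lists only userinit.exe; return every other executable in the F2 value."""
    extras = []
    for sec, body in entries:
        if sec == "F2" and "UserInit=" in body:
            value = body.split("UserInit=", 1)[1]
            for exe in value.split(","):
                exe = exe.strip()
                if exe and not exe.lower().endswith("\\userinit.exe"):
                    extras.append(exe)
    return extras


def find_suspicious_bhos(entries):
    """Return (clsid, path) for O2 BHOs that have no name or whose DLL is missing."""
    flagged = []
    for sec, body in entries:
        if sec != "O2":
            continue
        m = re.match(r"BHO: (.*?) - (\{[0-9A-Fa-f-]+\}) - (.*)$", body)
        if not m:
            continue
        name, clsid, path = m.groups()
        if name == "(no name)" or "(file missing)" in path or path == "(no file)":
            flagged.append((clsid, path))
    return flagged


def find_suspicious_run_entries(entries):
    """Flag O4 Run entries that load a DLL via regsvr32 or launch from Temp / Application Data."""
    flagged = []
    for sec, body in entries:
        if sec != "O4":
            continue
        m = re.match(r"(HK\w+)\\\.\.\\Run: \[([^\]]+)\] (.*)$", body)
        if not m:
            continue
        name, cmd = m.group(2), m.group(3)
        lowered = cmd.lower()
        reasons = []
        if lowered.startswith("regsvr32"):
            reasons.append("regsvr32 loading a DLL at logon")
        if "\\temp\\" in lowered or "\\locals~1\\" in lowered:
            reasons.append("runs from a temp directory")
        if "\\application data\\" in lowered:
            reasons.append("runs from Application Data")
        if reasons:
            flagged.append((name, reasons))
    return flagged


def triage(text):
    """Run every heuristic over one log and return the findings keyed by category."""
    entries = list(parse_lines(text))
    return {
        "hosts_redirects": find_hosts_redirects(entries),
        "userinit_extras": find_userinit_extras(entries),
        "suspicious_bhos": find_suspicious_bhos(entries),
        "suspicious_run": find_suspicious_run_entries(entries),
    }


if __name__ == "__main__":
    for category, findings in triage(SAMPLE_LOG).items():
        print(category, findings)
```

On the sample it reports the single IP that all three search domains resolve to, vvgeowbv.exe as the extra UserInit executable, the two nameless BHOs, and texqtape and CheckWinPerf among the Run entries while leaving the Acrobat BHO and iTunesHelper alone. Treat the output as a reading aid for a log like the one above, not a verdict: a legitimate hosts entry or an unnamed but harmless BHO will also be listed, which is exactly why the helpers here ask for the full log rather than a filtered one.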



#2 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:05:15 PM

Posted 10 November 2007 - 11:33 PM

Hello sandmanrdv,

I see some items missing in the log. Have you been using HijackThis to fix things yourself? :thumbsup:

HijackThis is an advanced tool, and therefore requires advanced knowledge about Windows and operating systems in general. If you delete items that it shows, without knowing what they are, it can lead to other problems such as your Internet no longer working or problems with running Windows itself.



Let's run ComboFix.

If you have used ComboFix before, please delete the version you have and download it again, because ComboFix is updated every day.

Disconnect from the Internet while running ComboFix.

Temporarily disable any anti-virus and anti-malware real-time protection before performing a scan.
They can interfere with ComboFix or remove some of its embedded files which may cause unpredictable results.
Some scanners may see some combofix related components as suspicious and block or delete them while there's nothing wrong with them.



1. Download this file - combofix.exe to your Desktop.
Note:
It is important that it is saved directly to your desktop

2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you, C:\ComboFix.txt. Post the ComboFix log and a fresh Hijackthis log in your next reply.
Do NOT post the ComboFix-quarantined-files.txt - unless I ask you to.

Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
In case you see a sed.cfexe error with the option to send a report or not, choose "don't send".

Edited by SifuMike, 10 November 2007 - 11:38 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 sandmanrdv

sandmanrdv
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:07:15 PM

Posted 11 November 2007 - 09:38 AM

Hello Mike, thanks for assisting me. I did not remove any entries with Hi-Jack; I am well aware that I could cause serious damage. As I mentioned, the computer was turned over to Verizon Technical support via remote access, so it is possible they removed some things. Here is the ComboFix log first, followed by the Hi-Jack log.

ComboFix 07-11-08.1 - Maureen 2007-11-11 0:01:47.1 - NTFSx86
Running from: C:\Documents and Settings\Maureen\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data.\jczcpavm.dll
C:\Documents and Settings\All Users\Application Data.\krodcncv.dll
C:\Documents and Settings\All Users\Application Data.\texqtape.dll
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin1.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin2.zip
C:\Program Files\akl
C:\Program Files\akl\akl.dll
C:\Program Files\akl\akl.exe
C:\Program Files\akl\curlog.htm
C:\Program Files\akl\keylog.txt
C:\Program Files\akl\readme.txt
C:\Program Files\akl\uninstall.exe
C:\Program Files\akl\unsetup.dat
C:\Program Files\akl\unsetup.exe
C:\Program Files\amsys
C:\Program Files\amsys\awmsg.dat
C:\Program Files\amsys\mfc42.dll
C:\Program Files\amsys\msvcrt.dll
C:\Program Files\amsys\unins000.dat
C:\Program Files\amsys\unis000.exe
C:\Program Files\amsys\winam.dat
C:\Program Files\e-zshopper
C:\Program Files\e-zshopper\BarLcher.dll
C:\Program Files\p2pnetworks
C:\Program Files\p2pnetworks\amp2pl.exe
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\temp\tn3
C:\WINDOWS\764.exe
C:\WINDOWS\aconti.exe
C:\WINDOWS\adbar.dll
C:\WINDOWS\cbinst$.exe
C:\WINDOWS\daxtime.dll
C:\WINDOWS\dp0.dll
C:\WINDOWS\eventlowg.dll
C:\WINDOWS\fhfmm-Uninstaller.exe
C:\WINDOWS\fhfmm.exe
C:\WINDOWS\flt.dll
C:\WINDOWS\hotporn.exe
C:\WINDOWS\ie_32.exe
C:\WINDOWS\jd2002.dll
C:\WINDOWS\kkcomp$.exe
C:\WINDOWS\kkcomp.dll
C:\WINDOWS\kkcomp.exe
C:\WINDOWS\liqad$.exe
C:\WINDOWS\liqad.dll
C:\WINDOWS\liqad.exe
C:\WINDOWS\liqui-Uninstaller.exe
C:\WINDOWS\liqui.dll
C:\WINDOWS\liqui.exe
C:\WINDOWS\ngd.dll
C:\WINDOWS\pbar.dll
C:\WINDOWS\spredirect.dll
C:\WINDOWS\system32\a13
C:\WINDOWS\system32\drivers\blank.gif
C:\WINDOWS\system32\drivers\box_1.gif
C:\WINDOWS\system32\drivers\box_2.gif
C:\WINDOWS\system32\drivers\box_3.gif
C:\WINDOWS\system32\drivers\button_buynow.gif
C:\WINDOWS\system32\drivers\button_freescan.gif
C:\WINDOWS\system32\drivers\cell_bg.gif
C:\WINDOWS\system32\drivers\cell_footer.gif
C:\WINDOWS\system32\drivers\cell_header_block.gif
C:\WINDOWS\system32\drivers\cell_header_remove.gif
C:\WINDOWS\system32\drivers\cell_header_scan.gif
C:\WINDOWS\system32\drivers\detect.htm
C:\WINDOWS\system32\drivers\download_box.gif
C:\WINDOWS\system32\drivers\download_btn.jpg
C:\WINDOWS\system32\drivers\download_now_btn.gif
C:\WINDOWS\system32\drivers\footer_back.jpg
C:\WINDOWS\system32\drivers\header_1.gif
C:\WINDOWS\system32\drivers\header_2.gif
C:\WINDOWS\system32\drivers\header_3.gif
C:\WINDOWS\system32\drivers\header_4.gif
C:\WINDOWS\system32\drivers\header_red_bg.gif
C:\WINDOWS\system32\drivers\header_red_free_scan.gif
C:\WINDOWS\system32\drivers\header_red_free_scan_bg.gif
C:\WINDOWS\system32\drivers\header_red_protect_your_pc.gif
C:\WINDOWS\system32\drivers\infected.gif
C:\WINDOWS\system32\drivers\main_back.gif
C:\WINDOWS\system32\drivers\perfect_cleaner_box.jpg
C:\WINDOWS\system32\drivers\product_1_header.gif
C:\WINDOWS\system32\drivers\product_1_name_small.gif
C:\WINDOWS\system32\drivers\product_2_header.gif
C:\WINDOWS\system32\drivers\product_2_name_small.gif
C:\WINDOWS\system32\drivers\product_3_header.gif
C:\WINDOWS\system32\drivers\product_3_name_small.gif
C:\WINDOWS\system32\drivers\product_features.gif
C:\WINDOWS\system32\drivers\pt.htm
C:\WINDOWS\system32\drivers\rating.gif
C:\WINDOWS\system32\drivers\s_detect.htm
C:\WINDOWS\system32\drivers\screenshot.jpg
C:\WINDOWS\system32\drivers\sep_hor.gif
C:\WINDOWS\system32\drivers\sep_vert.gif
C:\WINDOWS\system32\drivers\shadow.jpg
C:\WINDOWS\system32\drivers\shadow_bg.gif
C:\WINDOWS\system32\drivers\spacer.gif
C:\WINDOWS\system32\drivers\spy_away_box.jpg
C:\WINDOWS\system32\drivers\star.gif
C:\WINDOWS\system32\drivers\star_gray.gif
C:\WINDOWS\system32\drivers\star_gray_small.gif
C:\WINDOWS\system32\drivers\star_small.gif
C:\WINDOWS\system32\drivers\style.css
C:\WINDOWS\system32\drivers\v.gif
C:\WINDOWS\system32\drivers\warning_icon.gif
C:\WINDOWS\system32\drivers\win_logo.gif
C:\WINDOWS\system32\drivers\x.gif
C:\WINDOWS\system32\e2
C:\WINDOWS\system32\ESHOPEE.exe
C:\WINDOWS\system32\g1
C:\WINDOWS\system32\i8
C:\WINDOWS\system32\i8\taldrvr11.exe
C:\WINDOWS\system32\msole32.exe
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\x22
C:\WINDOWS\vxddsk.exe
C:\WINDOWS\wml.exe
C:\WINDOWS\xadbrk.dll
C:\WINDOWS\xadbrk.exe
C:\WINDOWS\xadbrk_.exe
C:\WINDOWS\xxxvideo.exe
D:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2007-10-11 to 2007-11-11 )))))))))))))))))))))))))))))))
.

2007-11-11 00:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-09 00:56 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2007-11-09 00:17 <DIR> d-------- C:\HiJackThis
2007-11-08 22:07 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\AVG7
2007-11-08 22:07 <DIR> d-------- C:\Documents and Settings\Maureen\Application Data\AVG7
2007-11-08 22:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-11-08 22:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2007-11-08 21:32 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2007-11-02 18:33 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS
2007-11-02 18:33 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2007-11-02 18:33 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Intuit
2007-11-02 18:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-02 16:59 <DIR> d-------- C:\Program Files\Lavasoft
2007-11-02 16:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-11-02 16:34 <DIR> d-------- C:\Program Files\Windows Defender
2007-11-01 15:34 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2007-11-01 15:34 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2007-11-01 15:33 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-11-01 15:33 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-11-01 14:46 30,976 --a------ C:\WINDOWS\system32\ace16win.dll
2007-10-30 10:59 <DIR> d-------- C:\VundoFix Backups
2007-10-30 07:40 1,246 --a------ C:\WINDOWS\system32\tmp.reg
2007-10-30 07:32 <DIR> d-------- C:\WINDOWS\LMI131.tmp
2007-10-30 05:58 389,120 --a------ C:\GOTOASSIST[1].EXE
2007-10-30 05:55 <DIR> d-------- C:\WINDOWS\pss
2007-10-30 05:42 389,120 --a------ C:\Documents and Settings\Maureen\GoToAssist_phone__268_en.exe
2007-10-30 05:16 69,632 --a------ C:\WINDOWS\srydercb.dll
2007-10-29 21:33 56,320 --a------ C:\WINDOWS\aluxgdqr.dll
2007-10-29 20:44 4 --a------ C:\WINDOWS\system32\stfv.bin
2007-10-29 20:41 <DIR> d-------- C:\WINDOWS\system32\acespy
2007-10-29 20:20 12 --a------ C:\WINDOWS\system32\dpqaqlqx.bin
2007-10-29 20:19 <DIR> d-------- C:\WINDOWS\system32\Mz15r
2007-10-29 20:19 <DIR> d-------- C:\WINDOWS\PerfInfo
2007-10-29 20:19 59,904 --a------ C:\WINDOWS\wdkpgdut.dll
2007-10-29 20:18 <DIR> d-------- C:\TEMP\mZOr
2007-10-29 20:18 3,638 --a------ C:\info.exe
2007-10-22 15:23 <DIR> d--h----- C:\WINDOWS\PIF
2007-10-22 15:07 <DIR> d-------- C:\Documents and Settings\Frankie\Application Data\Verizon
2007-10-20 07:41 <DIR> d-------- C:\Documents and Settings\Maureen\Application Data\Netscape
2007-10-19 20:25 <DIR> d-------- C:\Documents and Settings\Michael\Application Data\Motive
2007-10-19 20:17 <DIR> d-------- C:\Documents and Settings\Michael\Application Data\VOL_TOOLBAR
2007-10-19 20:16 <DIR> d-------- C:\Documents and Settings\Michael\Application Data\Verizon
2007-10-19 19:18 <DIR> d-------- C:\Documents and Settings\Maureen\Application Data\Motive
2007-10-19 19:09 <DIR> d-------- C:\Documents and Settings\Maureen\Application Data\VOL_TOOLBAR
2007-10-19 19:09 <DIR> d-------- C:\Documents and Settings\Maureen\Application Data\Verizon
2007-10-19 17:40 <DIR> d-------- C:\WINDOWS\bin
2007-10-19 17:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Verizon
2007-10-19 17:39 <DIR> d-------- C:\Program Files\Common Files\Motive
2007-10-19 17:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Motive
2007-10-19 17:37 <DIR> d-------- C:\Program Files\vol_toolbar
2007-10-19 17:33 <DIR> d-------- C:\Program Files\Verizon
2007-10-19 17:05 <DIR> d-------- C:\Program Files\Common Files\SupportSoft

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-09 05:23 --------- d-----w C:\Program Files\InstallShield Installation Information
2007-11-09 02:37 --------- d-----w C:\Program Files\America Online 7.0a
2007-11-09 02:22 --------- d-----w C:\Program Files\Common Files\AOL
2007-11-02 21:58 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-11-02 21:29 --------- d-----w C:\Program Files\Google
2007-10-31 21:16 --------- d-----w C:\Program Files\Netscape Internet Service
2007-10-31 21:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\Netscape Internet Service
2007-10-31 21:15 --------- d-----w C:\Program Files\SpiralFrog
2007-10-31 21:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spiralfrog
2007-10-30 10:53 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-10-22 20:10 --------- d-----w C:\Program Files\McAfee
2007-10-22 20:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
2007-10-06 14:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2007-10-06 14:39 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL Downloads
2007-10-06 14:31 --------- d-----w C:\Documents and Settings\Michael\Application Data\LimeWire
2006-12-20 01:38 0 -c--a-w C:\Documents and Settings\Alyssa\Application Data\wklnhst.dat
2006-11-06 23:19 0 -c--a-w C:\Documents and Settings\Frankie\Application Data\wklnhst.dat
2006-06-08 18:38 274 ----a-w C:\Documents and Settings\Maureen\Application Data\wklnhst.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{00000000-d9e3-4bc6-a0bd-3d0ca4be5271}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{00000012-890e-4aac-afd9-eff6954a34dd}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{029e02f0-a0e5-4b19-b958-7bf2db29fb13}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06dfedaa-6196-11d5-bfc8-00508b4a487d}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1adbcce8-cf84-441e-9b38-afc7a19c06a4}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2d7cb618-cc1c-4126-a7e3-f5b12d3bcf71}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{314cdfba-1dd2-11b2-af47-9c9994326280}]
2007-10-29 20:19 59904 --a------ C:\WINDOWS\wdkpgdut.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4E7BD74F-2B8D-469E-8CB0-AB60BB9AAE22}]
2007-05-25 08:15 1904128 --a------ C:\PROGRA~1\VOL_TO~1\VOL_TO~1.DLL

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{51641ef3-8a7a-4d84-8659-b0911e947cc8}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{53C330D6-A4AB-419B-B45D-FD4411C1FEF4}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{54645654-2225-4455-44A1-9F4543D34546}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{669695bc-a811-4a9d-8cdf-ba8c795f261e}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6abc861a-31e7-4d91-b43b-d3c98f22a5c0}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{782B473D-B144-45BA-A730-17D1C0A2138A}]
C:\Program Files\Internet Explorer\honevag4444.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{944864a5-3916-46e2-96a9-a2e84f3f1208}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{a4a435cf-3583-11d4-91bd-0048546a1450}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A6E432B4-D4C2-43B3-BF55-C364F8F7362A}]
C:\WINDOWS\system32\aivskurq.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{a92628e6-30ce-40a7-a310-bc0d84fa4ce4}]
C:\WINDOWS\system32\wfdqrjh.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B1A3C739-2B69-4C1F-8671-47D1D54D158A}]
C:\Program Files\Internet Explorer\honevag83122.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{b3c8560a-1dd1-11b2-ab68-887fbb421d7e}]
2007-10-30 05:16 69632 --a------ C:\WINDOWS\srydercb.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{b8875bfe-b021-11d4-bfa8-00508b8e9bd3}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c2680e10-1655-4a0e-87f8-4259325a84b7}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c4ca6559-2cf1-48b6-96b2-8340a06fd129}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c5af2622-8c75-4dfb-9693-23ab7686a456}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c5c98920-1dd1-11b2-a3b4-8f5d84426fb7}]
2007-10-29 21:33 56320 --a------ C:\WINDOWS\aluxgdqr.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ca1d1b05-9c66-11d5-a009-000103c1e50b}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{d8efadf1-9009-11d6-8c73-608c5dc19089}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e9147a0a-a866-4214-b47c-da821891240f}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e9306072-417e-43e3-81d5-369490beef7c}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{4E7BD74F-2B8D-469E-8CB0-AB60BB9AAE22}"= C:\PROGRA~1\VOL_TO~1\VOL_TO~1.DLL [2007-05-25 08:15 1904128]

[HKEY_CLASSES_ROOT\CLSID\{4E7BD74F-2B8D-469E-8CB0-AB60BB9AAE22}]
[HKEY_CLASSES_ROOT\vol_toolbar.VOL_TOOLBAR]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{4E7BD74F-2B8D-469E-8CB0-AB60BB9AAE22}"= C:\PROGRA~1\VOL_TO~1\VOL_TO~1.DLL [2007-05-25 08:15 1904128]

[HKEY_CLASSES_ROOT\CLSID\{4E7BD74F-2B8D-469E-8CB0-AB60BB9AAE22}]
[HKEY_CLASSES_ROOT\vol_toolbar.VOL_TOOLBAR]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PCDrProfiler"="" []
"HPBootOp"="C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-09-21 12:41]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-11 23:12]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 18:20]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-11-08 22:07]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-11-21 08:37]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-28 02:50]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 15:46]

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\
Pin.lnk - C:\hp\bin\CLOAKER.EXE [2005-11-21 08:13:35]

[HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="C:\\WINDOWS\\system32\\vvgeowbv.exe,C:\\WINDOWS\\system32\\userinit.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Works Calendar Reminders.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Works Calendar Reminders.lnk
backup=C:\WINDOWS\pss\Microsoft Works Calendar Reminders.lnkCommon Startup


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
"C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CheckWinPerf]
C:\DOCUME~1\Michael\LOCALS~1\Temp\poewmekwr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
C:\Program Files\Common Files\AOL\1142728209\ee\AOLSoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IPHSend]
C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
"C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\issch.exe" -start

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\jczcpavm]
regsvr32 /u "C:\Documents and Settings\All Users\Application Data\jczcpavm.dll"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
%systemroot%\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\krodcncv]
regsvr32 /u "C:\Documents and Settings\All Users\Application Data\krodcncv.dll"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pure Networks Port Magic]
"C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpiralFrog]
C:\Program Files\SpiralFrog\Spiralfrog.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\texqtape]
regsvr32 /u "C:\Documents and Settings\All Users\Application Data\texqtape.dll"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tgcmd]
C:\Program Files\Support.com\bin\tgcmd.exe /server /startmonitor /deaf

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VerizonServicepoint.exe]
"C:\Program Files\Verizon\VSP\VerizonServicepoint.exe" /AUTORUN

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Verizon_McciTrayApp]
C:\Program Files\Verizon\McciTrayApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Weather]
C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2d435b36-e506-11d9-9b78-e6b009352ae7}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480

.
Contents of the 'Scheduled Tasks' folder
"2007-11-10 06:58:28 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-11 00:08:21
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-11 0:10:03 - machine was rebooted
.
--- E O F ---


HERE IS THE HJT LOG

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:11:57 AM, on 11/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\HiJackThis\HiJackThis\HijackThis.exe

R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: (no name) - {00000000-d9e3-4bc6-a0bd-3d0ca4be5271} - (no file)
O2 - BHO: (no name) - {00000012-890e-4aac-afd9-eff6954a34dd} - (no file)
O2 - BHO: (no name) - {029e02f0-a0e5-4b19-b958-7bf2db29fb13} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {06dfedaa-6196-11d5-bfc8-00508b4a487d} - (no file)
O2 - BHO: (no name) - {12F02779-6D88-4958-8AD3-83C12D86ADC7} - (no file)
O2 - BHO: (no name) - {1adbcce8-cf84-441e-9b38-afc7a19c06a4} - (no file)
O2 - BHO: (no name) - {2d7cb618-cc1c-4126-a7e3-f5b12d3bcf71} - (no file)
O2 - BHO: (no name) - {314cdfba-1dd2-11b2-af47-9c9994326280} - C:\WINDOWS\wdkpgdut.dll
O2 - BHO: Verizon Broadband Toolbar - {4E7BD74F-2B8D-469E-8CB0-AB60BB9AAE22} - C:\PROGRA~1\VOL_TO~1\VOL_TO~1.DLL
O2 - BHO: (no name) - {51641ef3-8a7a-4d84-8659-b0911e947cc8} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {53C330D6-A4AB-419B-B45D-FD4411C1FEF4} - (no file)
O2 - BHO: (no name) - {54645654-2225-4455-44A1-9F4543D34546} - (no file)
O2 - BHO: (no name) - {669695bc-a811-4a9d-8cdf-ba8c795f261e} - (no file)
O2 - BHO: (no name) - {6abc861a-31e7-4d91-b43b-d3c98f22a5c0} - (no file)
O2 - BHO: (no name) - {782B473D-B144-45BA-A730-17D1C0A2138A} - C:\Program Files\Internet Explorer\honevag4444.dll (file missing)
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: (no name) - {944864a5-3916-46e2-96a9-a2e84f3f1208} - (no file)
O2 - BHO: (no name) - {a4a435cf-3583-11d4-91bd-0048546a1450} - (no file)
O2 - BHO: aivskurq.msdn_hlp - {A6E432B4-D4C2-43B3-BF55-C364F8F7362A} - C:\WINDOWS\system32\aivskurq.dll (file missing)
O2 - BHO: (no name) - {a92628e6-30ce-40a7-a310-bc0d84fa4ce4} - C:\WINDOWS\system32\wfdqrjh.dll (file missing)
O2 - BHO: (no name) - {B1A3C739-2B69-4C1F-8671-47D1D54D158A} - C:\Program Files\Internet Explorer\honevag83122.dll (file missing)
O2 - BHO: (no name) - {b3c8560a-1dd1-11b2-ab68-887fbb421d7e} - C:\WINDOWS\srydercb.dll
O2 - BHO: (no name) - {b8875bfe-b021-11d4-bfa8-00508b8e9bd3} - (no file)
O2 - BHO: (no name) - {c2680e10-1655-4a0e-87f8-4259325a84b7} - (no file)
O2 - BHO: (no name) - {c4ca6559-2cf1-48b6-96b2-8340a06fd129} - (no file)
O2 - BHO: (no name) - {c5af2622-8c75-4dfb-9693-23ab7686a456} - (no file)
O2 - BHO: (no name) - {c5c98920-1dd1-11b2-a3b4-8f5d84426fb7} - C:\WINDOWS\aluxgdqr.dll
O2 - BHO: (no name) - {ca1d1b05-9c66-11d5-a009-000103c1e50b} - (no file)
O2 - BHO: (no name) - {d8efadf1-9009-11d6-8c73-608c5dc19089} - (no file)
O2 - BHO: (no name) - {e9147a0a-a866-4214-b47c-da821891240f} - (no file)
O2 - BHO: (no name) - {e9306072-417e-43e3-81d5-369490beef7c} - (no file)
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: Verizon Broadband Toolbar - {4E7BD74F-2B8D-469E-8CB0-AB60BB9AAE22} - C:\PROGRA~1\VOL_TO~1\VOL_TO~1.DLL
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O8 - Extra context menu item: Add To Compaq Organize... - C:\PROGRA~1\HEWLET~1\COMPAQ~1\bin/module.main/favorites\ie_add_to.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} - https://activatemydsl.verizon.net/sdcCommon...DSL/tgctlcm.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://ca.com/us/securityadvisor/pestscan/pestscan.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://ca.com/us/securityadvisor/virusinfo/webscan.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 9526 bytes

#4 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:05:15 PM

Posted 11 November 2007 - 01:59 PM

Hi sandmanrdv,

I see you are running TeaTimer.
I suggest you disable it, because it can interfere with the changes you'll make on your system.

How to disable TeaTimer during HijackThis Cleanup

If teatimer gives you a warning afterwards that some changes were made, allow this instead of blocking it.

When everything is done and your log is clean again, you can enable it again.

Download CCleaner and install it. (default location is best). Do not run it yet!

CCleaner Tutorial

*******************************************

Select the following with HijackThis.
With all windows (including this one!) closed (close browser/explorer windows), please select "fix checked"

O2 - BHO: (no name) - {00000000-d9e3-4bc6-a0bd-3d0ca4be5271} - (no file)
O2 - BHO: (no name) - {00000012-890e-4aac-afd9-eff6954a34dd} - (no file)
O2 - BHO: (no name) - {029e02f0-a0e5-4b19-b958-7bf2db29fb13} - (no file)
O2 - BHO: (no name) - {06dfedaa-6196-11d5-bfc8-00508b4a487d} - (no file)
O2 - BHO: (no name) - {12F02779-6D88-4958-8AD3-83C12D86ADC7} - (no file)
O2 - BHO: (no name) - {1adbcce8-cf84-441e-9b38-afc7a19c06a4} - (no file)
O2 - BHO: (no name) - {2d7cb618-cc1c-4126-a7e3-f5b12d3bcf71} - (no file)
O2 - BHO: (no name) - {314cdfba-1dd2-11b2-af47-9c9994326280} - C:\WINDOWS\wdkpgdut.dll
O2 - BHO: (no name) - {51641ef3-8a7a-4d84-8659-b0911e947cc8} - (no file)
O2 - BHO: (no name) - {53C330D6-A4AB-419B-B45D-FD4411C1FEF4} - (no file)
O2 - BHO: (no name) - {54645654-2225-4455-44A1-9F4543D34546} - (no file)
O2 - BHO: (no name) - {669695bc-a811-4a9d-8cdf-ba8c795f261e} - (no file)
O2 - BHO: (no name) - {6abc861a-31e7-4d91-b43b-d3c98f22a5c0} - (no file)
O2 - BHO: (no name) - {782B473D-B144-45BA-A730-17D1C0A2138A} - C:\Program Files\Internet Explorer\honevag4444.dll (file missing)
O2 - BHO: (no name) - {944864a5-3916-46e2-96a9-a2e84f3f1208} - (no file)
O2 - BHO: (no name) - {a4a435cf-3583-11d4-91bd-0048546a1450} - (no file)
O2 - BHO: aivskurq.msdn_hlp - {A6E432B4-D4C2-43B3-BF55-C364F8F7362A} - C:\WINDOWS\system32\aivskurq.dll (file missing)
O2 - BHO: (no name) - {a92628e6-30ce-40a7-a310-bc0d84fa4ce4} - C:\WINDOWS\system32\wfdqrjh.dll (file missing)
O2 - BHO: (no name) - {B1A3C739-2B69-4C1F-8671-47D1D54D158A} - C:\Program Files\Internet Explorer\honevag83122.dll (file missing)
O2 - BHO: (no name) - {b3c8560a-1dd1-11b2-ab68-887fbb421d7e} - C:\WINDOWS\srydercb.dll
O2 - BHO: (no name) - {b8875bfe-b021-11d4-bfa8-00508b8e9bd3} - (no file)
O2 - BHO: (no name) - {c2680e10-1655-4a0e-87f8-4259325a84b7} - (no file)
O2 - BHO: (no name) - {c4ca6559-2cf1-48b6-96b2-8340a06fd129} - (no file)
O2 - BHO: (no name) - {c5af2622-8c75-4dfb-9693-23ab7686a456} - (no file)
O2 - BHO: (no name) - {c5c98920-1dd1-11b2-a3b4-8f5d84426fb7} - C:\WINDOWS\aluxgdqr.dll
O2 - BHO: (no name) - {ca1d1b05-9c66-11d5-a009-000103c1e50b} - (no file)
O2 - BHO: (no name) - {d8efadf1-9009-11d6-8c73-608c5dc19089} - (no file)
O2 - BHO: (no name) - {e9147a0a-a866-4214-b47c-da821891240f} - (no file)
O2 - BHO: (no name) - {e9306072-417e-43e3-81d5-369490beef7c} - (no file)


*******************************************

*NOTE* CCleaner deletes EVERYTHING out of temp/temporary folders and does not make backups.

Let's empty the temp files:

Run CCleaner.

CAUTION: Please do NOT use the Issues or Registry button. This is a built-in registry cleaner. If you don't know how to use it, you may cause irreparable damage to your system.

1. Starting with v1.27.260, CCleaner installs the Yahoo Toolbar as an option which IS checkmarked by default during the installation.
IF you do NOT want it, REMOVE the checkmark when provided with the option OR download the toolbar-free Basic version instead of the Standard Build.


2. Before first use, select Options > Advanced and UNCHECK "Only delete files in Windows Temp folder older than 48 hours"

3. Then select the items you wish to clean up.

In the Windows Tab:
• Clean all entries in the "Internet Explorer" section except Autocomplete Form History.
• Clean all the entries in the "Windows Explorer" section.
• Clean all entries in the "System" section except for Start Menu Shortcuts and Desktop Shortcuts.
• Clean any others that you choose.

In the Applications Tab:
• Clean all including cookies in the Firefox/Mozilla section if you use it.
• Clean all in the Opera section if you use it.
• Clean Sun Java in the Internet Section.
• Clean any others that you choose.

4. Click the "Run Cleaner" button.
5. A pop up box will appear advising this process will permanently delete files from your system.
6. Click "OK" and it will scan and clean your system.
7. Click "exit" when done.

If it asks you to reboot at the end, click NO.

CCleaner should be run with the above settings for each User Account!

*******************************************

Click Start, then Run and type Notepad and click OK.
Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the code box below into notepad:

File:: 
C:\WINDOWS\wdkpgdut.dll
C:\WINDOWS\aluxgdqr.dll
C:\WINDOWS\srydercb.dll
C:\DOCUME~1\Michael\LOCALS~1\Temp\poewmekwr.exe

Folder:: 
C:\VundoFix Backups

Registry:: 
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CheckWinPerf]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\jczcpavm]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\krodcncv]


Name the Notepad file CFScript.txt and Save it to your desktop.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.


[Screenshot: CFScript.txt being dragged onto ComboFix.exe]

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Edited by SifuMike, 11 November 2007 - 02:00 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
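The selection made by hand in the post above (orphaned BHO entries plus unnamed BHOs loaded from randomly named DLLs directly in C:\WINDOWS) can be reproduced over a HijackThis log. The following is an added example and is not part of this thread, of HijackThis or of ComboFix; the eight-lowercase-letter rule for the DLL name is an assumption for illustration, and the sample log lines are constructed from entries quoted in the thread.

```python
"""Triage of HijackThis O2 (Browser Helper Object) lines.

Added example, not part of this thread, of HijackThis or of ComboFix. It
reproduces the selection made by hand above: orphaned BHO entries whose
target is "(no file)" or "(file missing)", and unnamed BHOs loaded from a
randomly named DLL directly in the Windows directory. For the latter it
emits the File:: section of a CFScript in the format used in the thread.
The random-name rule is an assumption for illustration, not an HJT feature.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

# One O2 line: "O2 - BHO: <name> - {<CLSID>} - <target>"
O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - "
    r"\{(?P<clsid>[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12})\} - "
    r"(?P<target>.*)$"
)
# Assumed heuristic: eight lowercase letters, .dll, directly under C:\WINDOWS,
# which is what the three DLLs removed in this thread look like.
RANDOM_WINDIR_DLL_RE = re.compile(r"^C:\\WINDOWS\\[a-z]{8}\.dll$")

# Constructed sample built from O2/O3 lines quoted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {00000000-d9e3-4bc6-a0bd-3d0ca4be5271} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {314cdfba-1dd2-11b2-af47-9c9994326280} - C:\WINDOWS\wdkpgdut.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {782B473D-B144-45BA-A730-17D1C0A2138A} - C:\Program Files\Internet Explorer\honevag4444.dll (file missing)
O2 - BHO: (no name) - {c5c98920-1dd1-11b2-a3b4-8f5d84426fb7} - C:\WINDOWS\aluxgdqr.dll
O3 - Toolbar: Verizon Broadband Toolbar - {4E7BD74F-2B8D-469E-8CB0-AB60BB9AAE22} - C:\PROGRA~1\VOL_TO~1\VOL_TO~1.DLL
"""


@dataclass
class BhoFinding:
    clsid: str
    name: str
    path: str      # "" when the entry carries no path at all
    verdict: str   # "orphan", "suspicious" or "ok"
    reason: str


def classify(name: str, target: str) -> Tuple[str, str, str]:
    """Return (path, verdict, reason) for one O2 entry's name and target."""
    if target == "(no file)":
        return "", "orphan", "registry entry without any file path"
    if target.endswith("(file missing)"):
        path = target[: -len("(file missing)")].strip()
        return path, "orphan", "path given but the file is not on disk"
    if name == "(no name)" and RANDOM_WINDIR_DLL_RE.match(target):
        return target, "suspicious", "unnamed BHO, random 8-letter DLL in C:\\WINDOWS"
    return target, "ok", "no rule matched; review by hand"


def triage(log_text: str) -> List[BhoFinding]:
    """Parse every O2 line of a HijackThis log; other sections are skipped."""
    findings = []
    for line in log_text.splitlines():
        m = O2_RE.match(line.strip())
        if not m:
            continue
        path, verdict, reason = classify(m["name"], m["target"])
        findings.append(BhoFinding(m["clsid"], m["name"], path, verdict, reason))
    return findings


def cfscript_file_section(findings: List[BhoFinding]) -> str:
    """File:: block for suspicious DLLs still on disk; orphans have nothing to delete."""
    paths = [f.path for f in findings if f.verdict == "suspicious"]
    if not paths:
        return ""
    return "File::\n" + "\n".join(paths)


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"{f.verdict:10} {{{f.clsid}}}  {f.path or '-'}  ({f.reason})")
    print()
    print(cfscript_file_section(results))
```

Orphaned entries are dealt with in HijackThis ("fix checked"), which is why only the suspicious DLLs that still exist end up in the File:: section.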

#5 sandmanrdv

sandmanrdv
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:07:15 PM

Posted 11 November 2007 - 05:53 PM

OK SifuMike, all steps were completed successfully (at least to the best of my knowledge). The new ComboFix and HiJackThis logs follow. Regards, Sandman.

ComboFix 07-11-08.1 - Maureen 2007-11-11 17:40:33.2 - NTFSx86
Running from: C:\Documents and Settings\Maureen\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Maureen\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\DOCUME~1\Michael\LOCALS~1\Temp\poewmekwr.exe
C:\WINDOWS\aluxgdqr.dll
C:\WINDOWS\srydercb.dll
C:\WINDOWS\wdkpgdut.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\VundoFix Backups
C:\VundoFix Backups\helper.dll.bad
C:\WINDOWS\srydercb.dll

.
((((((((((((((((((((((((( Files Created from 2007-10-11 to 2007-11-11 )))))))))))))))))))))))))))))))
.

2007-11-11 17:18 <DIR> d-------- C:\Documents and Settings\Michael\Application Data\AVG7
2007-11-11 17:04 <DIR> d-------- C:\Documents and Settings\Frankie\Application Data\VOL_TOOLBAR
2007-11-11 17:03 <DIR> d-------- C:\Documents and Settings\Frankie\Application Data\AVG7
2007-11-11 16:30 <DIR> d-------- C:\Program Files\CCleaner
2007-11-11 16:18 <DIR> d-------- C:\Program Files\FaxTools
2007-11-11 16:18 <DIR> d-------- C:\Program Files\ABBYY FineReader 6.0
2007-11-11 16:18 <DIR> d-------- C:\Program Files\ABBYY FineReader 5.0 Sprint
2007-11-11 16:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\BVRP Software
2007-11-11 16:14 <DIR> d-------- C:\Program Files\Lexmark X1100 Series
2007-11-11 16:14 87,040 --a------ C:\WINDOWS\system32\wiafbdrv.dll
2007-11-11 16:14 87,040 --a------ C:\WINDOWS\system32\dllcache\wiafbdrv.dll
2007-11-11 00:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-09 00:56 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2007-11-09 00:17 <DIR> d-------- C:\HiJackThis
2007-11-08 22:07 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\AVG7
2007-11-08 22:07 <DIR> d-------- C:\Documents and Settings\Maureen\Application Data\AVG7
2007-11-08 22:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-11-08 22:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2007-11-08 21:32 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2007-11-02 18:33 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS
2007-11-02 18:33 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2007-11-02 18:33 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Intuit
2007-11-02 18:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-02 16:59 <DIR> d-------- C:\Program Files\Lavasoft
2007-11-02 16:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-11-02 16:34 <DIR> d-------- C:\Program Files\Windows Defender
2007-11-01 15:34 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2007-11-01 15:34 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2007-11-01 15:33 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-11-01 15:33 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-11-01 14:46 30,976 --a------ C:\WINDOWS\system32\ace16win.dll
2007-10-30 07:40 1,246 --a------ C:\WINDOWS\system32\tmp.reg
2007-10-30 07:32 <DIR> d-------- C:\WINDOWS\LMI131.tmp
2007-10-30 05:58 389,120 --a------ C:\GOTOASSIST[1].EXE
2007-10-30 05:55 <DIR> d-------- C:\WINDOWS\pss
2007-10-30 05:42 389,120 --a------ C:\Documents and Settings\Maureen\GoToAssist_phone__268_en.exe
2007-10-29 20:44 4 --a------ C:\WINDOWS\system32\stfv.bin
2007-10-29 20:41 <DIR> d-------- C:\WINDOWS\system32\acespy
2007-10-29 20:20 12 --a------ C:\WINDOWS\system32\dpqaqlqx.bin
2007-10-29 20:19 <DIR> d-------- C:\WINDOWS\system32\Mz15r
2007-10-29 20:19 <DIR> d-------- C:\WINDOWS\PerfInfo
2007-10-29 20:18 <DIR> d-------- C:\TEMP\mZOr
2007-10-29 20:18 3,638 --a------ C:\info.exe
2007-10-22 15:23 <DIR> d--h----- C:\WINDOWS\PIF
2007-10-22 15:07 <DIR> d-------- C:\Documents and Settings\Frankie\Application Data\Verizon
2007-10-20 07:41 <DIR> d-------- C:\Documents and Settings\Maureen\Application Data\Netscape
2007-10-19 20:25 <DIR> d-------- C:\Documents and Settings\Michael\Application Data\Motive
2007-10-19 20:17 <DIR> d-------- C:\Documents and Settings\Michael\Application Data\VOL_TOOLBAR
2007-10-19 20:16 <DIR> d-------- C:\Documents and Settings\Michael\Application Data\Verizon
2007-10-19 19:18 <DIR> d-------- C:\Documents and Settings\Maureen\Application Data\Motive
2007-10-19 19:09 <DIR> d-------- C:\Documents and Settings\Maureen\Application Data\VOL_TOOLBAR
2007-10-19 19:09 <DIR> d-------- C:\Documents and Settings\Maureen\Application Data\Verizon
2007-10-19 17:40 <DIR> d-------- C:\WINDOWS\bin
2007-10-19 17:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Verizon
2007-10-19 17:39 <DIR> d-------- C:\Program Files\Common Files\Motive
2007-10-19 17:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Motive
2007-10-19 17:37 <DIR> d-------- C:\Program Files\vol_toolbar
2007-10-19 17:33 <DIR> d-------- C:\Program Files\Verizon
2007-10-19 17:05 <DIR> d-------- C:\Program Files\Common Files\SupportSoft

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-11 21:59 --------- d-----w C:\Program Files\America Online 7.0a
2007-11-11 21:18 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-11 05:25 --------- d-----w C:\Program Files\America Online 9.0c
2007-11-09 02:22 --------- d-----w C:\Program Files\Common Files\AOL
2007-11-02 21:58 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-11-02 21:29 --------- d-----w C:\Program Files\Google
2007-10-31 21:16 --------- d-----w C:\Program Files\Netscape Internet Service
2007-10-31 21:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\Netscape Internet Service
2007-10-31 21:15 --------- d-----w C:\Program Files\SpiralFrog
2007-10-31 21:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spiralfrog
2007-10-30 10:53 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-10-22 20:10 --------- d-----w C:\Program Files\McAfee
2007-10-22 20:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
2007-10-06 14:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2007-10-06 14:39 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL Downloads
2007-10-06 14:31 --------- d-----w C:\Documents and Settings\Michael\Application Data\LimeWire
2006-12-20 01:38 0 -c--a-w C:\Documents and Settings\Alyssa\Application Data\wklnhst.dat
2006-11-06 23:19 0 -c--a-w C:\Documents and Settings\Frankie\Application Data\wklnhst.dat
2006-06-08 18:38 274 ----a-w C:\Documents and Settings\Maureen\Application Data\wklnhst.dat
.

((((((((((((((((((((((((((((( snapshot@2007-11-11_ 0.09.35.28 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-11-11 21:20:01 45,056 ----a-r C:\WINDOWS\Installer\{D1696920-9794-4BBC-8A30-7A88763DE5A2}\_BB86BFE89996_4EB5_B387_B4EF975DFF29.exe
+ 2001-01-19 15:50:20 40,960 ----a-w C:\WINDOWS\system32\INSTMON.EXE
+ 2003-08-18 13:48:38 196,096 ----a-w C:\WINDOWS\system32\LEX2KUSB.DLL
+ 2003-08-18 10:34:26 147,456 ----a-w C:\WINDOWS\system32\LEXBCE.DLL
+ 2003-08-18 10:37:09 303,104 ----a-w C:\WINDOWS\system32\LEXBCES.EXE
+ 2003-08-18 13:48:40 192,512 ----a-w C:\WINDOWS\system32\LEXLMPM.DLL
+ 2003-08-18 13:47:42 201,216 ----a-w C:\WINDOWS\system32\LEXP2P32.DLL
+ 2003-08-18 10:55:00 155,648 ----a-w C:\WINDOWS\system32\LEXPING.EXE
+ 2003-08-18 10:32:55 174,592 ----a-w C:\WINDOWS\system32\LEXPPS.EXE
+ 2003-08-18 10:53:48 126,976 ----a-w C:\WINDOWS\system32\LXBKCFG.EXE
+ 2003-08-18 11:56:26 57,344 ----a-w C:\WINDOWS\system32\lxbkcinf.dll
+ 2003-08-18 11:56:10 49,152 ----a-w C:\WINDOWS\system32\lxbkcoin.dll
+ 2003-08-18 10:52:54 286,720 ----a-w C:\WINDOWS\system32\lxbkcomm.dll
+ 2003-08-19 10:51:12 69,632 ----a-w C:\WINDOWS\system32\LXBKCU.DLL
+ 2003-08-19 10:43:22 90,112 ----a-w C:\WINDOWS\system32\LXBKCUR.DLL
+ 2002-08-22 15:14:00 983,101 ----a-w C:\WINDOWS\system32\LXBKGF.DLL
+ 2003-08-18 10:55:47 86,016 ----a-w C:\WINDOWS\system32\LXBKIH.EXE
+ 2003-08-19 10:41:52 454,656 ----a-w C:\WINDOWS\system32\LXBKJSWR.DLL
+ 2003-08-18 10:46:38 77,824 ----a-w C:\WINDOWS\system32\LXBKLCNP.DLL
+ 2003-08-18 10:58:40 217,088 ----a-w C:\WINDOWS\system32\LXBKLCNT.DLL
+ 2003-08-18 11:03:23 544,768 ----a-w C:\WINDOWS\system32\LXBKLSNT.EXE
+ 2003-08-18 10:57:04 286,720 ----a-w C:\WINDOWS\system32\LXBKPMNT.DLL
+ 2003-08-19 10:25:55 73,728 ----a-w C:\WINDOWS\system32\lxbkpwr.dll
+ 2003-08-18 11:56:19 69,632 ----a-w C:\WINDOWS\system32\lxbkscin.dll
+ 2003-08-19 10:29:33 352,256 ----a-w C:\WINDOWS\system32\LXBKUTIL.DLL
+ 2002-11-13 15:40:22 40,960 ----a-w C:\WINDOWS\system32\lxbkvs.dll
+ 1996-09-01 10:19:58 73,856 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\HLP256.DLL
+ 2001-01-19 15:50:20 40,960 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\INSTMON.EXE
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4E7BD74F-2B8D-469E-8CB0-AB60BB9AAE22}]
2007-05-25 08:15 1904128 --a------ C:\PROGRA~1\VOL_TO~1\VOL_TO~1.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{4E7BD74F-2B8D-469E-8CB0-AB60BB9AAE22}"= C:\PROGRA~1\VOL_TO~1\VOL_TO~1.DLL [2007-05-25 08:15 1904128]

[HKEY_CLASSES_ROOT\CLSID\{4E7BD74F-2B8D-469E-8CB0-AB60BB9AAE22}]
[HKEY_CLASSES_ROOT\vol_toolbar.VOL_TOOLBAR]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{4E7BD74F-2B8D-469E-8CB0-AB60BB9AAE22}"= C:\PROGRA~1\VOL_TO~1\VOL_TO~1.DLL [2007-05-25 08:15 1904128]

[HKEY_CLASSES_ROOT\CLSID\{4E7BD74F-2B8D-469E-8CB0-AB60BB9AAE22}]
[HKEY_CLASSES_ROOT\vol_toolbar.VOL_TOOLBAR]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PCDrProfiler"="" []
"HPBootOp"="C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-09-21 12:41]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-11 23:12]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 18:20]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-11-08 22:07]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-11-21 08:37]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-28 02:50]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-02-16 09:54]
"Lexmark X1100 Series"="C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe" [2003-08-19 05:43]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00]

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\
Pin.lnk - C:\hp\bin\CLOAKER.EXE [2005-11-21 08:13:35]

[HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="C:\\WINDOWS\\system32\\vvgeowbv.exe,C:\\WINDOWS\\system32\\userinit.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Works Calendar Reminders.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Works Calendar Reminders.lnk
backup=C:\WINDOWS\pss\Microsoft Works Calendar Reminders.lnkCommon Startup


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
"C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
C:\Program Files\Common Files\AOL\1142728209\ee\AOLSoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IPHSend]
C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
"C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\issch.exe" -start

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
%systemroot%\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pure Networks Port Magic]
"C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpiralFrog]
C:\Program Files\SpiralFrog\Spiralfrog.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\texqtape]
regsvr32 /u "C:\Documents and Settings\All Users\Application Data\texqtape.dll"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tgcmd]
C:\Program Files\Support.com\bin\tgcmd.exe /server /startmonitor /deaf

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VerizonServicepoint.exe]
"C:\Program Files\Verizon\VSP\VerizonServicepoint.exe" /AUTORUN

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Verizon_McciTrayApp]
C:\Program Files\Verizon\McciTrayApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Weather]
C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2d435b36-e506-11d9-9b78-e6b009352ae7}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480

.
Contents of the 'Scheduled Tasks' folder
"2007-11-11 22:05:37 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-11 17:46:56
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-11 17:48:33 - machine was rebooted
C:\ComboFix2.txt ... 2007-11-11 00:10
.
--- E O F ---

HIJACKTHIS LOG
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:50:14 PM, on 11/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
c:\windows\system\hpsysdrv.exe
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\HiJackThis\HiJackThis\HijackThis.exe

R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Verizon Broadband Toolbar - {4E7BD74F-2B8D-469E-8CB0-AB60BB9AAE22} - C:\PROGRA~1\VOL_TO~1\VOL_TO~1.DLL
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: Verizon Broadband Toolbar - {4E7BD74F-2B8D-469E-8CB0-AB60BB9AAE22} - C:\PROGRA~1\VOL_TO~1\VOL_TO~1.DLL
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O8 - Extra context menu item: Add To Compaq Organize... - C:\PROGRA~1\HEWLET~1\COMPAQ~1\bin/module.main/favorites\ie_add_to.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} - https://activatemydsl.verizon.net/sdcCommon...DSL/tgctlcm.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://ca.com/us/securityadvisor/pestscan/pestscan.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://ca.com/us/securityadvisor/virusinfo/webscan.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 7351 bytes

#6 SifuMike
    malware expert

Posted 11 November 2007 - 06:23 PM

Hi sandmanrdv,

Your log looks much better. :thumbsup:


Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove the older Java components and update.

Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6 Update 3.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6 Update 3".
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation, Multi-language jre-6-windows-i586.exe and save it to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
    Examples of older versions in Add or Remove Programs:
    Java 2 Runtime Environment, SE v1.4.2
    J2SE Runtime Environment 5.0
    J2SE Runtime Environment 5.0 Update 6
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u3-windows-i586-p.exe to install the newest version.
*******************************************

I suggest you disable TeaTimer because it can interfere with the changes you'll make on your system.

How to disable TeaTimer during HijackThis Cleanup

If TeaTimer gives you a warning afterwards that some changes were made, allow this instead of blocking it.

When everything is done and your log is clean again, you can enable it again.

*******************************************

We need to disable your Windows Defender Real-time Protection as it may interfere with the fixes that we need to make.
  • Open Windows Defender.
  • Click on Tools, General Settings.
  • Scroll down and uncheck Turn on real-time protection (recommended).
  • After you uncheck this, click on the Save button and close Windows Defender.
After all of the fixes are complete, it is very important that you enable Real-time Protection again.



*******************************************

Select the following with HijackThis.
With all windows (including this one!) closed (close browser/explorer windows), please select "fix checked".

These are optional fixes. The following are not necessarily spyware/malware, but we suggest you place a check mark next to the following entries, as these programs may be taking up system resources.

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
(Description: RealPlayer scheduler. Completely unnecessary. Removing this entry will free up a small amount of system resources.)

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
(Description: Apple's QuickTime Tray Icon which enables you to start QuickTime from the System Tray (from version 5 onward). Given the extremely simple functionality of this Tray icon, it is in our view an unreasonable resource hog - it has been measured to use as much as 1.5Mb of memory at times in earlier versions, and in version 7 it uses as much as 3.4Mb of memory on our test systems. Yet, on Windows PCs hardly anyone starts QuickTime manually, whether from the System Tray or otherwise - what usually happens is that the end-user opens a QuickTime movie file or email attachment and Windows then automatically opens QuickTime to enable the end-user to view the movie or video. There is therefore almost never a need for the end-user to start QuickTime manually from the System Tray. )

*******************************************



Let's empty the temp files:

Run CCleaner.

Reboot, post a fresh Hijackthis log, and tell me how your computer is running.

Edited by SifuMike, 11 November 2007 - 10:48 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
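As an added example (not code from BleepingComputer, HijackThis or anyone in this thread), a small Python triage helper for the O4 entries the post above asks sandmanrdv to fix: it parses HijackThis v2 O4 lines, lists the optional removals named above, and diffs two logs of the same PC to confirm which autostarts disappeared after "fix checked". The before/after excerpts are constructed from lines in this thread's logs.

```python
import re
from dataclasses import dataclass

# The two autostarts SifuMike listed as optional "fix checked" items above
# (resource hogs rather than malware).
OPTIONAL_REMOVALS = {"TkBellExe", "QuickTime Task"}

# Registry form:  O4 - HKLM\..\Run: [Name] command  [ (User 'account')]
REG_RE = re.compile(
    r"^O4 - (?P<hive>.+?)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]+)\] (?P<rest>.*)$"
)
# Startup-folder form:  O4 - .DEFAULT User Startup: Pin.lnk = target (User 'account')
STARTUP_RE = re.compile(r"^O4 - (?P<hive>.+?) Startup: (?P<name>.+?) = (?P<rest>.*)$")
USER_RE = re.compile(r"^(?P<cmd>.*?) \(User '(?P<user>[^']*)'\)$")
# Executable in either the quoted or the unquoted-with-arguments form.
EXE_RE = re.compile(r'^"(?P<q>[^"]+)"|^(?P<u>.+?\.(?:exe|dll|com|bat|cmd))(?:\s|$)', re.I)


@dataclass(frozen=True)
class Autostart:
    hive: str     # HKLM, HKCU, HKUS\S-1-5-18, ".DEFAULT User", ...
    key: str      # Run, RunOnce, ... or "Startup" for startup-folder items
    name: str     # registry value name or .lnk name
    command: str  # command line exactly as HijackThis printed it
    user: str     # account HijackThis attributed the entry to ("" if none)

    @property
    def exe(self) -> str:
        """Executable path with arguments stripped."""
        m = EXE_RE.match(self.command)
        return (m.group("q") or m.group("u")) if m else self.command

    def identity(self):
        # Hive + key + name identifies an entry across two logs of one machine.
        return (self.hive.upper(), self.key.upper(), self.name.lower())


def _split_user(rest: str):
    m = USER_RE.match(rest)
    return (m.group("cmd"), m.group("user")) if m else (rest, "")


def parse_o4(line: str):
    """Return an Autostart for a HijackThis O4 line, or None for any other line."""
    line = line.strip()
    m = REG_RE.match(line)
    if m:
        cmd, user = _split_user(m.group("rest"))
        return Autostart(m.group("hive"), m.group("key"), m.group("name"), cmd, user)
    m = STARTUP_RE.match(line)
    if m:
        cmd, user = _split_user(m.group("rest"))
        return Autostart(m.group("hive"), "Startup", m.group("name"), cmd, user)
    return None


def parse_log(text: str):
    return [e for e in map(parse_o4, text.splitlines()) if e is not None]


def optional_removals(entries):
    """Names of autostarts the helper suggested ticking in 'fix checked'."""
    return sorted({e.name for e in entries if e.name in OPTIONAL_REMOVALS})


def diff_logs(before, after):
    """(removed, added) entry names between two logs of the same machine."""
    b = {e.identity(): e for e in before}
    a = {e.identity(): e for e in after}
    removed = sorted(b[k].name for k in b.keys() - a.keys())
    added = sorted(a[k].name for k in a.keys() - b.keys())
    return removed, added


# Constructed before/after excerpts; the lines are copied from the two logs in
# this thread (the first log and the one posted after 'fix checked').
BEFORE_LOG = r"""
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
"""
AFTER_LOG = r"""
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
"""

if __name__ == "__main__":
    before, after = parse_log(BEFORE_LOG), parse_log(AFTER_LOG)
    print("optional removals present:", optional_removals(before))
    removed, added = diff_logs(before, after)
    print("gone after fix:", removed)
    print("new since fix:", added)
    for e in after:
        print(f"{e.hive}\\{e.key} [{e.name}] -> {e.exe}")
```

The diff shows the two optional entries gone and the new SunJavaUpdateSched autostart that the Java 6 Update 3 install added, which is what you would expect to see after following the post.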

#7 sandmanrdv
  • Topic Starter

Posted 11 November 2007 - 08:36 PM

Alrighty Sifu Mike,
I think everything went OK with that as well. As far as the computer's performance goes, speed has picked up. The icon that was in the task tray near the clock, which kept popping up a warning about spyware and, when you clicked it, took you to the website address I mentioned in my first post, is now gone. The desktop background, however, remains the black screen with the following text: "Warning Spyware Threat Has Been Detected On Your PC, Computer has several fatal errors due to spyware blah blah." From what the owner of the computer told me, this was part of the infection.
I also had a question about an entry I saw in the ComboFix log. I am not sure if it was something that was removed or not, but the entry was "2007-10-29 20:41 <DIR> d-------- C:\WINDOWS\system32\acespy". I am not meaning to play expert, but I remember seeing or reading somewhere that this was a baddie. Not sure though. My HijackThis log follows, and thank you again for all of your assistance so far; it is greatly appreciated!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:26:43 PM, on 11/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\HiJackThis\HiJackThis\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe

R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Verizon Broadband Toolbar - {4E7BD74F-2B8D-469E-8CB0-AB60BB9AAE22} - C:\PROGRA~1\VOL_TO~1\VOL_TO~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: Verizon Broadband Toolbar - {4E7BD74F-2B8D-469E-8CB0-AB60BB9AAE22} - C:\PROGRA~1\VOL_TO~1\VOL_TO~1.DLL
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O8 - Extra context menu item: Add To Compaq Organize... - C:\PROGRA~1\HEWLET~1\COMPAQ~1\bin/module.main/favorites\ie_add_to.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} - https://activatemydsl.verizon.net/sdcCommon...DSL/tgctlcm.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://ca.com/us/securityadvisor/pestscan/pestscan.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://ca.com/us/securityadvisor/virusinfo/webscan.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 7066 bytes
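As an added example (not from this thread or from HijackThis itself), the following Python script parses lines in the HijackThis log format shown above, pulls the file path and CLSID out of each entry, and lists entries that launch a local file from somewhere other than the usual Program Files and Windows folders, which is where a reviewer would start a manual lookup. The sample lines are copied from the log above; the section-code pattern and the path heuristic are the script's own assumptions, not HijackThis's.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Constructed sample: six lines copied from the HijackThis log above.
SAMPLE_LOG = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://ca.com/us/securityadvisor/pestscan/pestscan.cab
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
"""
# Every entry starts with a section code (R0-R3, F0-F3, N1-N4, O1-O24).
ENTRY_RE = re.compile(r"^(?P<section>[RFNO]\d+) - (?P<body>.+)$")
# First local file path in the body; surrounding quotes and arguments are ignored.
PATH_RE = re.compile(r'([A-Za-z]:\\[^"]*?\.(?:exe|dll|cab|html?))', re.IGNORECASE)
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")  # BHOs, toolbars, buttons, ActiveX
# Folders where installed software normally lives on Windows XP (assumption).
STANDARD_DIRS = ("c:\\program files\\", "c:\\progra~1\\", "c:\\windows\\")

@dataclass
class Entry:
    section: str
    path: Optional[str]
    clsid: Optional[str]

    def outside_standard_dirs(self) -> bool:
        # True when the entry launches a local file from a nonstandard folder.
        return self.path is not None and not self.path.lower().startswith(STANDARD_DIRS)

def parse_log(text: str) -> list:
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue  # header, blank line or "End of file" trailer
        path, clsid = PATH_RE.search(m["body"]), CLSID_RE.search(m["body"])
        entries.append(Entry(m["section"],
                             path.group(1) if path else None,
                             clsid.group(0) if clsid else None))
    return entries

def summarize(text: str) -> dict:
    """Counts per section, paths worth a manual lookup, entries with no local file."""
    entries = parse_log(text)
    return {"per_section": dict(Counter(e.section for e in entries)),
            "review": [e.path for e in entries if e.outside_standard_dirs()],
            "no_local_file": [e.section for e in entries if e.path is None]}
```

A flagged path only means "look this one up"; C:\hp\bin\CLOAKER.EXE in the log above is an OEM startup item, and the helper's verdict on the thread's log stands.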

#8 sandmanrdv


Posted 11 November 2007 - 08:46 PM

I apologize; please ignore my comment about the Desktop. I changed it through Control Panel and now it is actually staying. Before, it would revert to the black screen I described.

#9 SifuMike


Posted 11 November 2007 - 10:45 PM

Hi sandmanrdv,

but the entry was "2007-10-29 20:41 <DIR> d-------- C:\WINDOWS\system32\acespy". I am not meaning to play expert but I remember seeing or reading somewhere that this was a baddie. Not sure though.


That is an empty folder, so it looks like the malware program associated with it, systune.exe, was previously removed by an antimalware program or was uninstalled.
No systune.exe is there, so you are OK.
systune.exe is a process belonging to the Ace Spy advertising program by Retina-X Studios.

For cleanup, you can delete the empty folder C:\WINDOWS\system32\acespy.


Your log looks clean. :thumbsup:
How is the computer running?

Edited by SifuMike, 11 November 2007 - 10:46 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#10 sandmanrdv


Posted 11 November 2007 - 10:57 PM

SifuMike,
Thank you for clarifying that for me; I wasn't trying to be a smart a$$ questioning you. The PC seems to be running like a top!! Since I will be returning the computer to its owner, who has several younger children who use the machine, should I delete any of the programs that we have installed for the fixes?
My plan to help her avoid being reinfected: obviously the kids need to be warned about where they surf, but I had also planned to have Microsoft Defender real-time protection with auto updates and daily scans, in addition to Spybot and Ad-Aware, which I will have to show them how to update and run periodically. I installed the AVG anti-virus and have that set up. Any other suggestions are welcome. I would also like to thank you for your time, effort and patience in assisting me. You and the others who assist users on the board definitely have some good karma floating in the universe. :thumbsup:

#11 SifuMike


Posted 12 November 2007 - 12:38 AM

A few more things to do. :thumbsup:

Uninstall ComboFix: go to Start > Run and type in ComboFix /u
Make sure there's a space between ComboFix and /
Then hit Enter.

This will uninstall ComboFix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Please read and follow "How did I get infected?, With steps so it does not happen again!"
as well as
"How to prevent Malware" by miekiemoes


If you want to improve speed/system performance after malware removal, take a look here.

#12 sandmanrdv


Posted 12 November 2007 - 12:10 PM

Mike, thank you for your help; I greatly appreciate it. I will be printing out some of that information so they can take steps to keep this from happening again. I think we can close this case as solved! :thumbsup:

#13 SifuMike


Posted 12 November 2007 - 02:38 PM

You're most welcome. :thumbsup: And I thank you for taking the time to say thank you! It's amazing just how far those two little words go. :blink:


Since your problem appears to be resolved, this thread will now be closed. If you need this topic reopened, please contact me or a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request. If you should have a new issue, please start a new topic. This applies only to the original topic starter. Everyone else please begin a New Topic.
