spyware infection [CLOSED]



#1
needhelp238
New Member, 8 posts
Hello,

I am getting an alert window that says "Windows has detected a spyware infection", then it wants me to download a Windows anti-spyware program.

1. I am getting a pop-up every few minutes with the pop-up blocker on
2. I have run Ad-Aware
3. Run AVG Free

I read another post where you asked the person to run HijackThis and paste in the info, so I have done the same.

Thank you for any help you can give me.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:28:57 AM, on 5/30/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\Windows\xpupdate.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://global.acer.com
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O8 - Extra context menu item: &Search - http://km.bar.need2f...earch.html?p=KM
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symant...ex/symdlmgr.cab
O16 - DPF: {F127B9BA-89EA-4B04-9C67-2074A9DF61FD} (Photo Upload Plugin Class) - http://cvs.pnimedia....tupv2.0.0.9.cab?
O18 - Filter hijack: text/html - (no CLSID) - (no file)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

--
End of file - 3705 bytes


#2
koko_crunch
Trusted Helper (Retired Staff), 1,751 posts
Hello needhelp238 and Welcome to Geeks to Go!

Looking at your log, I found signs of malware on your system.
Please stick with me until we get you cleaned up. :)

Please read this post completely before proceeding with the fix.
If you have questions, don't hesitate to ask.

Let's start.

First,

Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Then,

Please download VundoFix.exe to your desktop
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.

Please post back with the following logs.

- MBAM log
- Vundofix log
- New HijackThis log

#3
needhelp238 (Topic Starter)
New Member, 8 posts
Thank you for your help. Here is what we have:

Malwarebytes' Anti-Malware

Malwarebytes' Anti-Malware 1.14
Database version: 800

9:41:21 AM 5/30/2008
mbam-log-5-30-2008 (09-41-21).txt

Scan type: Quick Scan
Objects scanned: 37036
Time elapsed: 7 minute(s), 29 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 3
Registry Keys Infected: 15
Registry Values Infected: 2
Registry Data Items Infected: 1
Folders Infected: 1
Files Infected: 16

Memory Processes Infected:
C:\WINDOWS\xpupdate.exe (Trojan.Fakealert) -> Unloaded process successfully.

Memory Modules Infected:
C:\WINDOWS\system32\__c002D599.dat (Trojan.Agent) -> Unloaded module successfully.
C:\WINDOWS\system32\qoMeFXpm.dll (Trojan.Vundo) -> Unloaded module successfully.
C:\WINDOWS\system32\yayvWpno.dll (Trojan.Vundo) -> Unloaded module successfully.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{147a976f-eee1-4377-8ea7-4716e4cdd239} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{9afb8248-617f-460d-9366-d71cdeda3179} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\__c002d599 (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{69c0e17b-4562-4bea-bc22-0a60e349e465} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{69c0e17b-4562-4bea-bc22-0a60e349e465} (Trojan.Vundo) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{32341e7e-c319-46de-91d0-e30bb1a3caba} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{32341e7e-c319-46de-91d0-e30bb1a3caba} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\yayvwpno (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\windows update loader (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{32341e7e-c319-46de-91d0-e30bb1a3caba} (Trojan.Vundo) -> Delete on reboot.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\qomefxpm -> Delete on reboot.

Folders Infected:
C:\Program Files\LiveAntispy (Rogue.LiveAntispy) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\KCMDNIns.exe (Trojan.Inject) -> Quarantined and deleted successfully.
C:\Program Files\LiveAntispy\LiveAntispy.exe (Rogue.LiveAntispy) -> Quarantined and deleted successfully.
C:\Program Files\LiveAntispy\LiveAntispy.lic (Rogue.LiveAntispy) -> Quarantined and deleted successfully.
C:\Program Files\LiveAntispy\Uninstall.exe (Rogue.LiveAntispy) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\__c002D599.dat (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\~.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\xpupdate.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\acrsecB.fon (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\acrsecI.fon (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\qoMeFXpm.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\rqRLdDVP.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\pmnonmLB.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\awtrOhed.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\yayvWpno.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\__c00BF1DC.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Cliff and Micky\Application Data\Install.dat (Trojan.Agent) -> Quarantined and deleted successfully.



VundoFix


VundoFix V7.0.5

Scan started at 9:46:40 AM 5/30/2008

Listing files found while scanning....

No infected files were found.


HijackThis

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:52:47 AM, on 5/30/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://global.acer.com
O2 - BHO: {48fa456b-0669-5238-3c04-0b2dc07f87f4} - {4f78f70c-d2b0-40c3-8325-9660b654af84} - C:\WINDOWS\system32\eqxoijxn.dll
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O8 - Extra context menu item: &Search - http://km.bar.need2f...earch.html?p=KM
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symant...ex/symdlmgr.cab
O16 - DPF: {F127B9BA-89EA-4B04-9C67-2074A9DF61FD} (Photo Upload Plugin Class) - http://cvs.pnimedia....tupv2.0.0.9.cab?
O18 - Filter hijack: text/html - (no CLSID) - (no file)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

--
End of file - 3820 bytes
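Reviewing a HijackThis log by eye, as koko_crunch does above, and then comparing the new log against the first one can be mechanised. The Python below is an added example, not code from the thread or from HijackThis: it parses the R/O entries, flags the autostart (O4), BHO (O2) and filter (O18) lines a reviewer would look at first, and diffs two logs. The heuristics (unusual directories, GUID-only BHO names) and the constructed log excerpts are mine.

```python
"""Parse and triage HijackThis logs, and diff a 'before' and 'after' log.

Added example, not part of the original thread and not HijackThis code.
The sample logs are constructed excerpts of the two logs posted in this thread.
"""
import re
from dataclasses import dataclass

# Every reportable line starts with a section code (R1, O2, O4, O23 ...) and " - ".
ENTRY_RE = re.compile(r"^(R\d|F\d|N\d|O\d+) - (.*)$")
# O4 body: "HKCU\..\Run: [Display name] C:\path\prog.exe /args (User 'X')"
O4_RE = re.compile(r"^(?P<hive>[^:]+): \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")

# Locations a legitimate autostart seldom runs from directly (lower-case, trailing '\').
UNUSUAL_DIRS = ("c:\\windows\\", "\\temp\\", "\\local settings\\", "\\application data\\")
# Windows subdirectories that are normal homes for autostart binaries.
SYSTEM_SUBDIRS = ("c:\\windows\\system32\\", "c:\\windows\\pchealth\\")


@dataclass(frozen=True)
class Entry:
    code: str  # e.g. "O4"
    body: str  # everything after "O4 - "


def parse_log(text: str) -> list[Entry]:
    """Return the R/F/N/O entries of a HijackThis log, in file order."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group(1), m.group(2)))
    return entries


def _exe_path(cmd: str) -> str:
    """Lower-cased path of the launched binary, minus arguments and the (User '...') note."""
    cmd = re.sub(r"\s*\(User '[^']*'\)\s*$", "", cmd)
    m = re.match(r"(.*?\.(?:exe|dll|com|scr|bat))", cmd, re.IGNORECASE)
    return (m.group(1) if m else cmd).lower()


def triage(entries: list[Entry]) -> list[tuple[Entry, list[str]]]:
    """Entries a reviewer should look at first, each with the reasons it was flagged."""
    flagged = []
    for e in entries:
        reasons = []
        if e.code == "O4" and (m := O4_RE.match(e.body)):
            path = _exe_path(m.group("cmd"))
            in_sysdir = path.startswith(SYSTEM_SUBDIRS)
            if not in_sysdir and any(d in path for d in UNUSUAL_DIRS):
                reasons.append(f"runs from an unusual location: {path}")
            if "update" in m.group("name").lower() and "microsoft" not in path and not in_sysdir:
                reasons.append("display name imitates Windows Update")
        elif e.code == "O2":
            # BHO body: "BHO: <name or GUID> - {CLSID} - C:\path\file.dll"
            parts = [p.strip() for p in e.body.split(" - ")]
            if len(parts) >= 3 and parts[0].lower().startswith("bho: {"):
                reasons.append(f"BHO has no readable name, only a GUID; loads {parts[-1]}")
        elif e.code == "O18" and "(no file)" in e.body:
            reasons.append("MIME filter hijack entry with no backing file")
        if reasons:
            flagged.append((e, reasons))
    return flagged


def diff_logs(before: str, after: str) -> tuple[list[str], list[str]]:
    """(removed, added) entries between two logs, ignoring order and the process list."""
    b = {f"{e.code} - {e.body}" for e in parse_log(before)}
    a = {f"{e.code} - {e.body}" for e in parse_log(after)}
    return sorted(b - a), sorted(a - b)


# Constructed excerpts of the first (post #1) and second (post #3) HijackThis logs.
BEFORE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\Windows\xpupdate.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O18 - Filter hijack: text/html - (no CLSID) - (no file)
"""
AFTER_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
O2 - BHO: {48fa456b-0669-5238-3c04-0b2dc07f87f4} - {4f78f70c-d2b0-40c3-8325-9660b654af84} - C:\WINDOWS\system32\eqxoijxn.dll
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O18 - Filter hijack: text/html - (no CLSID) - (no file)
"""

if __name__ == "__main__":
    for entry, reasons in triage(parse_log(BEFORE_LOG)):
        print(f"{entry.code} - {entry.body}\n    " + "; ".join(reasons))
    removed, added = diff_logs(BEFORE_LOG, AFTER_LOG)
    print("removed since first log:", *removed, sep="\n  ")
    print("new since first log:", *added, sep="\n  ")
```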

#4
needhelp238 (Topic Starter)
New Member, 8 posts
Good news maybe.

Before, the computer would not let me turn on automatic Microsoft updates, even using services.msc. But after running those programs it is letting me update.

#5
koko_crunch
Trusted Helper (Retired Staff), 1,751 posts
That's good to hear but we're not done yet. Please stick around until I give you the all clear. :)

Next,

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • Please, never rename Combofix unless instructed.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------

  • Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

#6
needhelp238 (Topic Starter)
New Member, 8 posts
Another good thing happened. My background had turned black and would not let me change it. After running ComboFix my background is back. Thanks!

ComboFix

ComboFix 08-05-29.1 - Cliff and Micky 2008-05-30 13:17:06.1 - NTFSx86
Running from: C:\Documents and Settings\Cliff and Micky\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\smdat32a.sys
C:\WINDOWS\smdat32m.sys
C:\WINDOWS\system32\__c002D599.dat
C:\WINDOWS\system32\eqxoijxn.dll
C:\WINDOWS\system32\mpXFeMoq.ini
C:\WINDOWS\system32\mpXFeMoq.ini2
C:\WINDOWS\system32\qgrcvhvv.dll
C:\WINDOWS\system32\qoMeFXpm.dll
C:\WINDOWS\system32\vvhvcrgq.ini

.
((((((((((((((((((((((((( Files Created from 2008-04-28 to 2008-05-30 )))))))))))))))))))))))))))))))
.

2008-05-30 09:46 . 2008-05-30 09:46 <DIR> d-------- C:\VundoFix Backups
2008-05-30 09:26 . 2008-05-30 09:31 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-30 09:26 . 2008-05-30 09:26 <DIR> d-------- C:\Documents and Settings\Cliff and Micky\Application Data\Malwarebytes
2008-05-30 09:26 . 2008-05-30 09:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-30 09:26 . 2008-05-30 01:06 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-05-30 09:26 . 2008-05-30 01:06 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-05-30 00:18 . 2008-05-30 00:18 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-29 19:05 . 2008-05-29 19:06 <DIR> dr-h----- C:\$VAULT$.AVG
2008-05-28 12:49 . 2008-05-29 12:51 33,925 ---hs---- C:\WINDOWS\system32\hxxpdsog.ini
2008-05-28 12:42 . 2008-05-30 09:41 59,904 --------- C:\WINDOWS\system32\yayvWpno.dll
2008-04-15 07:43 . 2008-05-24 10:36 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-04-15 07:43 . 2008-04-15 07:43 1,409 --a------ C:\WINDOWS\QTFont.for

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-30 17:14 --------- d-----w C:\Documents and Settings\Cliff and Micky\Application Data\AVG7
2008-05-30 02:23 361 ----a-w C:\Documents and Settings\Cliff and Micky\Cliff and Micky_notes.dat
2008-05-15 15:50 --------- d-----w C:\Documents and Settings\All Users\Application Data\pdf995
2008-04-04 12:52 --------- d-----w C:\Documents and Settings\Cliff and Micky\Application Data\gtk-2.0
2008-04-03 00:59 --------- d-----w C:\Documents and Settings\Cliff and Micky\Application Data\FileZilla
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\dllcache\msjint40.dll
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\dllcache\win32k.sys
2008-03-13 02:24 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\dllcache\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dllcache\dnsrslvr.dll
2008-02-20 05:32 148,992 ----a-w C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-02-15 09:07 18,432 ----a-w C:\WINDOWS\system32\dllcache\iedw.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:00 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-11-03 20:58 219136]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ePad995.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ePad995.lnk
backup=C:\WINDOWS\pss\ePad995.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\A00F4E74F60.exe]
C:\DOCUME~1\CLIFFA~1\LOCALS~1\Temp\_A00F4E74F60.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AspireService]
--a------ 2005-09-29 19:07 114688 C:\Program Files\Acer\Acer eMode Management\AspireService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]
--a------ 2008-04-15 08:03 579584 C:\PROGRA~1\Grisoft\AVG7\avgcc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BAloud4]
C:\Program Files\Texthelp Systems\Browsealoud\4.0\BAloud4.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 01:00 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eRecoveryService]
--a------ 2005-11-16 20:00 397312 C:\Acer\Empowering Technology\eRecovery\Monitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\fc41625a]
C:\WINDOWS\system32\qgrcvhvv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
--a------ 2006-11-13 13:39 1289000 C:\Program Files\Microsoft ActiveSync\Wcescomm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
--a------ 2004-08-04 01:00 208952 C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LaunchApp]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MediaSync]
--a------ 2005-09-21 16:48 425984 C:\Program Files\Acer\Acer eConsole\MediaSync.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPY2002]
--a------ 2004-08-04 01:00 59392 C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ntiMUI]
--a------ 2005-05-11 22:15 45056 c:\Program Files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
--a------ 2004-08-04 01:00 455168 C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
--a------ 2004-08-04 01:00 455168 C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-04-27 09:41 282624 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
--a------ 2004-11-03 00:24 32768 C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
--a------ 2005-09-21 20:42 90112 C:\WINDOWS\soundman.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2005-08-26 22:14 36975 C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UDC Integration]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTimer]
--a------ 2005-05-13 08:57 53248 C:\WINDOWS\system32\VTTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"Symantec Core LC"=2 (0x2)
"RioMSC"=2 (0x2)
"ose"=3 (0x3)
"MDM"=2 (0x2)
"Acer Media Server"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Disabled:ActiveSync Application
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"= C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Disabled:ActiveSync Connection Manager
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"= C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Disabled:ActiveSync RAPI Manager
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\PageBreeze\\pagebreeze.exe"=
"C:\\WINDOWS\\system32\\sessmgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Disabled:ActiveSync Service

S3 PhotoFrame;PhotoFrame_2.0 Device;C:\WINDOWS\system32\DRIVERS\PhotoFrame.sys [2007-07-11 23:05]

.
Contents of the 'Scheduled Tasks' folder
"2008-05-29 00:08:05 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-30 13:22:29
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
.
**************************************************************************
.
Completion time: 2008-05-30 13:26:48 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-30 17:26:43

Pre-Run: 55,544,655,872 bytes free
Post-Run: 55,479,529,472 bytes free

157 --- E O F --- 2008-05-30 14:00:59


HijackThis


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:28:00 PM, on 5/30/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\internet explorer\iexplore.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O8 - Extra context menu item: &Search - http://km.bar.need2f...earch.html?p=KM
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symant...ex/symdlmgr.cab
O16 - DPF: {F127B9BA-89EA-4B04-9C67-2074A9DF61FD} (Photo Upload Plugin Class) - http://cvs.pnimedia....tupv2.0.0.9.cab?
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

--
End of file - 3690 bytes

#7
koko_crunch
Trusted Helper (Retired Staff), 1,751 posts
Much better... But we're not done yet. :)

Next,

Jotti File Submission:
  • Please go to Jotti's malware scan
  • Copy and paste the following file path into the "File to upload & scan" box at the top of the page:

    • C:\WINDOWS\system32\DRIVERS\PhotoFrame.sys
  • Click on the submit button
  • Please post the results in your next reply.

Then,

1. Please open Notepad
  • Click Start, then Run
  • Type notepad.exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\WINDOWS\system32\hxxpdsog.ini
C:\WINDOWS\system32\yayvWpno.dll
C:\DOCUME~1\CLIFFA~1\LOCALS~1\Temp\_A00F4E74F60.exe
C:\WINDOWS\system32\qgrcvhvv.dll

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\fc41625a]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\A00F4E74F60.exe]



3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.

Logs required on next post.

-Jotti log
-CF log
-New Hijackthis
  • 0
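As an added example (not from this thread, ComboFix or the helper's instructions), a small Python script that parses the CFScript format shown above and then reads the ComboFix log it produces to report which of the requested file deletions the log actually confirms. The sample script and log fragment are constructed from the posts in this thread; the log layout it relies on (paths listed under the "Other Deletions" banner) is an assumption taken from the log as posted.

```python
"""Cross-check a ComboFix CFScript against the ComboFix log it produced.

Added example for this thread, not part of ComboFix or HijackThis.
Handles the two directives used in the script above ("File::" and
"Registry::") and the "[-KEY]" registry deletion syntax; other CFScript
directives are out of scope.
"""
import re

# Constructed from the CFScript posted in this thread.
SAMPLE_SCRIPT = r"""
File::
C:\WINDOWS\system32\hxxpdsog.ini
C:\WINDOWS\system32\yayvWpno.dll
C:\DOCUME~1\CLIFFA~1\LOCALS~1\Temp\_A00F4E74F60.exe
C:\WINDOWS\system32\qgrcvhvv.dll

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\fc41625a]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\A00F4E74F60.exe]
"""

# Constructed fragment of the ComboFix.txt posted in reply (layout assumed
# from that log: a banner line wrapped in parentheses opens each block).
SAMPLE_LOG = r"""
FILE ::
C:\DOCUME~1\CLIFFA~1\LOCALS~1\Temp\_A00F4E74F60.exe
C:\WINDOWS\system32\hxxpdsog.ini
C:\WINDOWS\system32\qgrcvhvv.dll
C:\WINDOWS\system32\yayvWpno.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\hxxpdsog.ini
C:\WINDOWS\system32\yayvWpno.dll

.
((((((((((((((((((((((((( Files Created from 2008-04-28 to 2008-05-30 )))))))))))))))))))))))))))))))
.
2008-05-30 09:46 . 2008-05-30 09:46 <DIR> d-------- C:\VundoFix Backups
"""


def parse_cfscript(text):
    """Return {'file': [...], 'registry': [...]} from CFScript text.

    Registry entries are returned without the surrounding "[-...]" so the
    caller gets the bare key path that the script asks ComboFix to delete.
    """
    sections = {"file": [], "registry": []}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.endswith("::"):            # section header such as "File::"
            current = line[:-2].lower()
            sections.setdefault(current, [])
            continue
        if current is None:
            raise ValueError(f"entry outside any section: {line}")
        if current == "registry":
            m = re.fullmatch(r"\[-(.+)\]", line)
            if not m:
                raise ValueError(f"unrecognised Registry:: entry: {line}")
            line = m.group(1)
        sections[current].append(line)
    return sections


def combofix_deletions(log):
    """Collect the paths ComboFix lists under its 'Other Deletions' banner."""
    deleted = []
    in_block = False
    for line in log.splitlines():
        s = line.strip()
        if s.startswith("((((") and "Other Deletions" in s:
            in_block = True
            continue
        if in_block and s.startswith("(((("):   # next banner ends the block
            break
        if in_block and re.match(r"^[A-Za-z]:\\", s):
            deleted.append(s)
    return deleted


def reconcile(script_text, log_text):
    """Split the script's File:: entries into confirmed and unconfirmed deletions."""
    requested = parse_cfscript(script_text)["file"]
    deleted = {p.lower() for p in combofix_deletions(log_text)}   # paths are case-insensitive
    confirmed = [p for p in requested if p.lower() in deleted]
    unconfirmed = [p for p in requested if p.lower() not in deleted]
    return confirmed, unconfirmed


if __name__ == "__main__":
    done, pending = reconcile(SAMPLE_SCRIPT, SAMPLE_LOG)
    print("confirmed deleted:", *done, sep="\n  ")
    print("not listed as deleted (already gone, or still present):", *pending, sep="\n  ")
```

Entries that come back as unconfirmed are the ones to look for in the next HijackThis log, since ComboFix did not report removing them.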

#8
needhelp238

needhelp238

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Thanks!

Here you go:

Jotti - hope this is what you needed

Packers detected: -

Scanner results
Scan taken on 30 May 2008 23:21:43 (GMT)
A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Ikarus Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing


Scanner Malware name
A-Squared X
AntiVir X
ArcaVir X
Avast X
AVG Antivirus X
BitDefender X
ClamAV X
CPsecure X
Dr.Web X
F-Prot Antivirus X
F-Secure Anti-Virus Trojan.Win32.Patched.bb
Fortinet X
Ikarus X
Kaspersky Anti-Virus Trojan.Win32.Patched.bb
NOD32 X
Norman Virus Control X
Panda Antivirus X
Sophos Antivirus Troj/User32Hk-A
VirusBuster X
VBA32 X


ComboFix


ComboFix 08-05-29.1 - Cliff and Micky 2008-05-30 19:26:55.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.43 [GMT -4:00]
Running from: C:\Documents and Settings\Cliff and Micky\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Cliff and Micky\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\DOCUME~1\CLIFFA~1\LOCALS~1\Temp\_A00F4E74F60.exe
C:\WINDOWS\system32\hxxpdsog.ini
C:\WINDOWS\system32\qgrcvhvv.dll
C:\WINDOWS\system32\yayvWpno.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\hxxpdsog.ini
C:\WINDOWS\system32\yayvWpno.dll

.
((((((((((((((((((((((((( Files Created from 2008-04-28 to 2008-05-30 )))))))))))))))))))))))))))))))
.

2008-05-30 09:46 . 2008-05-30 09:46 <DIR> d-------- C:\VundoFix Backups
2008-05-30 09:26 . 2008-05-30 09:31 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-30 09:26 . 2008-05-30 09:26 <DIR> d-------- C:\Documents and Settings\Cliff and Micky\Application Data\Malwarebytes
2008-05-30 09:26 . 2008-05-30 09:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-30 09:26 . 2008-05-30 01:06 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-05-30 09:26 . 2008-05-30 01:06 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-05-30 00:18 . 2008-05-30 00:18 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-29 19:05 . 2008-05-29 19:06 <DIR> dr-h----- C:\$VAULT$.AVG
2008-04-15 07:43 . 2008-05-24 10:36 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-04-15 07:43 . 2008-04-15 07:43 1,409 --a------ C:\WINDOWS\QTFont.for

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-30 17:14 --------- d-----w C:\Documents and Settings\Cliff and Micky\Application Data\AVG7
2008-05-30 02:23 361 ----a-w C:\Documents and Settings\Cliff and Micky\Cliff and Micky_notes.dat
2008-05-15 15:50 --------- d-----w C:\Documents and Settings\All Users\Application Data\pdf995
2008-04-04 12:52 --------- d-----w C:\Documents and Settings\Cliff and Micky\Application Data\gtk-2.0
2008-04-03 00:59 --------- d-----w C:\Documents and Settings\Cliff and Micky\Application Data\FileZilla
.

((((((((((((((((((((((((((((( [email protected]_13.26.28.54 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-30 17:21:07 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-30 23:16:38 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-30 23:17:36 16,384 ----atw C:\WINDOWS\temp\Perflib_Perfdata_7a0.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:00 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-11-03 20:58 219136]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ePad995.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ePad995.lnk
backup=C:\WINDOWS\pss\ePad995.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AspireService]
--a------ 2005-09-29 19:07 114688 C:\Program Files\Acer\Acer eMode Management\AspireService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]
--a------ 2008-04-15 08:03 579584 C:\PROGRA~1\Grisoft\AVG7\avgcc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BAloud4]
C:\Program Files\Texthelp Systems\Browsealoud\4.0\BAloud4.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 01:00 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eRecoveryService]
--a------ 2005-11-16 20:00 397312 C:\Acer\Empowering Technology\eRecovery\Monitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
--a------ 2006-11-13 13:39 1289000 C:\Program Files\Microsoft ActiveSync\Wcescomm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
--a------ 2004-08-04 01:00 208952 C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LaunchApp]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MediaSync]
--a------ 2005-09-21 16:48 425984 C:\Program Files\Acer\Acer eConsole\MediaSync.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPY2002]
--a------ 2004-08-04 01:00 59392 C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ntiMUI]
--a------ 2005-05-11 22:15 45056 c:\Program Files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
--a------ 2004-08-04 01:00 455168 C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
--a------ 2004-08-04 01:00 455168 C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-04-27 09:41 282624 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
--a------ 2004-11-03 00:24 32768 C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
--a------ 2005-09-21 20:42 90112 C:\WINDOWS\soundman.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2005-08-26 22:14 36975 C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UDC Integration]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTimer]
--a------ 2005-05-13 08:57 53248 C:\WINDOWS\system32\VTTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"Symantec Core LC"=2 (0x2)
"RioMSC"=2 (0x2)
"ose"=3 (0x3)
"MDM"=2 (0x2)
"Acer Media Server"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Disabled:ActiveSync Application
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"= C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Disabled:ActiveSync Connection Manager
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"= C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Disabled:ActiveSync RAPI Manager
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\PageBreeze\\pagebreeze.exe"=
"C:\\WINDOWS\\system32\\sessmgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Disabled:ActiveSync Service

S3 PhotoFrame;PhotoFrame_2.0 Device;C:\WINDOWS\system32\DRIVERS\PhotoFrame.sys [2007-07-11 23:05]

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2008-05-29 00:08:05 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-30 19:30:13
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-05-30 19:32:19
ComboFix-quarantined-files.txt 2008-05-30 23:32:15
ComboFix2.txt 2008-05-30 17:26:49

Pre-Run: 55,568,039,936 bytes free
Post-Run: 55,561,621,504 bytes free

136 --- E O F --- 2008-05-30 14:00:59



Hijackthis

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:35:38 PM, on 5/30/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O8 - Extra context menu item: &Search - http://km.bar.need2f...earch.html?p=KM
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symant...ex/symdlmgr.cab
O16 - DPF: {F127B9BA-89EA-4B04-9C67-2074A9DF61FD} (Photo Upload Plugin Class) - http://cvs.pnimedia....tupv2.0.0.9.cab?
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

--
End of file - 3690 bytes
  • 0

#9
koko_crunch

koko_crunch

    Trusted Helper

  • Retired Staff
  • 1,751 posts
Hey,

Could you redo this?

Jotti File Submission:
  • Please go to Jotti's malware scan
  • Copy and paste the following file path into the "File to upload & scan" box on the top of the page:

  • C:\WINDOWS\system32\DRIVERS\PhotoFrame.sys

Then post back with complete log please.
thanks... :)

Edited by koko_crunch, 30 May 2008 - 11:01 PM.

  • 0

#10
needhelp238

needhelp238

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Not sure what the "log" is, so I just copied and pasted the whole page. Thanks again for the help.


Service load: 0% 100%

File: PhotoFrame.sys
Status: OK (Note: file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5: 65327a0a6f96bf8636ba55a2633a59c3
Packers detected: -

Scanner results
Scan taken on 31 May 2008 12:14:11 (GMT)
A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Ikarus Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing

Powered by

Disclaimer
This service is by no means 100% safe. If this scanner says 'OK', it does not necessarily mean the file is clean. There could be a whole new virus on the loose. NEVER EVER rely on one single product only, not even this service, even though it utilizes several products. Therefore, We cannot and will not be held responsible for any damage caused by results presented by this non-profit online service.

Also, we are aware of the implications of a setup like this. We are sure this whole thing is by no means scientifically correct, since this is a fully automated service (although manual correction is possible). We are aware, in spite of efforts to proactively counter these, false positives might occur, for example. We do not consider this a very big issue, so please do not e-mail us about it. This is a simple online scan service, not the university of Wichita.

Scanning can take a while, since several scanners are being used, plus the fact some scanners use very high levels of (time consuming) heuristics. Scanners used are Linux versions, differences with Windows scanners may or may not occur. Another note: some scanners will only report one virus when scanning archives with multiple pieces of malware.

Virus definitions are updated every hour. There is a 10Mb limit per file. Please refrain from uploading tons of hex-edited or repacked variants of the same sample.

Please do not ask for viruses uploaded here, unless you work for an anti-virus vendor. They are not for trade. This is a legitimate service, not a VX site. Viruses uploaded here will be distributed to antivirus vendors without exception. Read more about this in our privacy policy. If you do not want your files to be distributed, please do not send them at all.

Sponsored by HotelScraper.com.
--------------------------------------------------------------------------------


Statistics
Last file scanned at least one scanner reported something about: 鸽子免杀.exe (MD5: 3ce3ba7456221ee4de909e6258d9967c, size: 737792 bytes), detected by:

Scanner Malware name
A-Squared X
AntiVir BDS/WinRem
ArcaVir X
Avast Win32:Hupigon-BQO
AVG Antivirus Pakes.L
BitDefender X
ClamAV X
CPsecure BackDoor.W32.PcClient.cah
Dr.Web X
F-Prot Antivirus X
F-Secure Anti-Virus X
Fortinet X
Ikarus Virus.Win32.Virtualizer
Kaspersky Anti-Virus X
NOD32 X
Norman Virus Control X
Panda Antivirus X
Sophos Antivirus X
VirusBuster X
VBA32 X


You're free to (mis)interpret these automated, flawed statistics at your own discretion. For antivirus comparisons, visit AV comparatives
We are not affiliated with any third parties that conduct tests using this service.
  • 0


#11
koko_crunch

koko_crunch

    Trusted Helper

  • Retired Staff
  • 1,751 posts
Looks good.

Next,

Download and scan with SUPERAntiSpyware Free for Home Users
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)
  • Under "Configuration and Preferences", click the Preferences button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen.
  • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan.
  • Click "Next" to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.

  • 0

#12
needhelp238

needhelp238

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
When the computer rebooted it did a system check. It said something was "FAT". But it loaded OK, so I don't know if that is important.



SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 06/01/2008 at 09:06 AM

Application Version : 4.1.1046

Core Rules Database Version : 3472
Trace Rules Database Version: 1463

Scan type : Complete Scan
Total Scan Time : 00:41:59

Memory items scanned : 331
Memory threats detected : 0
Registry items scanned : 5336
Registry threats detected : 0
File items scanned : 53147
File threats detected : 171

Adware.Tracking Cookie
C:\Documents and Settings\Cliff and Micky\Cookies\cliff and [email protected][1].txt
C:\Documents and Settings\Cliff and Micky\Cookies\cliff and [email protected][1].txt
C:\Documents and Settings\Cliff and Micky\Cookies\cliff and [email protected][1].txt
C:\Documents and Settings\Cliff and Micky\Cookies\cliff and [email protected][2].txt
C:\Documents and Settings\Cliff and Micky\Cookies\cliff and [email protected][2].txt
C:\Documents and Settings\Cliff and Micky\Cookies\cliff and [email protected][2].txt
C:\Documents and Settings\Cliff and Micky\Cookies\cliff and [email protected][2].txt
C:\Documents and Settings\Cliff and Micky\Cookies\cliff and [email protected][1].txt
C:\Documents and Settings\Cliff and Micky\Cookies\cliff and [email protected][1].txt
C:\Documents and Settings\Cliff and Micky\Cookies\cliff and [email protected][1].txt
C:\Documents and Settings\Cliff and Micky\Cookies\cliff and [email protected][1].txt
C:\Documents and Settings\Cliff and Micky\Cookies\cliff and [email protected][1].txt
C:\Documents and Settings\Cliff and Micky\Cookies\cliff and [email protected][1].txt
C:\Documents and Settings\Cliff and Micky\Cookies\cliff and [email protected][1].txt
C:\Documents and Settings\Cliff and Micky\Cookies\cliff and [email protected][1].txt
C:\Documents and Settings\Cliff and Micky\Cookies\cliff and [email protected][2].txt
C:\Documents and Settings\Cliff and Micky\Cookies\cliff and [email protected][2].txt
C:\Documents and Settings\Cliff and Micky\Cookies\cliff and [email protected][2].txt
C:\Documents and Settings\Cliff and Micky\Cookies\cliff and [email protected][2].txt
C:\Documents and Settings\Cliff and Micky\Cookies\cliff and [email protected][2].txt
C:\Documents and Settings\Cliff and Micky\Cookies\cliff and [email protected][1].txt
C:\Documents and Settings\LocalService\Cookies\[email protected][1].txt

Adware.180solutions/Seekmo/Zango
C:\SYSTEM VOLUME INFORMATION\_RESTORE{AA9B38FB-1993-42C2-A0DD-3F494A22996B}\RP531\A0040694.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{AA9B38FB-1993-42C2-A0DD-3F494A22996B}\RP531\A0040695.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{AA9B38FB-1993-42C2-A0DD-3F494A22996B}\RP531\A0040696.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{AA9B38FB-1993-42C2-A0DD-3F494A22996B}\RP531\A0040697.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{AA9B38FB-1993-42C2-A0DD-3F494A22996B}\RP531\A0040698.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{AA9B38FB-1993-42C2-A0DD-3F494A22996B}\RP531\A0040699.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{AA9B38FB-1993-42C2-A0DD-3F494A22996B}\RP531\A0040701.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{AA9B38FB-1993-42C2-A0DD-3F494A22996B}\RP531\A0040702.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{AA9B38FB-1993-42C2-A0DD-3F494A22996B}\RP531\A0040704.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{AA9B38FB-1993-42C2-A0DD-3F494A22996B}\RP531\A0040705.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{AA9B38FB-1993-42C2-A0DD-3F494A22996B}\RP531\A0040706.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{AA9B38FB-1993-42C2-A0DD-3F494A22996B}\RP531\A0040707.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{AA9B38FB-1993-42C2-A0DD-3F494A22996B}\RP531\A0040708.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{AA9B38FB-1993-42C2-A0DD-3F494A22996B}\RP531\A0040709.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{AA9B38FB-1993-42C2-A0DD-3F494A22996B}\RP531\A0040710.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{AA9B38FB-1993-42C2-A0DD-3F494A22996B}\RP531\A0040711.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{AA9B38FB-1993-42C2-A0DD-3F494A22996B}\RP531\A0040712.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{AA9B38FB-1993-42C2-A0DD-3F494A22996B}\RP531\A0040721.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{AA9B38FB-1993-42C2-A0DD-3F494A22996B}\RP532\A0040763.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{AA9B38FB-1993-42C2-A0DD-3F494A22996B}\RP532\A0040787.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{AA9B38FB-1993-42C2-A0DD-3F494A22996B}\RP534\A0040858.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{AA9B38FB-1993-42C2-A0DD-3F494A22996B}\RP537\A0040956.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{AA9B38FB-1993-42C2-A0DD-3F494A22996B}\RP538\A0041040.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{AA9B38FB-1993-42C2-A0DD-3F494A22996B}\RP539\A0041081.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{AA9B38FB-1993-42C2-A0DD-3F494A22996B}\RP540\A0041132.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{AA9B38FB-1993-42C2-A0DD-3F494A22996B}\RP541\A0041188.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{AA9B38FB-1993-42C2-A0DD-3F494A22996B}\RP544\A0041363.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{AA9B38FB-1993-42C2-A0DD-3F494A22996B}\RP546\A0041469.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{AA9B38FB-1993-42C2-A0DD-3F494A22996B}\RP546\A0041470.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{AA9B38FB-1993-42C2-A0DD-3F494A22996B}\RP546\A0041471.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{AA9B38FB-1993-42C2-A0DD-3F494A22996B}\RP546\A0041472.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{AA9B38FB-1993-42C2-A0DD-3F494A22996B}\RP546\A0041474.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{AA9B38FB-1993-42C2-A0DD-3F494A22996B}\RP546\A0041475.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{AA9B38FB-1993-42C2-A0DD-3F494A22996B}\RP546\A0041477.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{AA9B38FB-1993-42C2-A0DD-3F494A22996B}\RP546\A0041478.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{AA9B38FB-1993-42C2-A0DD-3F494A22996B}\RP546\A0041479.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{AA9B38FB-1993-42C2-A0DD-3F494A22996B}\RP546\A0041480.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{AA9B38FB-1993-42C2-A0DD-3F494A22996B}\RP546\A0041481.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{AA9B38FB-1993-42C2-A0DD-3F494A22996B}\RP546\A0041482.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{AA9B38FB-1993-42C2-A0DD-3F494A22996B}\RP546\A0041483.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{AA9B38FB-1993-42C2-A0DD-3F494A22996B}\RP546\A0041484.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{AA9B38FB-1993-42C2-A0DD-3F494A22996B}\RP546\A0041485.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{AA9B38FB-1993-42C2-A0DD-3F494A22996B}\RP546\A0041493.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{AA9B38FB-1993-42C2-A0DD-3F494A22996B}\RP546\A0041495.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{AA9B38FB-1993-42C2-A0DD-3F494A22996B}\RP546\A0041496.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{AA9B38FB-1993-42C2-A0DD-3F494A22996B}\RP547\A0041565.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{AA9B38FB-1993-42C2-A0DD-3F494A22996B}\RP547\A0041566.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{AA9B38FB-1993-42C2-A0DD-3F494A22996B}\RP547\A0041567.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{AA9B38FB-1993-42C2-A0DD-3F494A22996B}\RP547\A0041569.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{AA9B38FB-1993-42C2-A0DD-3F494A22996B}\RP547\A0041570.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{AA9B38FB-1993-42C2-A0DD-3F494A22996B}\RP547\A0041572.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{AA9B38FB-1993-42C2-A0DD-3F494A22996B}\RP547\A0041573.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{AA9B38FB-1993-42C2-A0DD-3F494A22996B}\RP547\A0041574.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{AA9B38FB-1993-42C2-A0DD-3F494A22996B}\RP547\A0041575.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{AA9B38FB-1993-42C2-A0DD-3F494A22996B}\RP547\A0041576.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{AA9B38FB-1993-42C2-A0DD-3F494A22996B}\RP547\A0041577.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{AA9B38FB-1993-42C2-A0DD-3F494A22996B}\RP547\A0041578.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{AA9B38FB-1993-42C2-A0DD-3F494A22996B}\RP547\A0041579.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{AA9B38FB-1993-42C2-A0DD-3F494A22996B}\RP547\A0041580.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{AA9B38FB-1993-42C2-A0DD-3F494A22996B}\RP547\A0041588.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{AA9B38FB-1993-42C2-A0DD-3F494A22996B}\RP547\A0041590.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{AA9B38FB-1993-42C2-A0DD-3F494A22996B}\RP547\A0041591.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{AA9B38FB-1993-42C2-A0DD-3F494A22996B}\RP547\A0041592.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{AA9B38FB-1993-42C2-A0DD-3F494A22996B}\RP550\A0041755.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{AA9B38FB-1993-42C2-A0DD-3F494A22996B}\RP581\A0042485.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{AA9B38FB-1993-42C2-A0DD-3F494A22996B}\RP581\A0042486.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{AA9B38FB-1993-42C2-A0DD-3F494A22996B}\RP581\A0042487.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{AA9B38FB-1993-42C2-A0DD-3F494A22996B}\RP581\A0042488.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{AA9B38FB-1993-42C2-A0DD-3F494A22996B}\RP581\A0042489.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{AA9B38FB-1993-42C2-A0DD-3F494A22996B}\RP581\A0042490.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{AA9B38FB-1993-42C2-A0DD-3F494A22996B}\RP581\A0042492.DLL
  • 0

#13
koko_crunch
    Trusted Helper
  • Retired Staff
  • 1,751 posts
We're almost done here. May I ask, how's your computer running? Are there other issues you wish to address?

Next,

To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

(Windows XP)
1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.

then,

Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • When it has finished, DSS will open two Notepad windows, main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.

  • 0

#14
needhelp238
    New Member
  • Topic Starter
  • Member
  • 8 posts
Everything on the computer seems to be working well. All pop-ups and window alerts have stopped. Thank you.


Main.txt

Deckard's System Scanner v20071014.68
Run by Cliff and Micky on 2008-06-01 16:23:12
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 2 Restore Point(s) --
2: 2008-06-01 20:23:17 UTC - RP2 - Deckard's System Scanner Restore Point
1: 2008-06-01 20:21:47 UTC - RP1 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 192 MiB (512 MiB recommended).


-- HijackThis (run as Cliff and Micky.exe) -------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:24:11 PM, on 6/1/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Cliff and Micky\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Cliff and Micky.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O8 - Extra context menu item: &Search - http://km.bar.need2f...earch.html?p=KM
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symant...ex/symdlmgr.cab
O16 - DPF: {F127B9BA-89EA-4B04-9C67-2074A9DF61FD} (Photo Upload Plugin Class) - http://cvs.pnimedia....tupv2.0.0.9.cab?
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

--
End of file - 4022 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 UBHelper - c:\windows\system32\drivers\ubhelper.sys
R3 Afc (PPdus ASPI Shell) - c:\windows\system32\drivers\afc.sys <Not Verified; Arcsoft, Inc.; Arcsoft® ASPI Shell>
R3 NTIDrvr (Upper Class Filter Driver) - c:\windows\system32\drivers\ntidrvr.sys <Not Verified; NewTech Infosystems, Inc.; >

S3 catchme - c:\combofix\catchme.sys (file missing)
S3 PhotoFrame (PhotoFrame_2.0 Device) - c:\windows\system32\drivers\photoframe.sys <Not Verified; ; PhotoFrame_2.0>
S3 ZDPNDIS5 (ZDPNDIS5 NDIS Protocol Driver) - c:\windows\system32\zdpndis5.sys <Not Verified; Printing Communications Assoc., Inc. (PCAUSA); PCAUSA Rawether for Windows>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

S4 Acer Media Server - "c:\program files\acer\acer econsole\mediaserverservice.exe" <Not Verified; Acer Inc.; Acer Media Server>
S4 RioMSC (Rio MSC Manager) - c:\windows\system32\riomsc.exe <Not Verified; Digital Networks North America, Inc.; Rio Mass Storage Class Device Manager>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-05-28 20:08:05 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job


-- Files created between 2008-05-01 and 2008-06-01 -----------------------------

2008-06-01 08:21:07 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-06-01 08:20:52 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-06-01 08:20:52 0 d-------- C:\Documents and Settings\Cliff and Micky\Application Data\SUPERAntiSpyware.com
2008-05-30 14:28:57 0 dr-h----- C:\Documents and Settings\Cliff and Micky\Recent
2008-05-30 13:16:11 68096 --a------ C:\WINDOWS\zip.exe
2008-05-30 13:16:11 49152 --a------ C:\WINDOWS\VFind.exe
2008-05-30 13:16:11 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-05-30 13:16:11 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-05-30 13:16:11 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-05-30 13:16:11 98816 --a------ C:\WINDOWS\sed.exe
2008-05-30 13:16:11 80412 --a------ C:\WINDOWS\grep.exe
2008-05-30 13:16:11 89504 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-05-30 09:46:40 0 d-------- C:\VundoFix Backups
2008-05-30 09:26:21 0 d-------- C:\Documents and Settings\Cliff and Micky\Application Data\Malwarebytes
2008-05-30 09:26:08 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-30 09:26:07 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-30 00:18:19 0 d-------- C:\Program Files\Trend Micro
2008-05-29 19:05:45 0 dr-h----- C:\$VAULT$.AVG


-- Find3M Report ---------------------------------------------------------------

2008-06-01 14:01:52 0 d-------- C:\Documents and Settings\Cliff and Micky\Application Data\Adobe
2008-06-01 13:27:54 0 d-------- C:\Program Files\e-Sword
2008-06-01 08:20:26 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-06-01 08:19:49 0 d-------- C:\Documents and Settings\Cliff and Micky\Application Data\AVG7
2008-04-04 08:52:22 0 d-------- C:\Documents and Settings\Cliff and Micky\Application Data\gtk-2.0
2008-04-02 20:59:10 0 d-------- C:\Documents and Settings\Cliff and Micky\Application Data\FileZilla


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 01:00 AM]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [11/13/2006 01:39 PM]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [05/13/2008 12:43 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [05/13/2008 10:13 AM 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 04/19/2007 01:41 PM 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ePad995.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ePad995.lnk
backup=C:\WINDOWS\pss\ePad995.lnkCommon Startup


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AspireService]
C:\Program Files\Acer\Acer eMode Management\AspireService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BAloud4]
C:\Program Files\Texthelp Systems\Browsealoud\4.0\BAloud4.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eRecoveryService]
C:\Acer\Empowering Technology\eRecovery\Monitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
"C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
"C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LaunchApp]
Alaunch

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MediaSync]
C:\Program Files\Acer\Acer eConsole\MediaSync.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPY2002]
C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ntiMUI]
c:\Program Files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
"C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UDC Integration]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTimer]
VTTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"Symantec Core LC"=2 (0x2)
"RioMSC"=2 (0x2)
"ose"=3 (0x3)
"MDM"=2 (0x2)
"Acer Media Server"=2 (0x2)




-- End of Deckard's System Scanner: finished at 2008-06-01 16:24:53 ------------


extra.txt



Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: AMD Sempron™ Processor 3300+
Percentage of Memory in Use: 76%
Physical Memory (total/avail): 191.48 MiB / 44.13 MiB
Pagefile Memory (total/avail): 465.04 MiB / 208.38 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1932.73 MiB

C: is Fixed (NTFS) - 72.33 GiB total, 51.47 GiB free.
D: is Fixed (FAT32) - 72.8 GiB total, 72.8 GiB free.
E: is CDROM (UDF)
F: is Removable (FAT)
G: is Removable (No Media)
H: is Removable (No Media)
I: is Removable (No Media)

\\.\PHYSICALDRIVE0 - WDC WD1600JS-22MHB0 - 149.05 GiB - 3 partitions
\PARTITION0 - Unknown - 3.9 GiB
\PARTITION1 (bootable) - Installable File System - 72.33 GiB - C:
\PARTITION2 - Unknown - 72.82 GiB - D:

\\.\PHYSICALDRIVE2 - Generic USB CF Reader USB Device

\\.\PHYSICALDRIVE4 - Generic USB MS Reader USB Device

\\.\PHYSICALDRIVE1 - Generic USB SD Reader USB Device - 1937.53 MiB - 1 partition
\PARTITION0 (bootable) - MS-DOS V4 Huge - 1938.38 MiB - F:

\\.\PHYSICALDRIVE3 - Generic USB SM Reader USB Device



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

FirstRunDisabled is set.
AntiVirusDisableNotify is set.

FW: Norton Internet Worm Protection v2005 (Symantec)
AV: AVG 7.5.524 v7.5.524 (Grisoft)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager"
"C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe"="C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager"
"C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\Acer\\Acer eConsole\\MediaServerService.exe"="C:\\Program Files\\Acer\\Acer eConsole\\MediaServerService.exe:LocalSubNet:Disabled:Acer Media Server"
"C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe:169.254.2.0/255.255.255.0:Disabled:ActiveSync Application"
"C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe"="C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe:169.254.2.0/255.255.255.0:Disabled:ActiveSync Connection Manager"
"C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe:169.254.2.0/255.255.255.0:Disabled:ActiveSync RAPI Manager"
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe:*:Disabled:avgamsvr.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe:*:Disabled:avgcc.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"="C:\\Program Files\\Grisoft\\AVG7\\avginet.exe:*:Disabled:avginet.exe"
"C:\\Program Files\\Acer\\Acer eConsole\\eConsole.exe"="C:\\Program Files\\Acer\\Acer eConsole\\eConsole.exe:LocalSubNet:Disabled:eConsole"
"C:\\Program Files\\Acer\\Acer eConsole\\MediaSync.exe"="C:\\Program Files\\Acer\\Acer eConsole\\MediaSync.exe:LocalSubNet:Disabled:Media Synchoronizer"
"C:\\Program Files\\PageBreeze\\pagebreeze.exe"="C:\\Program Files\\PageBreeze\\pagebreeze.exe:*:Disabled:pagebreeze"
"C:\\WINDOWS\\system32\\sessmgr.exe"="C:\\WINDOWS\\system32\\sessmgr.exe:*:Disabled:@xpsp2res.dll,-22019"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Cliff and Micky\Application Data
CLASSPATH=.;C:\Program Files\Java\jre1.5.0_05\lib\ext\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=CLIFF
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Cliff and Micky
LOGONSERVER=\\CLIFF
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;C:\Program Files\QuickTime\QTSystem;C:\Program Files\Microsoft Office\OFFICE11\Business Contact Manager\IM;C:\Program Files\Microsoft SQL Server\80\Tools\Binn;C:\Program Files\Microsoft Office\OFFICE11\Business Contact Manager;;C:\PROGRA~1\COMMON~1\MUVEET~1\030625
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 44 Stepping 2, AuthenticAMD
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=2c02
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.5.0_05\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\CLIFFA~1\LOCALS~1\Temp
TMP=C:\DOCUME~1\CLIFFA~1\LOCALS~1\Temp
USERDOMAIN=CLIFF
USERNAME=Cliff and Micky
USERPROFILE=C:\Documents and Settings\Cliff and Micky
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Cliff and Micky (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Acer eConsole --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EC028E6B-F3F1-4192-B63E-A7C97302ED5A}\setup.exe" -l0x9
Acer eMode Management --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{65CDEC30-4BF4-48FB-8059-9FC480E4E94F}\setup.exe" -l0x9
Ad-Aware 2007 --> MsiExec.exe /I{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
Adobe Download Manager 2.2 (Remove Only) --> "C:\Program Files\Common Files\Adobe\ESD\uninst.exe"
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 7.0 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70000000000}
Apple Software Update --> MsiExec.exe /I{A260B422-70E1-41E2-957D-F76FA21266D5}
Araneae 5.0.0 --> "C:\Program Files\Araneae 5\unins000.exe"
AVG 7.5 --> C:\Program Files\Grisoft\AVG7\setup.exe /UNINSTALL
Business Contact Manager for Outlook 2003 --> MsiExec.exe /I{66563AD8-637B-407F-BCA7-0233A16891AB}
CCleaner (remove only) --> "C:\Program Files\CCleaner\uninst.exe"
Dell Photo Printer 720 --> C:\WINDOWS\system32\spool\drivers\w32x86\3\DLBCUN5C.EXE -dDell Photo Printer 720
Dell Photo Printer 720 Logger --> C:\Program Files\Dell Photo Printer 720\dlbcunst.exe
e-Sword --> MsiExec.exe /I{987BFB2B-2671-49B3-98BE-1B684B9CAFD0}
ePad995 --> C:\Program Files\ePad995\thinsetup.exe - uninstall
FileZilla Client 3.0.3 --> C:\Program Files\FileZilla Client\uninstall.exe
GIMP 2.4.1 --> "C:\Program Files\GIMP-2.0\setup\unins000.exe"
Google Earth --> MsiExec.exe /I{1E04F83B-2AB9-4301-9EF7-E86307F79C72}
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Hockey Pong --> C:\WINDOWS\system32\GKSUI16.EXE C:\Program Files\Hockey Pong\UNINSTAL.DAT
Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
J2SE Runtime Environment 5.0 Update 5 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150050}
Jasc Paint Shop Pro 8 Dell Edition --> MsiExec.exe /I{81A34902-9D0B-4920-A25C-4CDC5D14B328}
Juice 2.2 --> C:\Program Files\Juice\uninst.exe
Malwarebytes' Anti-Malware --> "C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Microsoft ActiveSync --> MsiExec.exe /I{99052DB7-9592-4522-A558-5417BBAD48EE}
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Office Professional Edition 2003 --> MsiExec.exe /I{91110409-6000-11D3-8CFE-0150048383C9}
Microsoft Text-to-Speech Engine 4.0 (English) --> RunDll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\msTTSf22.inf, Uninstall
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Netflix Movie Viewer --> MsiExec.exe /X{BCE72AED-3332-4863-9567-C5DCB9052CA2}
NTI Backup NOW! 4 --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{385979FE-DC4F-4140-8EAD-A59625000D72} /l1033 BUN4
NTI CD & DVD-Maker --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{1577A05B-EE62-4BBC-9DB7-FE748FA44EC2} /l1033 CDM7
NTI HomeVideo-Maker --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B8A6F713-D72D-47AD-A92D-B5C0E13F98C1}\setup.exe" -l0x9
NXPowerLite --> MsiExec.exe /I{076A2323-68F0-4359-9D17-030882B70514}
OmniFormat --> C:\Program Files\omniformat\thinsetup.exe - uninstall
PageBreeze Free HTML Editor --> C:\PROGRA~1\PAGEBR~1\UNWISE.EXE C:\PROGRA~1\PAGEBR~1\INSTALL.LOG
Pdf995 --> C:\Program Files\pdf995\setup.exe uninstall
PhotoFrame_V1.5 --> C:\Program Files\PhotoFrame_V1.5\uninst.exe
PowerDVD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\setup.exe" -uninstall
QuickTime --> MsiExec.exe /I{08094E03-AFE4-4853-9D31-6D0743DF5328}
ReadingPlanner --> C:\Program Files\ReadingPlanner\uninstall.exe
RealPlayer --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
Realtek AC'97 Audio --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FB08F381-6533-4108-B7DD-039E11FBC27E}\setup.exe" -l0x9 -removeonly
Rio Internet Update --> MsiExec.exe /X{493F2531-C2E5-4B73-8B11-66E9CFDA9AFA}
Rio Music Manager --> MsiExec.exe /X{282EF7E3-AE54-48AE-A11D-27F512F23AB3}
Security Update for Step By Step Interactive Training (KB898458) --> "C:\WINDOWS\$NtUninstallKB898458$\spuninst\spuninst.exe"
SUPERAntiSpyware Free Edition --> MsiExec.exe /X{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}
Symantec KB-DocID:2003093015493306 --> MsiExec.exe /I{08C5815C-2C6E-44f8-8748-0E61BC9AFB68}
Text-Reader Speaker component --> C:\Program Files\fabamusic\fmMp3Splitter\uninstall.exe
Universal Document Converter --> "C:\Program Files\Universal Document Converter\unins000.exe"
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Wireless 802.11g USB Adapter --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{703FBBAA-ED01-498D-86D5-559C4725CD63} /l1033


-- Application Event Log -------------------------------------------------------

Event Record #/Type242 / Warning
Event Submitted/Written: 06/01/2008 04:20:19 PM
Event ID/Source: 32068 / Microsoft Fax
Event Description:
The outgoing routing rule is not valid because it cannot find a valid device. The outgoing faxes that use this rule will not be routed. Verify that the targeted device or devices (if routed to a group of devices) is connected and installed correctly, and turned on. If routed to a group, verify that the group is configured correctly.
Country/region code: '*'
Area code: '*'

Event Record #/Type241 / Warning
Event Submitted/Written: 06/01/2008 04:20:19 PM
Event ID/Source: 32026 / Microsoft Fax
Event Description:
Fax Service failed to initialize any assigned fax devices (virtual or TAPI).
No faxes can be sent or received until a fax device is installed.

Event Record #/Type240 / Warning
Event Submitted/Written: 06/01/2008 04:20:08 PM
Event ID/Source: 19011 / MSSQL$MICROSOFTBCM
Event Description:
(SpnRegister) : Error 1355

Event Record #/Type238 / Warning
Event Submitted/Written: 06/01/2008 00:51:01 PM
Event ID/Source: 32068 / Microsoft Fax
Event Description:
The outgoing routing rule is not valid because it cannot find a valid device. The outgoing faxes that use this rule will not be routed. Verify that the targeted device or devices (if routed to a group of devices) is connected and installed correctly, and turned on. If routed to a group, verify that the group is configured correctly.
Country/region code: '*'
Area code: '*'

Event Record #/Type237 / Warning
Event Submitted/Written: 06/01/2008 00:51:01 PM
Event ID/Source: 32026 / Microsoft Fax
Event Description:
Fax Service failed to initialize any assigned fax devices (virtual or TAPI).
No faxes can be sent or received until a fax device is installed.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type23648 / Error
Event Submitted/Written: 06/01/2008 04:21:02 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1058" attempting to start the service MDM with arguments ""
in order to run the server:
{0C0A3666-30C9-11D0-8F20-00805F2CD064}

Event Record #/Type23647 / Error
Event Submitted/Written: 06/01/2008 04:20:45 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1058" attempting to start the service MDM with arguments ""
in order to run the server:
{0C0A3666-30C9-11D0-8F20-00805F2CD064}

Event Record #/Type23620 / Error
Event Submitted/Written: 06/01/2008 00:57:44 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1058" attempting to start the service MDM with arguments ""
in order to run the server:
{0C0A3666-30C9-11D0-8F20-00805F2CD064}

Event Record #/Type23618 / Error
Event Submitted/Written: 06/01/2008 00:51:21 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1058" attempting to start the service MDM with arguments ""
in order to run the server:
{0C0A3666-30C9-11D0-8F20-00805F2CD064}

Event Record #/Type23598 / Error
Event Submitted/Written: 06/01/2008 00:47:49 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1058" attempting to start the service MDM with arguments ""
in order to run the server:
{0C0A3666-30C9-11D0-8F20-00805F2CD064}



-- End of Deckard's System Scanner: finished at 2008-06-01 16:24:53 ------------
  • 0
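An added example, not from the original post and not part of Deckard's System Scanner: a small Python triage helper for the event-log section of a DSS report like the one posted above. It parses each "Event Record" block, collapses repeated records into counts per log/level/source/event ID, and decodes the Win32 error codes quoted in the descriptions (1058 and 1355 here, meanings taken from winerror.h). The sample log embedded in it is constructed, trimmed from the posted one, and the function and table names are my own.

```python
import re
from collections import Counter

# Constructed sample input, modelled on the DSS event-log section posted above
# (trimmed to three records). Not the poster's actual data.
SAMPLE_LOG = """\
-- Application Event Log -------------------------------------------------------

Event Record #/Type240 / Warning
Event Submitted/Written: 06/01/2008 04:20:08 PM
Event ID/Source: 19011 / MSSQL$MICROSOFTBCM
Event Description:
(SpnRegister) : Error 1355


-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type23648 / Error
Event Submitted/Written: 06/01/2008 04:21:02 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1058" attempting to start the service MDM with arguments ""
in order to run the server:
{0C0A3666-30C9-11D0-8F20-00805F2CD064}

Event Record #/Type23647 / Error
Event Submitted/Written: 06/01/2008 04:20:45 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1058" attempting to start the service MDM with arguments ""
in order to run the server:
{0C0A3666-30C9-11D0-8F20-00805F2CD064}


-- End of Deckard's System Scanner: finished at 2008-06-01 16:24:53 ------------
"""

# Win32 system error codes seen in the posted log, decoded from winerror.h.
WIN32_ERRORS = {
    1058: "ERROR_SERVICE_DISABLED: service is disabled or has no enabled devices",
    1355: "ERROR_NO_SUCH_DOMAIN: the domain does not exist or cannot be contacted",
}

SECTION_RE = re.compile(r"^-- (\w+) Event Log -+$")
ERROR_CODE_RE = re.compile(r"(?:%%|Error )(\d+)")  # matches "%%1058" and "Error 1355"


def parse_dss_events(text):
    """Parse the 'Event Record' blocks of a DSS report into a list of dicts."""
    events, log_name, current = [], None, None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            log_name, current = m.group(1), None  # new log section
        elif line.startswith("-- End of"):
            break
        elif line.startswith("Event Record #/Type"):
            record, level = line[len("Event Record #/Type"):].split(" / ", 1)
            current = {"log": log_name, "record": int(record), "level": level.strip(),
                       "time": None, "event_id": None, "source": None, "description": []}
            events.append(current)
        elif current is None:
            continue  # text outside a record, e.g. "No Errors/Warnings found."
        elif line.startswith("Event Submitted/Written: "):
            current["time"] = line.split(": ", 1)[1]
        elif line.startswith("Event ID/Source: "):
            event_id, source = line.split(": ", 1)[1].split(" / ", 1)
            current["event_id"], current["source"] = int(event_id), source.strip()
        elif line.startswith("Event Description:"):
            pass
        elif line.strip() == "":
            current = None  # a blank line closes the record's description
        else:
            current["description"].append(line)
    for e in events:
        e["description"] = "\n".join(e["description"])
    return events


def summarize(events):
    """Collapse repeats: count records per (log, level, source, event ID)."""
    return Counter((e["log"], e["level"], e["source"], e["event_id"]) for e in events)


def decode_error_codes(events):
    """Map every Win32 error code quoted in a description to its meaning."""
    codes = {}
    for e in events:
        for code in ERROR_CODE_RE.findall(e["description"]):
            codes[int(code)] = WIN32_ERRORS.get(int(code), "unknown; look up in winerror.h")
    return codes


if __name__ == "__main__":
    evs = parse_dss_events(SAMPLE_LOG)
    for (log, level, source, event_id), n in sorted(summarize(evs).items()):
        print(f"{n:2d}x {log:12s} {level:8s} {source} / {event_id}")
    for code, meaning in sorted(decode_error_codes(evs).items()):
        print(f"error {code}: {meaning}")
```

Run as a script it prints one line per distinct event, so the repeated DCOM 10005 records collapse to a single count, and the quoted codes are resolved: 1058 means the MDM service (Machine Debug Manager) is disabled, and 1355 is SQL Server failing to register an SPN on a machine that is not in a domain. Both are configuration noise rather than infection indicators, which is the judgement a helper reading this section of the log has to make before moving on.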

#15
koko_crunch

    Trusted Helper

  • Retired Staff
  • 1,751 posts
That's good to hear...
Now for one final scan to make sure we didn't miss any bad file.

But before you do,

Follow these steps to uninstall Combofix and tools used in the removal of malware
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.

Next,

Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browser:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

Finally,

Please go HERE to run Panda's ActiveScan
  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report

  • 0





