
vx2 [Resolved] cw6


#1
x1stanc3
I have currently run Ad-Aware, SpyBot and CWShredder.

Ad-Aware ... reboot
SpyBot ... reboot
CWShredder ... now shows no infection
HijackThis ... log following
Findit ... log following

<< HIJACKTHISLOG >>

Logfile of HijackThis v1.99.0
Scan saved at 1:10:23 PM, on 1/23/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\Ati2evxx.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sony\VAIO Media Music Server\SSSvr.exe
C:\Program Files\Sony\Photo Server 20\appsrv\PicAppSrv.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\sv_httpd.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
C:\WINDOWS\System32\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Sony\HotKey Utility\HKserv.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\Sony\HotKey Utility\HKWnd.exe
C:\Program Files\Lexmark X5100 Series\lxbabmgr.exe
C:\Program Files\Lexmark X5100 Series\lxbabmon.exe
C:\PROGRA~1\MI948F~1\GAMECO~1\Common\SWTrayV4.exe
C:\Program Files\Lexmark 3100 Series\lxbrbmgr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Lexmark 3100 Series\lxbrbmon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\dlsmgr\dlsmgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\EarthLink TotalAccess\TaskPanl.exe
C:\Program Files\Handspring\HotSync.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\rundll32.exe
C:\Documents and Settings\cliff mccoy\Desktop\HijackThis.exe

O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [HKSERV.EXE] C:\Program Files\Sony\HotKey Utility\HKserv.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [Lexmark X5100 Series] "C:\Program Files\Lexmark X5100 Series\lxbabmgr.exe"
O4 - HKLM\..\Run: [SideWinderTrayV4] C:\PROGRA~1\MI948F~1\GAMECO~1\Common\SWTrayV4.exe
O4 - HKLM\..\Run: [MediaFace Integration] C:\Program Files\Fellowes\MediaFACE 4.0\SetHook.exe
O4 - HKLM\..\Run: [Lexmark 3100 Series] "C:\Program Files\Lexmark 3100 Series\lxbrbmgr.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [dlsmgr] C:\Program Files\dlsmgr\dlsmgr.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
O4 - Global Startup: Billminder.lnk = C:\Program Files\Quicken\billmind.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\Handspring\HotSync.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\Quicken\QWDLLS.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....738&clcid=0x409
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1106387504476
O23 - Service: Ati HotKey Poller - Unknown - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: LexBce Server - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Sony SPTI Service - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: VAIO Media Music Server (Application) - Sony Corporation - C:\Program Files\Sony\VAIO Media Music Server\SSSvr.exe
O23 - Service: VAIO Media Music Server (HTTP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\sv_httpd.exe
O23 - Service: VAIO Media Music Server (UPnP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
O23 - Service: VAIO Media Photo Server (Application) - Unknown - C:\Program Files\Sony\Photo Server 20\appsrv\PicAppSrv.exe
O23 - Service: VAIO Media Photo Server (HTTP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe
O23 - Service: VAIO Media Photo Server (UPnP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe





<< FINDIT LOG >>

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from: C:\find

------- System Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is FCEE-9519

Directory of C:\WINDOWS\System32

01/23/2005 12:25 PM 225,956 lbbmp11n.dll
01/23/2005 12:25 PM 226,030 j4p00e7meh.dll
01/23/2005 12:14 PM 222,993 ptwrprof.dll
01/23/2005 11:46 AM 225,956 f40o0ed3eh0.dll
01/23/2005 10:47 AM 222,993 vqmdbg.dll
01/23/2005 10:10 AM 224,111 kodla.dll
01/23/2005 01:18 AM 223,086 mlvcrt.dll
01/23/2005 01:07 AM 223,781 ctcdll.dll
01/23/2005 12:44 AM 223,781 swobject.dll
01/23/2005 12:40 AM 222,600 ligif10N.dll
01/23/2005 12:37 AM 222,600 wkpui.dll
01/23/2005 12:17 AM 222,600 dpocx.dll
01/22/2005 10:23 PM 223,670 md43dmod.dll
01/22/2005 10:04 PM 222,600 wenfax.dll
01/22/2005 09:59 PM 223,295 ghmf32.dll
01/22/2005 09:43 PM 222,600 anitvo32.dll
01/22/2005 05:22 PM 222,903 kfdycc.dll
01/22/2005 02:13 PM 222,932 lv2009fme.dll
01/22/2005 12:54 PM 225,187 haetwiz.dll
01/22/2005 12:07 PM 223,161 kndfo.dll
01/11/2005 08:11 AM 401,408 m?iexec.exe
12/05/2002 08:58 PM <DIR> Microsoft
21 File(s) 4,874,243 bytes
1 Dir(s) 4,633,415,680 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is FCEE-9519

Directory of C:\WINDOWS\System32

01/22/2005 07:23 PM <DIR> vmss
01/11/2005 08:11 AM 401,408 m?iexec.exe
12/05/2002 08:00 PM 488 WindowsLogon.manifest
12/05/2002 08:00 PM 488 logonui.exe.manifest
12/05/2002 08:00 PM 749 sapi.cpl.manifest
12/05/2002 08:00 PM 749 nwc.cpl.manifest
12/05/2002 08:00 PM 749 cdplayer.exe.manifest
12/05/2002 08:00 PM 749 wuaucpl.cpl.manifest
12/05/2002 08:00 PM 749 ncpa.cpl.manifest
8 File(s) 406,129 bytes
1 Dir(s) 4,633,415,680 bytes free

------------ Files Named "Guard" ---------------

Volume in drive C has no label.
Volume Serial Number is FCEE-9519

Directory of C:\WINDOWS\System32

01/23/2005 12:41 PM 225,956 guard.tmp
1 File(s) 225,956 bytes
0 Dir(s) 4,633,411,584 bytes free

------ Temp Files in System32 Directory ------

Volume in drive C has no label.
Volume Serial Number is FCEE-9519

Directory of C:\WINDOWS\System32

01/23/2005 12:41 PM 225,956 guard.tmp
08/29/2002 06:00 AM 2,577 CONFIG.TMP
2 File(s) 228,533 bytes
0 Dir(s) 4,633,411,584 bytes free

------------------ User Agent ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{585BD4F1-1366-489F-954C-DBFF2CF1762A}"=""


------------- Keys Under Notify -------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Telephony]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\f40o0ed3eh0.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"


------------- Locate.com Results -------------

C:\WINDOWS\SYSTEM32\
anitvo32.dll Sat Jan 22 2005 9:43:42p ..S.R 222,600 217.38 K
ctcdll.dll Sun Jan 23 2005 1:07:28a ..S.R 223,781 218.54 K
dpocx.dll Sun Jan 23 2005 12:17:34a ..S.R 222,600 217.38 K
f40o0e~1.dll Sun Jan 23 2005 11:46:18a ..S.R 225,956 220.66 K
ghmf32.dll Sat Jan 22 2005 9:59:16p ..S.R 223,295 218.06 K
haetwiz.dll Sat Jan 22 2005 12:54:32p ..S.R 225,187 219.91 K
j4p00e~1.dll Sun Jan 23 2005 12:26:00p ..S.R 226,030 220.73 K
kfdycc.dll Sat Jan 22 2005 5:22:36p ..S.R 222,903 217.68 K
kndfo.dll Sat Jan 22 2005 12:07:44p ..S.R 223,161 217.93 K
kodla.dll Sun Jan 23 2005 10:10:34a ..S.R 224,111 218.86 K
lbbmp11n.dll Sun Jan 23 2005 12:26:00p ..S.R 225,956 220.66 K
ligif10n.dll Sun Jan 23 2005 12:40:48a ..S.R 222,600 217.38 K
lv2009~1.dll Sat Jan 22 2005 2:13:22p ..S.R 222,932 217.71 K
md43dmod.dll Sat Jan 22 2005 10:23:12p ..S.R 223,670 218.43 K
mlvcrt.dll Sun Jan 23 2005 1:18:32a ..S.R 223,086 217.86 K
miexec~1.exe Tue Jan 11 2005 8:11:36a ..SHR 401,408 392.00 K
ptwrprof.dll Sun Jan 23 2005 12:14:08p ..S.R 222,993 217.77 K
swobject.dll Sun Jan 23 2005 12:44:10a ..S.R 223,781 218.54 K
vqmdbg.dll Sun Jan 23 2005 10:47:22a ..S.R 222,993 217.77 K
wenfax.dll Sat Jan 22 2005 10:04:34p ..S.R 222,600 217.38 K
wkpui.dll Sun Jan 23 2005 12:37:48a ..S.R 222,600 217.38 K

21 items found: 21 files, 0 directories.
Total of file sizes: 4,874,243 bytes 4.65 M

-------- Strings.exe Qoologic Results --------


--------- Strings.exe Aspack Results ---------


-------------- HKLM Run Key ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIModeChange"="Ati2mdxx.exe"
"AtiPTA"="atiptaxx.exe"
"SynTPLpr"="C:\\Program Files\\Synaptics\\SynTP\\SynTPLpr.exe"
"SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"Mouse Suite 98 Daemon"="ICO.EXE"
"HKSERV.EXE"="C:\\Program Files\\Sony\\HotKey Utility\\HKserv.exe"
"ezShieldProtector for Px"="C:\\WINDOWS\\System32\\ezSP_Px.exe"
"Lexmark X5100 Series"="\"C:\\Program Files\\Lexmark X5100 Series\\lxbabmgr.exe\""
"SideWinderTrayV4"="C:\\PROGRA~1\\MI948F~1\\GAMECO~1\\Common\\SWTrayV4.exe"
"MediaFace Integration"="C:\\Program Files\\Fellowes\\MediaFACE 4.0\\SetHook.exe"
"Lexmark 3100 Series"="\"C:\\Program Files\\Lexmark 3100 Series\\lxbrbmgr.exe\""
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"AVG7_EMC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgemc.exe"
"dlsmgr"="C:\\Program Files\\dlsmgr\\dlsmgr.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"




Thanks!
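An added example, not from the thread or from the Find.bat author: a small Python triage script that applies the same checks coachwife6 applies by eye to the Find.bat output above. It flags a burst of near-identically sized files in System32, a guard.tmp, and a Winlogon\Notify subkey whose DllName points at one of those files (the VX2 pattern this thread is cleaning up). The sample is a trimmed excerpt of the log posted above; the allowlist of default XP Notify subkeys is an assumption of this example.

```python
import re
from datetime import datetime

# Constructed sample: a trimmed excerpt in the exact shape of the Find.bat output posted above.
SAMPLE_LOG = r"""
------- System Files in System32 Directory -------

Directory of C:\WINDOWS\System32

01/23/2005 12:25 PM 225,956 lbbmp11n.dll
01/23/2005 12:25 PM 226,030 j4p00e7meh.dll
01/23/2005 12:14 PM 222,993 ptwrprof.dll
01/23/2005 11:46 AM 225,956 f40o0ed3eh0.dll
01/11/2005 08:11 AM 401,408 m?iexec.exe
12/05/2002 08:58 PM <DIR> Microsoft

------------ Files Named "Guard" ---------------

01/23/2005 12:41 PM 225,956 guard.tmp

------------- Keys Under Notify -------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Telephony]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\f40o0ed3eh0.dll"
"Logon"="WinLogon"
"""

# Subkeys a stock Windows XP install carries under Winlogon\Notify (assumption of this
# example); any other subkey is worth a second look, e.g. the "Telephony" key in the log.
XP_NOTIFY_DEFAULTS = {
    "crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
    "sclgntfy", "senslogn", "termsrv", "wlballoon",
}

DIR_LINE = re.compile(r"^(\d\d/\d\d/\d{4}) (\d\d:\d\d [AP]M) ([\d,]+) (\S+)$")
KEY_LINE = re.compile(r"^\[HKEY_LOCAL_MACHINE\\.*\\Winlogon\\Notify\\([^\]]+)\]$", re.I)
DLL_LINE = re.compile(r'^"DllName"="(.*)"$')


def parse_findbat(text):
    """Return (files, notify): files = [(name, size, created)], notify = [(subkey, dll name)]."""
    files, notify, subkey = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = DIR_LINE.match(line)
        if m:  # a DIR listing row; <DIR> rows have no numeric size and are skipped
            date, clock, size, name = m.groups()
            created = datetime.strptime(f"{date} {clock}", "%m/%d/%Y %I:%M %p")
            files.append((name, int(size.replace(",", "")), created))
            continue
        m = KEY_LINE.match(line)
        if m:
            subkey = m.group(1)
            continue
        m = DLL_LINE.match(line)
        if m and subkey:
            # the REGEDIT4 export doubles backslashes; undo that and keep the file name only
            path = m.group(1).replace("\\\\", "\\")
            notify.append((subkey, path.rsplit("\\", 1)[-1]))
    return files, notify


def lookalike_cluster(files, min_members=3, tolerance=0.03, max_span_days=2):
    """Largest group of files whose sizes lie within `tolerance` of each other and whose
    creation times fall within `max_span_days`: the drop pattern visible in the log above."""
    ordered = sorted(files, key=lambda f: f[1])
    best, i = [], 0
    while i < len(ordered):
        j = i
        while j + 1 < len(ordered) and ordered[j + 1][1] <= ordered[i][1] * (1 + tolerance):
            j += 1
        group = ordered[i:j + 1]
        span = (max(f[2] for f in group) - min(f[2] for f in group)).days
        if len(group) >= min_members and span <= max_span_days and len(group) > len(best):
            best = group
        i = j + 1
    return sorted(f[0] for f in best)


def triage(text):
    """Run all three checks over one Find.bat output and return the findings."""
    files, notify = parse_findbat(text)
    cluster = lookalike_cluster(files)
    odd_notify = [(sub, dll) for sub, dll in notify if sub.lower() not in XP_NOTIFY_DEFAULTS]
    return {
        "notify": odd_notify,
        # a non-default Notify DLL that is also a cluster member is the strongest signal
        "notify_in_cluster": [dll for _, dll in odd_notify if dll in cluster],
        "lookalike_cluster": cluster,
        "guard_tmp": any(f[0].lower() == "guard.tmp" for f in files),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Running it against the second Find.bat log in this thread would show the cluster gone but a new non-default Notify key (Syncmgr) still pointing into System32, which is the reinfection signal the helper acts on in the next reply.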

#2
coachwife6
1. Download the Pocket Killbox.
2. Unzip the contents of KillBox.zip to a convenient location.
3. Double-click on KillBox.exe.
4. Click "Replace on Reboot" and check the "Use Dummy" box.
5. Paste this file into the top "Full Path of File to Delete" box.
* C:\WINDOWS\System32\lbbmp11n.dll
6. Click the "Delete File" button which looks like a stop sign.
7. Click "Yes" at the Replace on Reboot prompt.
8. Click "No" at the Pending Operations prompt.
9. Repeat steps 4-8 above for these files:

* C:\WINDOWS\System32\j4p00e7meh.dll
* C:\WINDOWS\System32\ptwrprof.dll
* C:\WINDOWS\System32\f40o0ed3eh0.dll
* C:\WINDOWS\System32\vqmdbg.dll
* C:\WINDOWS\System32\kodla.dll
* C:\WINDOWS\System32\mlvcrt.dll
* C:\WINDOWS\System32\ctcdll.dll
* C:\WINDOWS\System32\swobject.dll
* C:\WINDOWS\System32\ligif10N.dll
* C:\WINDOWS\System32\wkpui.dll
* C:\WINDOWS\System32\dpocx.dll
* C:\WINDOWS\System32\md43dmod.dll
* C:\WINDOWS\System32\wenfax.dll
* C:\WINDOWS\System32\ghmf32.dll
* C:\WINDOWS\System32\anitvo32.dll
* C:\WINDOWS\System32\kfdycc.dll
* C:\WINDOWS\System32\lv2009fme.dll
* C:\WINDOWS\System32\haetwiz.dll
* C:\WINDOWS\System32\kndfo.dll

10. Click "Replace on Reboot" and check the "Use Dummy" box.
11. Paste this file into the top "Full Path of File to Delete" box.
* C:\WINDOWS\System32\Guard.tmp
12. Click the "Delete File" button which looks like a stop sign.
13. Click "Yes" at the Replace on Reboot prompt.
14. Click "Yes" at the Pending Operations prompt to restart your computer.
15. Double-click on find.bat and post the new output.txt. :tazz:

#3
x1stanc3
Done! ... without errors.

<< FINDIT LOG >>

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from: C:\find

------- System Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is FCEE-9519

Directory of C:\WINDOWS\System32

01/11/2005 08:11 AM 401,408 m?iexec.exe
12/05/2002 08:58 PM <DIR> Microsoft
1 File(s) 401,408 bytes
1 Dir(s) 4,638,224,384 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is FCEE-9519

Directory of C:\WINDOWS\System32

01/22/2005 07:23 PM <DIR> vmss
01/11/2005 08:11 AM 401,408 m?iexec.exe
12/05/2002 08:00 PM 488 WindowsLogon.manifest
12/05/2002 08:00 PM 488 logonui.exe.manifest
12/05/2002 08:00 PM 749 sapi.cpl.manifest
12/05/2002 08:00 PM 749 nwc.cpl.manifest
12/05/2002 08:00 PM 749 cdplayer.exe.manifest
12/05/2002 08:00 PM 749 wuaucpl.cpl.manifest
12/05/2002 08:00 PM 749 ncpa.cpl.manifest
8 File(s) 406,129 bytes
1 Dir(s) 4,638,224,384 bytes free

------------ Files Named "Guard" ---------------

Volume in drive C has no label.
Volume Serial Number is FCEE-9519

Directory of C:\WINDOWS\System32

01/23/2005 02:14 PM 56 guard.tmp
1 File(s) 56 bytes
0 Dir(s) 4,638,220,288 bytes free

------ Temp Files in System32 Directory ------

Volume in drive C has no label.
Volume Serial Number is FCEE-9519

Directory of C:\WINDOWS\System32

01/23/2005 02:14 PM 56 guard.tmp
08/29/2002 06:00 AM 2,577 CONFIG.TMP
2 File(s) 2,633 bytes
0 Dir(s) 4,638,220,288 bytes free

------------------ User Agent ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{585BD4F1-1366-489F-954C-DBFF2CF1762A}"=""


------------- Keys Under Notify -------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Syncmgr]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\j4p00e7meh.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"


------------- Locate.com Results -------------

C:\WINDOWS\SYSTEM32\
miexec~1.exe Tue Jan 11 2005 8:11:36a ..SHR 401,408 392.00 K

1 item found: 1 file, 0 directories.
Total of file sizes: 401,408 bytes 392.00 K

-------- Strings.exe Qoologic Results --------


--------- Strings.exe Aspack Results ---------


-------------- HKLM Run Key ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIModeChange"="Ati2mdxx.exe"
"AtiPTA"="atiptaxx.exe"
"SynTPLpr"="C:\\Program Files\\Synaptics\\SynTP\\SynTPLpr.exe"
"SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"Mouse Suite 98 Daemon"="ICO.EXE"
"HKSERV.EXE"="C:\\Program Files\\Sony\\HotKey Utility\\HKserv.exe"
"ezShieldProtector for Px"="C:\\WINDOWS\\System32\\ezSP_Px.exe"
"Lexmark X5100 Series"="\"C:\\Program Files\\Lexmark X5100 Series\\lxbabmgr.exe\""
"SideWinderTrayV4"="C:\\PROGRA~1\\MI948F~1\\GAMECO~1\\Common\\SWTrayV4.exe"
"MediaFace Integration"="C:\\Program Files\\Fellowes\\MediaFACE 4.0\\SetHook.exe"
"Lexmark 3100 Series"="\"C:\\Program Files\\Lexmark 3100 Series\\lxbrbmgr.exe\""
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"AVG7_EMC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgemc.exe"
"dlsmgr"="C:\\Program Files\\dlsmgr\\dlsmgr.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"




Thanks

#4
coachwife6
Run the pocket killbox and get rid of these, using previous instructions.

* C:\WINDOWS\system32\j4p00e7meh.dll
* C:\WINDOWS\system32\guard.tmp





Copy and paste this text into a text editor such as Notepad.


Save this text as FixVX2.reg. Make sure the "Save as type:" is "All Files (*.*)" and save it to your desktop.

Double-click on FixVX2.reg. When it asks you to merge the information to the registry click Yes.

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{585BD4F1-1366-489F-954C-DBFF2CF1762A}"=-

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Syncmgr]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"dlsmgr"=-


Download http://www.downloads...g/VX2Finder.exe and use the Restore Policy button

Then copy & paste the text in bold below into notepad and save it as recyclerem.bat
(Set filetype to "All Files")

attrib -r -s -h %systemdrive%\Recycler
del %systemdrive%\Recycler
attrib -r -s -h %systemdrive%\Recycled
del %systemdrive%\Recycled
shutdown /r /t 0 /f



Close all programs and doubleclick recyclerem.bat

Post back with a HijackThis log.

Restart computer again. :tazz:

#5
x1stanc3
Done! ... without errors

<< HIJACKTHIS LOG >>

Logfile of HijackThis v1.99.0
Scan saved at 3:10:00 PM, on 1/23/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\Ati2evxx.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sony\VAIO Media Music Server\SSSvr.exe
C:\WINDOWS\System32\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Sony\HotKey Utility\HKserv.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\Sony\HotKey Utility\HKWnd.exe
C:\Program Files\Lexmark X5100 Series\lxbabmgr.exe
C:\Program Files\Lexmark X5100 Series\lxbabmon.exe
C:\PROGRA~1\MI948F~1\GAMECO~1\Common\SWTrayV4.exe
C:\Program Files\Lexmark 3100 Series\lxbrbmgr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Lexmark 3100 Series\lxbrbmon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Sony\Photo Server 20\appsrv\PicAppSrv.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\sv_httpd.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\EarthLink TotalAccess\TaskPanl.exe
C:\Program Files\Handspring\HotSync.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\cliff mccoy\Desktop\HijackThis.exe

O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [HKSERV.EXE] C:\Program Files\Sony\HotKey Utility\HKserv.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [Lexmark X5100 Series] "C:\Program Files\Lexmark X5100 Series\lxbabmgr.exe"
O4 - HKLM\..\Run: [SideWinderTrayV4] C:\PROGRA~1\MI948F~1\GAMECO~1\Common\SWTrayV4.exe
O4 - HKLM\..\Run: [MediaFace Integration] C:\Program Files\Fellowes\MediaFACE 4.0\SetHook.exe
O4 - HKLM\..\Run: [Lexmark 3100 Series] "C:\Program Files\Lexmark 3100 Series\lxbrbmgr.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
O4 - Global Startup: Billminder.lnk = C:\Program Files\Quicken\billmind.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\Handspring\HotSync.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\Quicken\QWDLLS.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....738&clcid=0x409
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1106387504476
O23 - Service: Ati HotKey Poller - Unknown - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: LexBce Server - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Sony SPTI Service - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: VAIO Media Music Server (Application) - Sony Corporation - C:\Program Files\Sony\VAIO Media Music Server\SSSvr.exe
O23 - Service: VAIO Media Music Server (HTTP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\sv_httpd.exe
O23 - Service: VAIO Media Music Server (UPnP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
O23 - Service: VAIO Media Photo Server (Application) - Unknown - C:\Program Files\Sony\Photo Server 20\appsrv\PicAppSrv.exe
O23 - Service: VAIO Media Photo Server (HTTP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe
O23 - Service: VAIO Media Photo Server (UPnP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe

#6
coachwife6
Looks good. How is it running?

#7
x1stanc3
So far so good.....

I've run Ad-Aware, Spybot, and AVG with nothing being found.

I'm going to run a few more tests before restoring system restore and updating to SP2.

I'll let you know what I find...

Thanks for the assistance. :tazz:

#8
coachwife6
Rock on. :thumbsup: Glad to be of assistance.

Congratulations! Your system is CLEAN :tazz:

How do you prevent spyware from being installed again? We strongly recommend installing SpywareBlaster (it's free for personal use) Click Here.

Prevent the installation of ActiveX-based spyware, adware, browser hijackers, dialers, and other potentially unwanted pests.
Block spyware/tracking cookies in Internet Explorer and Mozilla/Firefox.
Restrict the actions of potentially dangerous sites in Internet Explorer.
Consumes no system resources.

Download, run, check for updates, download updates, select all, protect against checked. All done. Check for updates every couple of weeks. If you have any errors running the program like a missing file see the link at the bottom of the javacool page.

It's also very important to keep your system up to date to avoid unnecessary security risks. Click Here to make sure that you have the latest patches for Windows.

These next two steps are optional, but will provide the greatest protection.
1. Use ANY browser besides Internet Explorer; almost every exploit is crafted to take advantage of an IE weakness. We usually recommend Firefox.
2. Install Sun's Java. It's much more secure than Microsoft's Java Virtual Machine.

It's okay to delete the Hijack This folder if everything is working okay.

After doing all these, your system will be thoroughly protected from future threats. ;)

#9
x1stanc3
Ok...

I'm still working with a few problems....

I've run Microsoft's Spyware Beta and it picks up SearchMiracle.Elitebar....

It is apparently not running but is still residing in the add/remove programs dialog.

Any suggestions?



I have also tried to use Windows Update with no luck...

It seems that after downloading the security updates it fails to install for some reason without giving any error message or explanation...

I'm currently updating everything from Sony VAIO....

Thanks

#10
coachwife6
Can you uninstall it through add/remove or is it already removed, but the icon still remains? There is a mechanism to remove the icon in XP after the program has been removed, but I can't remember how to do it.

Where is it picking up the miraclesearchelite bar? You can turn off system restore and delete your temp. files.

#11
x1stanc3
Yeah, that's it....

It just remains in the add/remove dialog without actually being installed...

It shows two registry keys and I assume the third is coming from the add/remove dialog entry...

It says that it removed them...

I deleted all the temp files already with the exception of one persistent file JETA7F9.tmp ....


I am almost done updating VAIO and I'll run the scan again to see if it is still resident....

Should I maybe try killbox on the tmp file?

Thanks

#12
coachwife6
I would use the killbox to try and remove it.

If you still have trouble updating windows ---- I don't know if this is the best advice, but this is how I finally got mine to update after about a year of trying. It was showing that it wasn't downloaded, but it was in my add/remove programs list. I uninstalled it and then downloaded it and then it worked. I'm not saying that's the best way to go, but sometimes the updates are rather finicky.

#13
x1stanc3
Turns out there are a multitude of programs out there which claim to fix the add/remove dialog error; however, I have a tendency not to trust unknown applications...

The manual fix I found for it was really quite simple. I just needed to remove an entry in the registry...

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

Every program that appears in the add/remove dialog has its own entry under the above path.

As far as the persistent temp file is concerned, it seems as though it is something non-malicious. It exists after every reboot under a different but similar name.

I'm still working on the Windows Update situation. The computer I'm working on has SP1 installed and I'm in the process of downloading SP1a which was suggested in the pinned topic; however, I had to select the option provided for users of browsers other than IE. I overlooked this during the first attempt to download considering that I was using IE... :thumbsup:

I'll post back with an update after I get SP1a and/or SP2 downloaded and installed. ;)

Thanks again for all the assistance. :tazz:

#14
coachwife6
Give me another find and fix log to make sure we got rid of that guard.tmp file. :tazz:

#15
x1stanc3
fix log :tazz:

Did you mean Hijackthis?

<< HIJACKTHIS LOG >>

Logfile of HijackThis v1.99.0
Scan saved at 9:21:00 AM, on 1/24/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\Ati2evxx.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sony\VAIO Media Music Server\SSSvr.exe
C:\Program Files\Sony\Photo Server 20\appsrv\PicAppSrv.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\sv_httpd.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
C:\WINDOWS\System32\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Sony\HotKey Utility\HKserv.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\Lexmark X5100 Series\lxbabmgr.exe
C:\PROGRA~1\MI948F~1\GAMECO~1\Common\SWTrayV4.exe
C:\Program Files\Lexmark X5100 Series\lxbabmon.exe
C:\Program Files\Sony\HotKey Utility\HKWnd.exe
C:\Program Files\Lexmark 3100 Series\lxbrbmgr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Lexmark 3100 Series\lxbrbmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\EarthLink TotalAccess\TaskPanl.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Handspring\HotSync.exe
C:\Documents and Settings\cliff mccoy\Desktop\hijackthis\HijackThis.exe

O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [HKSERV.EXE] C:\Program Files\Sony\HotKey Utility\HKserv.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [Lexmark X5100 Series] "C:\Program Files\Lexmark X5100 Series\lxbabmgr.exe"
O4 - HKLM\..\Run: [SideWinderTrayV4] C:\PROGRA~1\MI948F~1\GAMECO~1\Common\SWTrayV4.exe
O4 - HKLM\..\Run: [MediaFace Integration] C:\Program Files\Fellowes\MediaFACE 4.0\SetHook.exe
O4 - HKLM\..\Run: [Lexmark 3100 Series] "C:\Program Files\Lexmark 3100 Series\lxbrbmgr.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
O4 - Global Startup: Billminder.lnk = C:\Program Files\Quicken\billmind.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\Handspring\HotSync.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\Quicken\QWDLLS.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....738&clcid=0x409
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1106387504476
O23 - Service: Ati HotKey Poller - Unknown - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: LexBce Server - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Sony SPTI Service - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: VAIO Media Music Server (Application) - Sony Corporation - C:\Program Files\Sony\VAIO Media Music Server\SSSvr.exe
O23 - Service: VAIO Media Music Server (HTTP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\sv_httpd.exe
O23 - Service: VAIO Media Music Server (UPnP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
O23 - Service: VAIO Media Photo Server (Application) - Unknown - C:\Program Files\Sony\Photo Server 20\appsrv\PicAppSrv.exe
O23 - Service: VAIO Media Photo Server (HTTP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe
O23 - Service: VAIO Media Photo Server (UPnP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
<< FINDIT LOG >>

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from: C:\find

------- System Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is FCEE-9519

Directory of C:\WINDOWS\System32

01/11/2005 08:11 AM 401,408 m?iexec.exe
12/05/2002 08:58 PM <DIR> Microsoft
1 File(s) 401,408 bytes
1 Dir(s) 3,860,873,216 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is FCEE-9519

Directory of C:\WINDOWS\System32

01/22/2005 07:23 PM <DIR> vmss
01/11/2005 08:11 AM 401,408 m?iexec.exe
12/05/2002 08:00 PM 488 WindowsLogon.manifest
12/05/2002 08:00 PM 488 logonui.exe.manifest
12/05/2002 08:00 PM 749 sapi.cpl.manifest
12/05/2002 08:00 PM 749 nwc.cpl.manifest
12/05/2002 08:00 PM 749 cdplayer.exe.manifest
12/05/2002 08:00 PM 749 wuaucpl.cpl.manifest
12/05/2002 08:00 PM 749 ncpa.cpl.manifest
8 File(s) 406,129 bytes
1 Dir(s) 3,860,873,216 bytes free

------------ Files Named "Guard" ---------------

Volume in drive C has no label.
Volume Serial Number is FCEE-9519

Directory of C:\WINDOWS\System32

01/23/2005 02:58 PM 56 guard.tmp
1 File(s) 56 bytes
0 Dir(s) 3,860,869,120 bytes free

------ Temp Files in System32 Directory ------

Volume in drive C has no label.
Volume Serial Number is FCEE-9519

Directory of C:\WINDOWS\System32

01/23/2005 02:58 PM 56 guard.tmp
08/29/2002 06:00 AM 2,577 CONFIG.TMP
2 File(s) 2,633 bytes
0 Dir(s) 3,860,869,120 bytes free

------------------ User Agent ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]


------------- Keys Under Notify -------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]


------------- Locate.com Results -------------

C:\WINDOWS\SYSTEM32\
miexec~1.exe Tue Jan 11 2005 8:11:36a ..SHR 401,408 392.00 K

1 item found: 1 file, 0 directories.
Total of file sizes: 401,408 bytes 392.00 K

-------- Strings.exe Qoologic Results --------


--------- Strings.exe Aspack Results ---------


-------------- HKLM Run Key ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIModeChange"="Ati2mdxx.exe"
"AtiPTA"="atiptaxx.exe"
"SynTPLpr"="C:\\Program Files\\Synaptics\\SynTP\\SynTPLpr.exe"
"SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"Mouse Suite 98 Daemon"="ICO.EXE"
"HKSERV.EXE"="C:\\Program Files\\Sony\\HotKey Utility\\HKserv.exe"
"ezShieldProtector for Px"="C:\\WINDOWS\\System32\\ezSP_Px.exe"
"Lexmark X5100 Series"="\"C:\\Program Files\\Lexmark X5100 Series\\lxbabmgr.exe\""
"SideWinderTrayV4"="C:\\PROGRA~1\\MI948F~1\\GAMECO~1\\Common\\SWTrayV4.exe"
"MediaFace Integration"="C:\\Program Files\\Fellowes\\MediaFACE 4.0\\SetHook.exe"
"Lexmark 3100 Series"="\"C:\\Program Files\\Lexmark 3100 Series\\lxbrbmgr.exe\""
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"AVG7_EMC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgemc.exe"
"gcasServ"="\"C:\\Program Files\\Microsoft AntiSpyware\\gcasServ.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"
Thanks
  • 0
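The Findit log above is the kind of listing a helper reads by eye. As an added example (it is not part of the original thread, nor is it Find.bat, HijackThis or any other tool the posters used), the Python below parses those lines and flags the same three things the log's sections were written to surface: a file name cmd.exe could not display (the `?` in m?iexec.exe), .tmp files sitting in System32 (guard.tmp, which the poster says comes back under a similar name after every reboot), and the System+Hidden+Read-only attribute set shown by locate.com. The sample lines are copied from the posted log; the scan date is an assumption taken from the HijackThis timestamp next to it. As the log's own warning says, a hit is a candidate for review, not a verdict.

```python
"""Triage a Find.bat-style listing of C:\\WINDOWS\\System32.

Added example for this thread; not Find.bat, HijackThis or any tool the
posters used. It reads the 'dir' and locate.com lines the posted log
contains and flags the indicators those log sections exist to surface.
Every hit is a candidate for review, not a verdict: the log itself warns
that legitimate files show up too.
"""
import re
from datetime import datetime
from typing import Dict, List, Tuple

# cmd.exe 'dir' line:  01/23/2005 02:58 PM 56 guard.tmp
# Directory rows carry <DIR> instead of a size and deliberately do not match.
DIR_LINE = re.compile(
    r"^(\d{2}/\d{2}/\d{4})\s+(\d{2}:\d{2}\s[AP]M)\s+([\d,]+)\s+(.+?)\s*$")

# locate.com line: miexec~1.exe Tue Jan 11 2005 8:11:36a ..SHR 401,408 392.00 K
# Group 2 is the attribute field; the letters S, H and R are what we test for.
LOCATE_LINE = re.compile(
    r"^(\S+)\s+[A-Za-z]{3}\s[A-Za-z]{3}\s+\d{1,2}\s+\d{4}\s+"
    r"\d{1,2}:\d{2}:\d{2}[ap]\s+([.A-Z]+)\s+[\d,]+")

# Constructed sample: the relevant lines copied from the posted Findit log.
SAMPLE_LISTING = """\
01/11/2005 08:11 AM 401,408 m?iexec.exe
12/05/2002 08:58 PM <DIR> Microsoft
12/05/2002 08:00 PM 488 logonui.exe.manifest
01/23/2005 02:58 PM 56 guard.tmp
01/23/2005 02:58 PM 56 guard.tmp
08/29/2002 06:00 AM 2,577 CONFIG.TMP
2 File(s) 2,633 bytes
miexec~1.exe Tue Jan 11 2005 8:11:36a ..SHR 401,408 392.00 K
"""

# Assumed scan date, taken from the HijackThis log posted alongside the Findit log.
SCAN_DATE = datetime(2005, 1, 24)


def undisplayable(name: str) -> bool:
    """True if the name holds a character cmd.exe could not render.

    '?' is not legal in a Windows file name, so a '?' in a dir listing means
    the console substituted it for a character outside its code page. Raw
    control or non-ASCII characters are caught as well, in case the listing
    was captured under a different code page.
    """
    return "?" in name or any(ord(c) < 32 or ord(c) > 126 for c in name)


def triage_listing(text: str, scan_date: datetime) -> List[Tuple[str, str]]:
    """Return sorted, de-duplicated (file name, reason) pairs worth a look."""
    hits: Dict[Tuple[str, str], None] = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = DIR_LINE.match(line)
        if m:
            date_text, _time, _size, name = m.groups()
            modified = datetime.strptime(date_text, "%m/%d/%Y")
            age_days = (scan_date - modified).days
            if undisplayable(name):
                hits[(name, "name contains a character cmd.exe could not display")] = None
            if name.lower().endswith(".tmp"):
                # The poster reports this file coming back under a similar
                # name after each reboot; the age separates old leftovers
                # (CONFIG.TMP from 2002) from something written yesterday.
                hits[(name, f"temp file in System32, last modified "
                            f"{age_days} day(s) before scan")] = None
            continue
        m = LOCATE_LINE.match(line)
        if m:
            name, attrs = m.group(1), m.group(2)
            if {"S", "H", "R"} <= set(attrs):
                hits[(name, "System+Hidden+Read-only attributes set")] = None
    return sorted(hits)


if __name__ == "__main__":
    for name, reason in triage_listing(SAMPLE_LISTING, SCAN_DATE):
        print(f"{name:24} {reason}")
```

Running it against the sample lists m?iexec.exe (undisplayable character), miexec~1.exe (S+H+R; the same file under its 8.3 name), guard.tmp (modified one day before the scan) and CONFIG.TMP (a .tmp from 2002, which the age makes easy to set aside). The manifest files and the Microsoft directory produce nothing.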
