Old 08-03-2008, 03:06 AM   #1 (permalink)
Registered User
 
Join Date: Jan 2008
Posts: 51
OS: Windows XP sp3


heur trojan mess - Cannot Update OS - SP3 cannot find CLBCATQ dll's

AVG got most of the trojan. One dll that was found to be corrupt - C:\windows\system32\clbdll.dll - was moved to the vault by AVG, but I still have issues - ran through the 5 steps -
WinXP SP3 will not load - Windows cannot find clbcatq.dll or clbcatex.dll
I tried both SP3 and SP3 for IT Professionals. I'm running WinXP Home Ed.
Did not go into the COM+ fix.
-----------------------------------------------------------------------
ActiveScan.txt attached.
-----------------------------------------------------------------------
Deckard did not create an "extra.txt" file, but here's main.txt:
-----------------------------------------------------------------------

Deckard's System Scanner v20071014.68
Run by Owner on 2008-08-03 04:44:48
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- HijackThis (run as Owner.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:47:01 AM, on 8/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\PerfectDisk2008\PD91Agent.exe
C:\WINDOWS\system32\ps2.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Owner\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Owner.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TY...rio&pf=desktop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {0C8C77AF-B97A-4FD3-89C0-44098F0CDE6B} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E156AAE-FA60-44A1-8E69-2E0E0030F1F6} - (no file)
O2 - BHO: (no name) - {B91C0269-E0E2-4C83-BCFF-131693EB3314} - (no file)
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Symantec NetDriver Warning] C:\PROGRA~1\SYMNET~1\SNDWarn.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'Default user')
O8 - Extra context menu item: Open with WordPerfect - c:\Program Files\Corel\WordPerfect Office X4\Programs\WPLauncher.hta
O15 - Trusted Zone: http://*.ameritrade.com
O15 - Trusted Zone: http://www.cbs.com
O15 - Trusted Zone: http://visitor.constantcontact.com
O15 - Trusted Zone: http://www.evite.com
O15 - Trusted Zone: http://dynamic.abc.go.com
O15 - Trusted Zone: www.seek.com.au
O15 - Trusted Zone: http://*.turbotax.com
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} - http://support2.charter.com/sdccommo...ad/tgctlcm.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/actives.../as2stubie.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {459E93B6-150E-45D5-8D4B-45C66FC035FE} (get_atlcom Class) - http://apps.corel.com/nos_dl_manager...EGetPlugin.ocx
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} - http://ipgweb.cce.hp.com/rdqna/downloads/sysinfo.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1093930840796
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn...tDetection.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1124160269328
O16 - DPF: {85BA505F-FD01-4A91-836C-F7D502E89C9A} - http://www.evite.com/html/imageUploa...eUploader4.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} - http://a19.g.akamai.net/7/19/7125/14...2/cpbrkpie.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: efcywxWn - efcywxWn.dll (file missing)
O20 - Winlogon Notify: WinCtrl32 - WinCtrl32.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LSCLFE - Unknown owner - C:\DOCUME~1\Owner\LOCALS~1\Temp\LSCLFE.exe (file missing)
O23 - Service: PD91Agent - Raxco Software, Inc. - C:\Program Files\PerfectDisk2008\PD91Agent.exe
O23 - Service: PD91Engine - Raxco Software, Inc. - C:\Program Files\PerfectDisk2008\PD91Engine.exe
O23 - Service: PD91VMDefrag - Raxco Software, Inc. - C:\Program Files\PerfectDisk2008\PD91VMDefrag.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: VLFVQCTIFWCLAQ - Sysinternals - www.sysinternals.com - C:\DOCUME~1\Owner\LOCALS~1\Temp\VLFVQCTIFWCLAQ.exe

--
End of file - 7570 bytes

-- Files created between 2008-07-03 and 2008-08-03 -----------------------------

2008-08-03 04:10:54 0 d-------- C:\WINDOWS\Prefetch
2008-08-03 03:02:27 1845248 --a------ C:\WINDOWS\system32\win32k.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-08-02 20:24:26 0 d-------- C:\Program Files\Panda Security
2008-08-02 18:52:05 0 d-------- C:\WINDOWS\system32\dll
2008-08-02 18:03:44 0 d-------- C:\WINDOWS\system32\scripting
2008-08-02 18:03:39 0 d-------- C:\WINDOWS\l2schemas
2008-08-02 18:03:38 0 d-------- C:\WINDOWS\system32\en
2008-08-02 16:22:01 0 d-------- C:\WINDOWS\system32\CatRoot_bak
2008-08-02 14:34:36 0 d-------- C:\Documents and Settings\Administrator\Application Data\Uniblue
2008-08-02 14:05:01 0 d-------- C:\Program Files\Common Files\AnswerWorks 4.0
2008-07-27 19:37:17 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-07-27 12:25:06 0 d--h----- C:\$AVG8.VAULT$
2008-07-27 12:22:07 0 d-------- C:\WINDOWS\system32\drivers\Avg
2008-07-27 12:21:43 0 d-------- C:\Program Files\AVG
2008-07-27 12:21:43 0 d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-07-26 14:09:43 14417920 --a------ C:\Documents and Settings\Owner\ntuser.dat
2008-07-24 22:20:00 638976 --ahs---- C:\WINDOWS\system32\SvCeKnmp.ini2
2008-07-24 22:11:25 0 d-------- C:\Documents and Settings\Owner\Application Data\rhcgo2j0e3cg
2008-07-24 20:22:59 0 d-------- C:\Webstar Cable Modem Drivers
2008-07-23 23:38:16 0 d-------- C:\Program Files\PerformanceTest
2008-07-23 22:31:38 0 d-------- C:\Program Files\WinImage
2008-07-21 2318 0 d-------- C:\WINDOWS\system32\NtmsData
2008-07-20 21:39:55 0 --a------ C:\WINDOWS\ativpsrm.bin
2008-07-20 21:08:23 0 d-------- C:\Documents and Settings\All Users\Application Data\PC Drivers HeadQuarters
2008-07-20 20:58:14 0 d-------- C:\WINDOWS\Logs
2008-07-15 19:42:09 0 d-------- C:\Program Files\HP
2008-07-15 19:00:14 0 d-------- C:\temp
2008-07-14 12:32:21 0 d-------- C:\Program Files\Quick Screen Capture
2008-07-14 12:32:21 0 d-------- C:\MyCaptures
2008-07-12 19:18:28 0 d-------- C:\Documents and Settings\Owner\Application Data\Opera
2008-07-12 18:01:56 0 d-------- C:\Program Files\Microsoft ActiveSync
2008-07-12 17:54:42 0 d-------- C:\Program Files\Microsoft.NET
2008-07-12 17:51:58 0 dr-h----- C:\MSOCache
2008-07-12 12:40:54 0 d-------- C:\Program Files\iTunes


-- Find3M Report ---------------------------------------------------------------

2008-08-03 03:54:15 0 d-------- C:\Program Files\Messenger
2008-08-03 03:49:21 0 d-------- C:\Program Files\Windows NT
2008-08-03 03:49:18 0 d-------- C:\Program Files\Movie Maker
2008-08-03 01:38:29 0 d-------- C:\Program Files\SpywareBlaster
2008-08-02 20:16:40 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-08-02 20:02:23 0 d-------- C:\Program Files\CopyToDVD
2008-08-02 20:00:45 0 d-------- C:\Program Files\Canon Creative
2008-08-02 19:52:21 0 d-------- C:\Documents and Settings\Owner\Application Data\Corel
2008-08-02 19:51:44 0 d-------- C:\Program Files\Common Files
2008-08-02 19:42:12 0 d-------- C:\Program Files\ItsDeductibleEX
2008-08-02 14:19:16 0 d-------- C:\Program Files\MSN Encarta Plus
2008-08-02 14:15:33 0 d-------- C:\Program Files\Downloads
2008-08-02 14:05:01 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-08-02 13:32:00 0 d-------- C:\Program Files\Bonjour
2008-07-20 17:30:59 0 d-------- C:\Program Files\Doom 3
2008-07-12 17:54:41 0 d-------- C:\Program Files\Windows Messaging
2008-07-12 12:41:12 0 d-------- C:\Program Files\iPod
2008-07-12 12:38:39 0 d-------- C:\Program Files\QuickTime
2008-07-01 13:47:24 0 d-------- C:\Documents and Settings\Owner\Application Data\CopyToDvd
2008-06-02 21:05:00 593920 --a------ C:\WINDOWS\system32\ati2sgag.exe <Not Verified; ; ATI Smart>
2008-05-16 22:27:47 73216 --a------ C:\WINDOWS\ST6UNST.EXE <Not Verified; Microsoft Corporation; Microsoft® Visual Basic for Windows>

-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0C8C77AF-B97A-4FD3-89C0-44098F0CDE6B}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7E156AAE-FA60-44A1-8E69-2E0E0030F1F6}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B91C0269-E0E2-4C83-BCFF-131693EB3314}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PS2"="C:\WINDOWS\system32\ps2.exe" [09/12/2003 11:13 PM]
"AGRSMMSG"="AGRSMMSG.exe" [03/04/2005 12:01 PM C:\WINDOWS\AGRSMMSG.exe]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe" [07/25/2003 10:14 AM]
"WMC_AutoUpdate"="" []
"AppleSyncNotifier"="C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [07/10/2008 09:47 AM]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [07/27/2008 12:21 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [10/18/2006 09:05 PM]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [07/07/2008 09:42 AM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"ALUAlert"=C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe
"Symantec NetDriver Warning"=C:\PROGRA~1\SYMNET~1\SNDWarn.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoDispBackgroundPage"=0 (0x0)
"NoDispScrSavPage"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\efcywxWn]
efcywxWn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WinCtrl32]
WinCtrl32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\pmnKeCvS
"Notification Packages"= scecli scecli

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winvy14.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Wireless Configuration Utility HW.14.lnk]
backup=C:\WINDOWS\pss\Wireless Configuration Utility HW.14.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\advap32]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EasyLinkAdvisor]
"C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpsysdrv]
c:\windows\system\hpsysdrv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lphclo2j0e3cg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickFinder Scheduler]
"c:\Program Files\Corel\WordPerfect Office X4\Programs\QFSCHD140.EXE"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\QTTask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMrhcgo2j0e3cg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uniblue RegistryBooster 2]
C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck]

-- End of Deckard's System Scanner: finished at 2008-08-03 04:47:49 ------------
Old 08-08-2008, 01:57 AM   #2 (permalink)
Moderator, Analyst, Security Team ; Rangemaster, TSF Academy
 
amateur's Avatar
 
Join Date: Jun 2006
Location: USA
Posts: 7,395
OS: XP SP3


Re: heur trojan mess - Cannot Update OS - SP3 cannot find CLBCATQ dll's

Hello and welcome to TSF.

Sorry for the delayed response. If you have not received help elsewhere and still need help please post a fresh main.txt produced by the Deckard's System Scanner, as it has been a while since you posted.
Old 08-09-2008, 09:23 AM   #3 (permalink)
Registered User
 
Join Date: Jan 2008
Posts: 51
OS: Windows XP sp3


Re: heur trojan mess - Cannot Update OS - SP3 cannot find CLBCATQ dll's

Thank you for your reply. Here's a fresh post:

Deckard's System Scanner v20071014.68
Run by Owner on 2008-08-10 11:16:42
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Owner.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:19, on 2008-08-10
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ps2.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\PerfectDisk2008\PD91Agent.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Owner\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Owner.exe
C:\WINDOWS\system32\wuauclt.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TY...rio&pf=desktop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {0C8C77AF-B97A-4FD3-89C0-44098F0CDE6B} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E156AAE-FA60-44A1-8E69-2E0E0030F1F6} - (no file)
O2 - BHO: (no name) - {B91C0269-E0E2-4C83-BCFF-131693EB3314} - (no file)
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Symantec NetDriver Warning] C:\PROGRA~1\SYMNET~1\SNDWarn.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'Default user')
O8 - Extra context menu item: Open with WordPerfect - c:\Program Files\Corel\WordPerfect Office X4\Programs\WPLauncher.hta
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O15 - Trusted Zone: http://*.ameritrade.com
O15 - Trusted Zone: http://www.cbs.com
O15 - Trusted Zone: http://visitor.constantcontact.com
O15 - Trusted Zone: http://www.evite.com
O15 - Trusted Zone: http://dynamic.abc.go.com
O15 - Trusted Zone: www.seek.com.au
O15 - Trusted Zone: http://*.turbotax.com
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} - http://support2.charter.com/sdccommo...ad/tgctlcm.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/actives.../as2stubie.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {459E93B6-150E-45D5-8D4B-45C66FC035FE} (get_atlcom Class) - http://apps.corel.com/nos_dl_manager...EGetPlugin.ocx
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} - http://ipgweb.cce.hp.com/rdqna/downloads/sysinfo.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1093930840796
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn...tDetection.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1124160269328
O16 - DPF: {85BA505F-FD01-4A91-836C-F7D502E89C9A} - http://www.evite.com/html/imageUploa...eUploader4.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} - http://a19.g.akamai.net/7/19/7125/14...2/cpbrkpie.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: efcywxWn - efcywxWn.dll (file missing)
O20 - Winlogon Notify: WinCtrl32 - WinCtrl32.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LSCLFE - Unknown owner - C:\DOCUME~1\Owner\LOCALS~1\Temp\LSCLFE.exe (file missing)
O23 - Service: PD91Agent - Raxco Software, Inc. - C:\Program Files\PerfectDisk2008\PD91Agent.exe
O23 - Service: PD91Engine - Raxco Software, Inc. - C:\Program Files\PerfectDisk2008\PD91Engine.exe
O23 - Service: PD91VMDefrag - Raxco Software, Inc. - C:\Program Files\PerfectDisk2008\PD91VMDefrag.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: VLFVQCTIFWCLAQ - Sysinternals - www.sysinternals.com - C:\DOCUME~1\Owner\LOCALS~1\Temp\VLFVQCTIFWCLAQ.exe

--
End of file - 8092 bytes

-- Files created between 2008-07-10 and 2008-08-10 -----------------------------

2008-08-10 10:50:56 0 d-------- C:\WINDOWS\LastGood
2008-08-03 13:47:12 0 d-------- C:\cmdcons
2008-08-03 13:43:08 68096 --a------ C:\WINDOWS\zip.exe
2008-08-03 13:43:08 49152 --a------ C:\WINDOWS\VFind.exe
2008-08-03 13:43:08 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-08-03 13:43:08 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-08-03 13:43:08 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-08-03 13:43:08 98816 --a------ C:\WINDOWS\sed.exe
2008-08-03 13:43:08 80412 --a------ C:\WINDOWS\grep.exe
2008-08-03 13:43:08 89504 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-08-03 12:09:53 0 d-------- C:\Program Files\Western Digital
2008-08-03 04:10:54 0 d-------- C:\WINDOWS\Prefetch
2008-08-03 03:02:27 1845248 --a------ C:\WINDOWS\system32\win32k.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-08-02 20:24:26 0 d-------- C:\Program Files\Panda Security
2008-08-02 18:52:05 0 d-------- C:\WINDOWS\system32\dll
2008-08-02 18:03:44 0 d-------- C:\WINDOWS\system32\scripting
2008-08-02 18:03:39 0 d-------- C:\WINDOWS\l2schemas
2008-08-02 18:03:38 0 d-------- C:\WINDOWS\system32\en
2008-08-02 16:22:01 0 d-------- C:\WINDOWS\system32\CatRoot_bak
2008-08-02 14:34:36 0 d-------- C:\Documents and Settings\Administrator\Application Data\Uniblue
2008-08-02 14:05:01 0 d-------- C:\Program Files\Common Files\AnswerWorks 4.0
2008-07-27 19:37:17 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-07-27 12:25:06 0 d--h----- C:\$AVG8.VAULT$
2008-07-27 12:22:07 0 d-------- C:\WINDOWS\system32\drivers\Avg
2008-07-27 12:21:43 0 d-------- C:\Program Files\AVG
2008-07-27 12:21:43 0 d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-07-26 14:09:43 14417920 --a------ C:\Documents and Settings\Owner\ntuser.dat
2008-07-24 22:20:00 638976 --ahs---- C:\WINDOWS\system32\SvCeKnmp.ini2
2008-07-24 22:11:25 0 d-------- C:\Documents and Settings\Owner\Application Data\rhcgo2j0e3cg
2008-07-24 20:22:59 0 d-------- C:\Webstar Cable Modem Drivers
2008-07-23 23:38:16 0 d-------- C:\Program Files\PerformanceTest
2008-07-23 22:31:38 0 d-------- C:\Program Files\WinImage
2008-07-21 2318 0 d-------- C:\WINDOWS\system32\NtmsData
2008-07-20 21:39:55 0 --a------ C:\WINDOWS\ativpsrm.bin
2008-07-20 21:08:23 0 d-------- C:\Documents and Settings\All Users\Application Data\PC Drivers HeadQuarters
2008-07-20 20:58:14 0 d-------- C:\WINDOWS\Logs
2008-07-15 19:42:09 0 d-------- C:\Program Files\HP
2008-07-15 19:00:14 0 d-------- C:\temp
2008-07-14 12:32:21 0 d-------- C:\Program Files\Quick Screen Capture
2008-07-14 12:32:21 0 d-------- C:\MyCaptures
2008-07-12 19:18:28 0 d-------- C:\Documents and Settings\Owner\Application Data\Opera
2008-07-12 18:01:56 0 d-------- C:\Program Files\Microsoft ActiveSync
2008-07-12 17:54:42 0 d-------- C:\Program Files\Microsoft.NET
2008-07-12 17:51:58 0 dr-h----- C:\MSOCache
2008-07-12 12:40:54 0 d-------- C:\Program Files\iTunes


-- Find3M Report ---------------------------------------------------------------

2008-08-04 22:31:38 0 d-------- C:\Documents and Settings\Owner\Application Data\Apple Computer
2008-08-03 13:19:35 0 d-------- C:\Program Files\Java
2008-08-03 13:15:15 0 d-------- C:\Program Files\iConcepts Photo Frame
2008-08-03 12:23:28 0 d-------- C:\Program Files\Canon Creative
2008-08-03 12:10:25 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-08-03 03:54:15 0 d-------- C:\Program Files\Messenger
2008-08-03 03:49:21 0 d-------- C:\Program Files\Windows NT
2008-08-03 03:49:18 0 d-------- C:\Program Files\Movie Maker
2008-08-03 01:38:29 0 d-------- C:\Program Files\SpywareBlaster
2008-08-02 20:16:40 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-08-02 20:02:23 0 d-------- C:\Program Files\CopyToDVD
2008-08-02 19:52:21 0 d-------- C:\Documents and Settings\Owner\Application Data\Corel
2008-08-02 19:51:44 0 d-------- C:\Program Files\Common Files
2008-08-02 19:42:12 0 d-------- C:\Program Files\ItsDeductibleEX
2008-08-02 14:19:16 0 d-------- C:\Program Files\MSN Encarta Plus
2008-08-02 14:15:33 0 d-------- C:\Program Files\Downloads
2008-08-02 13:32:00 0 d-------- C:\Program Files\Bonjour
2008-07-20 17:30:59 0 d-------- C:\Program Files\Doom 3
2008-07-12 17:54:41 0 d-------- C:\Program Files\Windows Messaging
2008-07-12 12:41:12 0 d-------- C:\Program Files\iPod
2008-07-12 12:38:39 0 d-------- C:\Program Files\QuickTime
2008-07-01 13:47:24 0 d-------- C:\Documents and Settings\Owner\Application Data\CopyToDvd
2008-06-02 21:05:00 593920 --a------ C:\WINDOWS\system32\ati2sgag.exe <Not Verified; ; ATI Smart>
2008-05-16 22:27:47 73216 --a------ C:\WINDOWS\ST6UNST.EXE <Not Verified; Microsoft Corporation; Microsoft® Visual Basic for Windows>


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0C8C77AF-B97A-4FD3-89C0-44098F0CDE6B}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7E156AAE-FA60-44A1-8E69-2E0E0030F1F6}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B91C0269-E0E2-4C83-BCFF-131693EB3314}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PS2"="C:\WINDOWS\system32\ps2.exe" [2003-09-12 23:13]
"AGRSMMSG"="AGRSMMSG.exe" [2005-03-04 12:01 C:\WINDOWS\AGRSMMSG.exe]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe" [2003-07-25 10:14]
"WMC_AutoUpdate"="" []
"AppleSyncNotifier"="C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-10 09:47]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-07-27 12:21]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 21:05]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-07-07 09:42]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"ALUAlert"=C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe
"Symantec NetDriver Warning"=C:\PROGRA~1\SYMNET~1\SNDWarn.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoDispBackgroundPage"=0 (0x0)
"NoDispScrSavPage"=0 (0x0)
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\efcywxWn]
efcywxWn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WinCtrl32]
WinCtrl32.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\pmnKeCvS
"Notification Packages"= scecli scecli

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PSEXESVC]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winvy14.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Wireless Configuration Utility HW.14.lnk]
backup=C:\WINDOWS\pss\Wireless Configuration Utility HW.14.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\advap32]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EasyLinkAdvisor]
"C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpsysdrv]
c:\windows\system\hpsysdrv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lphclo2j0e3cg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickFinder Scheduler]
"c:\Program Files\Corel\WordPerfect Office X4\Programs\QFSCHD140.EXE"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\QTTask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMrhcgo2j0e3cg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uniblue RegistryBooster 2]
C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck]


-- End of Deckard's System Scanner: finished at 2008-08-10 11:21:12 ------------
Roc 65 is offline  
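The Deckard "Registry Dump" above already hides default entries, which makes it a compact place to look for persistence. As an added example (not part of this thread, and not code from Deckard or HijackThis), the following Python script parses that dump format and flags the entries an analyst would act on first: extra LSA authentication or notification packages (the pmnKeCvS entry above), every Winlogon\Notify DLL shown, and msconfig startupreg entries left without a command. The Windows XP defaults it compares against (msv1_0 and scecli) are assumed from the documented defaults rather than taken from the page; the sample text embedded in the script is copied from the log above.

```python
r"""Triage the "Registry Dump" section of a Deckard System Scanner log.

Added example; it is not part of the thread and not Deckard's or
HijackThis' code. SAMPLE_DUMP below is copied from the log posted above.
The dump already hides default entries, so the checks are plain baseline
comparisons against Windows XP defaults (assumed from the documented
defaults, not stated on the page):

  * LSA "Authentication Packages" defaults to msv1_0 and "Notification
    Packages" to scecli; any extra token is a DLL loaded into lsass.exe.
  * Every Winlogon\Notify subkey shown is a non-default DLL loaded into
    winlogon.exe at logon.
  * An msconfig startupreg entry with no command is a disabled startup
    item whose program is already gone.
"""
import re
from typing import List, Tuple

LSA_DEFAULTS = {
    "authentication packages": {"msv1_0"},
    "notification packages": {"scecli"},
}

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=\s*(?P<data>.*)$')

Finding = Tuple[str, str, str]   # (severity, registry key, reason)


def parse_dump(text: str) -> List[Tuple[str, List[str]]]:
    """Return (key path, [non-blank lines under it]) pairs in dump order."""
    sections: List[Tuple[str, List[str]]] = []
    current: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = []
            sections.append((m.group("key"), current))
        elif line and not line.startswith("*Note*"):
            current.append(line)
    return sections


def check_lsa(key: str, lines: List[str]) -> List[Finding]:
    """Flag every LSA package token that is not a Windows XP default."""
    out: List[Finding] = []
    for raw in lines:
        m = VALUE_RE.match(raw)
        if not m:
            continue
        name = m.group("name")
        # Deckard lists packages space-separated; a path containing spaces would be split here.
        tokens = m.group("data").split()
        extra = [t for t in tokens if t.lower() not in LSA_DEFAULTS.get(name.lower(), set())]
        if extra:   # "scecli scecli" is a doubled default, not an addition, and is not flagged
            out.append(("HIGH", key, f"{name} loads {' '.join(extra)} into lsass.exe"))
    return out


def triage(text: str) -> List[Finding]:
    """Findings ordered HIGH first; order within a severity follows the dump."""
    findings: List[Finding] = []
    for key, lines in parse_dump(text):
        lk = key.lower()
        if lk.endswith("\\control\\lsa"):
            findings.extend(check_lsa(key, lines))
        elif "\\winlogon\\notify\\" in lk:
            dll = lines[0] if lines else "(no DLL listed)"
            findings.append(("HIGH", key, f"non-default Winlogon notify DLL {dll}"))
        elif "\\msconfig\\startupreg\\" in lk and not lines:
            findings.append(("MEDIUM", key, "msconfig-disabled startup entry whose command is gone"))
    rank = {"HIGH": 0, "MEDIUM": 1}
    return sorted(findings, key=lambda f: rank[f[0]])


# Copied from the Deckard log posted above (a subset of its Registry Dump section).
SAMPLE_DUMP = r"""
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PS2"="C:\WINDOWS\system32\ps2.exe" [2003-09-12 23:13]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\efcywxWn]
efcywxWn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WinCtrl32]
WinCtrl32.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\pmnKeCvS
"Notification Packages"= scecli scecli

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\advap32]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EasyLinkAdvisor]
"C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lphclo2j0e3cg]
"""

if __name__ == "__main__":
    for severity, key, reason in triage(SAMPLE_DUMP):
        print(f"{severity:6} {reason}\n       {key}")
```

On the sample this reports three HIGH findings (the pmnKeCvS authentication package and the two Winlogon notify DLLs) and two MEDIUM ones (advap32 and lphclo2j0e3cg). The LSA check is the one worth keeping even when HijackThis looks clean: an extra authentication package runs inside lsass.exe and sees every logon credential, and HijackThis 2.0.2 does not list that key.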
Old 08-09-2008, 11:32 AM   #4 (permalink)
amateur (Moderator, Analyst, Security Team; Rangemaster, TSF Academy)
Join Date: Jun 2006
Location: USA
Posts: 7,395
OS: XP SP3


Re: heur trojan mess - Cannot Update OS - SP3 cannot find CLBCATQ dll's

Hi,

Please re-scan with HijackThis and put a checkmark against the following entries:

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: (no name) - {0C8C77AF-B97A-4FD3-89C0-44098F0CDE6B} - (no file)
O2 - BHO: (no name) - {7E156AAE-FA60-44A1-8E69-2E0E0030F1F6} - (no file)
O2 - BHO: (no name) - {B91C0269-E0E2-4C83-BCFF-131693EB3314} - (no file)
O20 - Winlogon Notify: efcywxWn - efcywxWn.dll (file missing)
O20 - Winlogon Notify: WinCtrl32 - WinCtrl32.dll (file missing)
O23 - Service: LSCLFE - Unknown owner - C:\DOCUME~1\Owner\LOCALS~1\Temp\LSCLFE.exe (file missing)


It may be helpful to know that when you put an item in your Trusted Zone, it has pretty much full access to your computer... Are you sure you trust this site to that degree?? If you're not sure, and/or you do not need these in your trusted zone to facilitate access, or you did not knowingly permit this access yourself, then please check the following O15 entries too:

O15 - Trusted Zone: http://*.ameritrade.com
O15 - Trusted Zone: http://www.cbs.com
O15 - Trusted Zone: http://visitor.constantcontact.com
O15 - Trusted Zone: http://www.evite.com
O15 - Trusted Zone: http://dynamic.abc.go.com
O15 - Trusted Zone: www.seek.com.au
O15 - Trusted Zone: http://*.turbotax.com


Close all browsers and windows other than HijackThis and click on "fix checked".

======================================

Click here to download Combofix. Do not run it yet.

* IMPORTANT !!! Place combofix.exe on your Desktop

======================================

Go to Microsoft's website => http://support.microsoft.com/kb/310994
Select the download that's appropriate for your Operating System.

Download the file & save it as it's originally named, next to ComboFix.exe.

Now close all open windows and programs, including all antivirus and anti-malware programs, so they do not interfere with the running of ComboFix.
  • Drag the setup package onto ComboFix.exe and drop it.
  • Follow the prompts to start ComboFix and, when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.
  • At the next prompt, click 'Yes' to run the full ComboFix scan.
  • When the tool is finished, it will produce a report for you.
Please post the C:\ComboFix.txt along with a new HijackThis log for further review.
__________________
My services are free. However, you can donate to TSF to help keep it running.




Member of ASAP since 2005
Member of UNITE since 2006
amateur is offline  
Old 08-09-2008, 05:25 PM   #5 (permalink)
Roc 65 (Registered User)
Join Date: Jan 2008
Posts: 51
OS: Windows XP sp3


Re: heur trojan mess - Cannot Update OS - SP3 cannot find CLBCATQ dll's

After dropping the sp2 file onto ComboFix

ComboFix screen notes "scanning for infected files....
pop-up box says "could not find ATTRIB.CF.EXE..." then offers to scan for the file. I hit scan and it failed, so I hit cancel.

ComboFix screen notes "the system cannot find file specified.
SED: Can't read c:\Boot.bak: no such file or directory
Access is denied"

Also, my internet connection failed, so I went to the kids' PC to post this log.
Roc 65 is offline  
Old 08-10-2008, 01:33 AM   #6 (permalink)
amateur (Moderator, Analyst, Security Team; Rangemaster, TSF Academy)
Join Date: Jun 2006
Location: USA
Posts: 7,395
OS: XP SP3


Re: heur trojan mess - Cannot Update OS - SP3 cannot find CLBCATQ dll's

Hi,

Please check if there's a Bug.txt at the following location, and post its contents if present.

C:\Bug.txt

==================================

Delete the present copy of combofix from your desktop and download a fresh copy. You can download it on a removable medium and transfer it to your desktop if you're still unable to access the internet.

Please make sure that your security tools and your antivirus are disabled prior to running Combofix. Please refer to this page if you're unsure about how to disable them.

Click the Windows 'Start' button > Select 'Run' - then copy/paste the following text in bold (exactly as it is below) into the run box & click OK. (be sure to include the quote marks)

"%userprofile%\desktop\combofix.exe" /killall

Post the C:\ComboFix.txt it produces
amateur is offline  
Old 08-10-2008, 10:41 AM   #7 (permalink)
Roc 65 (Registered User)
Join Date: Jan 2008
Posts: 51
OS: Windows XP sp3


Re: heur trojan mess - Cannot Update OS - SP3 cannot find CLBCATQ dll's

C:\bug.txt
(also found in c:\documents and settings\owner\recent - bug.txt)



----------------------

PUSHD "C:\327882R2FWJFW\"

IF NOT EXIST C:\WINDOWS\system32\cmd.exe GOTO Not_NT

VER 1>temp00

FIND.exe "Microsoft Windows [Version 5.2.3790]" temp00 1>null

IF NOT ERRORLEVEL 1 GOTO Not_NT

FIND.exe "Windows XP" temp00 1>null

Del temp00

PV -o"%i\t%l" | SED "/\t.*\\nircmd\.inf$/!d; s///; s/./@pv -kfi &/" 1>temp00.bat

CALL temp00.bat

DEL temp00.bat 2>null

=============================================

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Owner\Application Data
CFLDR=327882R2FWJFW
CLASSPATH=.;C:\Program Files\Java\jre1.6.0_02\lib\ext\QTJava.zip;C:\Program Files\Java\jre1.6.0_03\lib\ext\QTJava.zip;C:\Program Files\Java\jre1.6.0_05\lib\ext\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=YOUR-C8BH3JAGLT
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Owner
KMD=CF29350.exe
LOGONSERVER=\\YOUR-C8BH3JAGLT
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\327882R2FWJFW;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;c:\Python22;C:\Program Files\ATI Technologies\ATI Control Panel;C:\Program Files\Common Files\Adobe\AGL;C:\Program Files\QuickTime\QTSystem;C:\Program Files\Pinnacle\Shared Files;C:\Program Files\Pinnacle\Shared Files\Filter
PATHEXT=.cfexe;.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 10 Stepping 0, AuthenticAMD
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0a00
ProgramFiles=C:\Program Files
PROMPT=$
QTJAVA=C:\Program Files\Java\jre1.6.0_05\lib\ext\QTJava.zip
SESSIONNAME=Console
sfxname=C:\Documents and Settings\Owner\desktop\combofix.exe
SYSTEM=C:\WINDOWS\system32
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Owner\LOCALS~1\Temp
TMP=C:\DOCUME~1\Owner\LOCALS~1\Temp
USERDOMAIN=YOUR-C8BH3JAGLT
USERNAME=Owner
USERPROFILE=C:\Documents and Settings\Owner
windir=C:\WINDOWS

=============================================

IF NOT DEFINED sfxname GOTO END

IF /I "C:\327882R2FWJFW" NEQ "C:\327882R2FWJFW" GOTO Abort

IF EXIST "C:\DOCUME~1\Owner\LOCALS~1\Temp\327882R2FWJFW327882R2FWJFW.log" DEL "C:\DOCUME~1\Owner\LOCALS~1\Temp\327882R2FWJFW327882R2FWJFW.log"

-----------------------



ComboFix:

"Windows cannot open this file

Attrib.cfexe (last time I thought it was Attrib.cf.exe)

To open this file, Windows needs to know what program created it. Windows can go online to look it up automatically, or you can manually select from a list of programs on your computer.

What do you want to do?"

I searched for the file above (searched the C: drive for attrib) and found the following instances:

c:\327882R2FWJFW - Attribcf.exe
c:\combofix - Attribcf.exe
c:\windows\I386 - attrib.ex_
c:\windows\system32 - attrib.exe
c:\windows\system32\dllcache - attrib.exe
Roc 65 is offline  
Old 08-10-2008, 12:59 PM   #8 (permalink)
amateur (Moderator, Analyst, Security Team; Rangemaster, TSF Academy)
Join Date: Jun 2006
Location: USA
Posts: 7,395
OS: XP SP3


Re: heur trojan mess - Cannot Update OS - SP3 cannot find CLBCATQ dll's

Hi,

Go to My Computer > Tools > Folder Options > View and uncheck "Hide protected operating system files". Click Apply > OK.

==============================

Using Windows Explorer (right click on Start, click on Explore) navigate and locate the following file in bold:

c:\windows\system32\VERSION.dll. Right click on it and choose "copy". Next, right click an empty space in the same pane and choose "paste". You should see a new file at the end of the list called "copy of Version.dll". Now, right click copy of Version.dll and choose rename. Rename it to clbdll.dll.

Then, run Combofix and post the log it produces please.
amateur is offline  
Old 08-10-2008, 04:20 PM   #9 (permalink)
Roc 65 (Registered User)
Join Date: Jan 2008
Posts: 51
OS: Windows XP sp3


Re: heur trojan mess - Cannot Update OS - SP3 cannot find CLBCATQ dll's

when trying to rename copy of version.dll to clbdll.dll it said "cannot rename file. cannot read from the source or file disk"
Roc 65 is offline  
Old 08-10-2008, 10:19 PM   #10 (permalink)
amateur (Moderator, Analyst, Security Team; Rangemaster, TSF Academy)
Join Date: Jun 2006
Location: USA
Posts: 7,395
OS: XP SP3


Re: heur trojan mess - Cannot Update OS - SP3 cannot find CLBCATQ dll's

OK.

Quote:
AVG got most of the trojan. One dll found that I was corrupt - c:windows\system32\clbdll.dll was moved to the vault by AVG
Please try restoring this file, clbdll.dll, from the vault. If clbcatq.dll or clbcatex.dll are there, restore them too. Then run Combofix as below:

Delete your existing Combo-Fix.exe, and the folder C:\Combofix (if present). Then download a fresh copy of Combofix from any of the links below. You must rename it before saving it. Save it to your desktop. You can use a removable medium to transfer it to the computer if you're having problems with your internet connection.

Link 1
Link 2
Link 3

Double click on Combo-Fix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a HijackThis log so we can continue cleaning the system.

Last edited by amateur; 08-11-2008 at 03:53 AM.
amateur is offline  
Old 08-13-2008, 10:27 AM   #11 (permalink)
Roc 65 (Registered User)
Join Date: Jan 2008
Posts: 51
OS: Windows XP sp3


Re: heur trojan mess - Cannot Update OS - SP3 cannot find CLBCATQ dll's

Not sure what you mean by "restoring this file from the vault". What is "the vault"?
Roc 65 is offline  
Old 08-13-2008, 10:49 AM   #12 (permalink)
amateur (Moderator, Analyst, Security Team; Rangemaster, TSF Academy)
Join Date: Jun 2006
Location: USA
Posts: 7,395
OS: XP SP3


Re: heur trojan mess - Cannot Update OS - SP3 cannot find CLBCATQ dll's

Hi,

'Vault' is the term you've used in your first post as I've quoted it. I don't have AVG, therefore I took your word for it. It may be the 'quarantine'.

Press Start->Run, copy/paste the following command into the box and press OK:

cmd /c dir C:\*.* /L /A /B /S|Find "clbdll.dll" >> "%userprofile%\desktop\look.txt"

A file called look.txt should appear on your Desktop. Please post the contents of that file.
amateur is offline  
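The one-liner above walks the whole drive by name. As an added example that is not part of the thread or of any tool used in it, here is the same case-insensitive search in Python, extended with what the earlier search for attrib showed: Windows XP keeps spare copies of system files in system32\dllcache (the Windows File Protection cache) and, compressed with the last character of the extension replaced by an underscore (attrib.ex_), in the I386 setup folder. Each hit is reported with its SHA-256 so two plain copies can be compared before one is copied over a missing file. The directory tree the script builds in demo() is constructed for the example; nothing in it comes from a real machine.

```python
r"""Locate candidate copies of a missing Windows XP system file.

Added example; it is not code from the thread, from ComboFix or from any
other tool mentioned there. The `dir /S | Find` one-liner in the thread
finds a file by name anywhere on the drive. This does the same
case-insensitive walk and additionally knows where XP keeps spare copies:

  * %SystemRoot%\system32\dllcache   the Windows File Protection cache
  * %SystemRoot%\I386 or the install CD, where setup sources are stored
    compressed with the last character of the extension replaced by "_"
    (attrib.exe -> attrib.ex_); such a copy must be decompressed with
    expand.exe before use, so its hash never matches the live file.

Every hit carries its SHA-256 so two plain copies can be compared before
one is restored over the other. The tree built in demo() is constructed.
"""
import hashlib
import os
import tempfile
from dataclasses import dataclass
from pathlib import Path
from typing import List


@dataclass
class Hit:
    path: str
    kind: str        # "plain" or "compressed"
    location: str    # which XP copy this is
    size: int
    sha256: str


def compressed_name(filename: str) -> str:
    """Name a file gets in I386 / a MakeCab cabinet: attrib.exe -> attrib.ex_.
    Names without an extension are returned unchanged."""
    stem, dot, ext = filename.rpartition(".")
    if not dot or not ext:
        return filename
    return f"{stem}.{ext[:-1]}_"


def classify_location(p: Path) -> str:
    parts = [s.lower() for s in p.parts]
    if "dllcache" in parts:          # checked first: dllcache lives under system32
        return "WFP cache (dllcache)"
    if "i386" in parts:
        return "setup source (I386)"
    if "system32" in parts:
        return "live copy (system32)"
    return "other"


def sha256_of(p: Path) -> str:
    h = hashlib.sha256()
    with p.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def find_copies(root: Path, filename: str) -> List[Hit]:
    """Walk `root` and return every plain or I386-compressed copy of `filename`."""
    wanted = {filename.lower(): "plain"}
    packed = compressed_name(filename)
    if packed != filename:
        wanted[packed.lower()] = "compressed"
    hits: List[Hit] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            kind = wanted.get(name.lower())   # case-insensitive, like `dir /L`
            if kind is None:
                continue
            p = Path(dirpath) / name
            hits.append(Hit(str(p), kind, classify_location(p), p.stat().st_size, sha256_of(p)))
    return sorted(hits, key=lambda h: h.path.lower())


def plain_copies_agree(hits: List[Hit]) -> bool:
    """True when every uncompressed copy has the same hash, i.e. any of them can replace a missing one."""
    digests = {h.sha256 for h in hits if h.kind == "plain"}
    return len(digests) == 1


def demo(filename: str = "attrib.exe") -> List[Hit]:
    """Build a constructed XP-like tree and search it; file contents are placeholders."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        live = root / "WINDOWS" / "system32" / filename
        cache = root / "WINDOWS" / "system32" / "dllcache" / filename
        packed = root / "WINDOWS" / "I386" / compressed_name(filename).upper()
        decoy = root / "327882R2FWJFW" / "Attribcf.exe"   # ComboFix's renamed tool, not a match
        for p in (live, cache, packed, decoy):
            p.parent.mkdir(parents=True, exist_ok=True)
        live.write_bytes(b"MZ placeholder for the live binary")
        cache.write_bytes(b"MZ placeholder for the live binary")   # WFP keeps an identical copy
        packed.write_bytes(b"MSCF placeholder for the cabinet-compressed copy")
        decoy.write_bytes(b"MZ different program")
        return find_copies(root, filename)


if __name__ == "__main__":
    hits = demo()
    for h in hits:
        print(f"{h.kind:10} {h.location:22} {h.size:6d} {h.sha256[:16]}  {h.path}")
    print("plain copies agree:", plain_copies_agree(hits))
```

Run as-is it searches the constructed tree; on a real XP system call find_copies(Path("C:\\"), "clbcatq.dll") to list the real locations. A copy taken from I386 has to be expanded with expand.exe first, which is why the compressed hit is reported separately and its hash is not expected to match the dllcache copy.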
Old 08-13-2008, 11:15 AM   #13 (permalink)
Roc 65 (Registered User)
Join Date: Jan 2008
Posts: 51
OS: Windows XP sp3


Re: heur trojan mess - Cannot Update OS - SP3 cannot find CLBCATQ dll's

The look.txt is empty

I found several entries of clbdll.dll in the AVG that were "infected" and contained in windows/system32. clbcatq.dll or clbcatex.dll were not there.
Should I just pick one of the clbdll files and restore it? Maybe I should use the latest or earliest entry? Will that bring a virus back?
Roc 65 is offline  
Old 08-13-2008, 11:21 AM   #14 (permalink)
amateur (Moderator, Analyst, Security Team; Rangemaster, TSF Academy)
Join Date: Jun 2006
Location: USA
Posts: 7,395
OS: XP SP3


Re: heur trojan mess - Cannot Update OS - SP3 cannot find CLBCATQ dll's

Quote:
Originally Posted by Roc 65 View Post

I found several entries of clbdll.dll in the AVG that were "infected" and contained in windows/system32. clbcatq.dll or clbcatex.dll were not there.
Should I just pick one of the clbdll files and restore it? Maybe I should use the latest or earliest entry? Will that bring a virus back?
Yes, please restore it. Don't worry about bringing back the virus. The system is still infected anyway. Remember to disable your antivirus otherwise it may quarantine it again. Then, run the combofix as instructed in my above post. Combofix, hopefully, should be able to fix the problem once the file is restored.

Edit: the earliest entry should be fine.

Last edited by amateur; 08-13-2008 at 11:24 AM.
amateur is offline  
Old 08-13-2008, 07:05 PM   #15 (permalink)
Roc 65 (Registered User)
Join Date: Jan 2008
Posts: 51
OS: Windows XP sp3


Re: heur trojan mess - Cannot Update OS - SP3 cannot find CLBCATQ dll's

I tried to restore clbdll from the vault and it kept failing. I tried to disable AVG and it's near impossible without going into task manager and ending all avg* processes I could find.

Anyway, I removed the old ComboFix and downloaded a new one. It then updated itself. I ran ComboFix and it gave a warning that it could not open attrib.cfexe. I tried letting it search the web and I continued to get the same message repeatedly. I was able to keep going through the error messages and get ComboFix to complete and reboot my machine. If needed, I can uninstall AVG and Spybot. Unfortunately I am still at a loss. It then gave the same error messages, but I was able to get it to create a log file:



ComboFix 08-08-13.01 - Owner 2008-08-14 20:18:35.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1603 [GMT -4:00]
Running from: C:\Documents and Settings\Owner\Desktop\Combo-Fix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Owner\Application Data\rhcgo2j0e3cg
C:\kmd.exe
C:\WINDOWS\Downloaded Program Files\setup.inf
C:\WINDOWS\system32\_004002_.tmp.dll
C:\WINDOWS\system32\_004003_.tmp.dll
C:\WINDOWS\system32\_004004_.tmp.dll
C:\WINDOWS\system32\_004005_.tmp.dll
C:\WINDOWS\system32\_004013_.tmp.dll
C:\WINDOWS\system32\_004014_.tmp.dll
C:\WINDOWS\system32\_004016_.tmp.dll
C:\WINDOWS\system32\_004017_.tmp.dll
C:\WINDOWS\system32\_004020_.tmp.dll
C:\WINDOWS\system32\_004021_.tmp.dll
C:\WINDOWS\system32\_004023_.tmp.dll
C:\WINDOWS\system32\_004024_.tmp.dll
C:\WINDOWS\system32\_004025_.tmp.dll
C:\WINDOWS\system32\_004026_.tmp.dll
C:\WINDOWS\system32\_004027_.tmp.dll
C:\WINDOWS\system32\_004030_.tmp.dll
C:\WINDOWS\system32\_004031_.tmp.dll
C:\WINDOWS\system32\_004035_.tmp.dll
C:\WINDOWS\system32\_004036_.tmp.dll
C:\WINDOWS\system32\_004038_.tmp.dll
C:\WINDOWS\system32\_004041_.tmp.dll
C:\WINDOWS\system32\_004043_.tmp.dll
C:\WINDOWS\system32\_004044_.tmp.dll
C:\WINDOWS\system32\_004045_.tmp.dll
C:\WINDOWS\system32\_004046_.tmp.dll
C:\WINDOWS\system32\_004049_.tmp.dll
C:\WINDOWS\system32\_004050_.tmp.dll
C:\WINDOWS\system32\_004051_.tmp.dll
C:\WINDOWS\system32\_004052_.tmp.dll
C:\WINDOWS\system32\_004053_.tmp.dll
C:\WINDOWS\system32\_004058_.tmp.dll
C:\WINDOWS\system32\_004060_.tmp.dll
C:\WINDOWS\system32\_006211_.tmp.dll
C:\WINDOWS\system32\_006212_.tmp.dll
C:\WINDOWS\system32\_006213_.tmp.dll
C:\WINDOWS\system32\_006214_.tmp.dll
C:\WINDOWS\system32\_006222_.tmp.dll
C:\WINDOWS\system32\_006223_.tmp.dll
C:\WINDOWS\system32\_006224_.tmp.dll
C:\WINDOWS\system32\_006226_.tmp.dll
C:\WINDOWS\system32\_006227_.tmp.dll
C:\WINDOWS\system32\_006230_.tmp.dll
C:\WINDOWS\system32\_006231_.tmp.dll
C:\WINDOWS\system32\_006233_.tmp.dll
C:\WINDOWS\system32\_006234_.tmp.dll
C:\WINDOWS\system32\_006235_.tmp.dll
C:\WINDOWS\system32\_006236_.tmp.dll
C:\WINDOWS\system32\_006237_.tmp.dll
C:\WINDOWS\system32\_006238_.tmp.dll
C:\WINDOWS\system32\_006240_.tmp.dll
C:\WINDOWS\system32\_006241_.tmp.dll
C:\WINDOWS\system32\_006245_.tmp.dll
C:\WINDOWS\system32\_006246_.tmp.dll
C:\WINDOWS\system32\_006248_.tmp.dll
C:\WINDOWS\system32\_006251_.tmp.dll
C:\WINDOWS\system32\_006253_.tmp.dll
C:\WINDOWS\system32\_006254_.tmp.dll
C:\WINDOWS\system32\_006255_.tmp.dll
C:\WINDOWS\system32\_006256_.tmp.dll
C:\WINDOWS\system32\_006257_.tmp.dll
C:\WINDOWS\system32\_006260_.tmp.dll
C:\WINDOWS\system32\_006261_.tmp.dll
C:\WINDOWS\system32\_006262_.tmp.dll
C:\WINDOWS\system32\_006263_.tmp.dll
C:\WINDOWS\system32\_006264_.tmp.dll
C:\WINDOWS\system32\_006269_.tmp.dll
C:\WINDOWS\system32\_006271_.tmp.dll
C:\WINDOWS\system32\_006272_.tmp.dll
C:\WINDOWS\system32\avytrpit.ini
C:\WINDOWS\system32\clbdll.dll
C:\WINDOWS\system32\clbdll.old
C:\WINDOWS\system32\clbinit.dll
C:\WINDOWS\system32\drivers\clbdriver.sys
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\rlyajfrm.ini
C:\WINDOWS\system32\SvCeKnmp.ini
C:\WINDOWS\system32\SvCeKnmp.ini2

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CLBDRIVER


((((((((((((((((((((((((( Files Created from 2008-07-15 to 2008-08-15 )))))))))))))))))))))))))))))))
.

2008-08-11 17:57 . 2004-08-04 03:56 18,944 --a------ C:\WINDOWS\system32\Copy of version.dll
2008-08-03 12:09 . 2008-08-03 12:09 <DIR> d-------- C:\Program Files\Western Digital
2008-08-03 03:15 . 2008-04-14 05:40 177,152 --a------ C:\WINDOWS\system32\SETF3C.tmp
2008-08-03 03:15 . 2008-04-14 05:41 24,576 --a------ C:\WINDOWS\system32\SETF60.tmp
2008-08-03 03:14 . 2008-04-14 05:42 354,304 --a------ C:\WINDOWS\system32\SETF09.tmp
2008-08-03 03:14 . 2008-04-14 05:42 121,856 --a------ C:\WINDOWS\system32\SETF00.tmp
2008-08-03 03:14 . 2008-04-14 05:42 80,896 --a------ C:\WINDOWS\system32\SETF04.tmp
2008-08-03 03:14 . 2008-04-14 05:42 75,776 --a------ C:\WINDOWS\system32\SETF14.tmp
2008-08-03 03:14 . 2008-04-14 05:42 15,872 --a------ C:\WINDOWS\system32\SETF0D.tmp
2008-08-03 03:14 . 2008-04-14 05:42 6,656 --a------ C:\WINDOWS\system32\SETF01.tmp
2008-08-03 03:09 . 2008-04-14 05:42 8,461,312 --a------ C:\WINDOWS\system32\SET1E5.tmp
2008-08-03 03:08 . 2008-04-14 05:42 727,040 --a------ C:\WINDOWS\system32\SET15C.tmp
2008-08-03 03:06 . 2006-12-29 00:31 19,569 --a------ C:\WINDOWS\003478_.tmp
2008-08-03 03:02 . 2007-10-25 23:34 8,460,288 --a------ C:\WINDOWS\system32\dllcache\shell32.dll
2008-08-02 20:24 . 2008-08-02 20:24 <DIR> d-------- C:\Program Files\Panda Security
2008-08-02 20:24 . 2008-06-19 17:24 28,544 --a------ C:\WINDOWS\system32\drivers\pavboot.sys
2008-08-02 19:06 . 2008-08-02 19:06 0 --------- C:\WINDOWS\system32\HFXF72.tmp
2008-08-02 18:52 . 2008-08-02 18:52 <DIR> d-------- C:\WINDOWS\system32\dll
2008-08-02 17:59 . 2008-04-14 05:41 1,267,200 --a------ C:\WINDOWS\system32\SET3FD.tmp
2008-08-02 17:58 . 2008-04-14 05:42 8,461,312 --a------ C:\WINDOWS\system32\SET20B.tmp
2008-08-02 17:57 . 2008-04-14 05:42 727,040 --a------ C:\WINDOWS\system32\SET1AF.tmp
2008-08-02 17:55 . 2006-12-29 00:31 19,569 --a------ C:\WINDOWS\005687_.tmp
2008-08-02 17:51 . 2004-08-04 02:00 71,040 --------- C:\WINDOWS\system32\drivers\_003977_.tmp.dll
2008-08-02 16:22 . 2008-08-03 03:46 <DIR> d-------- C:\WINDOWS\system32\CatRoot_bak
2008-08-02 14:34 . 2008-08-02 15:21 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Uniblue
2008-08-02 14:05 . 2008-08-02 14:05 <DIR> d-------- C:\Program Files\Common Files\AnswerWorks 4.0
2008-07-27 19:37 . 2008-07-27 19:37 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-07-27 19:37 . 2008-08-03 19:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-07-27 12:25 . 2008-08-14 19:15 <DIR> d--h----- C:\$AVG8.VAULT$
2008-07-27 12:22 . 2008-08-14 19:56 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2008-07-27 12:22 . 2008-07-27 12:22 96,520 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-07-27 12:22 . 2008-07-27 12:22 76,040 --a------ C:\WINDOWS\system32\drivers\avgtdix.sys
2008-07-27 12:22 . 2008-07-27 12:22 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
2008-07-27 12:21 . 2008-07-27 12:21 <DIR> d-------- C:\Program Files\AVG
2008-07-27 12:21 . 2008-07-27 12:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-07-24 23:04 . 2008-07-24 23:04 <DIR> d-------- C:\Deckard
2008-07-24 22:14 . 2004-02-12 20:59 4,224 --a------ C:\WINDOWS\system32\beep.sys
2008-07-24 20:22 . 2008-07-24 20:23 <DIR> d-------- C:\Webstar Cable Modem Drivers
2008-07-23 23:38 . 2008-07-23 23:38 <DIR> d-------- C:\Program Files\PerformanceTest
2008-07-23 22:31 . 2008-07-23 22:31 <DIR> d-------- C:\Program Files\WinImage
2008-07-21 23:06 . 2008-07-22 00:54 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2008-07-20 21:39 . 2008-07-20 21:39 0 --a------ C:\WINDOWS\ativpsrm.bin
2008-07-20 21:08 . 2008-07-20 21:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PC Drivers HeadQuarters
2008-07-20 21:05 . 2008-05-30 14:11 3,850,760 --a------ C:\WINDOWS\system32\D3DX9_38.dll
2008-07-20 21:05 . 2008-05-30 14:11 1,491,992 --a------ C:\WINDOWS\system32\D3DCompiler_38.dll
2008-07-20 21:05 . 2008-05-30 14:19 507,400 --a------ C:\WINDOWS\system32\XAudio2_1.dll
2008-07-20 21:05 . 2008-05-30 14:11 467,984 --a------ C:\WINDOWS\system32\d3dx10_38.dll
2008-07-20 21:05 . 2008-05-30 14:18 238,088 --a------ C:\WINDOWS\system32\xactengine3_1.dll
2008-07-20 21:05 . 2008-05-30 14:17 65,032 --a------ C:\WINDOWS\system32\XAPOFX1_0.dll
2008-07-20 21:05 . 2008-05-30 14:17 25,608 --a------ C:\WINDOWS\system32\X3DAudio1_4.dll
2008-07-20 20:58 . 2008-07-20 20:58 <DIR> d-------- C:\WINDOWS\Logs
2008-07-20 17:31 . 2008-07-20 17:31 331 --a------ C:\WINDOWS\doom3.ini
2008-07-20 14:04 . 2008-07-20 14:04 114,048 --a------ C:\WINDOWS\system32\drivers\snapman.sys
2008-07-15 19:42 . 2008-07-15 19:42 <DIR> d-------- C:\Program Files\HP
2008-07-15 19:00 . 2008-08-02 14:23 <DIR> d-------- C:\temp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-05 02:31 --------- d-----w C:\Documents and Settings\Owner\Application Data\Apple Computer
2008-08-03 17:19 --------- d-----w C:\Program Files\Java
2008-08-03 17:15 --------- d-----w C:\Program Files\iConcepts Photo Frame
2008-08-03 16:23 --------- d-----w C:\Program Files\Canon Creative
2008-08-03 16:10 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-03 05:43 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-08-03 05:38 --------- d-----w C:\Program Files\SpywareBlaster
2008-08-03 00:16 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-08-03 00:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-08-03 00:02 --------- d-----w C:\Program Files\CopyToDVD
2008-08-02 23:52 --------- d-----w C:\Documents and Settings\Owner\Application Data\Corel
2008-08-02 23:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\Corel
2008-08-02 23:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\Borland
2008-08-02 23:42 --------- d-----w C:\Program Files\ItsDeductibleEX
2008-08-02 18:19 --------- d-----w C:\Program Files\MSN Encarta Plus
2008-08-02 18:15 --------- d-----w C:\Program Files\Downloads
2008-08-02 17:32 --------- d-----w C:\Program Files\Bonjour
2008-07-20 21:30 --------- d-----w C:\Program Files\Doom 3
2008-07-14 16:32 --------- d-----w C:\Program Files\Quick Screen Capture
2008-07-12 22:01 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-07-12 21:54 --------- d-----w C:\Program Files\Windows Messaging
2008-07-12 21:54 --------- d-----w C:\Program Files\Microsoft.NET
2008-07-12 16:41 --------- d-----w C:\Program Files\iTunes
2008-07-12 16:41 --------- d-----w C:\Program Files\iPod
2008-07-12 16:38 --------- d-----w C:\Program Files\QuickTime
2008-07-01 17:47 --------- d-----w C:\Documents and Settings\Owner\Application Data\CopyToDvd
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-05-28 19:51 88 --sh--r C:\Documents and Settings\All Users\Application Data\A814ACFD49.sys
2008-05-28 19:51 2,516 --sha-w C:\Documents and Settings\All Users\Application Data\KGyGaAvL.sys
2008-05-17 02:27 73,216 ----a-w C:\WINDOWS\ST6UNST.EXE
2008-05-17 02:27 245,760 ------w C:\WINDOWS\Setup1.exe
2008-04-23 19:08 353,840 ----a-w C:\Program Files\RealPlayer11GOLD.exe
2007-01-14 23:36 105,143,305 -c--a-w C:\Program Files\SonicDVDitProv6_SST.exe
2007-01-14 23:29 721,507 ----a-w C:\Program Files\RNPatch72.exe
2006-09-03 22:38 345,068,035 ----a-w C:\Program Files\Photoshop_CS2.exe
2005-03-18 13:47 3,409 -c--a-w C:\Program Files\scan.dat
2005-03-17 22:34 512 ----a-w C:\Program Files\data2.cab
2005-03-17 22:34 29,760 -c--a-w C:\Program Files\layout.bin
2005-03-17 22:34 236,953 -c--a-w C:\Program Files\data1.hdr
2005-03-17 22:33 397 -c--a-w C:\Program Files\setup.ini
2005-03-17 22:33 342,212 ----a-w C:\Program Files\setup.boot
2005-03-17 22:33 299,375 -c--a-w C:\Program Files\setup.inx
2005-03-17 22:33 2,349,117 -c--a-w C:\Program Files\data1.cab
2005-03-17 17:33 46,648 -c--a-w C:\Program Files\fditxf.1ph
2005-03-17 17:33 34,585 -c--a-w C:\Program Files\comfed.1ph
2005-03-17 17:33 27,320 -c--a-w C:\Program Files\fdiimb.1ph
2005-03-17 17:33 12,538 -c--a-w C:\Program Files\fdiofx.1ph
2005-02-21 20:15 28,672 ----a-w C:\Documents and Settings\Owner\atwbxdet.dll
2004-10-25 15:11 80,161 -c--a-w C:\Program Files\bustax.thp
2004-10-25 15:06 60,591 -c--a-w C:\Program Files\bustax.scd
2004-10-25 13:55 54,232 -c--a-w C:\Program Files\tax.thp
2004-10-25 13:55 13,248 -c--a-w C:\Program Files\tax.scd
2004-10-07 13:58 49,142 ----a-w C:\Program Files\license.txt
2004-09-17 19:59 114,688 ----a-w C:\Program Files\autorun.exe
2004-09-17 18:04 7,406 -c--a-w C:\Program Files\ttax.ico
2004-09-17 18:03 142 -c--a-w C:\Program Files\autorun.ini
2004-07-17 13:57 63,499 ----a-w C:\Documents and Settings\Owner\setup.exe
2004-01-30 14:32 20,480 -c--a-w C:\Program Files\cdrun.exe
2003-02-27 21:16 420,432 -c--a-w C:\Program Files\engine32.cab
2002-12-02 20:33 107,512 -c--a-w C:\Program Files\Setup.exe
2002-05-01 21:01 695 -c--a-w C:\Program Files\os.dat
2004-12-30 15:51 0 -csha-w C:\WINDOWS\SMINST\HPCD.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 21:05 204288]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-07-07 09:42 2156368]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PS2"="C:\WINDOWS\system32\ps2.exe" [2003-09-12 23:13 98304]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe" [2003-07-25 10:14 188416]
"AppleSyncNotifier"="C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-10 09:47 116040]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-07-27 12:21 1232152]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"AGRSMMSG"="AGRSMMSG.exe" [2005-03-04 12:01 88209 C:\WINDOWS\AGRSMMSG.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli scecli

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winvy14.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Wireless Configuration Utility HW.14.lnk]
backup=C:\WINDOWS\pss\Wireless Configuration Utility HW.14.lnkCommon Startup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\advap32
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lphclo2j0e3cg
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMrhcgo2j0e3cg
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EasyLinkAdvisor]
--a------ 2006-04-02 21:07 389120 C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpsysdrv]
--a------ 1998-05-07 20:04 52736 c:\WINDOWS\system\hpsysdrv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-07-10 10:51 289064 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-05-27 10:50 413696 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2008-04-23 15:11 185896 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uniblue RegistryBooster 2]
--a------ 2007-10-22 09:58 1885464 C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
--a------ 2006-08-03 06:12 577536 C:\WINDOWS\soundman.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\system32\\sessmgr.exe"=

R0 pavboot;pavboot;C:\WINDOWS\system32\drivers\pavboot.sys [2008-06-19 17:24]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-07-27 12:22]
R2 avg8emc;AVG Free8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-07-27 12:21]
R2 avg8wd;AVG Free8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-07-27 12:21]
R2 AvgTdiX;AVG Free8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-07-27 12:22]
R2 PD91Agent;PD91Agent;C:\Program Files\PerfectDisk2008\PD91Agent.exe [2008-04-16 13:00]
R3 FET5X86V;VIA Rhine-Family Fast-Ethernet Adapter Driver Service;C:\WINDOWS\system32\DRIVERS\fetnd5bv.sys [2008-01-02 03:12]
S0 Winvy14;Winvy14;C:\WINDOWS\system32\Drivers\Winvy14.sys []
S2 portD;ABS PortIO Service;C:\WINDOWS\system32\DRIVERS\portd2k.sys [2003-03-19 10:28]
S3 PD91Engine;PD91Engine;C:\Program Files\PerfectDisk2008\PD91Engine.exe [2008-04-16 13:00]
S3 PD91VMDefrag;PD91VMDefrag;C:\Program Files\PerfectDisk2008\PD91VMDefrag.exe [2008-02-29 10:44]
S3 RTL8187B;Realtek RTL8187B Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter;C:\WINDOWS\system32\DRIVERS\RTL8187B.sys [2007-12-11 07:18]
S3 SjyPkt;SjyPkt;C:\WINDOWS\System32\Drivers\SjyPkt.sys [2002-10-02 10:57]
S3 VLFVQCTIFWCLAQ;VLFVQCTIFWCLAQ;C:\DOCUME~1\Owner\LOCALS~1\Temp\VLFVQCTIFWCLAQ.exe []
S4 LSCLFE;LSCLFE;C:\DOCUME~1\Owner\LOCALS~1\Temp\LSCLFE.exe []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\Setup\rsrc\Autorun.exe
\Shell\dinstall\command - E:\Directx\dxsetup.exe
.
Contents of the 'Scheduled Tasks' folder

2008-07-25 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 17:57]

2008-07-17 C:\WINDOWS\Tasks\Uniblue SpyEraser Nag.job
- C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe [2007-12-03 10:55]
.
- - - - ORPHANS REMOVED - - - -

BHO-{0C8C77AF-B97A-4FD3-89C0-44098F0CDE6B} - (no file)
BHO-{7E156AAE-FA60-44A1-8E69-2E0E0030F1F6} - (no file)
BHO-{B91C0269-E0E2-4C83-BCFF-131693EB3314} - (no file)
HKLM-Run-WMC_AutoUpdate - (no file)
HKU-Default-Run-ALUAlert - C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe
HKU-Default-Run-Symantec NetDriver Warning - C:\PROGRA~1\SYMNET~1\SNDWarn.exe
Notify-efcywxWn - (no file)
Notify-WinCtrl32 - (no file)
MSConfigStartUp-QuickFinder Scheduler - c:\Program Files\Corel\WordPerfect Office X4\Programs\QFSCHD140.EXE
MSConfigStartUp-SunJavaUpdateSched - C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe


.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,SearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
R0 -: HKCU-Main,Start Page = hxxp://www.google.com/
R1 -: HKCU-Internet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=presario&pf=desktop
R1 -: HKCU-Internet Settings,ProxyOverride = *.local
R1 -: HKCU-SearchURL,(Default) = hxxp://www.google.com/search?q=%s
O8 -: Open with WordPerfect - c:\Program Files\Corel\WordPerfect Office X4\Programs\WPLauncher.hta

O16 -: {85BA505F-FD01-4A91-836C-F7D502E89C9A} - hxxp://www.evite.com/html/imageUpload/ImageUploader4.cab
C:\WINDOWS\Downloaded Program Files\ImageUploader4.inf
C:\WINDOWS\system32\unicows.dll
C:\WINDOWS\Downloaded Program Files\ImageUploader4.ocx

O16 -: {9522B3FB-7A2B-4646-8AF6-36E7F593073C}


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-14 20:40:20
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
.
**************************************************************************
.
Completion time: 2008-08-14 20:47:12 - machine was rebooted [Owner]
ComboFix-quarantined-files.txt 2008-08-15 00:47:05
ComboFix2.txt 2008-02-17 15:03:51

Pre-Run: 66,070,306,816 bytes free
Post-Run: 65,985,978,368 bytes free

350 --- E O F --- 2008-08-02 23:29:16
Old 08-14-2008, 02:50 AM   #16 (permalink)
Moderator, Analyst, Security Team ; Rangemaster, TSF Academy
Join Date: Jun 2006
Location: USA
Posts: 7,395
OS: XP SP3


Re: heur trojan mess - Cannot Update OS - SP3 cannot find CLBCATQ dll's

Hi,

Good job.

Before we go any further, we better have the Recovery Console installed.

The Windows Recovery Console will allow you to boot up into a special recovery mode if needed. This allows us to help you in the case that your computer has a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Click here to go to the Microsoft page and download the Recovery Console file which is appropriate for your system, and save it to your desktop. Please make sure that you save it as it's originally named and place it next to Combofix on your desktop:

  • Close all open windows and programs
  • Drag and drop the setup package onto ComboFix.exe
  • Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.
ComboFix will now automatically install the Windows Recovery Console onto your computer, which will show up as a new option when booting up your computer. Do not select the Windows Recovery Console option when you start your computer unless requested to by a helper.

As part of installing the Recovery Console, ComboFix will begin to run. Follow the prompts to install the Recovery Console. Your desktop may disappear. This is normal. It will return.

Once the Recovery Console is installed using ComboFix, you should see a message that says:

The Recovery Console was successfully installed.



Please continue as follows:

Close/disable all antivirus and anti-malware programs so that they do not interfere with the running of ComboFix.

Click No to exit.

=================================

Open notepad and copy/paste the text in the code box below into it:

Code:
KILLALL::

File::
C:\WINDOWS\system32\Copy of version.dll
C:\WINDOWS\system32\SETF3C.tmp
C:\WINDOWS\system32\SETF60.tmp
C:\WINDOWS\system32\SETF09.tmp
C:\WINDOWS\system32\SETF00.tmp
C:\WINDOWS\system32\SETF04.tmp
C:\WINDOWS\system32\SETF14.tmp
C:\WINDOWS\system32\SETF0D.tmp
C:\WINDOWS\system32\SETF01.tmp
C:\WINDOWS\system32\SET1E5.tmp
C:\WINDOWS\system32\SET15C.tmp
C:\WINDOWS\003478_.tmp
C:\WINDOWS\system32\HFXF72.tmp
C:\WINDOWS\system32\SET3FD.tmp
C:\WINDOWS\system32\SET20B.tmp
C:\WINDOWS\system32\SET1AF.tmp
C:\WINDOWS\005687_.tmp

DirLook::
C:\WINDOWS\system32\dll


Registry::
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winvy14.sys]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lphclo2j0e3cg]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMrhcgo2j0e3cg]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck]
O16 -: {9522B3FB-7A2B-4646-8AF6-36E7F593073C}

Driver::
Winvy14
VLFVQCTIFWCLAQ
LSCLFE
Save this as CFScript.txt, in the same location as ComboFix.exe



Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you. Post that log in your next reply along with a fresh HijackThis log please.

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
__________________
My services are free. However, you can donate to TSF to help keep it running.




Member of ASAP since 2005
Member of UNITE since 2006
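As an added example (my own code, not part of this thread and not ComboFix or Deckard tooling), a small Python triage script that reads service lines and registry values in the format of the log above and flags what the helper's CFScript targets: services whose binary is absent (`[]`) or lives under a user Temp directory, plus Security Center and firewall values showing the machine's own defences were switched off. The sample lines are copied from the log format above; the flag heuristics are my assumptions.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Service/driver entries in the ComboFix "Reg Loading Points" section look like
#   R0 name;display name;C:\path\file.sys [2008-06-19 17:24]
# Start-type letter+digit, three ';'-separated fields and, in brackets, the file's
# timestamp, which ComboFix leaves empty when the binary was not found on disk.
SERVICE_RE = re.compile(r'^([RS])(\d)\s+([^;]+);([^;]*);(.+?)\s*\[([^\]]*)\]\s*$')
KEY_RE = re.compile(r'^\[(.+)\]\s*$')                 # [HKEY_...] section header
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.+?)\s*$')  # "Name"=value
TEMP_DIR_RE = re.compile(r'\\(temp|tmp)\\')           # ...\Temp\... in a path

# Constructed sample in the format of the log posted above (a subset of its lines).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

R0 pavboot;pavboot;C:\WINDOWS\system32\drivers\pavboot.sys [2008-06-19 17:24]
R2 avg8wd;AVG Free8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-07-27 12:21]
S0 Winvy14;Winvy14;C:\WINDOWS\system32\Drivers\Winvy14.sys []
S3 VLFVQCTIFWCLAQ;VLFVQCTIFWCLAQ;C:\DOCUME~1\Owner\LOCALS~1\Temp\VLFVQCTIFWCLAQ.exe []
S4 LSCLFE;LSCLFE;C:\DOCUME~1\Owner\LOCALS~1\Temp\LSCLFE.exe []
"""


@dataclass
class Service:
    name: str
    display: str
    path: str
    start: str        # e.g. "S0" = stopped, boot-start driver
    timestamp: str    # "" when the file was missing at scan time
    flags: List[str]


def service_flags(path: str, timestamp: str) -> List[str]:
    """Heuristics (my assumptions, not ComboFix's) for a service entry worth a look."""
    flags = []
    if not timestamp.strip():
        flags.append("no file timestamp (binary absent at scan time)")
    if TEMP_DIR_RE.search(path.lower()):
        flags.append("runs from a user Temp directory")
    return flags


def _dword_is_set(raw: str) -> bool:
    raw = raw.lower()
    return raw.startswith("dword:") and int(raw[len("dword:"):], 16) != 0


def posture_finding(key: str, name: str, raw: str) -> Optional[str]:
    """Registry values that switch off the machine's own defences."""
    k = key.lower()
    if "security center" in k and name in ("DisableMonitoring", "AntiVirusDisableNotify"):
        if _dword_is_set(raw):
            return f"{name}=1 under {key}"
    if "firewallpolicy" in k and name == "EnableFirewall" and raw.split()[0] == "0":
        return f"EnableFirewall=0 under {key}"
    return None


def triage(log_text: str) -> Dict[str, list]:
    """Walk the log once; collect suspicious services and weakened-posture values."""
    current_key = ""
    suspicious: List[Service] = []
    posture: List[str] = []
    for line in log_text.splitlines():
        line = line.rstrip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            current_key = m.group(1)
            continue
        m = SERVICE_RE.match(line)
        if m:
            state, start, name, display, path, stamp = m.groups()
            flags = service_flags(path, stamp)
            if flags:
                suspicious.append(Service(name, display, path, state + start, stamp, flags))
            continue
        m = VALUE_RE.match(line)
        if m and current_key:
            finding = posture_finding(current_key, m.group(1), m.group(2))
            if finding:
                posture.append(finding)
    return {"suspicious_services": suspicious, "posture": posture}


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for svc in report["suspicious_services"]:
        print(f"{svc.start} {svc.name}: {svc.path} -> {'; '.join(svc.flags)}")
    for finding in report["posture"]:
        print("posture:", finding)
```

On the sample it reports exactly the three services the CFScript's Driver:: section removes and the three disabled-defence values from the Security Center and firewall keys.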
Old 08-16-2008, 04:11 PM   #17 (permalink)
Registered User
 
Join Date: Jan 2008
Posts: 51
OS: Windows XP sp3


Re: heur trojan mess - Cannot Update OS - SP3 cannot find CLBCATQ dll's

OK,
Sorry for the delay, I had to replace my cable modem....

I have executed per your latest instruction and have posted the ComboFix log and the fresh HijackThis log below. A couple of notes regarding "errors":

1. When I boot my pc I get this error message - Windows cannot find 'c:\combo-fix\combofix.bat'. Make sure you typed it correctly and try again. To search for the file click start then click search.

I press OK and it continues and boots up.

2. When installing the Recovery Console I received an error when dragging-dropping the setup package onto ComboFix.exe - c:\windows\system32\attrib.exe is not a valid win32 application. I hit OK and ComboFix continued. Next, an error came up - cannot open the file "attrib.cfexe" multiple times and I let it search the net to open. Eventually ComboFix completes.

3. When dragging-dropping CFScript.exe onto ComboFix.exe I get the same error messages as in 2 above.

Anyway, not sure if there are other problems and/or if this helps in your assessment of my pc. Here are the logs, ComboFix 1st, then the fresh HijackThis:


ComboFix 08-08-15.04 - Owner 2008-08-17 15:50:24.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1644 [GMT -4:00]
Running from: C:\Documents and Settings\Owner\Desktop\Combo-Fix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\003478_.tmp
C:\WINDOWS\005687_.tmp
C:\WINDOWS\system32\Copy of version.dll
C:\WINDOWS\system32\HFXF72.tmp
C:\WINDOWS\system32\SET15C.tmp
C:\WINDOWS\system32\SET1AF.tmp
C:\WINDOWS\system32\SET1E5.tmp
C:\WINDOWS\system32\SET20B.tmp
C:\WINDOWS\system32\SET3FD.tmp
C:\WINDOWS\system32\SETF00.tmp
C:\WINDOWS\system32\SETF01.tmp
C:\WINDOWS\system32\SETF04.tmp
C:\WINDOWS\system32\SETF09.tmp
C:\WINDOWS\system32\SETF0D.tmp
C:\WINDOWS\system32\SETF14.tmp
C:\WINDOWS\system32\SETF3C.tmp
C:\WINDOWS\system32\SETF60.tmp
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Administrator\Cookies\administrator@adwarealert[1].txt
C:\Documents and Settings\Owner\Cookies\owner@experts-exchange[1].txt
C:\Documents and Settings\Owner\Cookies\owner@fanball[1].txt
C:\Documents and Settings\Owner\Cookies\owner@www.speedguide[2].txt
C:\WINDOWS\003478_.tmp
C:\WINDOWS\005687_.tmp
C:\WINDOWS\system32\Copy of version.dll
C:\WINDOWS\system32\HFXF72.tmp
C:\WINDOWS\system32\SET15C.tmp
C:\WINDOWS\system32\SET1AF.tmp
C:\WINDOWS\system32\SET1E5.tmp
C:\WINDOWS\system32\SET20B.tmp
C:\WINDOWS\system32\SET3FD.tmp
C:\WINDOWS\system32\SETF00.tmp
C:\WINDOWS\system32\SETF01.tmp
C:\WINDOWS\system32\SETF04.tmp
C:\WINDOWS\system32\SETF09.tmp
C:\WINDOWS\system32\SETF0D.tmp
C:\WINDOWS\system32\SETF14.tmp
C:\WINDOWS\system32\SETF3C.tmp
C:\WINDOWS\system32\SETF60.tmp

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_LSCLFE
-------\Legacy_VLFVQCTIFWCLAQ
-------\Service_LSCLFE
-------\Service_VLFVQCTIFWCLAQ
-------\Service_Winvy14


((((((((((((((((((((((((( Files Created from 2008-07-17 to 2008-08-17 )))))))))))))))))))))))))))))))
.

2008-08-15 19:05 . 2008-08-15 19:10 1,374 --a------ C:\WINDOWS\imsins.BAK
2008-08-15 17:57 . 2008-05-01 10:30 331,776 -----c--- C:\WINDOWS\system32\dllcache\msadce.dll
2008-08-03 12:09 . 2008-08-03 12:09 <DIR> d-------- C:\Program Files\Western Digital
2008-08-03 03:09 . 2008-04-14 05:42 2,843,136 --a------ C:\WINDOWS\system32\SET326.tmp
2008-08-03 03:08 . 2008-04-14 05:42 713,216 --a------ C:\WINDOWS\system32\SET196.tmp
2008-08-03 03:03 . 2004-08-04 03:56 4,256,768 --a------ C:\WINDOWS\system32\dllcache\wmm2res.dll
2008-08-03 03:02 . 2007-10-25 23:34 8,460,288 --a------ C:\WINDOWS\system32\dllcache\shell32.dll
2008-08-02 20:24 . 2008-08-02 20:24 <DIR> d-------- C:\Program Files\Panda Security
2008-08-02 20:24 . 2008-06-19 17:24 28,544 --a------ C:\WINDOWS\system32\drivers\pavboot.sys
2008-08-02 18:52 . 2008-08-02 18:52 <DIR> d-------- C:\WINDOWS\system32\dll
2008-08-02 17:59 . 2008-04-14 05:41 1,082,368 --a------ C:\WINDOWS\system32\SET38F.tmp
2008-08-02 17:58 . 2008-04-14 05:42 2,843,136 --a------ C:\WINDOWS\system32\SET2E5.tmp
2008-08-02 17:57 . 2008-04-14 05:42 713,216 --a------ C:\WINDOWS\system32\SET1D5.tmp
2008-08-02 17:51 . 2004-08-04 02:00 71,040 --------- C:\WINDOWS\system32\drivers\_003977_.tmp.dll
2008-08-02 16:22 . 2008-08-03 03:46 <DIR> d-------- C:\WINDOWS\system32\CatRoot_bak
2008-08-02 14:34 . 2008-08-02 15:21 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Uniblue
2008-08-02 14:05 . 2008-08-02 14:05 <DIR> d-------- C:\Program Files\Common Files\AnswerWorks 4.0
2008-07-27 19:37 . 2008-07-27 19:37 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-07-27 19:37 . 2008-08-03 19:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-07-27 12:25 . 2008-08-16 08:15 <DIR> d--h----- C:\$AVG8.VAULT$
2008-07-27 12:22 . 2008-08-15 17:02 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2008-07-27 12:22 . 2008-07-27 12:22 96,520 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-07-27 12:22 . 2008-07-27 12:22 76,040 --a------ C:\WINDOWS\system32\drivers\avgtdix.sys
2008-07-27 12:22 . 2008-07-27 12:22 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
2008-07-27 12:21 . 2008-07-27 12:21 <DIR> d-------- C:\Program Files\AVG
2008-07-27 12:21 . 2008-07-27 12:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-07-24 23:04 . 2008-07-24 23:04 <DIR> d-------- C:\Deckard
2008-07-24 22:14 . 2004-02-12 20:59 4,224 --a------ C:\WINDOWS\system32\beep.sys
2008-07-24 20:22 . 2008-07-24 20:23 <DIR> d-------- C:\Webstar Cable Modem Drivers
2008-07-23 23:38 . 2008-07-23 23:38 <DIR> d-------- C:\Program Files\PerformanceTest
2008-07-23 22:31 . 2008-07-23 22:31 <DIR> d-------- C:\Program Files\WinImage
2008-07-21 23:06 . 2008-07-22 00:54 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2008-07-20 21:39 . 2008-07-20 21:39 0 --a------ C:\WINDOWS\ativpsrm.bin
2008-07-20 21:08 . 2008-07-20 21:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PC Drivers HeadQuarters
2008-07-20 21:05 . 2008-05-30 14:11 3,850,760 --a------ C:\WINDOWS\system32\D3DX9_38.dll
2008-07-20 21:05 . 2008-05-30 14:11 1,491,992 --a------ C:\WINDOWS\system32\D3DCompiler_38.dll
2008-07-20 21:05 . 2008-05-30 14:19 507,400 --a------ C:\WINDOWS\system32\XAudio2_1.dll
2008-07-20 21:05 . 2008-05-30 14:11 467,984 --a------ C:\WINDOWS\system32\d3dx10_38.dll
2008-07-20 21:05 . 2008-05-30 14:18 238,088 --a------ C:\WINDOWS\system32\xactengine3_1.dll
2008-07-20 21:05 . 2008-05-30 14:17 65,032 --a------ C:\WINDOWS\system32\XAPOFX1_0.dll
2008-07-20 21:05 . 2008-05-30 14:17 25,608 --a------ C:\WINDOWS\system32\X3DAudio1_4.dll
2008-07-20 20:58 . 2008-07-20 20:58 <DIR> d-------- C:\WINDOWS\Logs
2008-07-20 17:31 . 2008-07-20 17:31 331 --a------ C:\WINDOWS\doom3.ini
2008-07-20 14:04 . 2008-07-20 14:04 114,048 --a------ C:\WINDOWS\system32\drivers\snapman.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-05 02:31 --------- d-----w C:\Documents and Settings\Owner\Application Data\Apple Computer
2008-08-03 17:19 --------- d-----w C:\Program Files\Java
2008-08-03 17:15 --------- d-----w C:\Program Files\iConcepts Photo Frame
2008-08-03 16:23 --------- d-----w C:\Program Files\Canon Creative
2008-08-03 16:10 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-03 05:43 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-08-03 05:38 --------- d-----w C:\Program Files\SpywareBlaster
2008-08-03 00:16 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-08-03 00:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-08-03 00:02 --------- d-----w C:\Program Files\CopyToDVD
2008-08-02 23:52 --------- d-----w C:\Documents and Settings\Owner\Application Data\Corel
2008-08-02 23:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\Corel
2008-08-02 23:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\Borland
2008-08-02 23:42 --------- d-----w C:\Program Files\ItsDeductibleEX
2008-08-02 18:19 --------- d-----w C:\Program Files\MSN Encarta Plus
2008-08-02 18:15 --------- d-----w C:\Program Files\Downloads
2008-08-02 17:32 --------- d-----w C:\Program Files\Bonjour
2008-07-20 21:30 --------- d-----w C:\Program Files\Doom 3
2008-07-15 23:42 --------- d-----w C:\Program Files\HP
2008-07-14 16:32 --------- d-----w C:\Program Files\Quick Screen Capture
2008-07-12 22:01 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-07-12 21:54 --------- d-----w C:\Program Files\Windows Messaging
2008-07-12 21:54 --------- d-----w C:\Program Files\Microsoft.NET
2008-07-12 16:41 --------- d-----w C:\Program Files\iTunes
2008-07-12 16:41 --------- d-----w C:\Program Files\iPod
2008-07-12 16:38 --------- d-----w C:\Program Files\QuickTime
2008-07-01 17:47 --------- d-----w C:\Documents and Settings\Owner\Application Data\CopyToDvd
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-05-28 19:51 88 --sh--r C:\Documents and Settings\All Users\Application Data\A814ACFD49.sys
2008-05-28 19:51 2,516 --sha-w C:\Documents and Settings\All Users\Application Data\KGyGaAvL.sys
2008-05-17 02:27 73,216 ----a-w C:\WINDOWS\ST6UNST.EXE
2008-05-17 02:27 245,760 ------w C:\WINDOWS\Setup1.exe
2008-04-23 19:08 353,840 ----a-w C:\Program Files\RealPlayer11GOLD.exe
2007-01-14 23:36 105,143,305 -c--a-w C:\Program Files\SonicDVDitProv6_SST.exe
2007-01-14 23:29 721,507 ----a-w C:\Program Files\RNPatch72.exe
2006-09-03 22:38 345,068,035 ----a-w C:\Program Files\Photoshop_CS2.exe
2005-03-18 13:47 3,409 -c--a-w C:\Program Files\scan.dat
2005-03-17 22:34 512 ----a-w C:\Program Files\data2.cab
2005-03-17 22:34 29,760 -c--a-w C:\Program Files\layout.bin
2005-03-17 22:34 236,953 -c--a-w C:\Program Files\data1.hdr
2005-03-17 22:33 397 -c--a-w C:\Program Files\setup.ini
2005-03-17 22:33 342,212 ----a-w C:\Program Files\setup.boot
2005-03-17 22:33 299,375 -c--a-w C:\Program Files\setup.inx
2005-03-17 22:33 2,349,117 -c--a-w C:\Program Files\data1.cab
2005-03-17 17:33 46,648 -c--a-w C:\Program Files\fditxf.1ph
2005-03-17 17:33 34,585 -c--a-w C:\Program Files\comfed.1ph
2005-03-17 17:33 27,320 -c--a-w C:\Program Files\fdiimb.1ph
2005-03-17 17:33 12,538 -c--a-w C:\Program Files\fdiofx.1ph
2005-02-21 20:15 28,672 ----a-w C:\Documents and Settings\Owner\atwbxdet.dll
2004-10-25 15:11 80,161 -c--a-w C:\Program Files\bustax.thp
2004-10-25 15:06 60,591 -c--a-w C:\Program Files\bustax.scd
2004-10-25 13:55 54,232 -c--a-w C:\Program Files\tax.thp
2004-10-25 13:55 13,248 -c--a-w C:\Program Files\tax.scd
2004-10-07 13:58 49,142 ----a-w C:\Program Files\license.txt
2004-09-17 19:59 114,688 ----a-w C:\Program Files\autorun.exe
2004-09-17 18:04 7,406 -c--a-w C:\Program Files\ttax.ico
2004-09-17 18:03 142 -c--a-w C:\Program Files\autorun.ini
2004-07-17 13:57 63,499 ----a-w C:\Documents and Settings\Owner\setup.exe
2004-01-30 14:32 20,480 -c--a-w C:\Program Files\cdrun.exe
2003-02-27 21:16 420,432 -c--a-w C:\Program Files\engine32.cab
2002-12-02 20:33 107,512 -c--a-w C:\Program Files\Setup.exe
2002-05-01 21:01 695 -c--a-w C:\Program Files\os.dat
2004-12-30 15:51 0 -csha-w C:\WINDOWS\SMINST\HPCD.sys
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of C:\WINDOWS\system32\dll ----



((((((((((((((((((((((((((((( snapshot@2008-08-14_20.46.31.75 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-04-23 04:16:28 124,928 -c----w C:\WINDOWS\ie7updates\KB953838-IE7\advpack.dll
+ 2008-04-23 04:16:28 347,136 -c----w C:\WINDOWS\ie7updates\KB953838-IE7\dxtmsft.dll
+ 2008-04-23 04:16:28 214,528 -c----w C:\WINDOWS\ie7updates\KB953838-IE7\dxtrans.dll
+ 2008-04-23 04:16:28 133,120 -c----w C:\WINDOWS\ie7updates\KB953838-IE7\extmgr.dll
+ 2008-04-23 04:16:28 63,488 -c----w C:\WINDOWS\ie7updates\KB953838-IE7\icardie.dll
+ 2008-04-22 07:39:58 70,656 -c----w C:\WINDOWS\ie7updates\KB953838-IE7\ie4uinit.exe
+ 2008-04-23 04:16:28 153,088 -c----w C:\WINDOWS\ie7updates\KB953838-IE7\ieakeng.dll
+ 2008-04-23 04:16:28 230,400 -c----w C:\WINDOWS\ie7updates\KB953838-IE7\ieaksie.dll
+ 2008-04-20 05:07:51 161,792 -c----w C:\WINDOWS\ie7updates\KB953838-IE7\ieakui.dll
+ 2008-04-23 04:16:28 383,488 -c----w C:\WINDOWS\ie7updates\KB953838-IE7\ieapfltr.dll
+ 2008-04-23 04:16:28 384,512 -c----w C:\WINDOWS\ie7updates\KB953838-IE7\iedkcs32.dll
+ 2008-04-23 04:16:28 6,066,176 -c----w C:\WINDOWS\ie7updates\KB953838-IE7\ieframe.dll
+ 2008-04-23 04:16:28 44,544 -c----w C:\WINDOWS\ie7updates\KB953838-IE7\iernonce.dll
+ 2008-04-23 04:16:28 267,776 -c----w C:\WINDOWS\ie7updates\KB953838-IE7\iertutil.dll
+ 2008-04-22 07:39:58 13,824 -c----w C:\WINDOWS\ie7updates\KB953838-IE7\ieudinit.exe
+ 2008-04-22 07:40:18 625,664 -c----w C:\WINDOWS\ie7updates\KB953838-IE7\iexplore.exe
+ 2008-04-23 04:16:28 27,648 -c----w C:\WINDOWS\ie7updates\KB953838-IE7\jsproxy.dll
+ 2008-04-23 04:16:28 459,264 -c----w C:\WINDOWS\ie7updates\KB953838-IE7\msfeeds.dll
+ 2008-04-23 04:16:28 52,224 -c----w C:\WINDOWS\ie7updates\KB953838-IE7\msfeedsbs.dll
+ 2008-04-24 02:16:30 3,591,680 -c----w C:\WINDOWS\ie7updates\KB953838-IE7\mshtml.dll
+ 2008-04-23 04:16:28 478,208 -c----w C:\WINDOWS\ie7updates\KB953838-IE7\mshtmled.dll
+ 2008-04-23 04:16:28 193,024 -c----w C:\WINDOWS\ie7updates\KB953838-IE7\msrating.dll
+ 2008-04-23 04:16:28 671,232 -c----w C:\WINDOWS\ie7updates\KB953838-IE7\mstime.dll
+ 2008-04-23 04:16:28 102,912 -c----w C:\WINDOWS\ie7updates\KB953838-IE7\occache.dll
+ 2008-04-23 04:16:28 44,544 -c----w C:\WINDOWS\ie7updates\KB953838-IE7\pngfilt.dll
+ 2007-03-06 01:22:39 213,216 -c----w C:\WINDOWS\ie7updates\KB953838-IE7\spuninst\spuninst.exe
+ 2007-03-06 01:23:51 371,424 -c----w C:\WINDOWS\ie7updates\KB953838-IE7\spuninst\updspapi.dll
+ 2008-04-23 04:16:28 105,984 -c----w C:\WINDOWS\ie7updates\KB953838-IE7\url.dll
+ 2008-04-23 04:16:29 1,159,680 -c----w C:\WINDOWS\ie7updates\KB953838-IE7\urlmon.dll
+ 2008-04-23 04:16:29 233,472 -c----w C:\WINDOWS\ie7updates\KB953838-IE7\webcheck.dll
+ 2008-04-23 04:16:29 826,368 -c----w C:\WINDOWS\ie7updates\KB953838-IE7\wininet.dll
+ 2007-05-31 17:35:22 6,420,320 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040111900063D11C8EF10054038389C\11.0.8173\POWERPNT.EXE
- 2008-07-13 22:08:43 593,920 ----a-r C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\accicons.exe
+ 2008-08-15 23:10:16 593,920 ----a-r C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\accicons.exe
- 2008-07-13 22:08:43 12,288 ----a-r C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
+ 2008-08-15 23:10:16 12,288 ----a-r C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
- 2008-07-13 22:08:43 135,168 ----a-r C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\misc.exe
+ 2008-08-15 23:10:16 135,168 ----a-r C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\misc.exe
- 2008-07-13 22:08:43 11,264 ----a-r C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
+ 2008-08-15 23:10:16 11,264 ----a-r C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
- 2008-07-13 22:08:43 27,136 ----a-r C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
+ 2008-08-15 23:10:16 27,136 ----a-r C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
- 2008-07-13 22:08:43 4,096 ----a-r C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
+ 2008-08-15 23:10:16 4,096 ----a-r C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
- 2008-07-13 22:08:44 794,624 ----a-r C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\outicon.exe
+ 2008-08-15 23:10:16 794,624 ----a-r C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\outicon.exe
- 2008-07-13 22:08:43 249,856 ----a-r C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\pptico.exe
+ 2008-08-15 23:10:16 249,856 ----a-r C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\pptico.exe
- 2008-07-13 22:08:43 61,440 ----a-r C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\pubs.exe
+ 2008-08-15 23:10:16 61,440 ----a-r C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\pubs.exe
- 2008-07-13 22:08:44 23,040 ----a-r C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
+ 2008-08-15 23:10:16 23,040 ----a-r C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
- 2008-07-13 22:08:43 286,720 ----a-r C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
+ 2008-08-15 23:10:16 286,720 ----a-r C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
- 2008-07-13 22:08:43 409,600 ----a-r C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
+ 2008-08-15 23:10:15 409,600 ----a-r C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
- 2008-04-23 04:16:28 124,928 ----a-w C:\WINDOWS\system32\advpack.dll
+ 2008-06-23 16:57:27 124,928 ----a-w C:\WINDOWS\system32\advpack.dll
- 2008-04-23 04:16:28 124,928 -c--a-w C:\WINDOWS\system32\dllcache\advpack.dll
+ 2008-06-23 16:57:27 124,928 -c--a-w C:\WINDOWS\system32\dllcache\advpack.dll
- 2008-04-23 04:16:28 347,136 -c--a-w C:\WINDOWS\system32\dllcache\dxtmsft.dll
+ 2008-06-23 16:57:27 347,136 -c--a-w C:\WINDOWS\system32\dllcache\dxtmsft.dll
- 2008-04-23 04:16:28 214,528 -c--a-w C:\WINDOWS\system32\dllcache\dxtrans.dll
+ 2008-06-23 16:57:27 214,528 -c--a-w C:\WINDOWS\system32\dllcache\dxtrans.dll
+ 2008-07-07 20:32:22 253,952 -c----w C:\WINDOWS\system32\dllcache\es.dll
- 2008-04-23 04:16:28 133,120 -c--a-w C:\WINDOWS\system32\dllcache\extmgr.dll
+ 2008-06-23 16:57:27 133,120 -c--a-w C:\WINDOWS\system32\dllcache\extmgr.dll
- 2008-04-23 04:16:28 63,488 -c--a-w C:\WINDOWS\system32\dllcache\icardie.dll
+ 2008-06-23 16:57:28 63,488 -c--a-w C:\WINDOWS\system32\dllcache\icardie.dll
- 2008-04-22 07:39:58 70,656 -c--a-w C:\WINDOWS\system32\dllcache\ie4uinit.exe
+ 2008-06-23 09:20:25 70,656 -c--a-w C:\WINDOWS\system32\dllcache\ie4uinit.exe
- 2008-04-23 04:16:28 153,088 -c--a-w C:\WINDOWS\system32\dllcache\ieakeng.dll
+ 2008-06-23 16:57:29 153,088 -c--a-w C:\WINDOWS\system32\dllcache\ieakeng.dll
- 2008-04-23 04:16:28 230,400 -c--a-w C:\WINDOWS\system32\dllcache\ieaksie.dll
+ 2008-06-23 16:57:29 230,400 -c--a-w C:\WINDOWS\system32\dllcache\ieaksie.dll
- 2008-04-20 05:07:51 161,792 -c--a-w C:\WINDOWS\system32\dllcache\ieakui.dll
+ 2008-06-21 05:23:54 161,792 -c--a-w C:\WINDOWS\system32\dllcache\ieakui.dll
- 2008-04-23 04:16:28 383,488 -c--a-w C:\WINDOWS\system32\dllcache\ieapfltr.dll
+ 2008-06-23 16:57:29 383,488 -c--a-w C:\WINDOWS\system32\dllcache\ieapfltr.dll
- 2008-04-23 04:16:28 384,512 -c--a-w C:\WINDOWS\system32\dllcache\iedkcs32.dll
+ 2008-06-23 16:57:29 384,512 -c--a-w C:\WINDOWS\system32\dllcache\iedkcs32.dll
- 2008-04-23 04:16:28 6,066,176 -c--a-w C:\WINDOWS\system32\dllcache\ieframe.dll
+ 2008-06-23 16:57:33 6,066,176 -c--a-w C:\WINDOWS\system32\dllcache\ieframe.dll
- 2008-04-23 04:16:28 44,544 -c--a-w C:\WINDOWS\system32\dllcache\iernonce.dll
+ 2008-06-23 16:57:33 44,544 -c--a-w C:\WINDOWS\system32\dllcache\iernonce.dll
- 2008-04-23 04:16:28 267,776 -c--a-w C:\WINDOWS\system32\dllcache\iertutil.dll
+ 2008-06-23 16:57:34 267,776 -c--a-w C:\WINDOWS\system32\dllcache\iertutil.dll
- 2008-04-22 07:39:58 13,824 -c--a-w C:\WINDOWS\system32\dllcache\ieudinit.exe
+ 2008-06-23 09:20:26 13,824 -c--a-w C:\WINDOWS\system32\dllcache\ieudinit.exe
- 2008-04-22 07:40:18 625,664 -c--a-w C:\WINDOWS\system32\dllcache\iexplore.exe
+ 2008-06-23 09:20:52 625,664 -c--a-w C:\WINDOWS\system32\dllcache\iexplore.exe
- 2007-08-21 06:15:44 683,520 ----a-w C:\WINDOWS\system32\dllcache\inetcomm.dll
+ 2008-04-11 18:50:43 683,520 -c--a-w C:\WINDOWS\system32\dllcache\inetcomm.dll
- 2008-04-23 04:16:28 27,648 -c--a-w C:\WINDOWS\system32\dllcache\jsproxy.dll
+ 2008-06-23 16:57:35 27,648 -c--a-w C:\WINDOWS\system32\dllcache\jsproxy.dll
+ 2008-06-24 16:23:05 74,240 -c----w C:\WINDOWS\system32\dllcache\mscms.dll
- 2008-04-23 04:16:28 459,264 -c--a-w C:\WINDOWS\system32\dllcache\msfeeds.dll
+ 2008-06-23 16:57:36 459,264 -c--a-w C:\WINDOWS\system32\dllcache\msfeeds.dll
- 2008-04-23 04:16:28 52,224 -c--a-w C:\WINDOWS\system32\dllcache\msfeedsbs.dll
+ 2008-06-23 16:57:36 52,224 -c--a-w C:\WINDOWS\system32\dllcache\msfeedsbs.dll
- 2008-04-24 02:16:30 3,591,680 -c--a-w C:\WINDOWS\system32\dllcache\mshtml.dll
+ 2008-06-24 14:57:40 3,592,192 -c--a-w C:\WINDOWS\system32\dllcache\mshtml.dll
- 2008-04-23 04:16:28 478,208 -c--a-w C:\WINDOWS\system32\dllcache\mshtmled.dll
+ 2008-06-23 16:57:39 477,696 -c--a-w C:\WINDOWS\system32\dllcache\mshtmled.dll
- 2008-04-23 04:16:28 193,024 -c--a-w C:\WINDOWS\system32\dllcache\msrating.dll
+ 2008-06-23 16:57:39 193,024 -c--a-w C:\WINDOWS\system32\dllcache\msrating.dll
- 2008-04-23 04:16:28 671,232 -c--a-w C:\WINDOWS\system32\dllcache\mstime.dll
+ 2008-06-23 16:57:40 671,232 -c--a-w C:\WINDOWS\system32\dllcache\mstime.dll
- 2008-04-23 04:16:28 102,912 -c--a-w C:\WINDOWS\system32\dllcache\occache.dll
+ 2008-06-23 16:57:40 102,912 -c--a-w C:\WINDOWS\system32\dllcache\occache.dll
- 2008-04-23 04:16:28 44,544 -c--a-w C:\WINDOWS\system32\dllcache\pngfilt.dll
+ 2008-06-23 16:57:40 44,544 -c--a-w C:\WINDOWS\system32\dllcache\pngfilt.dll
- 2008-04-23 04:16:28 105,984 -c--a-w C:\WINDOWS\system32\dllcache\url.dll
+ 2008-06-23 16:57:40 105,984 -c--a-w C:\WINDOWS\system32\dllcache\url.dll
- 2008-04-23 04:16:29 1,159,680 -c--a-w C:\WINDOWS\system32\dllcache\urlmon.dll
+ 2008-06-23 16:57:40 1,159,680 -c--a-w C:\WINDOWS\system32\dllcache\urlmon.dll
- 2008-04-23 04:16:29 233,472 -c--a-w C:\WINDOWS\system32\dllcache\webcheck.dll
+ 2008-06-23 16:57:41 233,472 -c--a-w C:\WINDOWS\system32\dllcache\webcheck.dll
- 2008-04-23 04:16:29 826,368 -c--a-w C:\WINDOWS\system32\dllcache\wininet.dll
+ 2008-06-23 16:57:41 826,368 -c--a-w C:\WINDOWS\system32\dllcache\wininet.dll
- 2008-04-23 04:16:28 347,136 ----a-w C:\WINDOWS\system32\dxtmsft.dll
+ 2008-06-23 16:57:27 347,136 ----a-w C:\WINDOWS\system32\dxtmsft.dll
- 2008-04-23 04:16:28 214,528 ----a-w C:\WINDOWS\system32\dxtrans.dll
+ 2008-06-23 16:57:27 214,528 ----a-w C:\WINDOWS\system32\dxtrans.dll
- 2005-07-26 04:39:45 243,200 ----a-w C:\WINDOWS\system32\es.dll
+ 2008-07-07 20:32:22 253,952 ----a-w C:\WINDOWS\system32\es.dll
- 2008-04-23 04:16:28 133,120 ----a-w C:\WINDOWS\system32\extmgr.dll
+ 2008-06-23 16:57:27 133,120 ----a-w C:\WINDOWS\system32\extmgr.dll
- 2008-04-23 04:16:28 63,488 ----a-w C:\WINDOWS\system32\icardie.dll
+ 2008-06-23 16:57:28 63,488 ----a-w C:\WINDOWS\system32\icardie.dll
- 2008-04-22 07:39:58 70,656 ----a-w C:\WINDOWS\system32\ie4uinit.exe
+ 2008-06-23 09:20:25 70,656 ----a-w C:\WINDOWS\system32\ie4uinit.exe
- 2008-04-23 04:16:28 153,088 ----a-w C:\WINDOWS\system32\ieakeng.dll
+ 2008-06-23 16:57:29 153,088 ----a-w C:\WINDOWS\system32\ieakeng.dll
- 2008-04-23 04:16:28 230,400 ----a-w C:\WINDOWS\system32\ieaksie.dll
+ 2008-06-23 16:57:29 230,400 ----a-w C:\WINDOWS\system32\ieaksie.dll
- 2008-04-20 05:07:51 161,792 ----a-w C:\WINDOWS\system32\ieakui.dll
+ 2008-06-21 05:23:54 161,792 ----a-w C:\WINDOWS\system32\ieakui.dll
- 2008-04-23 04:16:28 383,488 ----a-w C:\WINDOWS\system32\ieapfltr.dll
+ 2008-06-23 16:57:29 383,488 ----a-w C:\WINDOWS\system32\ieapfltr.dll
- 2008-04-23 04:16:28 384,512 ----a-w C:\WINDOWS\system32\iedkcs32.dll
+ 2008-06-23 16:57:29 384,512 ----a-w C:\WINDOWS\system32\iedkcs32.dll
- 2008-04-23 04:16:28 6,066,176 ----a-w C:\WINDOWS\system32\ieframe.dll
+ 2008-06-23 16:57:33 6,066,176 ----a-w C:\WINDOWS\system32\ieframe.dll
- 2008-04-23 04:16:28 44,544 ----a-w C:\WINDOWS\system32\iernonce.dll
+ 2008-06-23 16:57:33 44,544 ----a-w C:\WINDOWS\system32\iernonce.dll
- 2008-04-23 04:16:28 267,776 ----a-w C:\WINDOWS\system32\iertutil.dll
+ 2008-06-23 16:57:34 267,776 ----a-w C:\WINDOWS\system32\iertutil.dll
- 2008-04-22 07:39:58 13,824 ----a-w C:\WINDOWS\system32\ieudinit.exe
+ 2008-06-23 09:20:26 13,824 ----a-w C:\WINDOWS\system32\ieudinit.exe
- 2007-08-21 06:15:44 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
+ 2008-04-11 18:50:43 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
- 2008-04-23 04:16:28 27,648 ----a-w C:\WINDOWS\system32\jsproxy.dll
+ 2008-06-23 16:57:35 27,648 ----a-w C:\WINDOWS\system32\jsproxy.dll
- 2008-06-25 16:15:46 17,972,344 ----a-w C:\WINDOWS\system32\MRT.exe
+ 2008-08-05 18:11:01 15,888,504 ----a-w C:\WINDOWS\system32\MRT.exe
- 2005-06-29 01:46:00 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
+ 2008-06-24 16:23:05 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
- 2008-04-23 04:16:28 459,264 ----a-w C:\WINDOWS\system32\msfeeds.dll
+ 2008-06-23 16:57:36 459,264 ----a-w C:\WINDOWS\system32\msfeeds.dll
- 2008-04-23 04:16:28 52,224 ----a-w C:\WINDOWS\system32\msfeedsbs.dll
+ 2008-06-23 16:57:36 52,224 ----a-w C:\WINDOWS\system32\msfeedsbs.dll
- 2008-04-24 02:16:30 3,591,680 ----a-w C:\WINDOWS\system32\mshtml.dll
+ 2008-06-24 14:57:40 3,592,192 ----a-w C:\WINDOWS\system32\mshtml.dll
- 2008-04-23 04:16:28 478,208 ----a-w C:\WINDOWS\system32\mshtmled.dll
+ 2008-06-23 16:57:39 477,696 ----a-w C:\WINDOWS\system32\mshtmled.dll
- 2008-04-23 04:16:28 193,024 ----a-w C:\WINDOWS\system32\msrating.dll
+ 2008-06-23 16:57:39 193,024 ----a-w C:\WINDOWS\system32\msrating.dll
- 2008-04-23 04:16:28 671,232 ----a-w C:\WINDOWS\system32\mstime.dll
+ 2008-06-23 16:57:40 671,232 ----a-w C:\WINDOWS\system32\mstime.dll
- 2008-04-23 04:16:28 102,912 ----a-w C:\WINDOWS\system32\occache.dll
+ 2008-06-23 16:57:40 102,912 ----a-w C:\WINDOWS\system32\occache.dll
- 2008-07-28 17:13:00 65,044 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-08-15 00:43:35 65,044 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-07-28 17:13:00 410,574 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-08-15 00:43:36 410,574 ----a-w C:\WINDOWS\system32\perfh009.dat
- 2008-04-23 04:16:28 44,544 ----a-w C:\WINDOWS\system32\pngfilt.dll
+ 2008-06-23 16:57:40 44,544 ----a-w C:\WINDOWS\system32\pngfilt.dll
- 2007-08-11 00:46:18 17,272 ------w C:\WINDOWS\system32\spmsg.dll
+ 2007-11-30 12:39:22 17,272 ------w C:\WINDOWS\system32\spmsg.dll
- 2007-11-13 11:31:11 60,416 ----a-w C:\WINDOWS\system32\tzchange.exe
+ 2008-07-14 11:09:18 62,976 ----a-w C:\WINDOWS\system32\tzchange.exe
- 2008-04-23 04:16:28 105,984 ----a-w C:\WINDOWS\system32\url.dll
+ 2008-06-23 16:57:40 105,984 ----a-w C:\WINDOWS\system32\url.dll
- 2008-04-23 04:16:29 1,159,680 ----a-w C:\WINDOWS\system32\urlmon.dll
+ 2008-06-23 16:57:40 1,159,680 ----a-w C:\WINDOWS\system32\urlmon.dll
- 2008-04-23 04:16:29 233,472 ----a-w C:\WINDOWS\system32\webcheck.dll
+ 2008-06-23 16:57:41 233,472 ----a-w C:\WINDOWS\system32\webcheck.dll
- 2008-04-23 04:16:29 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
+ 2008-06-23 16:57:41 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 21:05 204288]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-07-07 09:42 2156368]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PS2"="C:\WINDOWS\system32\ps2.exe" [2003-09-12 23:13 98304]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe" [2003-07-25 10:14 188416]
"AppleSyncNotifier"="C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-10 09:47 116040]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-07-27 12:21 1232152]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"AGRSMMSG"="AGRSMMSG.exe" [2005-03-04 12:01 88209 C:\WINDOWS\AGRSMMSG.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\efcywxWn]
[BU]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WinCtrl32]
[BU]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli scecli

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winvy14.sys]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Wireless Configuration Utility HW.14.lnk]
backup=C:\WINDOWS\pss\Wireless Configuration Utility HW.14.lnkCommon Startup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\advap32
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EasyLinkAdvisor]
--a------ 2006-04-02 21:07 389120 C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpsysdrv]
--a------ 1998-05-07 20:04 52736 c:\WINDOWS\system\hpsysdrv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-07-10 10:51 289064 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-05-27 10:50 413696 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2008-04-23 15:11 185896 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uniblue RegistryBooster 2]
--a------ 2007-10-22 09:58 1885464 C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
--a------ 2006-08-03 06:12 577536 C:\WINDOWS\soundman.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\system32\\sessmgr.exe"=

R0 pavboot;pavboot;C:\WINDOWS\system32\drivers\pavboot.sys [2008-06-19 17:24]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-07-27 12:22]
R2 avg8emc;AVG Free8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-07-27 12:21]
R2 avg8wd;AVG Free8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-07-27 12:21]
R2 AvgTdiX;AVG Free8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-07-27 12:22]
R2 PD91Agent;PD91Agent;C:\Program Files\PerfectDisk2008\PD91Agent.exe [2008-04-16 13:00]
R3 FET5X86V;VIA Rhine-Family Fast-Ethernet Adapter Driver Service;C:\WINDOWS\system32\DRIVERS\fetnd5bv.sys [2008-01-02 03:12]
S2 portD;ABS PortIO Service;C:\WINDOWS\system32\DRIVERS\portd2k.sys [2003-03-19 10:28]
S3 PD91Engine;PD91Engine;C:\Program Files\PerfectDisk2008\PD91Engine.exe [2008-04-16 13:00]
S3 PD91VMDefrag;PD91VMDefrag;C:\Program Files\PerfectDisk2008\PD91VMDefrag.exe [2008-02-29 10:44]
S3 RTL8187B;Realtek RTL8187B Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter;C:\WINDOWS\system32\DRIVERS\RTL8187B.sys [2007-12-11 07:18]
S3 SjyPkt;SjyPkt;C:\WINDOWS\System32\Drivers\SjyPkt.sys [2002-10-02 10:57]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\setup.exe
.
Contents of the 'Scheduled Tasks' folder

2008-08-15 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 17:57]

2008-08-16 C:\WINDOWS\Tasks\Uniblue SpyEraser Nag.job
- C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe [2007-12-03 10:55]
.
- - - - ORPHANS REMOVED - - - -

BHO-{0C8C77AF-B97A-4FD3-89C0-44098F0CDE6B} - (no file)
BHO-{7E156AAE-FA60-44A1-8E69-2E0E0030F1F6} - (no file)
BHO-{B91C0269-E0E2-4C83-BCFF-131693EB3314} - (no file)


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-17 15:58:44
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
.
**************************************************************************
.
Completion time: 2008-08-17 16:05:16 - machine was rebooted [Owner]
ComboFix-quarantined-files.txt 2008-08-17 20:05:08
ComboFix2.txt 2008-08-15 00:47:13
ComboFix3.txt 2008-02-17 15:03:51

Pre-Run: 65,595,400,192 bytes free
Post-Run: 65,588,195,328 bytes free

480 --- E O F --- 2008-08-15 23:11:03



HIJACKTHIS

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:07:29 PM, on 8/17/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\PerfectDisk2008\PD91Agent.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\ps2.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\explorer.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TY...rio&pf=desktop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O8 - Extra context menu item: Open with WordPerfect - c:\Program Files\Corel\WordPerfect Office X4\Programs\WPLauncher.hta
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} - http://support2.charter.com/sdccommo...ad/tgctlcm.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/actives.../as2stubie.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {459E93B6-150E-45D5-8D4B-45C66FC035FE} (get_atlcom Class) - http://apps.corel.com/nos_dl_manager...EGetPlugin.ocx
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} - http://ipgweb.cce.hp.com/rdqna/downloads/sysinfo.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1093930840796
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn...tDetection.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1124160269328
O16 - DPF: {85BA505F-FD01-4A91-836C-F7D502E89C9A} - http://www.evite.com/html/imageUploa...eUploader4.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: efcywxWn - C:\WINDOWS\
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PD91Agent - Raxco Software, Inc. - C:\Program Files\PerfectDisk2008\PD91Agent.exe
O23 - Service: PD91Engine - Raxco Software, Inc. - C:\Program Files\PerfectDisk2008\PD91Engine.exe
O23 - Service: PD91VMDefrag - Raxco Software, Inc. - C:\Program Files\PerfectDisk2008\PD91VMDefrag.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 6368 bytes
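The "Reg Loading Points" section of the ComboFix log above is where the persistence and posture problems on this machine show up: two Winlogon Notify packages (efcywxWn, WinCtrl32) with no DLL listed, a Winvy14.sys key under SafeBoot\Minimal, Security Center monitoring switched off, the Windows Firewall disabled, and a cached AutoRun handler pointing at E:\setup.exe. As an added example, not part of the thread or of ComboFix itself, the following Python script parses that section's layout (a [key] header followed by its values and a blank line) and flags those patterns. The SAMPLE_LOG string is a constructed, trimmed copy of the entries posted above; Finding, parse_blocks, triage and by_severity are names chosen here.

```python
"""Added example: triage the 'Reg Loading Points' section of a ComboFix log.
Not part of the thread or of ComboFix; the rules below encode what an analyst
looks for in the entries posted above (Winlogon Notify packages with no DLL,
a .sys key under SafeBoot\\Minimal, Security Center monitoring switched off,
the firewall disabled, a cached AutoRun handler, a populated AppInit_DLLs)."""
import re
from dataclasses import dataclass

# Constructed sample: a trimmed copy of the entries seen in the posted log.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\efcywxWn]
[BU]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WinCtrl32]
[BU]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winvy14.sys]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\setup.exe
"""

# A registry [key] header always contains a backslash; ComboFix's "[BU]" marker does not.
KEY_RE = re.compile(r"^\[(.*\\.*)\]$")


@dataclass(frozen=True)
class Finding:
    severity: str   # "high", "medium" or "info"
    key: str
    reason: str


def parse_blocks(text):
    """Return [(key, [value lines])] following ComboFix's layout:
    a [key] header, then its value lines, then a blank line."""
    blocks, key, values = [], None, []
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            if key is not None:
                blocks.append((key, values))
            key, values = m.group(1), []
        elif line and key is not None:
            values.append(line)
    if key is not None:
        blocks.append((key, values))
    return blocks


def triage(text):
    """Apply the analyst rules to every block and return the findings."""
    findings = []
    for key, values in parse_blocks(text):
        k, v = key.lower(), " ".join(values)
        vl = v.lower()
        if "\\winlogon\\notify\\" in k:
            if "dllname" in vl:
                findings.append(Finding("info", key, "Winlogon Notify package; confirm the DLL is expected: " + v))
            else:
                findings.append(Finding("high", key, "Winlogon Notify package with no DllName listed (orphaned or hidden DLL)"))
        elif "\\safeboot\\minimal\\" in k and k.endswith(".sys"):
            findings.append(Finding("medium", key, "driver allowed to load in Safe Mode; confirm it belongs to an installed product"))
        elif "\\security center" in k and re.search(r'"(disablemonitoring|antivirusdisablenotify)"=dword:0*1\b', vl):
            findings.append(Finding("medium", key, "Security Center monitoring or alerts disabled: " + v))
        elif "firewallpolicy\\standardprofile" in k and re.search(r'"enablefirewall"\s*=\s*0\b', vl):
            findings.append(Finding("medium", key, "Windows Firewall off for the standard profile"))
        elif "\\mountpoints2\\" in k and "autorun\\command" in vl:
            findings.append(Finding("medium", key, "cached AutoRun handler for a removable drive: " + v))
        elif k.endswith("\\currentversion\\windows") and "appinit_dlls" in vl:
            findings.append(Finding("info", key, "AppInit_DLLs is set (loaded into every user32 process): " + v))
    return findings


def by_severity(findings):
    """Stable sort: high first, then medium, then info."""
    order = {"high": 0, "medium": 1, "info": 2}
    return sorted(findings, key=lambda f: order[f.severity])


if __name__ == "__main__":
    for f in by_severity(triage(SAMPLE_LOG)):
        print(f"{f.severity:6} {f.key}\n       {f.reason}")
```

The AppInit_DLLs entry is reported at "info" level only because a populated value is a classic injection point that still needs a look, even when, as here, it names an AVG component; the firewall and Security Center rules are there because malware commonly turns both off and a cleanup that forgets to turn them back on leaves the machine exposed after the infection itself is gone.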
Old 08-17-2008, 03:13 AM   #18 (permalink)
Moderator, Analyst, Security Team ; Rangemaster, TSF Academy
 
Join Date: Jun 2006
Location: USA
Posts: 7,395
OS: XP SP3


Re: heur trojan mess - Cannot Update OS - SP3 cannot find CLBCATQ dll's

Hi,

Let's check your environment variables:

Go to Start and type CMD.
Then, in the window that opens, type "path" without the quotes.
Post what it returns here.

(Right-click > Select All, open Notepad, CTRL+V to paste.)

==========================================


While both TeaTimer and Spybot are closed,
right-click here and click "Save link as".
Save it as resetteatimer.bat to your desktop.

1) Run Spybot-S&D
2) Go to the Mode menu, and make sure "Advanced Mode" is selected
3) On the left hand side, choose Tools -> Resident
4) Uncheck "Resident TeaTimer" and OK any prompts
5) Restart your computer.

Double click on resetteatimer.bat and wait for it to finish

====================================

Disconnect from the internet and disable AVG.

====================================
  • Open notepad (Start>All programs>accessories>notepad ) (It must be notepad, not wordpad, or it won't work)
  • Copy the entire contents of the Quote Box below to Notepad.
  • Name the file as CFScript.txt
  • Change the Save as Type to All Files
  • and Save it on the desktop
  • Click Format and ensure Wordwrap is unchecked.

Code:
KILLALL::

Registry::
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {85BA505F-FD01-4A91-836C-F7D502E89C9A} - http://www.evite.com/html/imageUploa...eUploader4.cab
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\efcywxWn]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WinCtrl32]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winvy14.sys]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\advap32]
[-HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
Save this as CFScript.txt, in the same location as ComboFix.exe




Referring to the picture above, drag CFScript.txt onto ComboFix.exe.

When finished, it shall produce a log for you. Post that log in your next reply.

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.


======================================

Re-enable AVG8 and reconnect to Internet.

======================================

Run an Online scan

Perform an online scan with Panda ActiveScan
  • Click on Scan Your PC Now
  • A "pop up" window will appear, or a new tab will open.
  • Click on Register
  • Choose the option you like most, but we recommend the Free Registration.
  • Click on Register
  • Enter your e-mail address, and create a password.
  • Select "I do not want to receive any type of information". (unless you want to receive such information)
  • Click on Send
  • Confirm registration, and continue by entering your user name and password, then click on Enter
  • Select Full Scan, then Click on Scan Now
  • Wait for the components to be loaded and installed. Don't close this window or go to another page while it is downloading. You can continue using the Internet by opening another window in your browser.
  • If it finds any malware it can disinfect, the Disinfect button will be enabled. Click on Disinfect
  • Please ignore the offer to buy the program. Click on Export To
  • Export the log and save it to your desktop.
  • Please attach the contents of that log to your reply, along with a new HijackThis log.
* Turn off the real time scanner of any existing antivirus program while performing the online scan

=====================================

Restart your computer.

=====================================

Please post back the path text, Combofix.txt, Panda online report and a fresh HijackThis log.
__________________
My services are free. However, you can donate to TSF to help keep it running.




Member of ASAP since 2005
Member of UNITE since 2006
Old 08-17-2008, 04:01 AM   #19 (permalink)
Moderator, Analyst, Security Team ; Rangemaster, TSF Academy
 
amateur's Avatar
 
Join Date: Jun 2006
Location: USA
Posts: 7,395
OS: XP SP3


Re: heur trojan mess - Cannot Update OS - SP3 cannot find CLBCATQ dll's

Hi,

The online scanners do take time, but I would appreciate it if you could also run this online scanner. Please be patient and let it run its full course:

Using Internet Explorer, visit http://www.kaspersky.com/kos/eng/par...avwebscan.html

Click Accept, when prompted to download and install the program files and database of malware definitions.
  • Click Run at the Security prompt.
  • The program will then begin downloading and installing and will also update the database.
  • Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.



  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply

**Note**

To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
Old 08-19-2008, 02:10 AM   #20 (permalink)
Moderator, Analyst, Security Team ; Rangemaster, TSF Academy
 
amateur's Avatar
 
Join Date: Jun 2006
Location: USA
Posts: 7,395
OS: XP SP3


Re: heur trojan mess - Cannot Update OS - SP3 cannot find CLBCATQ dll's

Hi Roc65,

Just wondering if you're still with us. Are you having problems with any of the above instructions or scanners?

Could you also please perform the following:

Open notepad and copy/paste the text in the codebox below into it:

Code:
vfind -ltf "%windir%\clb.dll" "%windir%\clbcatex.dll" "%windir%\clbcatq.dll"  >log.txt
notepad log.txt
Save this as peek.bat, choosing "Save type as - All Files".
It should look like this:
Double-click on peek.bat and allow it to run. A Notepad file will open. Copy that information into your next reply, please, along with the logs requested in my previous posts. Thank you.
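The vfind line in the post above only answers whether clb.dll, clbcatex.dll and clbcatq.dll exist at the paths it is given. As an added example, not from the thread or from any tool mentioned in it, here is a Python script that makes the same presence check against system32 and additionally compares each live copy with the copy Windows File Protection keeps in system32\dllcache (the dllcache entries are visible in the ComboFix file-change list earlier in this post). demo() builds a throwaway fake tree in a temporary directory (constructed data) that reproduces a missing clbcatq.dll and a replaced clb.dll; check_dlls, sha256_of and demo are names chosen here.

```python
"""Added example (not from the thread): check that the COM+ catalog DLLs the
thread is about exist in system32 and match the Windows File Protection copy
in system32\\dllcache."""
import hashlib
import os
import tempfile
from pathlib import Path

# The three files the moderator's vfind line looks for.
CLB_DLLS = ("clb.dll", "clbcatex.dll", "clbcatq.dll")


def sha256_of(path):
    """SHA-256 of a file, read in 64 KiB chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def check_dlls(system32, names=CLB_DLLS):
    """Map each DLL name to one of: 'missing', 'no-dllcache-copy',
    'differs-from-dllcache', 'ok'.  A hash match only shows that the live
    and cached copies agree, not that either is the genuine Microsoft file."""
    system32 = Path(system32)
    report = {}
    for name in names:
        live, cached = system32 / name, system32 / "dllcache" / name
        if not live.is_file():
            report[name] = "missing"
        elif not cached.is_file():
            report[name] = "no-dllcache-copy"
        elif sha256_of(live) != sha256_of(cached):
            report[name] = "differs-from-dllcache"
        else:
            report[name] = "ok"
    return report


def demo():
    """Constructed scenario in a temporary directory: clbcatq.dll absent and
    clb.dll replaced, while dllcache still holds the original copies."""
    with tempfile.TemporaryDirectory() as tmp:
        s32 = Path(tmp) / "system32"
        (s32 / "dllcache").mkdir(parents=True)
        for name in CLB_DLLS:
            (s32 / "dllcache" / name).write_bytes(b"MZ original " + name.encode())
        (s32 / "clbcatex.dll").write_bytes(b"MZ original clbcatex.dll")
        (s32 / "clb.dll").write_bytes(b"MZ replaced")
        # clbcatq.dll is deliberately not written: it is the file SP3 setup could not find.
        return check_dlls(s32)


if __name__ == "__main__":
    # On a Windows box, check the real system32; elsewhere, run the constructed demo.
    target = os.path.join(os.environ["WINDIR"], "system32") if "WINDIR" in os.environ else None
    for name, status in (check_dlls(target) if target else demo()).items():
        print(f"{name:14} {status}")
```

Two caveats for anyone using this on a real machine. First, a "missing" result for clbcatq.dll or clbcatex.dll is exactly the condition that makes the SP3 installer fail as described at the top of the thread, and the fix is to restore the files from a known-good source, not to hand-copy whatever happens to be in dllcache. Second, "ok" means the two copies agree with each other; something that replaced the live file could have replaced the cached one too, so confirm the Authenticode signature or compare against the file from the service pack media before trusting it.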
 


Copyright 2001 - 2009, Tech Support Forum