Smitfraud C Toolbar 888

poison_girl13 · Apr 16, 2007

Okay, so I generally don't know a lot about computers, so I don't really know what to do to solve this....

But anyway, recently whilst scanning my laptop with Spybot it came up with "Smitfraud C Toolbar 888" and not knowing anything about this, I jsut clicked fix thinking it would get rid of it. But upon scanning my laptop again, it still remains there.

And I'm majorly confused as to what I should do to remove it.

Please help..?

poison_girl13 · Apr 16, 2007

Well after reading other people's posts, I decided to install, and post a "HiJack This" log.

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 09:43:18, on 16/04/2007
Platform: Windows Vista (WinNT 6.00.1904)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
C:\Windows\autoclk.exe
C:\Program Files\Zune\ZuneLauncher.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Windows\System32\ATWTUSB.EXE
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\Explorer.EXE
C:\Users\Micey\Desktop\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.2.7.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {67C55A8D-E808-4caa-9EA7-F77102DE0BB6} - C:\Windows\system32\xaiflvli.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [SMSERIAL] C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [autoclk] autoclk.exe
O4 - HKLM\..\Run: [Zune Launcher] "C:\Program Files\Zune\ZuneLauncher.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [PrintDrive] rundll32.exe "C:\Windows\system32\lvlberpy.dll",setvm
O4 - HKLM\..\Run: [atwtusb] atwtusb.exe
O4 - HKLM\..\Run: [OneCareUI] "C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [fsc-reg] C:\ProgramData\fsc-reg\fscreg.exe 20070324
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O13 - Gopher Prefix:
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O20 - Winlogon Notify: hggghhe - C:\Windows\SYSTEM32\hggghhe.dll
O20 - Winlogon Notify: hgghhge - C:\Windows\SYSTEM32\hgghhge.dll
O20 - Winlogon Notify: opnlmjk - C:\Windows\SYSTEM32\opnlmjk.dll
O20 - Winlogon Notify: rqrqnom - C:\Windows\SYSTEM32\rqrqnom.dll
O20 - Winlogon Notify: tuvwxuu - C:\Windows\SYSTEM32\tuvwxuu.dll
O20 - Winlogon Notify: vtspp - C:\Windows\system32\vtspp.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: O2Micro Flash Memory (O2Flash) - O2Micro International - c:\Windows\system32\o2flash.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Fujitsu Siemens Computers Diagnostic Testhandler (TestHandler) - Fujitsu Siemens Computers - C:\firststeps\OnlineDiagnostic\TestManager\TestHandler.exe

--
End of file - 7031 bytes

If that helps at all?

Blade81 · Apr 16, 2007

Hi and welcome to the forums!

Please download
VundoFix.exe
to your desktop.

Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files,
click YES
Once you click yes, your desktop will go blank as it starts removing
Vundo.
When completed, it will prompt that it will reboot your computer,
click OK.
Please post the contents of C:\vundofix.txt and a new
HiJackThis log.

Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above
instructions starting from
Click the Scan for Vundo button when VundoFix appears at reboot.

poison_girl13 · Apr 17, 2007

I followed what you said to do, but upon clicking remove vundo my computer crashes. I left it on over night to see if that made any difference but it was still crashed in the morning, and didn't even show an option to restart my laptop.

But here's the contents of the Vundo file...

VundoFix V6.3.19

Checking Java version...

Java version is 1.5.0.3
Old versions of java are exploitable and should be removed.

Scan started at 08:12:25 17/04/2007

Listing files found while scanning....

C:\Windows\system32\ppstv.bak2
C:\Windows\system32\ppstv.ini
C:\Windows\system32\ppstv.ini2
C:\Windows\system32\ppstv.tmp
C:\Windows\system32\vtspp.dll
C:\Windows\System32\xaiflvli.dll

Beginning removal...

And a new HiJack This scan results...

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 08:32:22, on 17/04/2007
Platform: Windows Vista (WinNT 6.00.1904)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
C:\Windows\autoclk.exe
C:\Program Files\Zune\ZuneLauncher.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Windows\System32\ATWTUSB.EXE
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Users\Micey\Desktop\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.2.7.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {67C55A8D-E808-4caa-9EA7-F77102DE0BB6} - C:\Windows\system32\xaiflvli.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [SMSERIAL] C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [autoclk] autoclk.exe
O4 - HKLM\..\Run: [Zune Launcher] "C:\Program Files\Zune\ZuneLauncher.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [PrintDrive] rundll32.exe "C:\Windows\system32\lvlberpy.dll",setvm
O4 - HKLM\..\Run: [atwtusb] atwtusb.exe
O4 - HKLM\..\Run: [OneCareUI] "C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [fsc-reg] C:\ProgramData\fsc-reg\fscreg.exe 20070324
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O13 - Gopher Prefix:
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O20 - Winlogon Notify: hggghhe - C:\Windows\SYSTEM32\hggghhe.dll
O20 - Winlogon Notify: hgghhge - C:\Windows\SYSTEM32\hgghhge.dll
O20 - Winlogon Notify: opnlmjk - C:\Windows\SYSTEM32\opnlmjk.dll
O20 - Winlogon Notify: rqrqnom - C:\Windows\SYSTEM32\rqrqnom.dll
O20 - Winlogon Notify: tuvwxuu - C:\Windows\SYSTEM32\tuvwxuu.dll
O20 - Winlogon Notify: vtspp - C:\Windows\system32\vtspp.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: O2Micro Flash Memory (O2Flash) - O2Micro International - c:\Windows\system32\o2flash.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Fujitsu Siemens Computers Diagnostic Testhandler (TestHandler) - Fujitsu Siemens Computers - C:\firststeps\OnlineDiagnostic\TestManager\TestHandler.exe
O23 - Service: VundoFix Service (VundoFixSvc) - Atribune.org - C:\Windows\SYSTEM32\VundoFixSVC.exe

--
End of file - 7026 bytes

[And thankyou for the welcome

]

Blade81 · Apr 17, 2007

Sorry, didn't notice you were running Vista. :sad:

Try to run Vundofix in compatible mode:
Right click on Vundofix.exe and select properties.

Set settings according to following screenshot.

Then click ok and try to run Vundofix again.

If you had success post contents of C:\vundofix.txt and a fresh hjt log again. If you hadn't then we'll need to try other methods.

poison_girl13 · Apr 17, 2007

I hate to be a nuisance, but it didn't work again. My computer just crashes when I click Remove Vundo. (Nothing's ever simple for me.. Lol)

And yeah, I have to be running Vista. (Eye candy, but rubbish to use. :laugh: )

Blade81 · Apr 18, 2007

Okay, let's try with VirtumundoBeGone then

Download VirtumundoBeGone by secured2k
http://secured2k.home.comcast.net/tools/VirtumundoBeGone.exe
Save the file to your desktop.

Better run the file in compatibility mode.

Right click on VirtumundoBeGone.exe and select properties.

Set settings according to following screenshot.

Close all running programs (including your Internet Browser)
Double-click VirtumundoBeGone.exe on the desktop
Read the introductory information, and then click Continue
Click Start
When asked if you want to continue, click Yes to run the fix
Click "Save Log"

Note: It is normal for the the fix to terminate by producing a BLUE SCREEN OF DEATH so don't be concerned when this happens. It requires you to manually reboot to restore your normal windows desktop.

The log created by VirtumundoBeGone called VBG.TXT will be on located on your desktop. Please retain VBG.TXT.

Empty Recycle Bin.

Reboot and "copy/paste" a new HijackThis log file along with the VBG.TXT into this thread.

poison_girl13 · Apr 18, 2007

Okay, I did what you said... (and it didn't make my computer crash

)
Here's the VGB log...

[04/18/2007, 22:23:02] - VirtumundoBeGone v1.5 ( "C:\Users\Micey\Desktop\VirtumundoBeGone.exe" )
[04/18/2007, 22:23:03] - Detected System Information:
[04/18/2007, 22:23:03] - Windows Version: 5.1.2600, Service Pack 2
[04/18/2007, 22:23:03] - Current Username: Micey (Admin)
[04/18/2007, 22:23:03] - Windows is in NORMAL mode.
[04/18/2007, 22:23:03] - Searching for Browser Helper Objects:
[04/18/2007, 22:23:03] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[04/18/2007, 22:23:03] - BHO 2: {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} (BitComet Helper)
[04/18/2007, 22:23:03] - BHO 3: {53707962-6F74-2D53-2644-206D7942484F} ()
[04/18/2007, 22:23:03] - WARNING: BHO has no default name. Checking for Winlogon reference.
[04/18/2007, 22:23:03] - Checking for HKLM\...\Winlogon\Notify\SDHelper
[04/18/2007, 22:23:03] - Key not found: HKLM\...\Winlogon\Notify\SDHelper, continuing.
[04/18/2007, 22:23:03] - BHO 4: {67C55A8D-E808-4caa-9EA7-F77102DE0BB6} ()
[04/18/2007, 22:23:03] - WARNING: BHO has no default name. Checking for Winlogon reference.
[04/18/2007, 22:23:03] - Checking for HKLM\...\Winlogon\Notify\xaiflvli
[04/18/2007, 22:23:03] - Key not found: HKLM\...\Winlogon\Notify\xaiflvli, continuing.
[04/18/2007, 22:23:03] - BHO 5: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} (Groove GFS Browser Helper)
[04/18/2007, 22:23:03] - BHO 6: {7E853D72-626A-48EC-A868-BA8D5E23E045} ()
[04/18/2007, 22:23:03] - WARNING: BHO has no default name. Checking for Winlogon reference.
[04/18/2007, 22:23:03] - No filename found. Continuing.
[04/18/2007, 22:23:03] - Finished Searching Browser Helper Objects
[04/18/2007, 22:23:03] - Finishing up...
[04/18/2007, 22:23:04] - Nothing found! Exiting...

And a new HiJack This log...

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 22:26:14, on 18/04/2007
Platform: Windows Vista (WinNT 6.00.1904)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
C:\Windows\autoclk.exe
C:\Program Files\Zune\ZuneLauncher.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Windows\System32\ATWTUSB.EXE
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Users\Micey\Desktop\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.2.7.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {67C55A8D-E808-4caa-9EA7-F77102DE0BB6} - C:\Windows\system32\xaiflvli.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [SMSERIAL] C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [autoclk] autoclk.exe
O4 - HKLM\..\Run: [Zune Launcher] "C:\Program Files\Zune\ZuneLauncher.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [PrintDrive] rundll32.exe "C:\Windows\system32\lvlberpy.dll",setvm
O4 - HKLM\..\Run: [atwtusb] atwtusb.exe
O4 - HKLM\..\Run: [OneCareUI] "C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [fsc-reg] C:\ProgramData\fsc-reg\fscreg.exe 20070324
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - (no file)
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - (no file)
O13 - Gopher Prefix:
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O20 - Winlogon Notify: hggghhe - C:\Windows\SYSTEM32\hggghhe.dll
O20 - Winlogon Notify: hgghhge - C:\Windows\SYSTEM32\hgghhge.dll
O20 - Winlogon Notify: opnlmjk - C:\Windows\SYSTEM32\opnlmjk.dll
O20 - Winlogon Notify: rqrqnom - C:\Windows\SYSTEM32\rqrqnom.dll
O20 - Winlogon Notify: tuvwxuu - C:\Windows\SYSTEM32\tuvwxuu.dll
O20 - Winlogon Notify: vtspp - C:\Windows\system32\vtspp.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: O2Micro Flash Memory (O2Flash) - O2Micro International - c:\Windows\system32\o2flash.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Fujitsu Siemens Computers Diagnostic Testhandler (TestHandler) - Fujitsu Siemens Computers - C:\firststeps\OnlineDiagnostic\TestManager\TestHandler.exe
O23 - Service: VundoFix Service (VundoFixSvc) - Atribune.org - C:\Windows\SYSTEM32\VundoFixSVC.exe

--
End of file - 7215 bytes

Blade81 · Apr 19, 2007

Please download Process Explorer by Systernals from HERE

Also download KillBox by Option^Explicit from HERE

Then boot up in SAFE MODE

the rest of this fix must be done in safe mode.

Unzip Process Explorer and double click on procexp.exe

In the top section of the Process Explorer screen double click on winlogon.exe to bring up the winlogon.exe properties screen. Click on the Threads tab at the top.

Once you see this screen click on each instance of xaiflvli.dll,hggghhe.dll,hgghhge.dll,opnlmjk.dll,rqrqnom.dll,tuvwxuu.dll,vtspp.dll once and then click the kill button.

After you have killed all of the xaiflvli.dll,hggghhe.dll,hgghhge.dll,opnlmjk.dll,rqrqnom.dll,tuvwxuu.dll,vtspp.dll under winlogon click OK.

Also look for any .ini or bak files or other dll's with either the same name or the file name in reverse & kill them as well

Example:

xaiflvli.bak
xaiflvli.ini
xaiflvli.reg etc

or

ilvlfiax.dll
ilvlfiax.bak
ilvlfiax.ini etc

Next double click on explorer.exe and again click once on each instance of xaiflvli.dll,hggghhe.dll,hgghhge.dll,opnlmjk.dll,rqrqnom.dll,tuvwxuu.dll,vtspp.dll then click the kill button.

Also look for any .ini or bak files or reverse named dll's with either the same name or the file name in reverse & kill them as well. See above for examples

Click on the Threads tab at the top.

Once you have done that click OK again.

Next run HijackThis and place a check beside each of the following.

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {67C55A8D-E808-4caa-9EA7-F77102DE0BB6} - C:\Windows\system32\xaiflvli.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [PrintDrive] rundll32.exe "C:\Windows\system32\lvlberpy.dll",setvm
O13 - Gopher Prefix:

Now click fix checked and close HijackThis.

Please copy the text in BOLD below, and paste it into a blank notepad window.
Save it as vundo.reg and in the save as type box choose all files.

Once you have saved it double click it and allow it to merge with the registry.

REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{67C55A8D-E808-4caa-9EA7-F77102DE0BB6}]

[-HKEY_CLASSES_ROOT\CLSID\{67C55A8D-E808-4caa-9EA7-F77102DE0BB6}]

[-HKEY_CLASSES_ROOT\MSEvents.MSEvents]

[-HKEY_CLASSES_ROOT\MSEvents.MSEvents.1]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MSEvents.MSEvents]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MSEvents.MSEvents.1] <---Leave one empty line after this line

Double click on Killbox.exe and check the Delete on Reboot button.

Enter the following filepath and filename into the "Full path of file to delete" box:

C:\Windows\system32\xaiflvli.dll

Click the red and white "Delete File" button.
Click "Yes" at the first prompt .
Click "No" at the second.

Repeat those same steps for the files in following quote box and for any of the same named or reversed named .bak, .ini. reg, etc, files you may have found earlier.

Once you have entered in all the files, reboot.

C:\Windows\system32\lvlberpy.dll
C:\Windows\SYSTEM32\hggghhe.dll
C:\Windows\SYSTEM32\hgghhge.dll
C:\Windows\SYSTEM32\opnlmjk.dll
C:\Windows\SYSTEM32\rqrqnom.dll
C:\Windows\SYSTEM32\tuvwxuu.dll
C:\Windows\system32\vtspp.dll

Send them to the Windows clipboard by using the combination of keys: Ctrl-C
In Killbox click File > Copy from Clipboard.
Then press the "Delete File" button. You will get a confirmation box saying: "All listed Files will be Deleted on Next Reboot" Click Yes.
You will get another confirmation box saying: "Files will be Removed on Reboot, Do you want to reboot now?" Click Yes again.
The computer should now reboot automatically and the files you selected should be gone.

Repeat those same steps for any of the same named or reversed named .bak, .ini. reg, etc, files you may have found earlier.

Once you have entered in all the files, reboot.

After your computer has rebooted please run Hijackthis and post a new log.

poison_girl13 · Apr 20, 2007

This may sound really retarded... But what should I click on this screen at the beggining of what you told me to do.... :S

Because that's what appears when I click the "Threads" tab.

Blade81 · Apr 20, 2007

Hmm.. Process explorer might not show things right in Vista.

Before we'll continue I would like you to do something for me...
I need you too upload few malware files for further inspection.

Make your hidden files visible:

Go to My Computer
Select the Tools menu and click Folder Options
Click the View tab.
Checkmark the
Display the contents of system folders
Under the Hidden files and folders select
Show hidden files and folders
Uncheck
Hide protected operating system files
Click Apply and then the OK and close My Computer.

Please go here to upload a suspicious file for analysis.

Enter your username from this forum
Copy and paste the link to this thread
- Click
  Browse
  on the 1. field.
  Browse to the following file and click the file with your mouse, press
  Open
  
  C:\WINDOWS\system32\xaiflvli.dll
- Click
  Browse
  on the 2. field.
  Browse to the following file and click the file with your mouse, press
  Open
  
  C:\WINDOWS\system32\lvlberpy.dll
Do the same with these files:
C:\Windows\SYSTEM32\hggghhe.dll
C:\Windows\SYSTEM32\hgghhge.dll
C:\Windows\SYSTEM32\opnlmjk.dll
C:\Windows\SYSTEM32\rqrqnom.dll
C:\Windows\SYSTEM32\tuvwxuu.dll
C:\Windows\system32\vtspp.dll
In the comments, please mention that I asked you to upload these files and insert link to this topic.
Click on Send File (You may need to post files in more than one parts)

When you've uploaded the files then do the following.

Download Deckard's System Scanner (DSS) to your Desktop. Note: You must be logged onto an account with administrator privileges.

Close all applications and windows.
Double-click on dss.exe to run it, and follow the prompts.
When the scan is complete, two text files will open - main.txt <- this one will be maximized and extra.txt<-this one will be minimized
Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt and the extra.txt to your post. in your reply

poison_girl13 · Apr 23, 2007

Well I did what you said.. Although when I tried to upload
C:\WINDOWS\system32\lvlberpy.dll
it said the file did not exist/could not be found.

poison_girl13 · Apr 23, 2007

main.txt:

Deckard's System Scanner v20070411.38
Run by Micey on 2007-04-23 at 09:10:45
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- Last 5 Restore Point(s) --
25: 2007-04-23 07:24:29 UTC - RP134 - Installed Microsoft Office Enterprise 2007
24: 2007-04-22 13:28:32 UTC - RP132 - Installed Microsoft Office Enterprise 2007
23: 2007-04-22 13:12:33 UTC - RP130 - Installed Microsoft Office Enterprise 2007
22: 2007-04-22 12:59:24 UTC - RP128 - Removed Microsoft Office Word MUI (English) 2007
21: 2007-04-22 12:59:09 UTC - RP127 - Removed Microsoft Office Shared Setup Metadata MUI (English) 2007

-- First Restore Point --
1: 2007-04-17 16:39:49 UTC - RP106 - Removed Microsoft Office Enterprise 2007

Backed up registry hives.

Performed disk cleanup.

-- HijackThis Clone ------------------------------------------------------------

Emulating logfile of HijackThis v1.99.1
Scan saved at 2007-04-23 09:22:50
Platform: Windows Vista (6.00.6000)
MSIE: Internet Explorer (7.0.6000.16386)

Running processes:
C:\Windows\System32\taskeng.exe
C:\Windows\System32\dwm.exe
C:\Windows\explorer.exe
C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
C:\Windows\autoclk.exe
C:\Program Files\Zune\ZuneLauncher.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Windows\System32\ATWTUSB.EXE
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Windows\ehome\ehmsas.exe
C:\Users\Micey\Desktop\dss.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.2.7.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {67C55A8D-E808-4caa-9EA7-F77102DE0BB6} - C:\Windows\System32\xaiflvli.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [SMSERIAL] C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [autoclk] autoclk.exe
O4 - HKLM\..\Run: [Zune Launcher] "C:\Program Files\Zune\ZuneLauncher.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [PrintDrive] rundll32.exe "C:\Windows\system32\lvlberpy.dll",setvm
O4 - HKLM\..\Run: [atwtusb] atwtusb.exe
O4 - HKLM\..\Run: [OneCareUI] "C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe"
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\RunOnce: [fsc-reg] cmd.exe /c rd /s /q "C:\ProgramData\fsc-reg\"
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O4 - Global Startup: hp psc 1000 series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
O4 - Global Startup: hpoddt01.exe.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\MSN Messenger\msgrapp.8.1.0178.00.dll
O18 - Protocol: ms-help - {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\microsoft shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\MSN Messenger\msgrapp.8.1.0178.00.dll
O18 - Filter: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\microsoft shared\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: hggghhe - C:\Windows\system32\hggghhe.dll
O20 - Winlogon Notify: hgghhge - C:\Windows\system32\hgghhge.dll
O20 - Winlogon Notify: igfxcui - C:\Windows\system32\igfxdev.dll
O20 - Winlogon Notify: opnlmjk - C:\Windows\system32\opnlmjk.dll
O20 - Winlogon Notify: rqrqnom - C:\Windows\system32\rqrqnom.dll
O20 - Winlogon Notify: tuvwxuu - C:\Windows\system32\tuvwxuu.dll
O20 - Winlogon Notify: vtspp - C:\Windows\System32\vtspp.dll
O23 - Service: Adobe LM Service - Adobe Systems - "C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe"
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - "C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe"
O23 - Service: Microsoft Office Groove Audit Service - Unknown owner - "C:\Program Files\Microsoft Office\Office12\GrooveAuditService.exe"
O23 - Service: O2Micro Flash Memory (O2Flash) - O2Micro International - C:\Windows\System32\o2flash.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Fujitsu Siemens Computers Diagnostic Testhandler (TestHandler) - Fujitsu Siemens Computers - C:\FirstSteps\OnlineDiagnostic\TestManager\TestHandler.exe
O23 - Service: VundoFix Service (VundoFixSvc) - Atribune.org - C:\Windows\System32\VundoFixSVC.exe

-- File Associations -----------------------------------------------------------

.chm - unable to read key

-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 O2MDRDR - c:\windows\system32\drivers\o2media.sys
R0 O2SDRDR - c:\windows\system32\drivers\o2sd.sys
R1 SCDEmu - c:\windows\system32\drivers\scdemu.sys
R3 igfx - c:\windows\system32\drivers\igdkmd32.sys
R3 NETw4v32 (Intel(R) Wireless WiFi Link Adapter Driver for Windows Vista 32 Bit) - c:\windows\system32\drivers\netw4v32.sys
R3 smserial - c:\windows\system32\drivers\smserial.sys

S1 aiptektp (Pen Pad) - c:\windows\system32\drivers\aiptektp.sys
S2 ADILOADER (General Purpose USB Driver (adildr.sys)) - c:\windows\system32\drivers\adildr.sys
S3 adiusbaw (USB ADSL WAN Adapter) - c:\windows\system32\drivers\adiusbaw.sys
S3 ialm - c:\windows\system32\drivers\igdkmd32.sys
S3 NETw3v32 (Intel(R) PRO/Wireless 3945ABG Adapter Driver for Windows Vista 32 Bit) - c:\windows\system32\drivers\netw3v32.sys
S3 RT25USBAP (Nintendo Wi-Fi USB Connector Service) - c:\windows\system32\drivers\rt25usbap.sys
S3 SE27bus (Sony Ericsson Device 039 Driver driver (WDM)) - c:\windows\system32\drivers\se27bus.sys
S3 SE27mdfl (Sony Ericsson Device 039 USB WMC Modem Filter) - c:\windows\system32\drivers\se27mdfl.sys
S3 SE27mdm (Sony Ericsson Device 039 USB WMC Modem Driver) - c:\windows\system32\drivers\se27mdm.sys
S3 SE27mgmt (Sony Ericsson Device 039 USB WMC Device Management Drivers (WDM)) - c:\windows\system32\drivers\se27mgmt.sys
S3 se27nd5 (Sony Ericsson Device 039 USB Ethernet Emulation SEMC39 (NDIS)) - c:\windows\system32\drivers\se27nd5.sys
S3 se27unic (Sony Ericsson Device 039 USB Ethernet Emulation SEMC39 (WDM)) - c:\windows\system32\drivers\se27unic.sys
S3 WpdUsb - c:\windows\system32\drivers\wpdusb.sys
S4 sdbus - c:\windows\system32\drivers\sdbus.sys
S4 viamraid - c:\windows\system32\drivers\viamraid.sys

-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 msfwsvc (OneCare Firewall) - "c:\program files\microsoft windows onecare live\firewall\msfwsvc.exe"
R2 O2Flash (O2Micro Flash Memory) - c:\windows\system32\o2flash.exe
R2 OneCareMP (OneCare AntiSpyware and AntiVirus) - "c:\program files\microsoft windows onecare live\antivirus\msmpeng.exe"
R2 StarWindService (StarWind iSCSI Service) - c:\program files\alcohol soft\alcohol 120\starwind\starwindservice.exe
R2 TestHandler (Fujitsu Siemens Computers Diagnostic Testhandler) - c:\firststeps\onlinediagnostic\testmanager\testhandler.exe
R2 winss (Windows Live OneCare) - c:\program files\microsoft windows onecare live\winss.exe

S3 FLEXnet Licensing Service - "c:\program files\common files\macrovision shared\flexnet publisher\fnplicensingservice.exe"
S3 Microsoft Office Groove Audit Service - "c:\program files\microsoft office\office12\grooveauditservice.exe" (file missing)
S3 VundoFixSvc (VundoFix Service) - vundofixsvc.exe
S3 ZuneNetworkSvc (Zune Network Sharing Service) - "c:\program files\zune\zunenss.exe"

-- Scheduled Tasks -------------------------------------------------------------

2007-04-23 09:20:16 418 --ah----- C:\Windows\Tasks\User_Feed_Synchronization-{B94D58B8-29B7-41FB-B4ED-AF867CAB04CD}.job<USER_F~1.JOB>

-- Files created between 2007-03-23 and 2007-04-23 -----------------------------

-- Find3M Report ---------------------------------------------------------------

2007-04-23 08:42:33 0 d-------- C:\Program Files\Microsoft Visual Studio 8<MICROS~3>
2007-04-23 08:16:59 0 d-------- C:\Program Files\PowerISO
2007-04-22 20:50:32 0 d-------- C:\Program Files\Microsoft Windows OneCare Live<MI7BEA~1>
2007-04-21 10:56:12 0 d-------- C:\Program Files\Hazard Perception 2003-2004<HAZARD~1>
2007-04-21 10:54:22 0 d-------- C:\Program Files\Driving Test Success 2003-2004<DRIVIN~2>
2007-04-20 09:40:35 0 d-------- C:\Program Files\Debugging Tools for Windows<DEBUGG~1>
2007-04-20 09:18:40 0 d---s---- C:\Users\Micey\AppData\Roaming\Microsoft<MICROS~1>
2007-04-16 22:14:47 24576 --a------ C:\Windows\system32\VundoFixSVC.exe<VUNDOF~1.EXE>
2007-04-13 10:18:18 0 d-------- C:\Program Files\MSXML 4.0<MSXML4~1.0>
2007-04-13 09:07:31 0 d-------- C:\Program Files\OpenCanvas.4.06E<OPENCA~1.06E>
2007-04-12 22:29:18 0 d--h----- C:\Program Files\InstallShield Installation Information<INSTAL~1>
2007-04-12 21:44:40 0 d-------- C:\Program Files\Common Files\InstallShield<INSTAL~1>
2007-04-12 21:24:45 774711 ---hs---- C:\Windows\system32\ppstv.ini2<PPSTV~1.INI>
2007-04-12 08:08:39 771279 -----n--- C:\Windows\system32\ppstv.bak2<PPSTV~2.BAK>
2007-04-12 07:47:20 26694 --a------ C:\Windows\system32\opnlmjk.dll
2007-04-11 23:03:08 26694 --a------ C:\Windows\system32\hgghhge.dll
2007-04-11 22:10:00 26694 --a------ C:\Windows\system32\tuvwxuu.dll
2007-04-11 19:15:10 26694 --a------ C:\Windows\system32\rqrqnom.dll
2007-04-11 17:56:50 48708 --a------ C:\Windows\system32\xaiflvli.dll
2007-04-11 17:56:28 280676 ---hs---- C:\Windows\system32\vtspp.dll
2007-04-11 17:51:23 26694 --a------ C:\Windows\system32\hggghhe.dll
2007-04-11 14:25:51 0 d-------- C:\Program Files\Windows Defender<WINDOW~3>
2007-04-11 13:34:47 49664 --a------ C:\Windows\system32\csrsrv.dll
2007-04-11 13:34:46 376320 --a------ C:\Windows\system32\winsrv.dll
2007-04-11 13:18:22 0 d-------- C:\Program Files\SAGEM
2007-04-10 14:33:38 0 d-------- C:\Users\Micey\AppData\Roaming\PC Tools<PCTOOL~1>
2007-04-08 21:02:40 0 d-------- C:\Users\Micey\AppData\Roaming\Adobe
2007-04-06 08:48:18 0 d-------- C:\Users\Micey\AppData\Roaming\LimeWire
2007-04-05 09:14:48 0 d-------- C:\Program Files\ffdshow
2007-04-05 07:32:38 0 d-------- C:\Program Files\LimeWire
2007-04-04 08:46:06 2026496 --a------ C:\Windows\system32\win32k.sys
2007-04-04 08:46:04 633856 --a------ C:\Windows\system32\user32.dll
2007-04-02 10:08:54 0 d-------- C:\Program Files\Microsoft Works<MIF2B0~1>
2007-04-02 10:08:34 0 d-------- C:\Program Files\MSBuild
2007-04-02 10:06:03 0 d-------- C:\Program Files\Microsoft.NET<MICROS~1.NET>
2007-04-02 09:49:45 0 d-------- C:\Program Files\Alcohol Soft<ALCOHO~1>
2007-03-30 12:28:20 0 d-------- C:\Program Files\Common Files\Adobe
2007-03-30 10:36:31 0 d-------- C:\Program Files\Common Files\Macrovision Shared<MACROV~1>
2007-03-30 08:30:44 0 d-------- C:\Program Files\Zune
2007-03-30 08:29:56 0 d-------- C:\Program Files\Windows Mail<WINDOW~1>
2007-03-25 12:37:07 0 d-------- C:\Users\Micey\AppData\Roaming\GetRightToGo<GETRIG~1>
2007-03-25 12:36:57 0 d-------- C:\Program Files\MiniBrowser<MINIBR~1>
2007-03-25 12:36:37 249856 -----n--- C:\Windows\Setup1.exe
2007-03-25 12:36:35 73216 --a------ C:\Windows\ST6UNST.EXE
2007-03-14 18:20:38 414208 --a------ C:\Windows\system32\msscp.dll
2007-03-14 18:20:33 229888 --a------ C:\Windows\system32\msshsq.dll
2007-03-14 18:20:16 4153344 --a------ C:\Windows\system32\GameUXLegacyGDFs.dll
2007-03-14 18:20:16 1686016 --a------ C:\Windows\system32\gameux.dll
2007-03-13 12:50:41 0 d-------- C:\Users\Micey\AppData\Roaming\MyPhoneExplorer<MYPHON~1>
2007-03-12 19:37:00 0 d-------- C:\Users\Micey\AppData\Roaming\Macromedia<MACROM~1>
2007-03-08 15:14:57 0 d-------- C:\Program Files\Common Files\Teleca Shared<TELECA~1>
2007-03-08 14:46:59 0 d-------- C:\Program Files\MyPhoneExplorer<MYPHON~1>
2007-03-05 23:18:12 0 d-------- C:\Program Files\Driving Test Success 2006-2007<DRIVIN~1>
2007-03-03 09:50:00 0 d-------- C:\Program Files\Common Files\EasyInfo
2007-02-25 16:21:35 26574 --a------ C:\Users\Micey\AppData\Roaming\UserTile.png
2007-02-24 15:01:07 0 d-------- C:\Program Files\Hewlett-Packard<HEWLET~1>
2007-02-24 14:44:35 20475 --a------ C:\Windows\hpoins01.dat
2007-02-24 14:42:06 0 d-------- C:\Users\Micey\AppData\Roaming\Hewlett-Packard<HEWLET~1>
2007-02-24 14:34:46 0 d-------- C:\Program Files\Common Files\Hewlett-Packard<HEWLET~1>
2007-02-24 14:33:10 0 d-------- C:\Program Files\Common Files\MSSoap
2007-02-23 01:45:13 0 d-------- C:\Users\Micey\AppData\Roaming\Ahead
2007-02-23 00:27:10 0 d-------- C:\Program Files\Common Files\Adobe Systems Shared<ADOBES~1>
2007-02-23 00:20:38 0 d-------- C:\Users\Micey\AppData\Roaming\Teleca
2007-02-22 18:58:39 2560 --a------ C:\Windows\system32\BitCometRes.dll<BITCOM~1.DLL>
2007-02-22 17:23:01 104448 --a------ C:\Windows\system32\DWWIN.EXE
2007-02-22 17:21:57 974336 --a------ C:\Windows\system32\crypt32.dll
2007-02-15 12:31:02 2756608 --a------ C:\Windows\system32\NETw4r32.dll
2007-02-15 12:30:34 679936 --a------ C:\Windows\system32\NETw4c32.dll
2007-01-30 09:53:32 77472 --a------ C:\Windows\system32\Tblfunc.dll
2007-01-30 09:52:42 65184 --a------ C:\Windows\system32\TBLMOUSE.EXE
2007-01-30 09:40:22 97952 --a------ C:\Windows\RmTablet.exe
2007-01-30 09:35:40 319136 --a------ C:\Windows\system32\ATWTUSB.EXE

-- Registry Dump ---------------------------------------------------------------

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"Sidebar"="C:\\Program Files\\Windows Sidebar\\sidebar.exe /autoRun"
"ehTray.exe"="C:\\Windows\\ehome\\ehTray.exe"
"WMPNSCFG"="C:\\Program Files\\Windows Media Player\\WMPNSCFG.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runonce]
"fsc-reg"="cmd.exe /c rd /s /q \"C:\\ProgramData\\fsc-reg\\\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"Windows Defender"=hex(2):25,50,72,6f,67,72,61,6d,46,69,6c,65,73,25,5c,57,69,\
6e,64,6f,77,73,20,44,65,66,65,6e,64,65,72,5c,4d,53,41,53,43,75,69,2e,65,78,\
65,20,2d,68,69,64,65,00
"IgfxTray"="C:\\Windows\\system32\\igfxtray.exe"
"HotKeysCmds"="C:\\Windows\\system32\\hkcmd.exe"
"Persistence"="C:\\Windows\\system32\\igfxpers.exe"
"RtHDVCpl"="RtHDVCpl.exe"
"SMSERIAL"="C:\\Program Files\\Motorola\\SMSERIAL\\sm56hlpr.exe"
"NeroFilterCheck"="C:\\Program Files\\Common Files\\Ahead\\Lib\\NeroCheck.exe"
"autoclk"="autoclk.exe"
"Zune Launcher"="\"C:\\Program Files\\Zune\\ZuneLauncher.exe\""
"GrooveMonitor"="\"C:\\Program Files\\Microsoft Office\\Office12\\GrooveMonitor.exe\""
"PrintDrive"="rundll32.exe \"C:\\Windows\\system32\\lvlberpy.dll\",setvm"
"atwtusb"="atwtusb.exe"
"OneCareUI"="\"C:\\Program Files\\Microsoft Windows OneCare Live\\winssnotify.exe\""
"PWRISOVM.EXE"="C:\\Program Files\\PowerISO\\PWRISOVM.EXE"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{B5A7F190-DDA6-4420-B3BA-52453494E6CD}"="Groove GFS Stub Execution Hook"
"{856E36A9-A123-418A-A2CC-A05B3BF11AB9}"=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"=dword:00000002
"ConsentPromptBehaviorUser"=dword:00000001
"EnableInstallerDetection"=dword:00000001
"EnableLUA"=dword:00000000
"EnableSecureUIAPaths"=dword:00000001
"EnableVirtualization"=dword:00000001
"PromptOnSecureDesktop"=dword:00000001
"ValidateAdminCodeSignatures"=dword:00000000
"scforceoption"=dword:00000000
"FilterAdministratorToken"=dword:00000000

poison_girl13 · Apr 23, 2007

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system\UIPI]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system\UIPI\Clipboard]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system\UIPI\Clipboard\ExceptionFormats]
"CF_TEXT"=dword:00000001
"CF_BITMAP"=dword:00000002
"CF_OEMTEXT"=dword:00000007
"CF_DIB"=dword:00000008
"CF_PALETTE"=dword:00000009
"CF_UNICODETEXT"=dword:0000000d
"CF_DIBV5"=dword:00000011

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\hggghhe
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\hgghhge
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\opnlmjk
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rqrqnom
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tuvwxuu
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vtspp

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="credssp.dll"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\OneCareMP

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ nsi\0lltdsvc\0SSDPSRV\0upnphost\0SCardSvr\0w32time\0EventSystem\0RemoteRegistry\0WinHttpAutoProxySvc\0lanmanworkstation\0TBS\0SLUINotify\0THREADORDER\0fdrespub\0netprofm\0fdphost\0wcncsvc\0QWAVE\0Mcx2Svc\0WebClient\0\0
LocalSystemNetworkRestricted REG_MULTI_SZ hidserv\0UxSms\0WdiSystemHost\0Netman\0trkwks\0AudioEndpointBuilder\0WUDFSvc\0irmon\0sysmain\0IPBusEnum\0dot3svc\0PcaSvc\0EMDMgmt\0TabletInputService\0wlansvc\0WPDBusEnum\0\0
NetworkServiceNetworkRestricted REG_MULTI_SZ PolicyAgent\0\0
LocalServiceNoNetwork REG_MULTI_SZ PLA\0DPS\0BFE\0mpssvc\0ehstart\0\0
NetworkService REG_MULTI_SZ CryptSvc\0DHCP\0TermService\0KtmRm\0DNSCache\0NapAgent\0nlasvc\0WinRM\0WECSVC\0Tapisrv\0\0
termsvcs REG_MULTI_SZ TermService\0\0
WerSvcGroup REG_MULTI_SZ wersvc\0\0
swprv REG_MULTI_SZ swprv\0\0
LocalServiceNetworkRestricted REG_MULTI_SZ DHCP\0eventlog\0AudioSrv\0LmHosts\0wscsvc\0p2pimsvc\0PNRPSvc\0p2psvc\0WPCSvc\0PnrpAutoReg\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
regsvc REG_MULTI_SZ RemoteRegistry\0\0
wcssvc REG_MULTI_SZ WcsPlugInService\0\0
DcomLaunch REG_MULTI_SZ PlugPlay\0DcomLaunch\0\0
wdisvc REG_MULTI_SZ WdiServiceHost\0\0
sdrsvc REG_MULTI_SZ sdrsvc\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
secsvcs REG_MULTI_SZ WinDefend\0\0

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\G]
shell\AutoRun\command G:\Launcher.exe

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d2f74913-c2d7-11db-aad6-806e6f6e6963}]
shell\AutoRun\command E:\runme.exe
*newlycreated* - HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\LEGACY_SCDEMU

-- End of Deckard's System Scanner: finished at 2007-04-23 at 09:23:18 ---------

poison_girl13 · Apr 23, 2007

extra.txt:

Deckard's System Scanner v20070411.38
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft® Windows Vista™ Home Premium (build 6000)
Architecture: X86; Language: English

CPU 0: Intel(R) Core(TM)2 CPU T5200 @ 1.60GHz
Percentage of Memory in Use: 54%
Physical Memory (total/avail): 1013.56 MiB / 458.82 MiB
Pagefile Memory (total/avail): 2279.72 MiB / 1503.63 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1916.99 MiB

C: is Fixed (NTFS) - 78.76 GiB total, 40.65 GiB free.
D: is Fixed (NTFS) - 19.36 GiB total, 19.27 GiB free.
E: is CDROM (CDFS)
F: is CDROM (No Media)
G: is CDROM (CDFS)

-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is disabled.

FW: Windows Live OneCare Firewall v1.0.0 (Microsoft Corporation)
AV: Windows Live OneCare v1.0.0 (Microsoft Corporation)
AS: Windows Defender v1.1.1505.0 (Microsoft Corporation) Disabled
AS: Windows Live OneCare v1.0.0 (Microsoft Corporation)

-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\ProgramData
APPDATA=C:\Users\Micey\AppData\Roaming
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=MICEYS
ComSpec=C:\Windows\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Users\Micey
LOCALAPPDATA=C:\Users\Micey\AppData\Local
LOGONSERVER=\\MICEYS
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Program Files\Common Files\Teleca Shared;C:\Program Files\Common Files\Adobe\AGL
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 15 Stepping 6, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0f06
ProgramData=C:\ProgramData
ProgramFiles=C:\Program Files
PROMPT=$P$G
PUBLIC=C:\Users\Public
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\Windows
TEMP=C:\Users\Micey\AppData\Local\Temp
TMP=C:\Users\Micey\AppData\Local\Temp
USERDOMAIN=MICEYS
USERNAME=Micey
USERPROFILE=C:\Users\Micey
windir=C:\Windows

-- User Profiles ---------------------------------------------------------------

Micey (admin)

-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\Nero\Nero 7\nero\uninstall\UNNERO.exe /UNINSTALL
--> C:\Windows\UNNeroMediaHome.exe /UNINSTALL
--> C:\Windows\UNNeroShowTime.exe /UNINSTALL
--> C:\Windows\UNNeroVision.exe /UNINSTALL
--> C:\Windows\UNRecode.exe /UNINSTALL
Ad-Aware SE Personal --> MsiExec.exe /X{78CC3BAB-DE2A-4FB4-8FBB-E4DADDC26747}
Adobe Bridge 1.0 --> MsiExec.exe /I{B74D4E10-1033-0000-0000-000000000001}
Adobe Common File Installer --> MsiExec.exe /I{8EDBA74D-0686-4C99-BFDD-F894678E5B39}
Adobe Flash Player 9 ActiveX --> C:\Windows\system32\Macromed\Flash\FlashUtil9b.exe -uninstallDelete
Adobe Help Center 1.0 --> MsiExec.exe /I{E9787678-1033-0000-8E67-000000000001}
Adobe Photoshop CS2 --> msiexec /I {236BB7C4-4419-42FD-0409-1E257A25E34D}
Adobe Reader 8 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A80000000002}
Adobe Shockwave Player --> C:\Windows\System32\Macromed\SHOCKW~1\UNWISE.EXE C:\Windows\System32\Macromed\SHOCKW~1\Install.log
Adobe Stock Photos 1.0 --> MsiExec.exe /I{786C5747-1033-0000-B58E-000000000001}
Adobe SVG Viewer 3.0 --> C:\Program Files\Common Files\Adobe\SVG Viewer 3.0\Uninstall\Winstall.exe -u -fC:\Program Files\Common Files\Adobe\SVG Viewer 3.0\Uninstall\Install.log
BitComet 0.84 --> C:\Program Files\BitComet\uninst.exe
Debugging Tools for Windows --> MsiExec.exe /I{5C741A01-05D6-4306-BA6A-DC8401285AE8}
Driving Test Success 2003-2004 --> MsiExec.exe /I{27A4C502-AAD6-402F-8A36-63ECB26B67D6}
Driving Test Success 2006/7 --> "C:\Program Files\Driving Test Success 2006-2007\unins000.exe"
ffdshow [rev 610] [2006-12-01] --> "C:\Program Files\ffdshow\unins000.exe"
Hazard Perception Training 2003-2004 --> MsiExec.exe /I{6112DD9A-2A3B-4487-8271-ADBA4A390287}
HijackThis 2.0.0 --> "C:\Users\Micey\Desktop\HijackThis.exe" /uninstall
HP Photo and Imaging 2.0 - All-in-One --> MsiExec.exe /X{9867A917-5D17-40DE-83BA-BEA5293194B1}
HP Photo and Imaging 2.0 - All-in-One Drivers --> MsiExec.exe /X{6ECB39BD-73C2-44DD-B1A0-898207C58D8B}
HP Photo and Imaging 2.0 - hp psc 1200 series --> C:\Program Files\Hewlett-Packard\Digital Imaging\{7C8BB31C-E09E-4c7d-BBF1-45E33B467FE1}\Setup\hpzscr01.exe -datfile hposcr02.dat -forcereboot
hp psc 1200 series --> MsiExec.exe /X{C900EF06-2E76-49C7-8DB0-41F629B21DC5}
Intel(R) Graphics Media Accelerator Driver --> C:\Windows\system32\igxpun.exe -uninstall
J2SE Runtime Environment 5.0 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150030}
LimeWire PRO 4.12.11 --> "C:\Program Files\LimeWire\uninstall.exe"
Microsoft Protection Service --> MsiExec.exe /I{A9475612-7515-4532-B59C-06689088F5E0}
Microsoft Windows Live OneCare Resources v1.5.1890.34 --> MsiExec.exe /I{5660022E-F3F2-4126-8CC5-9726C47150EB}
Microsoft Windows OneCare Live AntiSpyware and AntiVirus --> MsiExec.exe /I{395CF7B4-BE08-4156-97E1-EA1A570FAE77}
Microsoft Windows OneCare Live v1.5.1890.34 --> MsiExec.exe /I{D07A8E7E-D324-4945-BA8C-E532AD008FF3}
Microsoft Windows OneCare Live v1.5.1890.34 Idcrl Install --> MsiExec.exe /I{3851147E-5A91-4469-BA4D-13FFFCC8A920}
MiniBrowser 1.1.81a --> C:\WINDOWS\st6unst.exe -n "C:\Program Files\MiniBrowser\ST6UNST.LOG"
Motorola SM56 Data Fax Modem --> rundll32.exe sm56co6a.dll,SM56UnInstaller
MSXML 4.0 SP2 (KB927978) --> MsiExec.exe /I{37477865-A3F1-4772-AD43-AAFC6BCFF99F}
MSXML 4.0 SP2 Parser and SDK --> MsiExec.exe /I{716E0306-8318-4364-8B8F-0CC4E9376BAC}
MyPhoneExplorer --> C:\Program Files\MyPhoneExplorer\uninstall.exe
Nero 7 Essentials --> MsiExec.exe /I{D34D82E0-4600-407B-9478-8506C1DD1033}
O2Micro Flash Memory Card Windows Driver V3.00 --> C:\Program Files\InstallShield Installation Information\{3562A082-CF01-419B-8A02-233E31B8A83C}\SETUP.EXE -runfromtemp -l0x0409
PowerISO --> "C:\Program Files\PowerISO\uninstall.exe"
PX Engine --> MsiExec.exe /I{6513E869-647F-40FD-A55D-CFC92579B9BA}
Realtek High Definition Audio Driver --> RtlUpd.exe -r -m
SAGEM F@st 800-840 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{4AE3A0CB-87B0-4F51-BECD-3D1F8DFDD62F}\setup.exe" -l0x9
Shockwave --> C:\Windows\System32\Macromed\SHOCKW~2\UNWISE.EXE C:\Windows\System32\Macromed\SHOCKW~2\Install.log
Spybot - Search & Destroy 1.4 --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
Test_OnlineDiagnostic --> MsiExec.exe /I{538A1AE6-5D8B-4BF1-B1B3-AE14FDE21C09}
Update for Office 2007 (KB932080) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {EDC9CA29-6BC1-471C-828C-7A36109005D7}
USB Tablet Manager --> Rmtablet KNL
Windows Driver Package - Microsoft WPD (12/01/2006 1.2.0.0) --> rundll32.exe C:\PROGRA~1\DIFX\F78795BBB376EE09\DIFxAppA.dll, DIFxARPUninstallDriverPackage C:\Windows\System32\DriverStore\FileRepository\zune.inf_3edf621b\zune.inf
Windows Live Messenger --> MsiExec.exe /I{571700F0-DB9D-4B3A-B03D-35A14BB5939F}
Windows Live OneCare --> "C:\Program Files\Microsoft Windows OneCare Live\OCSetup.exe" /u
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe
Wireless Tablet Series --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{203E9709-186B-46FE-A995-FE51210E7F25}\setup.exe" -l0x9 -uninst -removeonly
Zune --> MsiExec.exe /X{ED55BFEF-90F3-4926-9536-D94FDBBF65DC}

-- End of Deckard's System Scanner: finished at 2007-04-23 at 09:23:18 ---------

Blade81 · Apr 23, 2007

Hi

Upload following two files to Jotti:
C:\Windows\system32\NETw4r32.dll
C:\Windows\system32\NETw4c32.dll

Updating Java:

Download the latest version of Java Runtime Environment (JRE) 6u1.
Scroll down to where it says
The J2SE Runtime Environment (JRE) allows end-users to run Java applications.
Click the
Download
button to the right.
Check the box that says:
Accept License Agreement.
The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
Check any item with Java Runtime Environment (JRE or J2SE) in the name.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java versions.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on jre-6u1-windows-i586-p.exe to install the newest version.

Downloading needed applications
-------------------------------

Please download AVG Anti-Spyware to your Desktop or to your usual Download Folder.
http://www.ewido.net/en/download/

Install AVG Anti-Spyware by double clicking the installer.
Follow the prompts. Make sure that Launch AVG Anti-Spyware is checked.
On the main screen under Your Computer's security.
- Click on Change state next to Resident shield. It should now change to inactive.
- Click on Change state next to Automatic updates. It should now change to inactive.
- Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
- Wait until you see the Update succesfull message.
Right-click the AVG Anti-Spyware Tray Icon and uncheck Start with Windows.
Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.

If you are having problems with the updater, you can use this link to manually update ewido.
AVG Anti-Spyware manual updates.
Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that AVG Anti-Spyware is closed before installing the update. Don't run AVG yet. Will do it a bit later.

Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop. Don't run ATF yet. Will do it a bit later.

I recommend you to print/save these instructions since these are quite long and you can't access them while in safe mode.

Start hjt, click do a system scan only, check:
O2 - BHO: (no name) - {67C55A8D-E808-4caa-9EA7-F77102DE0BB6} - C:\Windows\System32\xaiflvli.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [PrintDrive] rundll32.exe "C:\Windows\system32\lvlberpy.dll",setvm
O20 - Winlogon Notify: hggghhe - C:\Windows\system32\hggghhe.dll
O20 - Winlogon Notify: hgghhge - C:\Windows\system32\hgghhge.dll
O20 - Winlogon Notify: igfxcui - C:\Windows\system32\igfxdev.dll
O20 - Winlogon Notify: opnlmjk - C:\Windows\system32\opnlmjk.dll
O20 - Winlogon Notify: rqrqnom - C:\Windows\system32\rqrqnom.dll
O20 - Winlogon Notify: tuvwxuu - C:\Windows\system32\tuvwxuu.dll
O20 - Winlogon Notify: vtspp - C:\Windows\System32\vtspp.dll

Close all browsers & other windows. Click fix checked.

==============================

Reboot into safe mode (press F8 before Windows' loading screen and select safe mode)

Deleting files & folders
------------------------

Delete following files, if found:
C:\Windows\system32\ppstv.ini2
C:\Windows\system32\ppstv.bak2
C:\Windows\system32\opnlmjk.dll
C:\Windows\system32\hgghhge.dll
C:\Windows\system32\tuvwxuu.dll
C:\Windows\system32\rqrqnom.dll
C:\Windows\system32\xaiflvli.dll
C:\Windows\system32\vtspp.dll
C:\Windows\system32\hggghhe.dll
C:\Windows\system32\lvlberpy.dll

Running temp cleaner & AVG Anti-Spyware
---------------------------------------

Double-click ATF Cleaner.exe to open it

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.

Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.

Close ALL open Windows / Programs / Folders. Please start AVG Anti-Spyware and run a full scan.

Click on Scanner on the toolbar.
Click on the Settings tab.
- Under How to act?
  - Click on Recommended Action and choose Quarantine from the popup menu.
- Under How to scan?
  - All checkboxes should be ticked.
- Under Possibly unwanted software:
  - All checkboxes should be ticked.
- Under Reports:
  - Select Automatically generate report after every scan and uncheck Only if threats were found.
- Under What to scan?
  - Select Scan every file.
Click on the Scan tab.
Click on Complete System Scan to start the scan process.
Let the program scan the machine.
When the scan has finished, follow the instructions below.
IMPORTANT : Don't click on the
Save Scan Report
button before you did hit the
Apply all Actions
button.
- Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
- At the bottom of the window click on the Apply all Actions button. (3)
When done, click the Save Scan Report button. (4)
- Click the Save Report as button.
- Save the report to your Desktop.
Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.

Reboot in Normal Mode.

Post AVG Anti-Spyware log & a fresh HJT log and results of those two files I asked you to scan at Jotti.

poison_girl13 · Apr 23, 2007

I was following what you said, and AVG Anti-Spyware loads when I'm not in safe mode, as long as I run it in xp compatibility mode, but as soon as I try to load it in safe mode it comes up with the Error "Application failed to initalize properly (0xc0000142)"

Is there anyway you can think of me fixing this? Or another program to use...?

Blade81 · Apr 24, 2007

Let's replace AVG part with Kaspersky Online Scanner.

Please do an online scan with
Kaspersky
WebScanner (use Internet Explorer)

Click on Kaspersky Online Scanner

You will be promted to install an ActiveX component from Kaspersky,
Click Yes.

The program will launch and then begin downloading the latest
definition files:
Once the files have been downloaded click on NEXT
Now click on Scan Settings
In the scan settings make that the following are selected:
- Scan using the following Anti-Virus database:
- Extended (if available otherwise
  Standard)
- Scan Options:
- Scan Archives
  Scan Mail Bases
Click OK
Now under select a target to scan:
- Select My Computer
This will program will start and scan your system.
The scan will take a while so be patient and let it run.
Once the scan is complete it will display if your system has been
infected.
- Now click on the Save as Text button:
Save the file to your desktop.
Copy and paste that information in your next post.

Post also a fresh hjt log and Jotti's results of those two files.

poison_girl13 · Apr 25, 2007

Okay... hijackthis log:

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 07:44:20, on 25/04/2007
Platform: Windows Vista (WinNT 6.00.1904)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
C:\Windows\autoclk.exe
C:\Program Files\Zune\ZuneLauncher.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Windows\System32\ATWTUSB.EXE
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Windows\system32\wuauclt.exe
C:\Users\Micey\Desktop\rawr\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.2.7.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [SMSERIAL] C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [autoclk] autoclk.exe
O4 - HKLM\..\Run: [Zune Launcher] "C:\Program Files\Zune\ZuneLauncher.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [atwtusb] atwtusb.exe
O4 - HKLM\..\Run: [OneCareUI] "C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe"
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O13 - Gopher Prefix:
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O20 - Winlogon Notify: avgwlntf - C:\Windows\SYSTEM32\avgwlntf.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Microsoft Office Groove Audit Service - Unknown owner - C:\Program Files\Microsoft Office\Office12\GrooveAuditService.exe (file missing)
O23 - Service: @C:\Program Files\Microsoft Windows OneCare Live\Firewall\\MSFWSVCResource.dll,-10000 (msfwsvc) - Unknown owner - C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe (file missing)
O23 - Service: O2Micro Flash Memory (O2Flash) - O2Micro International - c:\Windows\system32\o2flash.exe
O23 - Service: OneCare AntiSpyware and AntiVirus (OneCareMP) - Unknown owner - C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe (file missing)
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Fujitsu Siemens Computers Diagnostic Testhandler (TestHandler) - Fujitsu Siemens Computers - C:\firststeps\OnlineDiagnostic\TestManager\TestHandler.exe
O23 - Service: VundoFix Service (VundoFixSvc) - Atribune.org - C:\Windows\SYSTEM32\VundoFixSVC.exe
O23 - Service: Windows Live OneCare (winss) - Unknown owner - C:\Program Files\Microsoft Windows OneCare Live\winss.exe (file missing)

--
End of file - 8586 bytes

poison_girl13 · Apr 25, 2007

Kaspersky Scan:

Wednesday, April 25, 2007 7:27:46 AM
Operating System: Home Edition, (Build 6000)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 24/04/2007
Kaspersky Anti-Virus database records: 301974

Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true

Scan Target My Computer
C:\
D:\
E:\
F:\

Scan Statistics
Total number of scanned objects 494353
Number of viruses found 0
Number of infected objects 0 / 0
Number of suspicious objects 0
Duration of the scan process 01:10:02

Infected Object Name Virus Name Last Action
C:\Boot\BCD Object is locked skipped

C:\Boot\BCD.LOG Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Crypto\RSA\MachineKeys\0fda277f3391197217bae327d9f73c54_744667ab-5136-436c-bce7-170532359aca Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Crypto\RSA\MachineKeys\2ae8a9234af60b7835f9e1ddf4988224_744667ab-5136-436c-bce7-170532359aca Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Crypto\RSA\MachineKeys\61f1c5fa594468f064deac5b230ab2e0_744667ab-5136-436c-bce7-170532359aca Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Crypto\RSA\MachineKeys\6d9d40dc5c80bf936cb45bb9530ce2f8_744667ab-5136-436c-bce7-170532359aca Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Crypto\RSA\MachineKeys\fa5cf313bd87fa18ae17748a0629f9c5_744667ab-5136-436c-bce7-170532359aca Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Crypto\RSA\MachineKeys\0fda277f3391197217bae327d9f73c54_744667ab-5136-436c-bce7-170532359aca Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Crypto\RSA\MachineKeys\2ae8a9234af60b7835f9e1ddf4988224_744667ab-5136-436c-bce7-170532359aca Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Crypto\RSA\MachineKeys\61f1c5fa594468f064deac5b230ab2e0_744667ab-5136-436c-bce7-170532359aca Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Crypto\RSA\MachineKeys\6d9d40dc5c80bf936cb45bb9530ce2f8_744667ab-5136-436c-bce7-170532359aca Object is locked skipped

Smitfraud C Toolbar 888

New member

New member

Security Expert: Emeritus

New member

Security Expert: Emeritus

New member

Security Expert: Emeritus

New member

Security Expert: Emeritus

New member

Security Expert: Emeritus

New member

New member

New member

New member

Security Expert: Emeritus

New member

Security Expert: Emeritus

New member

New member