Virtumundo Removal Help needed



#1 Angelzsong (New Member, 6 posts)
I've tried a myriad of malware removal programs, spyware programs and anti-virus programs...
including VirtumundoBegone and VundoFix...
including running scans in regular Windows AND Safe Mode...
including being not-connected AND connected-to the internet....
and nothing, no combination of programs or running-states, has cleaned it completely off of my system.

A well seasoned computer geek, but an admitted novice when it comes to things like this,
I searched then perused your site for advice in removing this.
Thus far, nothing has worked.

I am following your instruction and posting my logs, here.

I would like to thank you in advance for helping me resolve this.


VBG logs from 3 days ago (1st scan I ever did with it) & 2 days ago:

[06/09/2008, 17:40:15] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\Mom.ANGEL\Desktop\VirtumundoBeGone.exe" )
[06/09/2008, 17:40:38] - Detected System Information:
[06/09/2008, 17:40:38] - Windows Version: 5.1.2600, Service Pack 2
[06/09/2008, 17:40:38] - Current Username: Mom (Admin)
[06/09/2008, 17:40:38] - Windows is in NORMAL mode.
[06/09/2008, 17:40:39] - Searching for Browser Helper Objects:
[06/09/2008, 17:40:39] - BHO 1: {15C9938F-CB96-496D-800A-B827F2E34EA1} (BlspcHlpr Class)
[06/09/2008, 17:40:39] - BHO 2: {487C9905-26A8-42C8-8033-C58AD3D2AEC3} ()
[06/09/2008, 17:40:39] - WARNING: BHO has no default name. Checking for Winlogon reference.
[06/09/2008, 17:40:39] - Checking for HKLM\...\Winlogon\Notify\iifcYSJC
[06/09/2008, 17:40:39] - Found: HKLM\...\Winlogon\Notify\iifcYSJC - This is probably Virtumundo.
[06/09/2008, 17:40:39] - Assigning {487C9905-26A8-42C8-8033-C58AD3D2AEC3} MSEvents Object
[06/09/2008, 17:40:39] - BHO list has been changed! Starting over...
[06/09/2008, 17:40:39] - BHO 1: {15C9938F-CB96-496D-800A-B827F2E34EA1} (BlspcHlpr Class)
[06/09/2008, 17:40:39] - BHO 2: {487C9905-26A8-42C8-8033-C58AD3D2AEC3} (MSEvents Object)
[06/09/2008, 17:40:39] - ALERT: Found MSEvents Object!
[06/09/2008, 17:40:39] - BHO 3: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} (Yahoo! IE Services Button)
[06/09/2008, 17:40:39] - BHO 4: {724d43a9-0d85-11d4-9908-00400523e39a} ()
[06/09/2008, 17:40:39] - WARNING: BHO has no default name. Checking for Winlogon reference.
[06/09/2008, 17:40:39] - Checking for HKLM\...\Winlogon\Notify\RoboForm
[06/09/2008, 17:40:39] - Key not found: HKLM\...\Winlogon\Notify\RoboForm, continuing.
[06/09/2008, 17:40:39] - BHO 5: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[06/09/2008, 17:40:39] - BHO 6: {9030D464-4C02-4ABF-8ECC-5164760863C6} (Windows Live Sign-in Helper)
[06/09/2008, 17:40:39] - BHO 7: {AA58ED58-01DD-4d91-8333-CF10577473F7} (Google Toolbar Helper)
[06/09/2008, 17:40:39] - BHO 8: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} (Google Toolbar Notifier BHO)
[06/09/2008, 17:40:39] - BHO 9: {CBAA6227-2608-4C25-A225-02D82C11366B} ()
[06/09/2008, 17:40:39] - WARNING: BHO has no default name. Checking for Winlogon reference.
[06/09/2008, 17:40:39] - Checking for HKLM\...\Winlogon\Notify\rqRIcbyA
[06/09/2008, 17:40:39] - Key not found: HKLM\...\Winlogon\Notify\rqRIcbyA, continuing.
[06/09/2008, 17:40:39] - BHO 10: {d67ca5d4-21fb-42fb-aeb8-5d0422017b29} ()
[06/09/2008, 17:40:39] - WARNING: BHO has no default name. Checking for Winlogon reference.
[06/09/2008, 17:40:39] - Checking for HKLM\...\Winlogon\Notify\xgjouuho
[06/09/2008, 17:40:39] - Key not found: HKLM\...\Winlogon\Notify\xgjouuho, continuing.
[06/09/2008, 17:40:39] - Finished Searching Browser Helper Objects
[06/09/2008, 17:40:39] - *** Detected MSEvents Object
[06/09/2008, 17:40:39] - Trying to remove MSEvents Object...
[06/09/2008, 17:40:40] - Terminating Process: IEXPLORE.EXE
[06/09/2008, 17:40:40] - Terminating Process: RUNDLL32.EXE
[06/09/2008, 17:40:41] - Disabling Automatic Shell Restart
[06/09/2008, 17:40:41] - Terminating Process: EXPLORER.EXE
[06/09/2008, 17:40:41] - Suspending the NT Session Manager System Service
[06/09/2008, 17:40:41] - Terminating Windows NT Logon/Logoff Manager
[06/09/2008, 17:40:41] - Re-enabling Automatic Shell Restart
[06/09/2008, 17:40:41] - File to disable: C:\WINDOWS\system32\iifcYSJC.dll
[06/09/2008, 17:40:41] - Renaming C:\WINDOWS\system32\iifcYSJC.dll -> C:\WINDOWS\system32\iifcYSJC.dll.vir
[06/09/2008, 17:40:41] - File successfully renamed!
[06/09/2008, 17:40:41] - Removing HKLM\...\Browser Helper Objects\{487C9905-26A8-42C8-8033-C58AD3D2AEC3}
[06/09/2008, 17:40:41] - Removing HKCR\CLSID\{487C9905-26A8-42C8-8033-C58AD3D2AEC3}
[06/09/2008, 17:40:41] - Adding Kill Bit for ActiveX for GUID: {487C9905-26A8-42C8-8033-C58AD3D2AEC3}
[06/09/2008, 17:40:41] - Deleting ATLEvents/MSEvents Registry entries
[06/09/2008, 17:40:41] - Removing HKLM\...\Winlogon\Notify\iifcYSJC
[06/09/2008, 17:40:41] - Searching for Browser Helper Objects:
[06/09/2008, 17:40:41] - BHO 1: {15C9938F-CB96-496D-800A-B827F2E34EA1} (BlspcHlpr Class)
[06/09/2008, 17:40:41] - BHO 2: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} (Yahoo! IE Services Button)
[06/09/2008, 17:40:41] - BHO 3: {724d43a9-0d85-11d4-9908-00400523e39a} ()
[06/09/2008, 17:40:42] - WARNING: BHO has no default name. Checking for Winlogon reference.
[06/09/2008, 17:40:42] - Checking for HKLM\...\Winlogon\Notify\RoboForm
[06/09/2008, 17:40:42] - Key not found: HKLM\...\Winlogon\Notify\RoboForm, continuing.
[06/09/2008, 17:40:42] - BHO 4: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[06/09/2008, 17:40:42] - BHO 5: {9030D464-4C02-4ABF-8ECC-5164760863C6} (Windows Live Sign-in Helper)
[06/09/2008, 17:40:42] - BHO 6: {AA58ED58-01DD-4d91-8333-CF10577473F7} (Google Toolbar Helper)
[06/09/2008, 17:40:42] - BHO 7: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} (Google Toolbar Notifier BHO)
[06/09/2008, 17:40:42] - BHO 8: {CBAA6227-2608-4C25-A225-02D82C11366B} ()
[06/09/2008, 17:40:42] - WARNING: BHO has no default name. Checking for Winlogon reference.
[06/09/2008, 17:40:42] - Checking for HKLM\...\Winlogon\Notify\rqRIcbyA
[06/09/2008, 17:40:42] - Key not found: HKLM\...\Winlogon\Notify\rqRIcbyA, continuing.
[06/09/2008, 17:40:42] - BHO 9: {d67ca5d4-21fb-42fb-aeb8-5d0422017b29} ()
[06/09/2008, 17:40:42] - WARNING: BHO has no default name. Checking for Winlogon reference.
[06/09/2008, 17:40:42] - Checking for HKLM\...\Winlogon\Notify\xgjouuho
[06/09/2008, 17:40:42] - Key not found: HKLM\...\Winlogon\Notify\xgjouuho, continuing.
[06/09/2008, 17:40:42] - Finished Searching Browser Helper Objects
[06/09/2008, 17:40:42] - Finishing up...
[06/09/2008, 17:40:42] - A restart is needed.
[06/09/2008, 17:41:08] - Attempting to Restart via STOP error (Blue Screen!)




[06/10/2008, 4:31:14] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\Mom.ANGEL\Desktop\VirtumundoBeGone.exe" )
[06/10/2008, 4:31:18] - Detected System Information:
[06/10/2008, 4:31:18] - Windows Version: 5.1.2600, Service Pack 2
[06/10/2008, 4:31:18] - Current Username: Mom (Admin)
[06/10/2008, 4:31:18] - Windows is in SAFE mode with Networking.
[06/10/2008, 4:31:18] - Searching for Browser Helper Objects:
[06/10/2008, 4:31:18] - BHO 1: {15C9938F-CB96-496D-800A-B827F2E34EA1} (BlspcHlpr Class)
[06/10/2008, 4:31:18] - BHO 2: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} (Yahoo! IE Services Button)
[06/10/2008, 4:31:18] - BHO 3: {724d43a9-0d85-11d4-9908-00400523e39a} ()
[06/10/2008, 4:31:18] - WARNING: BHO has no default name. Checking for Winlogon reference.
[06/10/2008, 4:31:18] - Checking for HKLM\...\Winlogon\Notify\RoboForm
[06/10/2008, 4:31:18] - Key not found: HKLM\...\Winlogon\Notify\RoboForm, continuing.
[06/10/2008, 4:31:18] - BHO 4: {9030D464-4C02-4ABF-8ECC-5164760863C6} (Windows Live Sign-in Helper)
[06/10/2008, 4:31:18] - BHO 5: {AA58ED58-01DD-4d91-8333-CF10577473F7} (Google Toolbar Helper)
[06/10/2008, 4:31:18] - BHO 6: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} (Google Toolbar Notifier BHO)
[06/10/2008, 4:31:18] - BHO 7: {d67ca5d4-21fb-42fb-aeb8-5d0422017b29} ()
[06/10/2008, 4:31:18] - WARNING: BHO has no default name. Checking for Winlogon reference.
[06/10/2008, 4:31:18] - Checking for HKLM\...\Winlogon\Notify\xgjouuho
[06/10/2008, 4:31:18] - Key not found: HKLM\...\Winlogon\Notify\xgjouuho, continuing.
[06/10/2008, 4:31:18] - Finished Searching Browser Helper Objects
[06/10/2008, 4:31:18] - Finishing up...
[06/10/2008, 4:31:18] - Nothing found! Exiting...

~~~~~~~~~~~~~~~~~~~~~~

VBG log from 2 days ago when I ran it in Safe Mode:

[06/10/2008, 5:42:22] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\Mom.ANGEL\Desktop\Monde Virus\VirtumundoBeGone.exe" )
[06/10/2008, 5:42:25] - Detected System Information:
[06/10/2008, 5:42:26] - Windows Version: 5.1.2600, Service Pack 2
[06/10/2008, 5:42:26] - Current Username: Mom (Admin)
[06/10/2008, 5:42:26] - Windows is in SAFE mode with Networking.
[06/10/2008, 5:42:26] - Searching for Browser Helper Objects:
[06/10/2008, 5:42:26] - BHO 1: {15C9938F-CB96-496D-800A-B827F2E34EA1} (BlspcHlpr Class)
[06/10/2008, 5:42:26] - BHO 2: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} (Yahoo! IE Services Button)
[06/10/2008, 5:42:26] - BHO 3: {724d43a9-0d85-11d4-9908-00400523e39a} ()
[06/10/2008, 5:42:26] - WARNING: BHO has no default name. Checking for Winlogon reference.
[06/10/2008, 5:42:26] - Checking for HKLM\...\Winlogon\Notify\RoboForm
[06/10/2008, 5:42:26] - Key not found: HKLM\...\Winlogon\Notify\RoboForm, continuing.
[06/10/2008, 5:42:26] - BHO 4: {9030D464-4C02-4ABF-8ECC-5164760863C6} (Windows Live Sign-in Helper)
[06/10/2008, 5:42:26] - BHO 5: {AA58ED58-01DD-4d91-8333-CF10577473F7} (Google Toolbar Helper)
[06/10/2008, 5:42:26] - BHO 6: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} (Google Toolbar Notifier BHO)
[06/10/2008, 5:42:26] - BHO 7: {d67ca5d4-21fb-42fb-aeb8-5d0422017b29} ()
[06/10/2008, 5:42:26] - WARNING: BHO has no default name. Checking for Winlogon reference.
[06/10/2008, 5:42:26] - Checking for HKLM\...\Winlogon\Notify\xgjouuho
[06/10/2008, 5:42:26] - Key not found: HKLM\...\Winlogon\Notify\xgjouuho, continuing.
[06/10/2008, 5:42:26] - Finished Searching Browser Helper Objects
[06/10/2008, 5:42:26] - Finishing up...
[06/10/2008, 5:42:26] - Nothing found! Exiting...


~~~~~~~~~~~~~~~~~~~~

VBG log, run a few minutes ago:

[06/12/2008, 15:13:41] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\Mom.ANGEL\Desktop\Monde Virus\VirtumundoBeGone.exe" )
[06/12/2008, 15:13:45] - Detected System Information:
[06/12/2008, 15:13:45] - Windows Version: 5.1.2600, Service Pack 2
[06/12/2008, 15:13:45] - Current Username: Mom (Admin)
[06/12/2008, 15:13:45] - Windows is in NORMAL mode.
[06/12/2008, 15:13:45] - Searching for Browser Helper Objects:
[06/12/2008, 15:13:45] - BHO 1: {15C9938F-CB96-496D-800A-B827F2E34EA1} (BlspcHlpr Class)
[06/12/2008, 15:13:45] - BHO 2: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} (Yahoo! IE Services Button)
[06/12/2008, 15:13:45] - BHO 3: {724d43a9-0d85-11d4-9908-00400523e39a} ()
[06/12/2008, 15:13:45] - WARNING: BHO has no default name. Checking for Winlogon reference.
[06/12/2008, 15:13:45] - Checking for HKLM\...\Winlogon\Notify\RoboForm
[06/12/2008, 15:13:45] - Key not found: HKLM\...\Winlogon\Notify\RoboForm, continuing.
[06/12/2008, 15:13:45] - BHO 4: {9030D464-4C02-4ABF-8ECC-5164760863C6} (Windows Live Sign-in Helper)
[06/12/2008, 15:13:45] - BHO 5: {AA58ED58-01DD-4d91-8333-CF10577473F7} (Google Toolbar Helper)
[06/12/2008, 15:13:45] - BHO 6: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} (Google Toolbar Notifier BHO)
[06/12/2008, 15:13:45] - BHO 7: {d67ca5d4-21fb-42fb-aeb8-5d0422017b29} ()
[06/12/2008, 15:13:45] - WARNING: BHO has no default name. Checking for Winlogon reference.
[06/12/2008, 15:13:45] - Checking for HKLM\...\Winlogon\Notify\xgjouuho
[06/12/2008, 15:13:45] - Key not found: HKLM\...\Winlogon\Notify\xgjouuho, continuing.
[06/12/2008, 15:13:45] - Finished Searching Browser Helper Objects
[06/12/2008, 15:13:45] - Finishing up...
[06/12/2008, 15:13:45] - Nothing found! Exiting...

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

HJT log, just ran a minute ago:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:22:52 PM, on 6/12/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\Mixer.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\ImageFox\ImageFox.exe
C:\Program Files\MemTurbo\memturbo.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Angel Loves Her Sunshine
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: (no name) - {855F3B16-6D32-4fe6-8A56-BBB695989046} - (no file)
O2 - BHO: BlspcHlpr Class - {15C9938F-CB96-496D-800A-B827F2E34EA1} - C:\Program Files\BellSouth Internet Tools\blspc.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: {92b71022-40d5-8bea-bf24-bf124d5ac76d} - {d67ca5d4-21fb-42fb-aeb8-5d0422017b29} - C:\WINDOWS\system32\xgjouuho.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Startup: ImageFox.lnk = C:\Program Files\ImageFox\ImageFox.exe
O4 - Startup: MemTurbo.lnk = C:\Program Files\MemTurbo\memturbo.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\WINDOWS\System32\shdocvw.dll (HKCU)
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://www.allcursers.com
O15 - Trusted Zone: http://sofnova.forumotion.com
O15 - Trusted Zone: http://flyff.gpotato.com
O15 - Trusted Zone: http://www.myspace.com
O15 - Trusted Zone: http://fate.netgame.com
O15 - Trusted Zone: http://www.pogo.com
O15 - Trusted Zone: http://www.youtube.com
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplane...DC_2.1.2.76.cab
O16 - DPF: {463ED66E-431B-11D2-ADB0-0080C83DA4EB} (AcceptWM Class) - https://w3s.webmoney.ru/WMAcceptor.dll
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....ploader1006.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onec...lscbase9563.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.co.../sysreqlab2.cab
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.h...ctDetection.cab
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2....re/HPDEXAXO.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AutoComplete Service (Autocomplete) - Acesoft - C:\Program Files\Acesoft\Tracks Eraser Pro\autocomp.exe
O23 - Service: Google Desktop Manager 5.5.709.30344 (GoogleDesktopManager-093007-112848) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 7936 bytes

Edited by Angelzsong, 12 June 2008 - 01:53 PM.

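Added example, not part of Angelzsong's post and not code from VirtumundoBeGone or HijackThis. The VBG log above shows its detection rule: a BHO whose CLSID has no default name is cross-checked against HKLM\...\Winlogon\Notify, and a matching subkey (iifcYSJC on 06/09) is "probably Virtumundo". On the 06/12 run the surviving BHO {d67ca5d4-...} / xgjouuho.dll has no Winlogon\Notify twin, so VBG prints "Nothing found!" while HijackThis still lists the DLL. The Python below re-implements VBG's cross-check over HijackThis O2 lines and adds the two indicators that do catch the 06/12 entry: a display name that is itself a GUID, and an 8-letter random DLL name in system32. The O2 lines are abridged from the HijackThis log in this post; the iifcYSJC line, the Winlogon\Notify subkey lists and the 8-letter threshold are constructed assumptions for the example, not data from the poster's machine.

```python
r"""
Triage HijackThis "O2 - BHO" lines with the rule VirtumundoBeGone applies in
the log above (BHO with no default name + matching HKLM\...\Winlogon\Notify
subkey), plus two extra heuristics that catch the entry VBG missed on 06/12.
Added example; assumptions are marked in comments.
"""
import ntpath
import re
from dataclasses import dataclass, field

GUID_RE = re.compile(
    r"\{[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}", re.I)
# HijackThis 2.0.2 prints:  O2 - BHO: <name> - {CLSID} - <dll path>
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[^}]+\}) - (?P<path>.+?)\s*$")
# Assumption: an 8-letter purely alphabetic DLL name in system32
# (iifcYSJC.dll, xgjouuho.dll) is treated as randomly generated.
RANDOM_DLL_RE = re.compile(r"^[a-z]{8}\.dll$", re.I)

# Constructed sample, abridged from the 06/12 HijackThis log in this post.
HJT_0612 = r"""
O2 - BHO: BlspcHlpr Class - {15C9938F-CB96-496D-800A-B827F2E34EA1} - C:\Program Files\BellSouth Internet Tools\blspc.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: {92b71022-40d5-8bea-bf24-bf124d5ac76d} - {d67ca5d4-21fb-42fb-aeb8-5d0422017b29} - C:\WINDOWS\system32\xgjouuho.dll
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
"""
# Constructed: what a HijackThis line for the 06/09 infection would have looked
# like, built from the CLSID and path in the first VBG log (the post has no such line).
HJT_0609 = r"""
O2 - BHO: (no name) - {487C9905-26A8-42C8-8033-C58AD3D2AEC3} - C:\WINDOWS\system32\iifcYSJC.dll
"""
# Constructed Winlogon\Notify subkey lists: three standard XP entries, plus the
# iifcYSJC subkey that VBG reported finding on 06/09 and not on 06/12.
NOTIFY_0612 = ["crypt32chain", "cryptnet", "ScCertProp"]
NOTIFY_0609 = NOTIFY_0612 + ["iifcYSJC"]


@dataclass
class Finding:
    clsid: str
    path: str
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # "(no name)" on its own is not enough: RoboForm's BHO has no default
        # name and is benign, which is why VBG only uses it as a trigger for
        # the Winlogon\Notify cross-check rather than as a verdict.
        return any(r != "no default name" for r in self.reasons)


def parse_o2(hjt_text):
    """Yield (display name, CLSID, DLL path) for each O2 line; other lines are skipped."""
    for line in hjt_text.splitlines():
        m = O2_RE.match(line.strip())
        if m:
            yield m.group("name"), m.group("clsid"), m.group("path")


def triage_bhos(hjt_text, winlogon_notify):
    """Score every BHO; a Finding is suspicious if any strong indicator fired."""
    notify = {k.lower() for k in winlogon_notify}
    findings = []
    for name, clsid, path in parse_o2(hjt_text):
        f = Finding(clsid, path)
        base = ntpath.basename(path)
        stem = ntpath.splitext(base)[0]
        if name == "(no name)":
            f.reasons.append("no default name")
        if GUID_RE.fullmatch(name):
            f.reasons.append("display name is itself a GUID")
        if stem.lower() in notify:  # VirtumundoBeGone's rule
            f.reasons.append("matching Winlogon\\Notify subkey")
        if RANDOM_DLL_RE.fullmatch(base) and "\\system32\\" in path.lower():
            f.reasons.append("8-letter random DLL name in system32")
        findings.append(f)
    return findings


if __name__ == "__main__":
    for label, text, notify in (("06/09", HJT_0609, NOTIFY_0609),
                                ("06/12", HJT_0612, NOTIFY_0612)):
        for f in triage_bhos(text, notify):
            if f.suspicious:
                print(label, f.clsid, f.path, "->", "; ".join(f.reasons))
```

Run as-is it reports the iifcYSJC entry on 06/09 by all three indicators and the xgjouuho entry on 06/12 by the GUID-name and random-name indicators only, while leaving RoboForm's nameless but legitimately located BHO alone. Paste a full HijackThis log into HJT_0612 and the real subkey names from HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify into NOTIFY_0612 to triage another machine.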


#2 kahdah (GeekU Teacher, Retired Staff, 15,822 posts)
Hello Angelzsong

Welcome to G2Go. :)
=====================

Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • When it has finished, dss will open two Notepad windows, main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.


#3 Angelzsong (Topic Starter, New Member, 6 posts)
Main.txt:

Deckard's System Scanner v20071014.68
Run by Mom on 2008-06-12 20:04:59
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

System Restore is disabled; attempting to re-enable...success.


-- Last 1 Restore Point(s) --
1: 2008-06-13 00:05:00 UTC - RP1 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Mom.exe) -------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:07:54 PM, on 6/12/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\Mixer.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\ImageFox\ImageFox.exe
C:\Documents and Settings\Mom.ANGEL\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Mom.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Angel Loves Her Sunshine
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: (no name) - {855F3B16-6D32-4fe6-8A56-BBB695989046} - (no file)
O2 - BHO: BlspcHlpr Class - {15C9938F-CB96-496D-800A-B827F2E34EA1} - C:\Program Files\BellSouth Internet Tools\blspc.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: {92b71022-40d5-8bea-bf24-bf124d5ac76d} - {d67ca5d4-21fb-42fb-aeb8-5d0422017b29} - C:\WINDOWS\system32\xgjouuho.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Startup: ImageFox.lnk = C:\Program Files\ImageFox\ImageFox.exe
O4 - Startup: MemTurbo.lnk = C:\Program Files\MemTurbo\memturbo.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\WINDOWS\System32\shdocvw.dll (HKCU)
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://www.allcursers.com
O15 - Trusted Zone: http://sofnova.forumotion.com
O15 - Trusted Zone: http://flyff.gpotato.com
O15 - Trusted Zone: http://www.myspace.com
O15 - Trusted Zone: http://fate.netgame.com
O15 - Trusted Zone: http://www.pogo.com
O15 - Trusted Zone: http://www.youtube.com
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplane...DC_2.1.2.76.cab
O16 - DPF: {463ED66E-431B-11D2-ADB0-0080C83DA4EB} (AcceptWM Class) - https://w3s.webmoney.ru/WMAcceptor.dll
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....ploader1006.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onec...lscbase9563.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.co.../sysreqlab2.cab
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.h...ctDetection.cab
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2....re/HPDEXAXO.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AutoComplete Service (Autocomplete) - Acesoft - C:\Program Files\Acesoft\Tracks Eraser Pro\autocomp.exe
O23 - Service: Google Desktop Manager 5.5.709.30344 (GoogleDesktopManager-093007-112848) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 7805 bytes

-- File Associations -----------------------------------------------------------

.reg - regfile - shell\open\command - regedit.exe "%1" %*
.scr - scrfile - shell\open\command - "%1" %*


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 BANTExt (Belarc SMBios Access) - c:\windows\system32\drivers\bantext.sys
R1 VIAPFD - c:\windows\system32\drivers\viapfd.sys <Not Verified; VIA Technologies. Inc.; VIA PFD driver>
R3 fcdabus - c:\windows\system32\drivers\fcdabus.sys <Not Verified; FarStone Inc.; >
R3 FVDSCSI - c:\windows\system32\drivers\fvdscsi.sys <Not Verified; FarStone Inc.; FarStone VirtualDrive>

S3 2WIREPCP (2Wire USB) - c:\windows\system32\drivers\2wirepcp.sys <Not Verified; 2Wire, Inc.; 2Wire USB>
S3 XDva004 - c:\windows\system32\xdva004.sys (file missing)
S3 XTrapD12 - c:\windows\system32\xtrapd12.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 nhksrv (Netropa NHK Server) - c:\program files\netropa\multimedia keyboard\nhksrv.exe

S3 Autocomplete (AutoComplete Service) - c:\program files\acesoft\tracks eraser pro\autocomp.exe <Not Verified; Acesoft; AUTOCOMP>


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E968-E325-11CE-BFC1-08002BE10318}
Description: RADEON 9200 SERIES - Secondary
Device ID: PCI\VEN_1002&DEV_5941&SUBSYS_20031002&REV_01\3&61AAA01&0&89
Manufacturer: ATI Technologies Inc.
Name: RADEON 9200 SERIES - Secondary
PNP Device ID: PCI\VEN_1002&DEV_5941&SUBSYS_20031002&REV_01\3&61AAA01&0&89
Service: ati2mtag


-- Scheduled Tasks -------------------------------------------------------------

2007-11-14 14:47:27 302 --a------ C:\WINDOWS\Tasks\Uniblue SpyEraser.job


-- Files created between 2008-05-12 and 2008-06-12 -----------------------------

2063-09-19 01:50:50 5501 --a------ C:\WINDOWS\system32\rtclmg32.dll
2008-06-12 08:33:40 0 dr-h----- C:\Documents and Settings\Mom.ANGEL\Recent
2008-06-10 03:38:44 0 d-------- C:\Program Files\Windows Live Safety Center
2008-06-09 19:41:17 0 d-------- C:\Documents and Settings\Mom.ANGEL\Application Data\Malwarebytes
2008-06-09 19:41:10 0 d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Malwarebytes
2008-06-09 19:41:09 0 d-------- C:\Program Files\Malwarebytes Anti-Malware
2008-06-09 17:18:02 0 d-------- C:\VundoFix Backups
2008-06-08 23:25:40 108544 --a------ C:\WINDOWS\system32\xgjouuho.dll
2008-06-08 11:03:13 0 d-------- C:\Program Files\uTorrent
2008-06-08 11:03:07 0 d-------- C:\Documents and Settings\Mom.ANGEL\Application Data\uTorrent
2008-06-05 12:13:40 0 d-------- C:\Program Files\mediacom
2008-06-04 05:51:10 10747904 --a------ C:\Documents and Settings\Mom.ANGEL\ntuser.dat
2008-05-25 05:06:08 0 d-------- C:\Swsetup
2008-05-25 04:45:09 0 d-------- C:\Program Files\HP
2008-05-15 03:03:55 0 d-------- C:\Program Files\ATI Multimedia
2008-05-15 03:01:14 0 d-------- C:\WINDOWS\system32\windows media
2008-05-15 03:00:19 0 d-------- C:\Program Files\Common Files\CyberLink
2008-05-15 03:00:19 0 d-------- C:\Program Files\Common Files\ATI
2008-05-15 02:58:42 0 d-------- C:\Program Files\ATI Technologies
2008-05-15 02:58:18 512000 -----n--- C:\WINDOWS\system32\ati2sgag.exe <Not Verified; ; ATI Smart>
2008-05-15 01:10:22 0 d-------- C:\WINDOWS\NV35283532.TMP
2008-05-15 01:05:50 0 d-------- C:\WINDOWS\nview


-- Find3M Report ---------------------------------------------------------------

2008-06-12 15:22:31 0 d-------- C:\Program Files\Trend Micro
2008-06-10 05:51:48 0 d-------- C:\Program Files\LimeWire
2008-06-10 04:06:02 0 d-a------ C:\Program Files\Common Files
2008-06-10 03:59:16 0 d-------- C:\Program Files\Java
2008-05-31 12:47:38 0 d-------- C:\Program Files\BellSouth Internet Tools
2008-05-25 04:49:49 0 d-------- C:\Program Files\Hewlett-Packard
2008-05-15 03:04:09 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-05-15 01:21:42 1984 --a------ C:\WINDOWS\system32\d3d9caps.dat
2008-05-11 18:15:30 0 d-------- C:\Documents and Settings\Mom.ANGEL\Application Data\ImageFox
2008-05-08 13:21:10 0 d-------- C:\Documents and Settings\Mom.ANGEL\Application Data\Move Networks
2008-05-07 03:09:26 0 d-------- C:\Program Files\Lavasoft
2008-05-07 03:09:25 0 d-------- C:\Documents and Settings\Mom.ANGEL\Application Data\Lavasoft
2008-05-07 03:08:03 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-03 06:16:46 0 d-------- C:\Documents and Settings\Mom.ANGEL\Application Data\Xfire
2008-05-03 04:16:09 0 d-------- C:\Program Files\Xfire
2008-04-23 19:11:57 0 d-------- C:\Program Files\SHOUTcast
2008-04-23 19:09:51 0 d-------- C:\Program Files\Real Castle Screensaver
2008-04-23 19:06:00 0 d--h----- C:\Documents and Settings\Mom.ANGEL\Application Data\ijjigame
2008-04-23 19:04:21 0 d-------- C:\Program Files\Apple Software Update
2008-04-23 18:41:31 0 d-------- C:\Program Files\iTunes
2008-04-23 18:41:30 0 d-------- C:\Program Files\iPod
2008-04-17 18:22:56 0 d-------- C:\Documents and Settings\Mom.ANGEL\Application Data\Real
2008-04-12 21:34:21 0 d-------- C:\Program Files\ICQ
2008-03-19 05:47:00 1845248 --a------ C:\WINDOWS\system32\win32k.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{d67ca5d4-21fb-42fb-aeb8-5d0422017b29}]
06/08/2008 11:25 PM 108544 --a------ C:\WINDOWS\system32\xgjouuho.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"C-Media Mixer"="Mixer.exe" [10/15/2002 07:00 PM C:\WINDOWS\mixer.exe]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [03/28/2008 11:37 PM]
"nwiz"="nwiz.exe" [12/05/2007 01:41 AM C:\WINDOWS\system32\nwiz.exe]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [01/20/2004 09:10 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 01:56 AM]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [04/02/2007 07:15 AM]
"@"="" []

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"MySpaceIM"=C:\Program Files\MySpace\IM\MySpaceIM.exe

C:\Documents and Settings\Mom.ANGEL\Start Menu\Programs\Startup\
ImageFox.lnk - C:\Program Files\ImageFox\ImageFox.exe [9/17/2005 2:05:33 PM]
MemTurbo.lnk - C:\Program Files\MemTurbo\memturbo.exe [11/8/2004 3:05:25 AM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableChangePassword"=0 (0x0)
"DisableLockWorkstation"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsMenu"=0 (0x0)
"NoStartBanner"=00000000
"NoSetTaskbar"=0 (0x0)
"NoSetFolders"=0 (0x0)
"NoRun"=0 (0x0)
"NoFind"=0 (0x0)
"NoClose"=0 (0x0)
"NoCommonGroups"=0 (0x0)
"NoFileMenu"=0 (0x0)
"NoNetConnectDisconnect"=0 (0x0)
"NoTrayContextMenu"=0 (0x0)
"NoFileSharing"=0 (0x0)
"NoPrintSharing"=0 (0x0)
"ClearRecentDocsOnExit"=01000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"




-- End of Deckard's System Scanner: finished at 2008-06-12 20:09:07 ------------

~~~~~~~~~~~~~~~~~~

Extra.txt:


Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: AMD Athlon™ Processor
Percentage of Memory in Use: 53%
Physical Memory (total/avail): 639.48 MiB / 298.34 MiB
Pagefile Memory (total/avail): 1373.5 MiB / 1172.57 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1919 MiB

C: is Fixed (NTFS) - 74.52 GiB total, 18.86 GiB free.
J: is CDROM (No Media)
U: is CDROM (No Media)
V: is CDROM (No Media)
W: is CDROM (No Media)
X: is CDROM (No Media)
Y: is CDROM (No Media)
Z: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - ST380013 A SCSI Disk Device - 74.53 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 74.52 GiB - C:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

AntiVirusDisableNotify is set.
FirewallDisableNotify is set.

AV: Spy Sweeper with AntiVirus v5.5.7.124 (Webroot Software Inc)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\AIM\\aim.exe"="C:\\Program Files\\AIM\\aim.exe:*:Enabled:AOL Instant Messenger"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLAcsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLAcsd.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:America Online 9.0"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\ICQ\\ICQLite.exe"="C:\\Program Files\\ICQ\\ICQLite.exe:*:Enabled:ICQ Lite"
"C:\\Program Files\\BPFTP\\bpftp.exe"="C:\\Program Files\\BPFTP\\bpftp.exe:*:Enabled:BulletProof FTP"
"C:\\Program Files\\Lavasoft\\Ad-Aware SE Personal\\Ad-Aware.exe"="C:\\Program Files\\Lavasoft\\Ad-Aware SE Personal\\Ad-Aware.exe:*:Enabled:Ad-Aware SE Personal"
"C:\\GAMES\\Diablo II\\Diablo II.exe"="C:\\GAMES\\Diablo II\\Diablo II.exe:*:Enabled:Diablo II - Lord of Destruction"
"C:\\Program Files\\Common Files\\Genesis Weather Messenger\\TrueWeather.exe"="C:\\Program Files\\Common Files\\Genesis Weather Messenger\\TrueWeather.exe:*:Enabled:Genesis Weather Messenger"
"C:\\Program Files\\NoAdware3\\NoAdware3.exe"="C:\\Program Files\\NoAdware3\\NoAdware3.exe:*:Enabled:NoAdware "
"C:\\Program Files\\PowerArchiver\\POWERARC.EXE"="C:\\Program Files\\PowerArchiver\\POWERARC.EXE:*:Enabled:PowerArchiver"
"C:\\Program Files\\SpyBot\\Spybot - Search & Destroy\\SpybotSD.exe"="C:\\Program Files\\SpyBot\\Spybot - Search & Destroy\\SpybotSD.exe:*:Enabled:Spybot - Search & Destroy"
"C:\\Program Files\\The Weather Channel\\The Weather Channel.exe"="C:\\Program Files\\The Weather Channel\\The Weather Channel.exe:*:Enabled:The Weather Channel"
"C:\\Program Files\\Trillian\\trillian.exe"="C:\\Program Files\\Trillian\\trillian.exe:*:Enabled:Trillian"
"C:\\Program Files\\Winamp\\winamp.exe"="C:\\Program Files\\Winamp\\winamp.exe:*:Enabled:Winamp"
"C:\\WINDOWS\\system32\\wupdmgr.exe"="C:\\WINDOWS\\system32\\wupdmgr.exe:*:Enabled:Windows Update"
"C:\\Program Files\\Paltalk\\paltalk.exe"="C:\\Program Files\\Paltalk\\paltalk.exe:*:Enabled:Paltalk Messenger"
"C:\\Program Files\\WopVideo Player\\core\\btdownloadheadless.exe"="C:\\Program Files\\WopVideo Player\\core\\btdownloadheadless.exe:*:Disabled:burst! download engine"
"C:\\Program Files\\Trend Micro\\PC-cillin 2002\\pccmain.exe"="C:\\Program Files\\Trend Micro\\PC-cillin 2002\\pccmain.exe:*:Enabled:PC-cillin 2002"
"C:\\Program Files\\GalaNet\\Flyff\\Flyff.exe"="C:\\Program Files\\GalaNet\\Flyff\\Flyff.exe:*:Enabled:Flyff"
"C:\\Program Files\\AIM\\aim.exe"="C:\\Program Files\\AIM\\aim.exe:*:Enabled:AOL Instant Messenger"
"C:\\Program Files\\Paltalk Messenger\\paltalk.exe"="C:\\Program Files\\Paltalk Messenger\\paltalk.exe:*:Enabled:Paltalk Messenger 8.5"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Google\\Google Talk\\googletalk.exe"="C:\\Program Files\\Google\\Google Talk\\googletalk.exe:*:Enabled:Google Talk"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\\Program Files\\AIM6\\aim6.exe"="C:\\Program Files\\AIM6\\aim6.exe:*:Enabled:AIM"
"C:\\Program Files\\Xfire\\xfire.exe"="C:\\Program Files\\Xfire\\xfire.exe:*:Enabled:Xfire"
"C:\\GAMES\\Metin2\\metin2.bin"="C:\\GAMES\\Metin2\\metin2.bin:*:Enabled:metin2"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"D:\\Program Files\\GameHouse\\Solitaire2\\ghsol2.exe"="D:\\Program Files\\GameHouse\\Solitaire2\\ghsol2.exe:*:Enabled:Super Solitaire 2"
"D:\\Program Files\\GameHouse\\Mahjong\\mahjong.exe"="D:\\Program Files\\GameHouse\\Mahjong\\mahjong.exe:*:Enabled:Super Mah Jong"
"D:\\Program Files\\GameHouse\\Collapse II\\Relapse.exe"="D:\\Program Files\\GameHouse\\Collapse II\\Relapse.exe:*:Enabled:Super Collapse! II"
"C:\\ijji\\ENGLISH\\u_sf\\soldierfront.exe"="C:\\ijji\\ENGLISH\\u_sf\\soldierfront.exe:*:Enabled:soldierfront"
"C:\\GAMES\\AeriaGames\\DOMO\\domopatch.exe"="C:\\GAMES\\AeriaGames\\DOMO\\domopatch.exe:*:Enabled:Play Dream Of Mirror Online"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Disabled:America Online 9.0"
"D:\\AOLSETUP.EXE"="D:\\AOLSETUP.EXE:*:Disabled:AOL"
"C:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"="C:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe:*:Disabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"="C:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe:*:Disabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\asp.exe"="C:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\asp.exe:*:Disabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\AOLSP Scheduler.exe"="C:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\AOLSP Scheduler.exe:*:Disabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Disabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLAcsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLAcsd.exe:*:Disabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\1167525525\\EE\\AOLServiceHost.exe"="C:\\Program Files\\Common Files\\AOL\\1167525525\\EE\\AOLServiceHost.exe:*:Disabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\1150059208\\EE\\AOLServiceHost.exe"="C:\\Program Files\\Common Files\\AOL\\1150059208\\EE\\AOLServiceHost.exe:*:Disabled:AOL"
"C:\\Program Files\\America Online 9.0a\\waol.exe"="C:\\Program Files\\America Online 9.0a\\waol.exe:*:Disabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Disabled:AOL Application Loader"
"C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"="C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe:*:Disabled:AOLTopSpeed"
"C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"="C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe:*:Disabled:AOLTsMon"
"C:\\Program Files\\Ontrack\\PowerDesk\\ezupdate.exe"="C:\\Program Files\\Ontrack\\PowerDesk\\ezupdate.exe:*:Disabled:Easy Update"
"C:\\TEMP\\Recent Setup\\SBFix.exe"="C:\\TEMP\\Recent Setup\\SBFix.exe:*:Disabled:SBFix"
"C:\\Documents and Settings\\Mom.ANGEL\\Desktop\\SBFix.exe"="C:\\Documents and Settings\\Mom.ANGEL\\Desktop\\SBFix.exe:*:Disabled:SBFix"
"C:\\Program Files\\SHOUTcast\\sc_serv.exe"="C:\\Program Files\\SHOUTcast\\sc_serv.exe:*:Disabled:sc_serv.exe"
"C:\\Program Files\\Teamspeak Server\\server_windows.exe"="C:\\Program Files\\Teamspeak Server\\server_windows.exe:*:Disabled:Server"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"="C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe:*:Enabled:MySpace Instant Messenger"
"C:\\Program Files\\uTorrent\\uTorrent.exe"="C:\\Program Files\\uTorrent\\uTorrent.exe:*:Enabled:µTorrent"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire 4.10.0"
"C:\\Program Files\\Trend Micro\\Internet Security 2005\\pccmain.exe"="C:\\Program Files\\Trend Micro\\Internet Security 2005\\pccmain.exe:*:Disabled:Trend Micro PC-cillin Internet Security 2005"
"C:\\Temp\\winmx354b4.exe"="C:\\Temp\\winmx354b4.exe:*:Disabled:winmx354b4.exe"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users.WINDOWS
APPDATA=C:\Documents and Settings\Mom.ANGEL\Application Data
CLASSPATH=.;C:\Program Files\Java\jre1.5.0_06\li:\ext\QTJava.zip;C:\Program Files\Java\jre1.5.0_06\lib\ext\QTJava.zip
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=ANGEL
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Mom.ANGEL
LOGONSERVER=\\ANGEL
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\QuickTime\QTSystem\;C:\Program Files\ATI Technologies\ATI Control Panel
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 4 Stepping 2, AuthenticAMD
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0402
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.5.0_06\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\MOM~1.ANG\LOCALS~1\Temp
TMP=C:\DOCUME~1\MOM~1.ANG\LOCALS~1\Temp
USERDOMAIN=ANGEL
USERNAME=Mom
USERPROFILE=C:\Documents and Settings\Mom.ANGEL
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Mom.ANGEL (admin)
Administrator.ANGEL.000 (new local, admin)
Guest (guest)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
--> MsiExec.exe /I{8A42F680-2DD6-11D4-9A8C-0040F6982C20}
--> Rundll32 advpack.dll,LaunchINFSectionEx C:\WINDOWS\CA533A.ini, Ca533AUnInstall
--> Rundll32 advpack.dll,LaunchINFSectionEx C:\WINDOWS\CA533A.ini, Ca533AUnInstall
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
µTorrent --> "C:\Program Files\uTorrent\uTorrent.exe" /UNINSTALL
2Wire Gateway --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F3301464-BA26-11D3-8D89-00D0B7218812}\setup.exe" -l0x9 FromAddRemove
3Planesoft Screensaver Manager 1.1 --> "C:\Program Files\3Planesoft Screensaver Manager\unins000.exe"
Ad-Aware SE Personal --> C:\PROGRA~1\Lavasoft\AD-AWA~2\UNWISE.EXE C:\PROGRA~1\Lavasoft\AD-AWA~2\INSTALL.LOG
Adobe Acrobat 5.0 --> C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.isu" -c"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.dll"
Adobe Anchor Service CS3 --> MsiExec.exe /I{90176341-0A8B-4CCC-A78D-F862228A6B95}
Adobe Asset Services CS3 --> MsiExec.exe /I{6FF5DD7A-FE28-4439-B8CF-1E9AF4EA0A61}
Adobe Bridge CS3 --> MsiExec.exe /I{9C9824D9-9000-4373-A6A5-D0E5D4831394}
Adobe Bridge Start Meeting --> MsiExec.exe /I{08B32819-6EEF-4057-AEDA-5AB681A36A23}
Adobe Camera Raw 4.0 --> MsiExec.exe /I{B3BF6689-A81D-40D8-9A86-4AC4ACD9FC1C}
Adobe CMaps --> MsiExec.exe /I{A2B242BD-FF8D-4840-9DAA-9170EABEC59C}
Adobe Color - Photoshop Specific --> MsiExec.exe /I{A2D81E70-2A98-4A08-A628-94388B063C5E}
Adobe Color Common Settings --> MsiExec.exe /I{DADD7B8A-BCB0-44F5-967A-ECB6B4F2ECD9}
Adobe Color EU Extra Settings --> MsiExec.exe /I{51846830-E7B2-4218-8968-B77F0FF475B8}
Adobe Color JA Extra Settings --> MsiExec.exe /I{DD7DB3C5-6FA3-4FA3-8A71-C2F2940EB029}
Adobe Color NA Recommended Settings --> MsiExec.exe /I{95655ED4-7CA5-46DF-907F-7144877A32E5}
Adobe Default Language CS3 --> MsiExec.exe /I{B9B35331-B7E4-4E5C-BF4C-7BC87856124D}
Adobe Device Central CS3 --> MsiExec.exe /I{8D2BA474-F406-4710-9AE4-D4F22D21F0DD}
Adobe ExtendScript Toolkit 2 --> MsiExec.exe /I{C2D69781-F392-4118-A5A7-C7E9C38DBFC2}
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Fonts All --> MsiExec.exe /I{6ABE0BEE-D572-4FE8-B434-9E72A289431B}
Adobe Help Viewer CS3 --> MsiExec.exe /I{04AF207D-9A77-465A-8B76-991F6AB66245}
Adobe Linguistics CS3 --> MsiExec.exe /I{54793AA1-5001-42F4-ABB6-C364617C6078}
Adobe PDF Library Files --> MsiExec.exe /I{D2559B88-CC9D-4B48-81BB-F492BAA9C48C}
Adobe Photoshop CS3 --> C:\Program Files\Common Files\Adobe\Installers\2ac78060bc5856b0c1cf873bb919b58\Setup.exe
Adobe Photoshop CS3 --> MsiExec.exe /I{0046FA01-C5B9-4985-BACB-398DC480FC05}
Adobe Reader 7.0.9 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70900000002}
Adobe Setup --> MsiExec.exe /I{D1BB4446-AE9C-4256-9A7F-4D46604D2462}
Adobe Stock Photos CS3 --> MsiExec.exe /I{29E5EA97-5F74-4A57-B8B2-D4F169117183}
Adobe Type Support --> MsiExec.exe /I{8E6808E2-613D-4FCD-81A2-6C8FA8E03312}
Adobe Update Manager CS3 --> MsiExec.exe /I{E69AE897-9E0B-485C-8552-7841F48D42D8}
Adobe Version Cue CS3 Client --> MsiExec.exe /I{D0DFF92A-492E-4C40-B862-A74A173C25C5}
Adobe WinSoft Linguistics Plugin --> MsiExec.exe /I{184CE391-7E0E-4C63-9935-D7A10EDFD3C6}
Adobe XMP Panels CS3 --> MsiExec.exe /I{802771A9-A856-4A41-ACF7-1450E523C923}
AI RoboForm --> "C:\Program Files\Siber Systems\AI RoboForm\rfwipeout.exe"
AIM 6 --> C:\Program Files\AIM6\uninst.exe
All To MP3 Converter 1.6 --> "C:\Program Files\MP3 Converter\unins000.exe"
America Online (Choose which version to remove) --> C:\Program Files\Common Files\aolshare\Aolunins_us.exe
AOL Instant Messenger --> C:\Program Files\AIM\uninstll.exe -LOG= C:\Program Files\AIM\install.log -OEM=
AOL Spyware Protection --> C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\UNWISE.EXE C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\INSTALL.LOG
ATI Control Panel --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0BEDBD4E-2D34-47B5-9973-57E62B29307C}\setup.exe"
ATI Display Driver --> rundll32 C:\WINDOWS\system32\atiiiexx.dll,[email protected] -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
ATI DVD Decoder 2.2.0.0 --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{45D228AA-4284-467A-9DB6-942B92BFF656} /l1033
ATI HYDRAVISION --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3EA9D975-BFDC-4E8E-B88B-0446FBC8CA66}\setup.exe"
ATI Multimedia Center 8.6.0.0 --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{B7DC0CAF-0D27-4ACE-8E34-8594C8D7C1DB} /l1033
AudibleManager --> C:\Program Files\Audible\Bin\Upgrade.exe /Uninstall
Belarc Advisor 6.0 --> C:\PROGRA~1\Belarc\Advisor\Uninstall.exe C:\PROGRA~1\Belarc\Advisor\INSTALL.LOG
BellSouth Parental Controls --> C:\Program Files\BellSouth Internet Tools\parental-setup.exe -u
BulletProof FTP --> "C:\Program Files\BPFTP\unins000.exe"
Calculator Powertoy for Windows XP --> MsiExec.exe /I{B37C842A-B624-46B8-A727-654E72F1C91A}
DAO --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{C88E49AA-41C5-4420-A08D-BE1B6C5A3A74}
Diablo II --> C:\WINDOWS\DIIUnin.exe C:\WINDOWS\DIIUnin.dat
DivX --> C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC
DivX Player --> C:\Program Files\DivX\DivXPlayerUninstall.exe /PLAYER
Dream Of Mirror Online --> C:\GAMES\AeriaGames\DOMO\Uninst.exe
DV 3100 DRIVER --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D464245D-11C3-489A-B865-60BBABA64AA3}\Setup.exe"
EPSON Printer Software --> C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EPUPDATE.EXE /R
Eyeball Chat 2.2 --> C:\PROGRA~1\Eyeball\EYEBAL~1\UNWISE.EXE C:\PROGRA~1\Eyeball\EYEBAL~1\INSTALL.LOG
FarStone Image Reader --> C:\Program Files\Farstone\VCDReader\Uninstall.exe
Fraps --> "C:\Program Files\Fraps\uninstall.exe"
GameGuard --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F6AD210D-9CF8-4C84-9FA0-9C79164F3A5B}\Setup.exe" -l0x12
Genesis Weather Messenger --> C:\WINDOWS\wnUninstall.exe "Genesis Weather Messenger"
Google Desktop --> C:\Program Files\Google\Google Desktop Search\GoogleDesktopSetup.exe -uninstall
Google Earth --> MsiExec.exe /I{1E04F83B-2AB9-4301-9EF7-E86307F79C72}
Google Toolbar for Internet Explorer --> MsiExec.exe /I{DBEA1034-5882-4A88-8033-81C4EF0CFA29}
Google Toolbar for Internet Explorer --> regsvr32 /u /s "c:\program files\google\googletoolbar1.dll"
Google Updater --> "C:\Program Files\Google\Google Updater\GoogleUpdater.exe" -uninstall
HDD Regenerator --> MsiExec.exe /X{9064B17E-9FC9-439D-A4A0-668EC6AAFDEC}
HighMAT Extension to Microsoft Windows XP CD Writing Wizard --> MsiExec.exe /X{FCE65C4E-B0E8-4FBD-AD16-EDCBE6CD591F}
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
HP Product Detection --> MsiExec.exe /X{CAE7D1D9-3794-4169-B4DD-964ADBC534EE}
HTML Slideshow Powertoy for Windows XP --> MsiExec.exe /I{4E475FD4-4513-4B1D-8DDA-43912B068C99}
ICQ 5 --> C:\Program Files\ICQ\ICQLiteUninstall.EXE
ImageFox --> C:\PROGRA~1\ImageFox\UNWISE.EXE C:\PROGRA~1\ImageFox\INSTALL.LOG
iolo technologies' System Mechanic --> C:\PROGRA~1\iolo\SYSTEM~2\Uninstall.exe
iTunes --> MsiExec.exe /I{585776BC-4BD6-4BD2-A19A-1D6CB44A403B}
Jasc Paint Shop Pro 8 --> MsiExec.exe /I{81A34902-9D0B-4920-A25C-4CDC5D14B328}
Java 2 Runtime Environment, SE v1.4.1_02 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EFCE5837-FC21-11D6-9D24-00010240CE95}\setup.exe" Anytext
Learn2 Player (Uninstall Only) --> C:\Program Files\Learn2.com\StRunner\stuninst.exe
Logitech Desktop Messenger --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{900B1197-53F5-4F46-A882-2CFFFE2EEDCB}\setup.exe" -l0x9 UNINSTALL
Logitech ImageStudio --> MsiExec.exe /I{5A24DD7E-7B01-41AC-ADA8-F1776177A3BA}
Logitech MouseWare 9.79 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5809E7CF-4DCF-11D4-9875-00105ACE7734}\setup.exe" -l0x9 -l0009 UNINSTALL
Logitech Resource Center --> C:\PROGRA~1\Logitech\Mouse\RESOUR~1\rem\UNWISE.EXE C:\PROGRA~1\Logitech\Mouse\RESOUR~1\rem\INSTALL.LOG
Macromedia Shockwave Player --> C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
Malwarebytes' Anti-Malware --> "C:\Program Files\Malwarebytes Anti-Malware\unins000.exe"
Metin2.us --> "C:\GAMES\Metin2\unins000.exe"
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Office Outlook Connector --> MsiExec.exe /I{95120000-003E-0409-0000-0000000FF1CE}
Microsoft Office Professional Edition 2003 --> MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}
Microsoft SDK for Java 4.0 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3E3757A2-D587-11D2-BB0C-0000F8050DD1}\setup.exe" -uninst
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Windows Journal Viewer --> MsiExec.exe /X{43DCF766-6838-4F9A-8C91-D92DA586DFA7}
Midi2Wav Recorder 3.7 DEMO --> C:\Program Files\Midi2Wav Recorder\uninst.exe
Move Networks Media Player for Internet Explorer --> C:\Documents and Settings\Mom.ANGEL\Application Data\Move Networks\ie_bin\Uninst.exe
Mozilla Firefox (2.0.0.8) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MySpaceIM --> C:\Program Files\MySpace\IM\Uninstall.exe
Nero - Burning Rom (Web installer) --> C:\WINDOWS\UNNERO.exe /UNINSTALL
Netscape (7.2) --> C:\WINDOWS\NSUninst.exe /ua "7.2 (en)"
NVIDIA Drivers --> C:\WINDOWS\system32\nvuninst.exe UninstallGUI
PageBreeze Free HTML Editor --> C:\WEBBIZ\PAGEBR~1\UNWISE.EXE C:\WEBBIZ\PAGEBR~1\INSTALL.LOG
Paltalk Messenger --> "C:\WINDOWS\Paltalk Messenger\uninstall.exe" "/U:C:\Program Files\Paltalk Messenger\irunin.xml"
PaperPort 8.0 --> MsiExec.exe /I{AEF2D1F3-0696-11D5-8E6A-00C04F7FA234}
PCI Audio Driver --> cmuninst.exe
PDF Settings --> MsiExec.exe /I{AC5B0C19-D851-42F4-BDA0-410ECF7F70A5}
PowerArchiver --> C:\Program Files\PowerArchiver\UNINST.EXE
PowerDVD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\Setup.exe" -uninstall
PTDD Partition Table Doctor 3.0 Demo --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{DB779317-B7B6-4101-A80A-260783F8F3A2}\Setup.exe" Uninstall
QuickTime --> MsiExec.exe /I{1838C5A2-AB32-4145-85C1-BB9B8DFA24CD}
R-Studio 3.0 --> C:\Program Files\R-Studio\Uninstall.exe
RealPlayer --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
scionsoffate --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7F57DD27-15B3-4B13-B38C-714EA4456FA0}\setup.exe" -l0x9 -removeonly
Security Update for CAPICOM (KB931906) --> MsiExec.exe /I{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for CAPICOM (KB931906) --> MsiExec.exe /X{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Sonic Foundry Sound Forge 5.0e --> MsiExec.exe /I{BCBC500F-5C33-412E-A16F-7DEE9A7EA32D}
Spy Sweeper --> "C:\Program Files\Webroot\Spy Sweeper\unins000.exe"
Spybot - Search & Destroy 1.4 --> "C:\Program Files\SpyBot\Spybot - Search & Destroy\unins000.exe"
Spyware Doctor 5.0 --> C:\Program Files\Spyware Doctor\unins000.exe
SpywareBlaster v3.4 --> "C:\Program Files\SpywareBlaster\unins000.exe"
System Requirements Lab --> C:\Program Files\SystemRequirementsLab\Uninstall.exe
TeamSpeak 2 RC2 --> "C:\Program Files\Teamspeak2_RC2\unins000.exe"
TeamSpeak 2 Server RC2 --> "C:\Program Files\Teamspeak Server\unins000.exe"
TES Construction Set --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\Bethesda Softworks\Morrowind\CSUninstall\Setup.exe" -l0x9
The One Ring 3D Screensaver 1.0 --> "C:\Program Files\The One Ring 3D Screensaver\unins000.exe"
The Ultimate Troubleshooter --> C:\PROGRA~1\ANSWER~1\TROUBL~1\UNWISE.EXE C:\PROGRA~1\ANSWER~1\TROUBL~1\INSTALL.LOG
The Weather Channel --> C:\PROGRA~1\THEWEA~1\UNWISE.EXE C:\PROGRA~1\THEWEA~1\INSTALL.LOG
Tracks Eraser Pro v5.5 --> "C:\Program Files\Acesoft\Tracks Eraser Pro\unins000.exe"
Trend Micro Anti-Spam --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{A6FB58A5-8824-4C75-856A-8441AACCDA0B}
Trillian --> C:\Program Files\Trillian\trillian.exe /uninstall
Turbo Lister --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{99CC78D1-2356-497C-84C1-F239884001EC}
Tweak UI --> "C:\WINDOWS\system32\mshta.exe" "res://C:\WINDOWS\system32\TweakUI.exe/uninstall.hta"
Uniblue Registry Booster --> "C:\Program Files\Registry Booster\unins000.exe"
VIA Bus Master Ultra ATA Driver (Remove) --> RunDll32 VIAIDECO.dll,UninstallIDE
VIAhm --> C:\WINDOWS\IsUninst.exe -fc:\VIAhm\Uninst.isu
Viewpoint Manager (Remove Only) --> C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgrInstaller.exe /u /k
Viewpoint Media Player --> C:\Program Files\Viewpoint\Viewpoint Experience Technology\mtsAxInstaller.exe /u
VirtualDrive Pro --> "C:\Program Files\FarStone\VirtualDrivePro\Setup.exe"
WeatherBug --> C:\PROGRA~1\AWS\WEATHE~1\REMOVE.EXE C:\PROGRA~1\AWS\WEATHE~1\INSTALL.LOG
Web Office Pro Keyboard --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0208A7E3-0D30-11D4-A1FC-00508B9D1BA2}\Setup.exe" -l0x9
Winamp --> "C:\Program Files\Winamp\UninstWA.exe"
Windows Live Messenger --> MsiExec.exe /I{571700F0-DB9D-4B3A-B03D-35A14BB5939F}
Windows Live OneCare safety scanner --> RunDll32.exe "C:\Program Files\Windows Live Safety Center\wlscCore.dll",UninstallFunction WLSC_SCANNER_PRODUCT
Windows Live Sign-in Assistant --> MsiExec.exe /I{49672EC2-171B-47B4-8CE7-50D7806360D7}
Windows Media Connect --> "C:\WINDOWS\$NtUninstallWMCSetup$\spuninst\spuninst.exe"
Windows Media Encoder 9 Series --> msiexec.exe /I {E38C00D0-A68B-4318-A8A6-F7D4B5B1DF0E}
Windows Media Encoder 9 Series --> MsiExec.exe /I{E38C00D0-A68B-4318-A8A6-F7D4B5B1DF0E}
Xfire (remove only) --> "C:\Program Files\Xfire\uninst.exe"
Yahoo! extras --> C:\PROGRA~1\Yahoo!\Common\unyext.exe
Yahoo! Internet Mail --> C:\WINDOWS\system32\regsvr32 /u /s C:\PROGRA~1\Yahoo!\Common\YMMAPI~1.DLL
Yahoo! Messenger --> C:\PROGRA~1\Yahoo!\MESSEN~1\UNWISE.EXE /U C:\PROGRA~1\Yahoo!\MESSEN~1\INSTALL.LOG


-- Application Event Log -------------------------------------------------------

Event Record #/Type1119 / Success
Event Submitted/Written: 06/09/2008 07:35:03 PM
Event ID/Source: 12001 / usnjsvc
Event Description:
The Messenger Sharing USN Journal Reader service started successfully.

Event Record #/Type1115 / Error
Event Submitted/Written: 06/09/2008 06:03:28 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application explorer.exe, version 6.0.2900.3156, faulting module , version 0.0.0.0, fault address 0x00000000.
Processing media-specific event for [explorer.exe!ws!]

Event Record #/Type1114 / Error
Event Submitted/Written: 06/09/2008 06:02:12 PM
Event ID/Source: 485 / ESENT
Event Description:
HelpSvc (2448) An attempt to delete the file "C:\WINDOWS\PCHealth\HelpCtr\Config\CheckPoint\tmp.edb" failed with system error 32 (0x00000020): "The process cannot access the file because it is being used by another process. ". The delete file operation will fail with error -1032 (0xfffffbf8).

Event Record #/Type1094 / Error
Event Submitted/Written: 06/08/2008 09:17:45 PM
Event ID/Source: 1 / swg
Event Description:
There was an error in s. File s, ID x

Event Record #/Type1089 / Error
Event Submitted/Written: 06/07/2008 11:00:21 PM
Event ID/Source: 1000 / Windows Live Messenger
Event Description:
msnmsgr.exe8.1.178.045b12d6amsnmsgr.exe8.1.178.045b12d6a0002076f0



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type166 / Error
Event Submitted/Written: 06/12/2008 08:37:46 AM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The Mega DV(Video) service failed to start due to the following error:
%%1058

Event Record #/Type165 / Warning
Event Submitted/Written: 06/12/2008 08:37:07 AM / 06/12/2008 08:37:44 AM
Event ID/Source: 51 / Disk
Event Description:
An error was detected on device \Device\Harddisk0\D during a paging operation.

Event Record #/Type164 / Warning
Event Submitted/Written: 06/12/2008 08:37:05 AM / 06/12/2008 08:37:44 AM
Event ID/Source: 51 / Disk
Event Description:
An error was detected on device \Device\Harddisk0\D during a paging operation.

Event Record #/Type163 / Warning
Event Submitted/Written: 06/12/2008 08:37:00 AM / 06/12/2008 08:37:44 AM
Event ID/Source: 51 / Disk
Event Description:
An error was detected on device \Device\Harddisk0\D during a paging operation.

Event Record #/Type162 / Error
Event Submitted/Written: 06/12/2008 08:36:44 AM / 06/12/2008 08:37:44 AM
Event ID/Source: 4 / ACPI
Event Description:
AMLI: ACPI BIOS is attempting to read from an illegal IO port address (0x71), which lies in the 0x70 - 0x71 protected
address range. This could lead to system instability. Please contact your system vendor for technical assistance.



-- End of Deckard's System Scanner: finished

#4 kahdah (GeekU Teacher, Retired Staff, 15,822 posts)
Please go to Start > Run, then copy\paste this in: "%userprofile%\desktop\dss.exe" /daft and hit OK.
  • Click on the Scan button.
  • Select everything it is displaying there
  • Click the Fix button.
  • Close DSS.
======================
Please go to Start >Control Panel >Add\remove programs.
then uninstall the following:

Viewpoint Manager (Remove Only)
Viewpoint Media Player


Then close out of the Add\remove programs and the Control Panel.
=====================
*Reboot your computer into SafeMode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight SafeMode then hit enter.

Then I will need you to show hidden Files \Folders.
To do this:
*Click Start.
*Open My Computer.
*Select the Tools menu and click Folder Options.
*Select the View Tab.
*Under the Hidden files and folders heading select Show hidden files and folders.
*Uncheck the Hide protected operating system files (recommended) option.
*Click Yes to confirm.
*Click OK

After that using Windows Explorer (to get there right-click your Start button and go to "Explore")
Delete these folders/files listed below:

C:\WINDOWS\system32\xgjouuho.dll
C:\Program Files\Viewpoint
C:\VundoFix Backups

Now close Windows Explorer.
===============================
Now reset your Hidden files\folders to hidden.
To do this:
*Click Start.
*Open My Computer.
*Select the Tools menu and click Folder Options.
*Select the View Tab.
*Under the Hidden files and folders heading select Do not Show hidden files and folders.
*Check the Hide protected operating system files (recommended) option.
*Click Yes to confirm.
*Click OK


After that please empty your recycle bin.
=============================
After that please post back with a new Hijackthis log.

#5 Angelzsong (New Member, Topic Starter, 6 posts)
Dear Kahdah,

I'd like to thank you so very much for your swift and thorough assistance with this.

I am writing right now out of respect for you to let you know that my day was full in court and
I have not yet begun what you advised.

I will be starting the procedures shortly and you will most likely see my reply WITH the
log-files by sometime early tomorrow.

Thank you again for your help, and also for your patience :)

~~~Angel

#6 kahdah (GeekU Teacher, Retired Staff, 15,822 posts)
You are most welcome and whenever you can is fine.
I will be here. :)

#7 Angelzsong (New Member, Topic Starter, 6 posts)
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:37:33 PM, on 6/13/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\Mixer.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\ImageFox\ImageFox.exe
C:\Program Files\MemTurbo\memturbo.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Angel Loves Her Sunshine
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: (no name) - {855F3B16-6D32-4fe6-8A56-BBB695989046} - (no file)
O2 - BHO: BlspcHlpr Class - {15C9938F-CB96-496D-800A-B827F2E34EA1} - C:\Program Files\BellSouth Internet Tools\blspc.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: {92b71022-40d5-8bea-bf24-bf124d5ac76d} - {d67ca5d4-21fb-42fb-aeb8-5d0422017b29} - C:\WINDOWS\system32\xgjouuho.dll (file missing)
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Startup: ImageFox.lnk = C:\Program Files\ImageFox\ImageFox.exe
O4 - Startup: MemTurbo.lnk = C:\Program Files\MemTurbo\memturbo.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\WINDOWS\System32\shdocvw.dll (HKCU)
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://www.allcursers.com
O15 - Trusted Zone: http://sofnova.forumotion.com
O15 - Trusted Zone: http://flyff.gpotato.com
O15 - Trusted Zone: http://www.myspace.com
O15 - Trusted Zone: http://fate.netgame.com
O15 - Trusted Zone: http://www.pogo.com
O15 - Trusted Zone: http://www.youtube.com
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplane...DC_2.1.2.76.cab
O16 - DPF: {463ED66E-431B-11D2-ADB0-0080C83DA4EB} (AcceptWM Class) - https://w3s.webmoney.ru/WMAcceptor.dll
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....ploader1006.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onec...lscbase9563.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.co.../sysreqlab2.cab
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.h...ctDetection.cab
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2....re/HPDEXAXO.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AutoComplete Service (Autocomplete) - Acesoft - C:\Program Files\Acesoft\Tracks Eraser Pro\autocomp.exe
O23 - Service: Google Desktop Manager 5.5.709.30344 (GoogleDesktopManager-093007-112848) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 7824 bytes

#8 kahdah (GeekU Teacher, Retired Staff, 15,822 posts)
Please re-open Hijackthis and click on "Do a system scan only"
Then place a check mark next to these entries below:

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: {92b71022-40d5-8bea-bf24-bf124d5ac76d} - {d67ca5d4-21fb-42fb-aeb8-5d0422017b29} - C:\WINDOWS\system32\xgjouuho.dll (file missing)



Now click on Fix Checked and then close Hijackthis.
=====================================
Please download ATF Cleaner by Atribune.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use the Firefox browser: Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser: Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.
===============================================================
Please do a scan with Kaspersky Online Scanner

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

Click on the Accept button and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded on the left side of the page in the Scan section select My Computer
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

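The two HijackThis entries kahdah picks out above (an empty R0 value and an O2 BHO whose "name" is itself a CLSID, pointing at a DLL marked "(file missing)") are the kind of thing a reviewer spots by pattern. As an added illustration, here is a small Python triage script that is not part of this thread or of HijackThis: it parses lines in the HijackThis v2 log format and attaches review flags to entries worth a second look. The flag names and heuristics are my own, and the sample log is a constructed excerpt modelled on the lines quoted in this thread.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in HijackThis v2 log format, modelled on entries quoted
# in this thread (not the poster's full log).
SAMPLE_HJT_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: {92b71022-40d5-8bea-bf24-bf124d5ac76d} - {d67ca5d4-21fb-42fb-aeb8-5d0422017b29} - C:\WINDOWS\system32\xgjouuho.dll (file missing)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O15 - Trusted Zone: http://www.myspace.com
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
"""

GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")
BHO_RE = re.compile(r"^BHO: (?P<name>.*?) - (?P<clsid>\{[^}]+\}) - (?P<path>.*)$")

# What each flag means for the person reading the triage output.
FLAG_MEANING = {
    "empty-value": "registry value is present but empty; harmless to fix",
    "bho-named-by-guid": "BHO display name is a CLSID rather than a product name, as with the xgjouuho.dll entry in this thread",
    "file-missing": "registration points at a DLL that no longer exists (dead entry left behind by a removal tool)",
    "trusted-zone": "site runs with IE Trusted Zone settings; confirm each one is intended",
    "appinit-dll": "DLL loaded into every process that loads user32.dll; confirm the publisher",
    "unknown-owner": "service binary without a recognised company name; confirm by path",
}


@dataclass
class Entry:
    section: str          # e.g. "R0", "O2", "O23"
    body: str             # everything after "Oxx - "
    flags: list = field(default_factory=list)


def classify(entry: Entry) -> None:
    """Attach review flags to one parsed HijackThis entry (in place)."""
    s, b = entry.section, entry.body
    if s in ("R0", "R1") and b.rstrip().endswith("="):
        entry.flags.append("empty-value")
    if s == "O2":
        m = BHO_RE.match(b)
        if m:
            if GUID_RE.fullmatch(m.group("name")):
                entry.flags.append("bho-named-by-guid")
            if "(file missing)" in m.group("path"):
                entry.flags.append("file-missing")
    if s == "O15":
        entry.flags.append("trusted-zone")
    if s == "O20" and b.startswith("AppInit_DLLs:"):
        entry.flags.append("appinit-dll")
    if s == "O23" and "Unknown owner" in b:
        entry.flags.append("unknown-owner")


def parse(log_text: str) -> list:
    """Return every Rx/Oxx entry in the log as an Entry; other lines are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group("section"), m.group("body")))
    return entries


def triage(log_text: str) -> list:
    """Parse the log and return only the entries that picked up at least one flag."""
    flagged = []
    for entry in parse(log_text):
        classify(entry)
        if entry.flags:
            flagged.append(entry)
    return flagged


if __name__ == "__main__":
    for e in triage(SAMPLE_HJT_LOG):
        print(f"{e.section}: {e.body}")
        for f in e.flags:
            print(f"    [{f}] {FLAG_MEANING[f]}")
```

A flag means "look at this", not "this is malware": the Google Toolbar AppInit entry and the ATI service in the sample are legitimate, which is why kahdah only fixed the two entries he named.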

#9 Angelzsong (New Member, Topic Starter, 6 posts)
The scan took forever :/

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Saturday, June 14, 2008
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Saturday, June 14, 2008 15:12:28
Records in database: 863600
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
J:\
U:\
V:\
W:\
X:\
Y:\
Z:\

Scan statistics:
Files scanned: 177518
Threat name: 47
Infected objects: 146
Suspicious objects: 27
Duration of the scan: 12:14:32


File name / Threat name / Threats count
C:\Documents and Settings\Mom.ANGEL\Desktop\Toolbars\GO\System Stuff\Utils\SpySweeper\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f 1
C:\Documents and Settings\Mom.ANGEL\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst Infected: Trojan-Spy.HTML.Baufraud.fg 1
C:\Documents and Settings\Mom.ANGEL\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst Suspicious: Trojan-Spy.HTML.Fraud.gen 17
C:\Documents and Settings\Mom.ANGEL\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst Infected: Trojan-Spy.HTML.Paylap.bw 1
C:\Documents and Settings\Mom.ANGEL\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst Infected: Trojan-Spy.HTML.Bayfraud.jv 1
C:\Documents and Settings\Mom.ANGEL\Mom's Documents\DocumImpt\EXs.zip Infected: not-a-virus:AdWare.Win32.SaveNow.c 1
C:\Documents and Settings\Mom.ANGEL\Mom's Documents\DocumImpt\EXs.zip Infected: not-a-virus:AdWare.Win32.SaveNow.af 1
C:\Documents and Settings\Mom.ANGEL\Mom's Documents\DocumImpt\EXs.zip Infected: not-a-virus:AdWare.Win32.SaveNow.v 2
C:\Documents and Settings\Mom.ANGEL\Mom's Documents\DocumImpt\EXs.zip Infected: not-a-virus:AdWare.Win32.NewDotNet 2
C:\Documents and Settings\Mom.ANGEL\Mom's Documents\DocumImpt\EXs.zip Infected: not-a-virus:AdWare.Win32.WebHancer.320 6
C:\Documents and Settings\Mom.ANGEL\Mom's Documents\DocumImpt\EXs.zip Infected: not-a-virus:AdWare.Win32.EZula.cp 1
C:\Documents and Settings\Mom.ANGEL\Mom's Documents\DocumImpt\EXs.zip Infected: not-a-virus:AdWare.Win32.Gator.3103 2
C:\Documents and Settings\Mom.ANGEL\Mom's Documents\Downloads\Limewire Pro 4.18 Setup.zip Infected: Trojan-Downloader.Win32.Injecter.tz 1
C:\Program Files\AWS\WeatherBug\Install\WxBugSetup60b6.04.0.9b.EXE Infected: not-a-virus:AdWare.Win32.MyWay.j 1
C:\Program Files\MIRC\BACKUP\mirc32.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.56 1
C:\Program Files\MIRC\Bots\mirc32.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.561 1
C:\Program Files\MIRC\mirc32.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.561 1
C:\Program Files\MIRC\Script\The Script!.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.561 1
C:\Program Files\The Bat!\MAIL\ADPAlumni\Inbox\MESSAGES.TBB Suspicious: Email-Worm.Win32.Bagle.mail 2
C:\Program Files\The Bat!\MAIL\ADPAlumni\Inbox\MESSAGES.TBB Infected: Email-Worm.Win32.Bagle.e.txt 1
C:\Program Files\The Bat!\MAIL\Angel\Family\MESSAGES.TBB Infected: Email-Worm.VBS.KakWorm 4
C:\Program Files\The Bat!\MAIL\Angel\Family\MESSAGES.TBB Infected: not-a-virus:AdWare.Win32.TimeSink.h 1
C:\Program Files\The Bat!\MAIL\Angel\Family\MESSAGES.TBB Infected: not-a-virus:AdWare.Win32.TimeSinc 1
C:\Program Files\The Bat!\MAIL\AngelOLD\Family\MESSAGES.TBB Infected: Email-Worm.VBS.KakWorm 4
C:\Program Files\The Bat!\MAIL\AngelOLD\Family\MESSAGES.TBB Infected: not-a-virus:AdWare.Win32.TimeSink.h 1
C:\Program Files\The Bat!\MAIL\AngelOLD\Family\MESSAGES.TBB Infected: not-a-virus:AdWare.Win32.TimeSinc 1
C:\Program Files\The Bat!\MAIL\DelphiOLD\Inbox\MESSAGES.TBB Infected: Net-Worm.Win32.Nimda 2
C:\Program Files\The Bat!\MAIL\DelphiOLD\Trash\MESSAGES.TBB Infected: Net-Worm.Win32.Nimda 2
C:\Program Files\The Bat!\MAIL\DSD\Inbox\MESSAGES.TBB Infected: Trojan-Spy.HTML.Bayfraud.g 3
C:\Program Files\The Bat!\MAIL\DSD\Inbox\MESSAGES.TBB Infected: Trojan-Spy.HTML.Pcard.c 2
C:\Program Files\The Bat!\MAIL\DSD\Inbox\MESSAGES.TBB Infected: Trojan-Spy.HTML.Citifraud.ay 3
C:\Program Files\The Bat!\MAIL\DSD\Inbox\MESSAGES.TBB Suspicious: Trojan-Spy.HTML.Fraud.gen 6
C:\Program Files\The Bat!\MAIL\DSD\Inbox\MESSAGES.TBB Infected: Trojan-Spy.HTML.Sunfraud.k 2
C:\Program Files\The Bat!\MAIL\DSD\Inbox\MESSAGES.TBB Infected: Trojan-Spy.HTML.Citifraud.bb 4
C:\Program Files\The Bat!\MAIL\DSD\Inbox\MESSAGES.TBB Infected: Trojan-Spy.HTML.Paylap.s 2
C:\Program Files\The Bat!\MAIL\DSD\Inbox\MESSAGES.TBB Infected: Trojan-Spy.HTML.Citifraud.cd 1
C:\Program Files\The Bat!\MAIL\DSD\Inbox\MESSAGES.TBB Infected: Trojan-Spy.HTML.Sunfraud.ai 1
C:\Program Files\The Bat!\MAIL\DSD\Inbox\MESSAGES.TBB Infected: Email-Worm.Win32.NetSky.t 7
C:\Program Files\The Bat!\MAIL\DSD\Inbox\MESSAGES.TBB Infected: Trojan-Spy.HTML.Bankfraud.cw 1
C:\Program Files\The Bat!\MAIL\DSD\Inbox\MESSAGES.TBB Infected: Trojan-Spy.HTML.Citifraud.bz 1
C:\Program Files\The Bat!\MAIL\DSD\Inbox\MESSAGES.TBB Infected: Trojan-Spy.HTML.Paylap.bg 1
C:\Program Files\The Bat!\MAIL\DSD\Inbox\MESSAGES.TBB Infected: Email-Worm.Win32.Sober.i 1
C:\Program Files\The Bat!\MAIL\DSD\Inbox\MESSAGES.TBB Infected: Email-Worm.Win32.Mabutu.a 1
C:\Program Files\The Bat!\MAIL\DSD\Inbox\MESSAGES.TBB Infected: Trojan-Spy.HTML.Sunfraud.bc 1
C:\Program Files\The Bat!\MAIL\DSD\Trash\MESSAGES.TBB Infected: Trojan-Spy.HTML.Citifraud.ay 2
C:\Program Files\The Bat!\MAIL\DSD\Trash\MESSAGES.TBB Infected: Trojan-Spy.HTML.Pcard.c 2
C:\Program Files\The Bat!\MAIL\DSD\Trash\MESSAGES.TBB Infected: Trojan-Spy.HTML.Bayfraud.g 3
C:\Program Files\The Bat!\MAIL\DSD\Trash\MESSAGES.TBB Suspicious: Trojan-Spy.HTML.Fraud.gen 2
C:\Program Files\The Bat!\MAIL\DSD\Trash\MESSAGES.TBB Infected: Trojan-Spy.HTML.Sunfraud.k 2
C:\Program Files\The Bat!\MAIL\DSD\Trash\MESSAGES.TBB Infected: Trojan-Spy.HTML.Citifraud.bb 4
C:\Program Files\The Bat!\MAIL\DSD\Trash\MESSAGES.TBB Infected: Trojan-Spy.HTML.Paylap.s 2
C:\Program Files\The Bat!\MAIL\DSD\Trash\MESSAGES.TBB Infected: Email-Worm.Win32.NetSky.t 7
C:\Program Files\The Bat!\MAIL\DSD\Trash\MESSAGES.TBB Infected: Trojan-Spy.HTML.Citifraud.bz 1
C:\Program Files\The Bat!\MAIL\DSD\Trash\MESSAGES.TBB Infected: Trojan-Spy.HTML.Bankfraud.cw 1
C:\Program Files\The Bat!\MAIL\DSD\Trash\MESSAGES.TBB Infected: Trojan-Spy.HTML.Sunfraud.bc 1
C:\Program Files\The Bat!\MAIL\DSD\Trash\MESSAGES.TBB Infected: Trojan-Spy.HTML.Sunfraud.ai 1
C:\Program Files\The Bat!\MAIL\DSD\Trash\MESSAGES.TBB Infected: Email-Worm.Win32.Mabutu.a 1
C:\Program Files\The Bat!\MAIL\DSD\Trash\MESSAGES.TBB Infected: Email-Worm.Win32.Sober.i 1
C:\Program Files\The Bat!\MAIL\DSD\Trash\MESSAGES.TBB Infected: Trojan-Spy.HTML.Citifraud.cd 1
C:\Program Files\The Bat!\MAIL\EmailMain\Family\MESSAGES.TBB Infected: Email-Worm.VBS.KakWorm 4
C:\Program Files\The Bat!\MAIL\EmailMain\Family\Teddy\MESSAGES.TBB Infected: not-virus:BadJoke.Win32.Unko.a 1
C:\Program Files\The Bat!\MAIL\EmailMain\PayPal BidPay\MESSAGES.TBB Infected: Trojan-Spy.HTML.Paylap.bg 1
C:\Program Files\The Bat!\MAIL\EmailOLD\Family\MESSAGES.TBB Infected: Email-Worm.VBS.KakWorm 4
C:\Program Files\The Bat!\MAIL\EmailOLD\Family\MESSAGES.TBB Infected: not-a-virus:AdWare.Win32.TimeSink.h 1
C:\Program Files\The Bat!\MAIL\EmailOLD\Family\MESSAGES.TBB Infected: not-a-virus:AdWare.Win32.TimeSinc 1
C:\Program Files\The Bat!\MAIL\EmailOLD\Trash\MESSAGES.TBB Infected: Email-Worm.Win32.Sircam.c 5
C:\Program Files\The Bat!\MAIL\EmailOLD\Trash\MESSAGES.TBB Infected: Email-Worm.Win32.Magistr.a 1
C:\Program Files\The Bat!\MAIL\MGS\Inbox\MESSAGES.TBB Infected: Email-Worm.VBS.KakWorm 1
C:\Program Files\The Bat!\MAIL\MGSFoundation\Inbox\MESSAGES.TBB Infected: Email-Worm.Win32.Mydoom.m 1
C:\Program Files\The Bat!\MAIL\MGSFoundation\Inbox\MESSAGES.TBB Infected: Trojan-Spy.HTML.Smitfraud.c 1
C:\Program Files\The Bat!\MAIL\MGSFoundation\Inbox\MESSAGES.TBB Infected: Trojan-Spy.HTML.Citifraud.ai 1
C:\Program Files\The Bat!\MAIL\MGSFoundation\Inbox\MESSAGES.TBB Infected: Trojan-Spy.HTML.Bankfraud.u 1
C:\Program Files\The Bat!\MAIL\MGSFoundation\Research\MESSAGES.TBB Infected: Email-Worm.VBS.KakWorm 1
C:\Program Files\The Bat!\MAIL\SmartPer\Inbox\MESSAGES.TBB Infected: Trojan-Spy.HTML.Bankfraud.bh 1
C:\Program Files\The Bat!\MAIL\SmartPer\Inbox\MESSAGES.TBB Infected: Trojan-Spy.HTML.Paylap.bg 1
C:\Program Files\The Bat!\MAIL\SmartPer\Trash\MESSAGES.TBB Infected: Trojan-Spy.HTML.Bankfraud.bh 1
C:\Program Files\The Bat!\MAIL\SmartPer\Trash\MESSAGES.TBB Infected: Trojan-Spy.HTML.Bankfraud.bu 1
C:\Program Files\The Bat!\MAIL\SmartPer\Trash\MESSAGES.TBB Infected: Trojan-Spy.HTML.Bayfraud.g 1
C:\Program Files\The Bat!\MAIL\STC\eBay\MESSAGES.TBB Infected: Trojan-Spy.HTML.Bayfraud.ib 1
C:\Program Files\The Bat!\MAIL\USA.net\Trash\MESSAGES.TBB Infected: Email-Worm.Win32.Sircam.c 10
C:\Program Files\The Bat!\MAIL\USA.net\Trash\MESSAGES.TBB Infected: Email-Worm.Win32.Magistr.a 1
C:\SmitfraudFix.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f 1
C:\Temp\funstuff\funny.exe Infected: not-virus:BadJoke.Win32.Unko.a 1
C:\Temp\Limewire Pro 4.18.1 Setup.EXE Infected: Trojan-Downloader.Win32.Injecter.tz 1

The selected area was scanned.

Edited by Angelzsong, 14 June 2008 - 10:02 PM.


#10 kahdah (GeekU Teacher, Retired Staff, 15,822 posts)
Hi, do you know what is inside of this folder?
C:\Documents and Settings\Mom.ANGEL\Mom's Documents\DocumImpt\EXs.zip <this folder is infected and needs to be deleted.
I am not sure if there is more than one or not, but if there are, delete them as well.

Below, delete the files and folders that are bolded, along with the e-mails.
Delete all e-mails in your Outlook.

C:\SmitfraudFix.exe
C:\Temp\funstuff\funny.exe
C:\Temp\Limewire Pro 4.18.1 Setup.EXE
C:\Documents and Settings\Mom.ANGEL\Desktop\Toolbars\GO\System Stuff\Utils\SpySweeper\SmitfraudFix
C:\Documents and Settings\Mom.ANGEL\Mom's Documents\Downloads\Limewire Pro 4.18 Setup.zip
C:\Program Files\The Bat!\MAIL\ADPAlumni\Inbox <Everything in there
C:\Program Files\The Bat!\MAIL\Angel\Family <Everything in there
C:\Program Files\The Bat!\MAIL\AngelOLD\Family <Everything in there
C:\Program Files\The Bat!\MAIL\DelphiOLD\Inbox <Everything in there
C:\Program Files\The Bat!\MAIL\DSD\Inbox <Everything in there
C:\Program Files\The Bat!\MAIL\DSD\Trash <Everything in there
C:\Program Files\The Bat!\MAIL\EmailMain\Family <Everything in there
C:\Program Files\The Bat!\MAIL\EmailMain\PayPal BidPay <Everything in there
C:\Program Files\The Bat!\MAIL\EmailOLD\Family <Everything in there
C:\Program Files\The Bat!\MAIL\EmailOLD\Trash <Everything in there
C:\Program Files\The Bat!\MAIL\MGS\Inbox <Everything in there
C:\Program Files\The Bat!\MAIL\MGSFoundation\Inbox <Everything in there
C:\Program Files\The Bat!\MAIL\MGSFoundation\Research <Everything in there
C:\Program Files\The Bat!\MAIL\SmartPer\Inbox <Everything in there
C:\Program Files\The Bat!\MAIL\SmartPer\Trash <Everything in there
C:\Program Files\The Bat!\MAIL\USA.net\Trash <Everything in there

For all of the above, everything in those e-mail folders needs to be emptied out.
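Most of the 146 detections in the Kaspersky report above land in a handful of container files (Outlook.pst, The Bat! MESSAGES.TBB stores, a couple of zips), which is why kahdah's cleanup is organised by folder rather than by detection. As an added example that is not part of this thread or of the Kaspersky scanner, here is a Python script that parses lines in the Kaspersky Online Scanner 7 report format, totals detections per container, separates "not-a-virus" riskware from real infections, and proposes a cleanup action per container type; the action wording and container categories are my own, and the sample is a constructed excerpt of lines quoted in this thread.

```python
import ntpath
import re
from collections import defaultdict

# Constructed sample: a few lines in the Kaspersky Online Scanner 7 report
# format, copied from the report quoted in this thread.
SAMPLE_REPORT = r"""
C:\Documents and Settings\Mom.ANGEL\Desktop\Toolbars\GO\System Stuff\Utils\SpySweeper\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f 1
C:\Documents and Settings\Mom.ANGEL\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst Infected: Trojan-Spy.HTML.Baufraud.fg 1
C:\Documents and Settings\Mom.ANGEL\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst Suspicious: Trojan-Spy.HTML.Fraud.gen 17
C:\Documents and Settings\Mom.ANGEL\Mom's Documents\DocumImpt\EXs.zip Infected: not-a-virus:AdWare.Win32.SaveNow.c 1
C:\Documents and Settings\Mom.ANGEL\Mom's Documents\DocumImpt\EXs.zip Infected: not-a-virus:AdWare.Win32.WebHancer.320 6
C:\Documents and Settings\Mom.ANGEL\Mom's Documents\Downloads\Limewire Pro 4.18 Setup.zip Infected: Trojan-Downloader.Win32.Injecter.tz 1
C:\Program Files\The Bat!\MAIL\DSD\Inbox\MESSAGES.TBB Infected: Email-Worm.Win32.NetSky.t 7
C:\Program Files\The Bat!\MAIL\DSD\Inbox\MESSAGES.TBB Suspicious: Trojan-Spy.HTML.Fraud.gen 6
C:\Temp\funstuff\funny.exe Infected: not-virus:BadJoke.Win32.Unko.a 1
"""

# "<path> Infected: <threat> <count>" or "<path> Suspicious: <threat> <count>"
REPORT_LINE_RE = re.compile(
    r"^(?P<path>.+?) (?P<verdict>Infected|Suspicious): (?P<threat>\S+) (?P<count>\d+)$"
)
MAIL_STORE_EXT = {".pst", ".tbb"}   # Outlook and The Bat! message stores
ARCHIVE_EXT = {".zip"}


def container_kind(path: str) -> str:
    """Classify the scanned object by extension; ntpath handles Windows paths on any host."""
    ext = ntpath.splitext(path)[1].lower()
    if ext in MAIL_STORE_EXT:
        return "mail-store"
    if ext in ARCHIVE_EXT:
        return "archive"
    return "file"


def summarize(report_text: str) -> dict:
    """Aggregate report lines per container: counts by verdict class plus threat names."""
    per_file = defaultdict(lambda: {"kind": "", "infected": 0, "suspicious": 0,
                                    "riskware": 0, "threats": set()})
    for line in report_text.splitlines():
        m = REPORT_LINE_RE.match(line.strip())
        if not m:
            continue
        rec = per_file[m.group("path")]
        rec["kind"] = container_kind(m.group("path"))
        threat, n = m.group("threat"), int(m.group("count"))
        # Kaspersky prefixes adware/riskware/jokes with "not-a-virus:" or "not-virus:";
        # those are policy decisions for the owner, not infections.
        if threat.startswith(("not-a-virus:", "not-virus:")):
            rec["riskware"] += n
        elif m.group("verdict") == "Infected":
            rec["infected"] += n
        else:
            rec["suspicious"] += n
        rec["threats"].add(threat)
    return {p: {**r, "threats": sorted(r["threats"])} for p, r in per_file.items()}


def ranked(summary: dict) -> list:
    """Containers ordered by total detections, busiest first."""
    totals = [(p, r["infected"] + r["suspicious"] + r["riskware"]) for p, r in summary.items()]
    return sorted(totals, key=lambda t: (-t[1], t[0]))


def plan(summary: dict) -> dict:
    """Propose one cleanup action per container, following the folder-level approach used in this thread."""
    actions = {}
    for path, rec in summary.items():
        malicious = rec["infected"] + rec["suspicious"]
        if rec["kind"] == "mail-store":
            # Deleting the .pst/.tbb itself loses every message; purge from inside the client.
            actions[path] = "mail store: delete the messages in that folder from inside the mail client"
        elif malicious == 0:
            actions[path] = "riskware/adware only: review, remove if unwanted"
        elif rec["kind"] == "archive":
            actions[path] = "archive: delete it, or extract and delete the flagged members"
        else:
            actions[path] = "file: delete"
    return actions


if __name__ == "__main__":
    s = summarize(SAMPLE_REPORT)
    for path, total in ranked(s):
        print(f"{total:3d}  {s[path]['kind']:10s} {path}")
        print(f"     -> {plan(s)[path]}")
```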

#11 Angelzsong (New Member, Topic Starter, 6 posts)

> Hi, do you know what is inside of this folder?
> C:\Documents and Settings\Mom.ANGEL\Mom's Documents\DocumImpt\EXs.zip <this folder is infected and needs to be deleted.
> I am not sure if there is more than one or not, but if there are, delete them as well.

Yes, it's just documents, and things such as that, pertaining to ex-husband & ex-boyfriend.
All self-created... and I zipped everything up myself...
it contains nothing which was downloaded. Just scanned photos, bank statements, scanned
documents, etc.

> Below, delete the files and folders that are bolded, along with the e-mails.
> Delete all e-mails in your Outlook.
>
> C:\SmitfraudFix.exe
> C:\Temp\funstuff\funny.exe
> C:\Temp\Limewire Pro 4.18.1 Setup.EXE
> C:\Documents and Settings\Mom.ANGEL\Desktop\Toolbars\GO\System Stuff\Utils\SpySweeper\SmitfraudFix
> C:\Documents and Settings\Mom.ANGEL\Mom's Documents\Downloads\Limewire Pro 4.18 Setup.zip
> C:\Program Files\The Bat!\MAIL\ADPAlumni\Inbox <Everything in there
> C:\Program Files\The Bat!\MAIL\Angel\Family <Everything in there
> C:\Program Files\The Bat!\MAIL\AngelOLD\Family <Everything in there
> C:\Program Files\The Bat!\MAIL\DelphiOLD\Inbox <Everything in there
> C:\Program Files\The Bat!\MAIL\DSD\Inbox <Everything in there
> C:\Program Files\The Bat!\MAIL\DSD\Trash <Everything in there
> C:\Program Files\The Bat!\MAIL\EmailMain\Family <Everything in there
> C:\Program Files\The Bat!\MAIL\EmailMain\PayPal BidPay <Everything in there
> C:\Program Files\The Bat!\MAIL\EmailOLD\Family <Everything in there
> C:\Program Files\The Bat!\MAIL\EmailOLD\Trash <Everything in there
> C:\Program Files\The Bat!\MAIL\MGS\Inbox <Everything in there
> C:\Program Files\The Bat!\MAIL\MGSFoundation\Inbox <Everything in there
> C:\Program Files\The Bat!\MAIL\MGSFoundation\Research <Everything in there
> C:\Program Files\The Bat!\MAIL\SmartPer\Inbox <Everything in there
> C:\Program Files\The Bat!\MAIL\SmartPer\Trash <Everything in there
> C:\Program Files\The Bat!\MAIL\USA.net\Trash <Everything in there
>
> For all of the above, everything in those e-mail folders needs to be emptied out.


Everything you pointed out has been deleted/removed from my HDD.

Thank you so much :)

#12 kahdah (GeekU Teacher, Retired Staff, 15,822 posts)
You are welcome :)
Go ahead and delete the dss icon from your desktop and the C:\Deckard folder.
Empty your recycle bin.
===========
Upgrading Java:
  • Download the latest version of Java Runtime Environment (JRE) 6 Update 6.
  • Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Select your Platform and check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement.".
  • Click on Continue.
  • Click on the link to download Windows Offline Installation (jre-6u6-windows-i586-p.exe) and save it to your desktop. Do NOT use the Sun Download Manager.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on the download to install the newest version.
=============================
Delete\uninstall anything else that we have used.

System Restore
Then I will need you to reset your System Restore points.
The link below shows how to create a clean restore point.
How to Turn On and Turn Off System Restore in Windows XP
http://support.micro...kb/310405/en-us
=====================================
After that your log is clean. :)

The following is a list of tools and utilities that I like to suggest to people.
You do not have to have all or any of them they are only suggestions.
This list is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again.

Spybot Search & Destroy - Uber powerful tool which can search and annihilate nasties that make it onto your system. Now with an Immunize section that will help prevent future infections.

Spyware Blaster - Great prevention tool to keep nasties from installing on your system.

SpywareGuard - Works as a Spyware "Shield" to protect your computer from getting malware in the first place.

IE-SPYAD - Puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.

Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.

Tony Klein article - To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections, you can read this article by Tony Klein.