[Dooms]

Hi there, I would really appreciate it if something could help me out with my problem. I ran an .exe file from the internet that caused my background to turn red with a toxic waste sign, warning me "your privacy is in danger". I'm pretty sure the culprit is smitfraud, as I have read previous forums of members that experienced exactly the same problem. Consequently I also tried the same advice you gave to those members, namely, running smitfraudfix. Smitfraudfix, however, did not want to run on my computer even though I ran it from C:\Documents and settings (My c: drive doesn't appear on the 'my computer' screen, so I decided to run it from within the 'my documents' folder on the desktop). I also had to download smitfraudfix from another computer (the one I'm using to send you this message) and transfer it to mine with a usb flashdrive (as I did with the hijackthis.exe file) seeing that the internet browser is also not working (it keeps sending me error messages). I really hope you guys can help me. Thanks for your service!

Here is the hijackthis logfile

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:05: VIRUS ALERT!, on 2008/07/12
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Safe mode

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
H:\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarerefer...=...6Ojg5&lid=2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.client...fo/bt_side.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = wwwcache.uhi.ac.uk:8080
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: sqvgnrpx - {F6818E71-D7B7-4DAD-9596-215DDA7F76F9} - C:\WINDOWS\sqvgnrpx.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\Programs\Utilities\Virtualdrives\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Executive Software\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\BTBROA~1\Help\SMARTB~1\BTHelpNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechCameraAssistant] C:\Program Files\Logitech\Video\CameraAssistant.exe
O4 - HKLM\..\Run: [LogitechVideo[inspector]] C:\Program Files\Logitech\Video\InstallHelper.exe /inspect
O4 - HKLM\..\Run: [LogitechCameraService(E)] C:\WINDOWS\system32\ElkCtrl.exe /automation
O4 - HKLM\..\Run: [lxcemon.exe] "C:\Program Files\Lexmark 4300 Series\lxcemon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 4300 Series\ezprint.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [LXCECATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCEtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [lphcl5bj0ev7g] C:\WINDOWS\system32\lphcl5bj0ev7g.exe
O4 - HKLM\..\Run: [SMrhcg5bj0ev7g] C:\Program Files\rhcg5bj0ev7g\rhcg5bj0ev7g.exe
O4 - HKLM\..\Run: [SMshcj5bj0ev7g] C:\Program Files\shcj5bj0ev7g\shcj5bj0ev7g.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealPlayer\realplay.exe" /RunUPGToolCommandReBoot
O4 - HKCU\..\Run: [FSCBoss] C:\Program Files\FSCBoss\FSCBoss.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Gby] "C:\Program Files\Common Files\?ppPatch\?poolsv.exe"
O4 - HKCU\..\Run: [System Mechanic Popup Stopper] "C:\Program Files\iolo\System Mechanic 5 Professional\PopupStopper.exe"
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O4 - HKCU\..\Run: [Ssha] "C:\DOCUME~1\Owner\APPLIC~1\MCROSO~1\tracert.exe" -vt ndrv
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Broadband Desktop Help.lnk = C:\Program Files\BT Broadband 210\Help\bin\matcli.exe
O4 - Global Startup: Pervasive.SQL Workgroup Engine.lnk = C:\PVSW\Bin\w3dbsmgr.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\Programs\Utilities\Extracting\Winzip\WZQKPICK.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: &Search - ?p=ZK
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\Programs\OFFICE~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\Programs\OFFICE~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1149586369140
O16 - DPF: {7AA32FC7-133B-4AE7-998E-CED0D9829B12} (luna Class) - http://axcab.wrs.mcboo.com/website.cab
O16 - DPF: {B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} - http://download.cdn....FreeInstall.cab
O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - http://locator1.cdn....nnerInstall.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O21 - SSODL: fsrpknov - {48978BC4-8794-45FB-8032-262276642FD9} - C:\WINDOWS\fsrpknov.dll
O21 - SSODL: fdxbameg - {70E34773-5907-477A-B2C9-152559B4DA4C} - C:\WINDOWS\fdxbameg.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
O23 - Service: lxce_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxcecoms.exe
O24 - Desktop Component 0: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm

--
End of file - 7889 bytes

[Advertisements]

Hello

Before we begin, you should save these instructions in Notepad to your desktop, or print them, for easy reference. Much of our fix will be done in Safe mode, and you will be unable to access this thread at that time. If you have questions at any point, or are unsure of the instructions, feel free to post here and ask for clarification before proceeding.


Please download SmitfraudFix (by S!Ri) to your Desktop.

Next, please reboot your computer in Safe Mode by doing the following :

• Restart your computer
• After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
• Instead of Windows loading as normal, a menu with options should appear;
• Select the first option, to run Windows in Safe Mode, then press "Enter".
• Choose your usual account.

Once in Safe Mode, double-click on SmitfraudFix.exe
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.
A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.
The report can also be found at the root of the system drive, usually at C:\rapport.txt

Warning : running option #2 on a non infected computer will remove your Desktop background.




Please download Deckard's System Scanner (DSS) and save it to your Desktop.

• Close all other windows before proceeding.
• Double-click on dss.exe and follow the prompts.
• If your anti-virus or firewall complains, please allow this script to run as it is not malicious.
• When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.

[Rorschach112]

Hello

Before we begin, you should save these instructions in Notepad to your desktop, or print them, for easy reference. Much of our fix will be done in Safe mode, and you will be unable to access this thread at that time. If you have questions at any point, or are unsure of the instructions, feel free to post here and ask for clarification before proceeding.


Please download SmitfraudFix (by S!Ri) to your Desktop.

Next, please reboot your computer in Safe Mode by doing the following :

• Restart your computer
• After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
• Instead of Windows loading as normal, a menu with options should appear;
• Select the first option, to run Windows in Safe Mode, then press "Enter".
• Choose your usual account.

Once in Safe Mode, double-click on SmitfraudFix.exe
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.
A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.
The report can also be found at the root of the system drive, usually at C:\rapport.txt

Warning : running option #2 on a non infected computer will remove your Desktop background.




Please download Deckard's System Scanner (DSS) and save it to your Desktop.

• Close all other windows before proceeding.
• Double-click on dss.exe and follow the prompts.
• If your anti-virus or firewall complains, please allow this script to run as it is not malicious.
• When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.

[Dooms]

Hi! Thanks for the quick response. The problem is that smitfraud.exe doens't want to run on the computer, it doesn't open anything even though I am in safe mode.

[Rorschach112]

Do this instead

Before we begin, you should save these instructions in Notepad to your desktop, or print them, for easy reference. Much of our fix will be done in Safe mode, and you will be unable to access this thread at that time. If you have questions at any point, or are unsure of the instructions, feel free to post here and ask for clarification before proceeding.


Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :

• Restart your computer
• After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
• Instead of Windows loading as normal, the Advanced Options Menu should appear;
• Select the first option, to run Windows in Safe Mode, then press Enter.
• Choose your usual account.

• Open the extracted SDFix folder and double click RunThis.bat to start the script.
• Type Y to begin the cleanup process.
• It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
• Press any Key and it will restart the PC.
• When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
• Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
  (Report.txt will also be copied to Clipboard ready for posting back on the forum).
• Finally paste the contents of the Report.txt back on the forum.

[Dooms]

It seems there is further problems. SDfix also do not want to open if I dubble click on it. If I right click it does however give me the option ("extract files...") to extract the files to a designated location. In the window that then pops up the icon of the c drive doesn't appear as a possible destination. In the "destination path (will be created if does not exist)" space I manually typed in C:\SDFix and clicked on OK. It then did a extract process....was this the correct move? Should I proceed to reboot the computer in safe mode?

[Dooms]

Once in safe mode it wasn't possible for me to access the c drive to open the 'runthis.bat' file. So I once more extracted the files from the SDFix file, but this time to the desktop. I then rebooted the system in safe mode and ran the runthis.bat file from the extracted sdfix folder on the desktop. I typed Y to begin the cleanup process. This was the report:






SDFix: Version 1.204
Run by Owner on 2008/07/12 at 15:01

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\DOCUME~1\Owner\Desktop\SDFix

Checking Services :

Name :
clbdriver

Path :
\??\globalroot\systemroot\system32\drivers\clbdriver.sys

clbdriver - Deleted



Restoring Default Security Values
Restoring Default Hosts File
Restoring Default HomePage Value
Restoring Default Desktop Components Value
Restoring Default Desktop Wallpaper
Restoring Default ScreenSaver value
Restoring Windows ProductId To Remove Fake Virus Alert
Restoring Time Format To Remove Fake Virus Alert

Rebooting


Checking Files :

Trojan Files Found:

C:\WINDOWS\system32\lphcl5bj0ev7g.exe - Deleted
C:\WINDOWS\system32\geBrqpoP.dll - Deleted
C:\WINDOWS\SYSTEM32\PHCL5B~1.BMP - Deleted
C:\WINDOWS\SYSTEM32\BLPHCL~1.SCR - Deleted
C:\Documents and Settings\Owner\Desktop\Error Cleaner.url - Deleted
C:\Documents and Settings\Owner\Favorites\Error Cleaner.url - Deleted
C:\Documents and Settings\Owner\Desktop\Privacy Protector.url - Deleted
C:\Documents and Settings\Owner\Favorites\Privacy Protector.url - Deleted
C:\Documents and Settings\Owner\Desktop\Spyware&Malware Protection.url - Deleted
C:\Documents and Settings\Owner\Favorites\Spyware&Malware Protection.url - Deleted
C:\WINDOWS\privacy_danger\index.htm - Deleted
C:\WINDOWS\privacy_danger\images\capt.gif - Deleted
C:\WINDOWS\privacy_danger\images\danger.jpg - Deleted
C:\WINDOWS\privacy_danger\images\down.gif - Deleted
C:\WINDOWS\privacy_danger\images\spacer.gif - Deleted
C:\Program Files\Bifrost\klog.dat - Deleted
C:\DOCUME~1\Owner\LOCALS~1\Temp\.tt1.tmp - Deleted
C:\DOCUME~1\Owner\LOCALS~1\Temp\.tt10.tmp - Deleted
C:\DOCUME~1\Owner\LOCALS~1\Temp\.tt11.tmp - Deleted
C:\DOCUME~1\Owner\LOCALS~1\Temp\.tt12.tmp - Deleted
C:\DOCUME~1\Owner\LOCALS~1\Temp\.tt13.tmp - Deleted
C:\DOCUME~1\Owner\LOCALS~1\Temp\.tt14.tmp - Deleted
C:\DOCUME~1\Owner\LOCALS~1\Temp\.tt15.tmp - Deleted
C:\DOCUME~1\Owner\LOCALS~1\Temp\.tt16.tmp - Deleted
C:\DOCUME~1\Owner\LOCALS~1\Temp\.tt17.tmp - Deleted
C:\DOCUME~1\Owner\LOCALS~1\Temp\.tt1D.tmp - Deleted
C:\DOCUME~1\Owner\LOCALS~1\Temp\.tt1E.tmp - Deleted
C:\DOCUME~1\Owner\LOCALS~1\Temp\.tt2.tmp - Deleted
C:\DOCUME~1\Owner\LOCALS~1\Temp\.tt28.tmp - Deleted
C:\DOCUME~1\Owner\LOCALS~1\Temp\.tt3.tmp - Deleted
C:\DOCUME~1\Owner\LOCALS~1\Temp\.tt4.tmp - Deleted
C:\DOCUME~1\Owner\LOCALS~1\Temp\.tt5.tmp - Deleted
C:\DOCUME~1\Owner\LOCALS~1\Temp\.tt6.tmp - Deleted
C:\DOCUME~1\Owner\LOCALS~1\Temp\.tt7.tmp - Deleted
C:\DOCUME~1\Owner\LOCALS~1\Temp\.tt8.tmp - Deleted
C:\DOCUME~1\Owner\LOCALS~1\Temp\.tt9.tmp - Deleted
C:\DOCUME~1\Owner\LOCALS~1\Temp\.tt96.tmp - Deleted
C:\DOCUME~1\Owner\LOCALS~1\Temp\.tt99.tmp - Deleted
C:\DOCUME~1\Owner\LOCALS~1\Temp\.tt9A.tmp - Deleted
C:\DOCUME~1\Owner\LOCALS~1\Temp\.tt9B.tmp - Deleted
C:\DOCUME~1\Owner\LOCALS~1\Temp\.tt9C.tmp - Deleted
C:\DOCUME~1\Owner\LOCALS~1\Temp\.tt9E.tmp - Deleted
C:\DOCUME~1\Owner\LOCALS~1\Temp\.ttA.tmp - Deleted
C:\DOCUME~1\Owner\LOCALS~1\Temp\.ttB.tmp - Deleted
C:\DOCUME~1\Owner\LOCALS~1\Temp\.ttBD1.tmp - Deleted
C:\DOCUME~1\Owner\LOCALS~1\Temp\.ttC.tmp - Deleted
C:\DOCUME~1\Owner\LOCALS~1\Temp\.ttD.tmp - Deleted
C:\DOCUME~1\Owner\LOCALS~1\Temp\.ttE.tmp - Deleted
C:\DOCUME~1\Owner\LOCALS~1\Temp\.ttF.tmp - Deleted
C:\DOCUME~1\Owner\LOCALS~1\Temp\.tt14.tmp.vbs - Deleted
C:\DOCUME~1\Owner\LOCALS~1\Temp\.tt9.tmp.vbs - Deleted
C:\DOCUME~1\Owner\LOCALS~1\Temp\atmadm2.exe.bat - Deleted
C:\DOCUME~1\Owner\LOCALS~1\Temp\bindsrv2.exe.bat - Deleted
C:\DOCUME~1\Owner\LOCALS~1\Temp\vistasp1.exe.bat - Deleted
C:\WINDOWS\Downloaded Program Files\UWA7P_0001_N91M0809NetInstaller.exe - Deleted
C:\Documents and Settings\Owner\Application Data\addon.dat - Deleted
C:\DOCUME~1\Owner\LOCALS~1\Temp\removalfile.bat - Deleted
C:\WINDOWS\gpefaowr.exe - Deleted
C:\WINDOWS\EBVS.EXE - Deleted



Folder C:\Program Files\Bifrost - Removed
Folder C:\Program Files\WinPop - Removed
Folder C:\WINDOWS\privacy_danger - Removed


Removing Temp Files

ADS Check :



Final Check :


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\PVSW\\Bin\\w3dbsmgr.exe"="C:\\PVSW\\Bin\\w3dbsmgr.exe:*:Disabled:Database Service Manager"
"C:\\Documents and Settings\\Owner\\My Documents\\Downloads\\empires2.exe"="C:\\Documents and Settings\\Owner\\My Documents\\Downloads\\empires2.exe:*:Enabled:Age of Empires II"
"C:\\Program Files\\PopCap Games\\Zuma Deluxe\\Zuma.exe"="C:\\Program Files\\PopCap Games\\Zuma Deluxe\\Zuma.exe:*:Enabled:Zuma"
"C:\\Program Files\\BT Broadband 210\\Help\\SmartBridge\\BTHelpNotifier.exe"="C:\\Program Files\\BT Broadband 210\\Help\\SmartBridge\\BTHelpNotifier.exe:*:Disabled:BTHelpNotifier Module"
"C:\\Program Files\\uTorrent\\utorrent.exe"="C:\\Program Files\\uTorrent\\utorrent.exe:*:Enabled:æTorrent"
"C:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe"="C:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe:*:Enabled:Sid Meier's Civilization 4"
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"="C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE:*:Enabled:Internet Explorer"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype. The whole world can talk for free."

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

Remaining Files :


File Backups: - C:\DOCUME~1\Owner\Desktop\SDFix\backups\backups.zip

Files with Hidden Attributes :

Tue 26 Jun 2007 1,503,170 A.SH. --- "C:\WINDOWS\system32\bbadd.tmp"
Wed 27 Jun 2007 1,320,959 A.SH. --- "C:\WINDOWS\system32\bbadd.bak2"
Mon 26 Dec 2005 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Mon 26 Dec 2005 401 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv11.bak"
Thu 29 May 2008 230,400 ..SHR --- "C:\Program Files\Common Files\?ppPatch\?poolsv.exe"
Sun 20 Apr 2008 70,656 ..SHR --- "C:\Documents and Settings\Owner\Application Data\M?crosoft\tracert.exe"
Thu 6 Mar 2008 348,160 ...H. --- "C:\Documents and Settings\Owner\Desktop\Musiek\msvcr71.dll"
Sat 22 Sep 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\cf7ced0e70c80a1e476f1abf49afecb1\BIT7.tmp"
Thu 8 May 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\fd0264849c01086f3c6b505dc02dbd44\BIT10.tmp"
Mon 26 Dec 2005 4,348 ...H. --- "C:\Documents and Settings\Owner\My Documents\My Music\My Music\Klassieke Musiek\Ubforgettable Classics\License Backup\drmv1key.bak"
Sun 25 Nov 2007 401 A..H. --- "C:\Documents and Settings\Owner\My Documents\My Music\My Music\Klassieke Musiek\Ubforgettable Classics\License Backup\drmv1lic.bak"
Wed 12 Apr 2006 400 A.SH. --- "C:\Documents and Settings\Owner\My Documents\My Music\My Music\Klassieke Musiek\Ubforgettable Classics\License Backup\drmv2key.bak"

Finished!










I then decided to run the Smitfraudfix application, and this was its rapport:






SmitFraudFix v2.329

Scan done at 15:26:02.70, 2008/07/12
Run from C:\Documents and Settings\Owner\My Documents\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» hosts

127.0.0.1 localhost

»»»»»»»»»»»»»»»»»»»»»»»» VACFix

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri
C:\WINDOWS\wbxdpgfelor.dll deleted.
C:\WINDOWS\fsrpknov.dll deleted.
C:\WINDOWS\fdxbameg.dll deleted.


»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.
»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\DOCUME~1\Owner\Desktop\Error Cleaner.url Deleted
C:\DOCUME~1\Owner\Desktop\Privacy Protector.url Deleted
C:\DOCUME~1\Owner\Desktop\Spyware?Malware Protection.url Deleted
C:\DOCUME~1\Owner\FAVORI~1\Error Cleaner.url Deleted
C:\DOCUME~1\Owner\FAVORI~1\Privacy Protector.url Deleted
C:\DOCUME~1\Owner\FAVORI~1\Spyware?Malware Protection.url Deleted

»»»»»»»»»»»»»»»»»»»»»»»» IEDFix

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri



»»»»»»»»»»»»»»»»»»»»»»»» 404Fix

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{503F38EA-20A7-4CBB-A5C2-0086E8BB210B}: DhcpNameServer=192.168.1.254
HKLM\SYSTEM\CS1\Services\Tcpip\..\{503F38EA-20A7-4CBB-A5C2-0086E8BB210B}: DhcpNameServer=192.168.1.254
HKLM\SYSTEM\CS2\Services\Tcpip\..\{503F38EA-20A7-4CBB-A5C2-0086E8BB210B}: DhcpNameServer=192.168.1.254
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.254
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.254
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.254


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End














After this I ran the DSS application and here are its results,
The main.txt











Deckard's System Scanner v20071014.68
Run by Owner on 2008-07-12 15:37:35
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 3 Restore Point(s) --
3: 2008-07-12 14:37:42 UTC - RP673 - Deckard's System Scanner Restore Point
2: 2008-07-11 22:51:37 UTC - RP672 - Last good restore point
1: 2008-07-11 22:51:04 UTC - RP671 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

Percentage of Memory in Use: 81% (more than 75%).
Total Physical Memory: 496 MiB (512 MiB recommended).


-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-07-12 15:39:27
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Logitech\LVMVFM\LVPrcSrv.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\sm56hlpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Programs\Utilities\Virtualdrives\DAEMON Tools\daemon.exe
C:\Program Files\BT Broadband 210\Help\SmartBridge\BTHelpNotifier.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\CameraAssistant.exe
C:\WINDOWS\system32\ElkCtrl.exe
C:\Program Files\Lexmark 4300 Series\lxcemon.exe
C:\Program Files\Lexmark 4300 Series\ezprint.exe
C:\Program Files\shcj5bj0ev7g\shcj5bj0ev7g.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\?ppPatch\?poolsv.exe
C:\Program Files\iolo\System Mechanic 5 Professional\PopupStopper.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Documents and Settings\Owner\Application Data\M?crosoft\tracert.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\PVSW\Bin\w3dbsmgr.exe
C:\Program Files\Programs\Utilities\Extracting\Winzip\WZQKPICK.EXE
C:\Program Files\MagicDisc\MagicDisc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\lxcecoms.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\WINDOWS\system32\svchost.exe
C:\Documents and Settings\Owner\Desktop\dss.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.com/search?q=%s
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = wwwcache.uhi.ac.uk:8080
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1061CDC0-5254-09DD-5115-5B00CEBC8BC8} - C:\WINDOWS\system32\mrsidi.dll (file missing)
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: RXResultTracker Class - {59879FA4-4790-461c-A1CC-4EC4DE4CA483} - C:\Program Files\RXToolBar\sfcont.dll (file missing)
O2 - BHO: (no name) - {8A67EC3A-20FE-2F25-AA3A-79A2949B43C6} - C:\WINDOWS\system32\ndfn.dll
O2 - BHO: (no name) - {A834CE7A-D55B-4FE1-820B-8CDB343C6ABF} - C:\WINDOWS\system32\opNfFUlM.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\GoogleToolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\GoogleToolbar4.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\Programs\Utilities\Virtualdrives\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Executive Software\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\BTBROA~1\Help\SMARTB~1\BTHelpNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechCameraAssistant] C:\Program Files\Logitech\Video\CameraAssistant.exe
O4 - HKLM\..\Run: [LogitechVideo[inspector]] C:\Program Files\Logitech\Video\InstallHelper.exe /inspect
O4 - HKLM\..\Run: [LogitechCameraService(E)] C:\WINDOWS\system32\ElkCtrl.exe /automation
O4 - HKLM\..\Run: [lxcemon.exe] "C:\Program Files\Lexmark 4300 Series\lxcemon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 4300 Series\ezprint.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [LXCECATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCEtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [SMrhcg5bj0ev7g] C:\Program Files\rhcg5bj0ev7g\rhcg5bj0ev7g.exe
O4 - HKLM\..\Run: [SMshcj5bj0ev7g] C:\Program Files\shcj5bj0ev7g\shcj5bj0ev7g.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealPlayer\realplay.exe" /RunUPGToolCommandReBoot
O4 - HKCU\..\Run: [FSCBoss] C:\Program Files\FSCBoss\FSCBoss.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Gby] "C:\Program Files\Common Files\?ppPatch\?poolsv.exe"
O4 - HKCU\..\Run: [System Mechanic Popup Stopper] "C:\Program Files\iolo\System Mechanic 5 Professional\PopupStopper.exe"
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O4 - HKCU\..\Run: [Ssha] "C:\DOCUME~1\Owner\APPLIC~1\MCROSO~1\tracert.exe" -vt ndrv
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'Default user')
O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Broadband Desktop Help.lnk = C:\Program Files\BT Broadband 210\Help\bin\matcli.exe
O4 - Global Startup: Pervasive.SQL Workgroup Engine.lnk = C:\PVSW\Bin\w3dbsmgr.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\Programs\Utilities\Extracting\Winzip\WZQKPICK.EXE
O8 - Extra context menu item: &Search - ?p=ZK
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\Programs\OFFICE~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1149586369140
O16 - DPF: {7AA32FC7-133B-4AE7-998E-CED0D9829B12} (luna Class) - http://axcab.wrs.mcboo.com/website.cab
O16 - DPF: {B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} () - http://download.cdn....FreeInstall.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} () - http://locator1.cdn....nnerInstall.cab
O18 - Protocol: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll
O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL
O18 - Protocol: mso-offdap11 - {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll
O18 - Filter: text/xml - {807553E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL
O20 - Winlogon Notify: yayxuus - C:\WINDOWS\system32\yayxuus.dll (file missing)
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_2.EXE
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\Logitech\LVMVFM\LVPrcSrv.exe
O23 - Service: lxce_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxcecoms.exe


--
End of file - 11770 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 FileDisk - c:\windows\system32\drivers\filedisk.sys <Not Verified; iolo technologies, LLC (based on original work by Bo Brantén); filedisk (based on original work by Bo Brantén)>
R3 LVPrcMon (Logitech LVPrcMon Driver) - c:\windows\system32\drivers\lvprcmon.sys
R3 mcdbus (Driver for MagicISO SCSI Host Controller) - c:\windows\system32\drivers\mcdbus.sys <Not Verified; MagicISO, Inc.; MagicISO SCSI Host Controller>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Diskeeper - "c:\program files\executive software\diskeeper\dkservice.exe" <Not Verified; Executive Software International, Inc.; Diskeeper ™ Disk Defragmenter>


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Realtek RTL8139/810x Family Fast Ethernet NIC
Device ID: PCI\VEN_10EC&DEV_8139&SUBSYS_10A71734&REV_10\4&3AE5ECD5&0&60F0
Manufacturer: Realtek Semiconductor Corp.
Name: Realtek RTL8139/810x Family Fast Ethernet NIC
PNP Device ID: PCI\VEN_10EC&DEV_8139&SUBSYS_10A71734&REV_10\4&3AE5ECD5&0&60F0
Service: RTL8023xp


-- Files created between 2008-06-12 and 2008-07-12 -----------------------------

2008-07-12 15:26:15 4350 --a------ C:\WINDOWS\system32\tmp.reg
2008-07-12 15:25:37 25600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-07-12 15:25:37 289144 --a------ C:\WINDOWS\system32\VCCLSID.exe <Not Verified; S!Ri; >
2008-07-12 15:25:37 86528 --a------ C:\WINDOWS\system32\VACFix.exe <Not Verified; S!Ri.URZ; VACFix>
2008-07-12 15:25:37 288417 --a------ C:\WINDOWS\system32\SrchSTS.exe <Not Verified; S!Ri; SrchSTS>
2008-07-12 15:25:37 82944 --a------ C:\WINDOWS\system32\IEDFix.exe <Not Verified; S!Ri.URZ; IEDFix>
2008-07-12 15:25:37 51200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-07-12 15:25:37 81920 --a------ C:\WINDOWS\system32\404Fix.exe <Not Verified; S!Ri.URZ; 404Fix>
2008-07-12 15:21:39 0 --a------ C:\WINDOWS\system32\Process.exe
2008-07-12 14:48:54 0 d-------- C:\WINDOWS\ERUNT
2008-07-12 00:32:03 0 d-------- C:\Documents and Settings\Owner\Application Data\shcj5bj0ev7g
2008-07-12 00:31:10 0 d-------- C:\Program Files\shcj5bj0ev7g
2008-07-11 03:00:54 3090 --ahs---- C:\WINDOWS\system32\MlUFfNpo.ini2
2008-07-11 03:00:44 322304 --a------ C:\WINDOWS\system32\opNfFUlM.dll
2008-07-11 02:42:07 1723 --a------ C:\WINDOWS\system32\clbinit.dll
2008-07-11 02:38:34 10752 --a------ C:\WINDOWS\system32\drivers\clbdriver.sys
2008-07-11 02:38:34 34816 --a------ C:\WINDOWS\system32\clbdll.dll
2008-07-11 02:38:16 33152 --a------ C:\WINDOWS\system32\pmnnlKEU.dll
2008-07-11 02:38:09 94208 --a------ C:\WINDOWS\system32\pphcl5bj0ev7g.exe
2008-07-11 02:38:09 0 d-------- C:\Documents and Settings\Owner\Application Data\rhcg5bj0ev7g
2008-07-11 02:37:50 0 d-------- C:\Documents and Settings\Owner\Application Data\TmpRecentIcons
2008-07-11 02:37:47 0 d-------- C:\Program Files\rhcg5bj0ev7g
2008-07-11 02:37:35 192512 --a------ C:\WINDOWS\sqvgnrpx.dll
2008-07-01 07:57:51 0 d-------- C:\Program Files\Firaxis Games
2008-06-27 08:04:58 0 d-------- C:\Documents and Settings\Owner\Application Data\??crosoft.NET
2008-06-27 08:04:57 60928 --a------ C:\WINDOWS\system32\ndfn.dll


-- Find3M Report ---------------------------------------------------------------

2008-07-12 15:35:13 0 d-------- C:\Documents and Settings\Owner\Application Data\AdobeUM
2008-07-12 14:24:30 0 d-------- C:\Program Files\Lexmark 4300 Series
2008-07-12 00:27:34 0 d-------- C:\Documents and Settings\Owner\Application Data\Skype
2008-07-11 03:00:57 0 d-------- C:\Documents and Settings\Owner\Application Data\uTorrent
2008-07-09 20:51:04 40 --a------ C:\WINDOWS\popcinfo.dat
2008-07-05 04:33:37 0 d-------- C:\Program Files\Lx_cats
2008-07-01 12:39:52 0 d-------- C:\Documents and Settings\Owner\Application Data\My Games
2008-07-01 07:57:58 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-06-27 08:04:58 0 d-------- C:\Program Files\Common Files\?ppPatch
2008-06-27 08:04:58 0 d-------- C:\Documents and Settings\Owner\Application Data\??crosoft.NET
2008-05-30 19:12:59 0 d-------- C:\Documents and Settings\Owner\Application Data\?ymantec


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1061CDC0-5254-09DD-5115-5B00CEBC8BC8}]
C:\WINDOWS\system32\mrsidi.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{59879FA4-4790-461c-A1CC-4EC4DE4CA483}]
C:\Program Files\RXToolBar\sfcont.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8A67EC3A-20FE-2F25-AA3A-79A2949B43C6}]
2008/05/29 19:34 60928 --a------ C:\WINDOWS\system32\ndfn.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A834CE7A-D55B-4FE1-820B-8CDB343C6ABF}]
2008/07/11 03:00 322304 --a------ C:\WINDOWS\system32\opNfFUlM.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2004/10/27 14:21 C:\WINDOWS\system32\HdAShCut.exe]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005/07/19 10:09]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005/07/19 10:06]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005/07/19 10:10]
"SoundMan"="SOUNDMAN.EXE" [2005/08/23 12:41 C:\WINDOWS\SOUNDMAN.EXE]
"AlcWzrd"="ALCWZRD.EXE" [2005/08/23 12:47 C:\WINDOWS\ALCWZRD.EXE]
"Alcmtr"="ALCMTR.EXE" [2005/05/03 17:43 C:\WINDOWS\ALCMTR.EXE]
"SMSERIAL"="sm56hlpr.exe" [2005/08/12 10:09 C:\WINDOWS\sm56hlpr.exe]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005/04/15 07:48]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001/07/09 09:50]
"DAEMON Tools"="C:\Program Files\Programs\Utilities\Virtualdrives\DAEMON Tools\daemon.exe" [2005/11/08 23:00]
"DiskeeperSystray"="C:\Program Files\Executive Software\Diskeeper\DkIcon.exe" [2004/12/21 22:29]
"Motive SmartBridge"="C:\PROGRA~1\BTBROA~1\Help\SMARTB~1\BTHelpNotifier.exe" [2005/06/22 15:29]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006/06/14 16:24]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006/07/06 13:36]
"LVCOMSX"="C:\WINDOWS\system32\LVCOMSX.EXE" [2005/12/09 15:32]
"LogitechCameraAssistant"="C:\Program Files\Logitech\Video\CameraAssistant.exe" [2005/12/07 10:26]
"LogitechVideo[inspector]"="C:\Program Files\Logitech\Video\InstallHelper.exe" [2005/12/07 10:33]
"LogitechCameraService(E)"="C:\WINDOWS\system32\ElkCtrl.exe" [2004/11/01 17:22]
"lxcemon.exe"="C:\Program Files\Lexmark 4300 Series\lxcemon.exe" [2005/08/02 18:45]
"EzPrint"="C:\Program Files\Lexmark 4300 Series\ezprint.exe" [2005/07/26 13:17]
"FaxCenterServer"="C:\Program Files\Lexmark Fax Solutions\fm3032.exe" [2005/07/12 10:36]
"LXCECATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCEtime.dll" [2005/07/20 14:46]
"SMrhcg5bj0ev7g"="C:\Program Files\rhcg5bj0ev7g\rhcg5bj0ev7g.exe" [2008/07/10 17:44]
"SMshcj5bj0ev7g"="C:\Program Files\shcj5bj0ev7g\shcj5bj0ev7g.exe" [2008/07/10 17:45]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004/10/13 17:24]
"RealPlayer"="C:\Program Files\Real\RealPlayer\realplay.exe" [2006/05/31 17:30]
"FSCBoss"="C:\Program Files\FSCBoss\FSCBoss.exe" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004/08/04 13:00]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007/06/22 13:46]
"Gby"="C:\Program Files\Common Files\?ppPatch\?poolsv.exe" [2008/05/29 19:35]
"System Mechanic Popup Stopper"="C:\Program Files\iolo\System Mechanic 5 Professional\PopupStopper.exe" [2004/09/20 11:12]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2007/09/13 14:31]
"googletalk"="C:\Program Files\Google\Google Talk\googletalk.exe" [2007/04/19 06:37]
"Ssha"="C:\DOCUME~1\Owner\APPLIC~1\MCROSO~1\tracert.exe" [2008/04/20 18:09]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006/03/30 16:45]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"swg"=C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Documents and Settings\Owner\Start Menu\Programs\Startup\
MagicDisc.lnk - C:\Program Files\MagicDisc\MagicDisc.exe [2007/12/26 02:09:04 AM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005/09/23 10:05:26 PM]
Broadband Desktop Help.lnk - C:\Program Files\BT Broadband 210\Help\bin\matcli.exe [2006/03/14 04:11:50 PM]
Pervasive.SQL Workgroup Engine.lnk - C:\PVSW\Bin\w3dbsmgr.exe [2006/01/19 06:39:01 AM]
WinZip Quick Pick.lnk - C:\Program Files\Programs\Utilities\Extracting\Winzip\WZQKPICK.EXE [2005/12/15 05:36:38 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\yayxuus]
yayxuus.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\opNfFUlM


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
AutoRun\command- E:\autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
AutoRun\command- F:\Autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
AutoRun\command- G:\autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1a484f48-36cd-11dd-81a1-0013ce61ac0b}]
AutoRun\command- H:\
explore\Command- RECYCLER\INFO.exe
open\Command- RECYCLER\INFO.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5d5eda6c-b2f0-11dc-80a1-0013ce61ac0b}]
AutoRun\command- G:\autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9248bda2-aa32-11dc-8088-0013ce61ac0b}]
Auto\command- OSO.exe
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL OSO.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a4cdedc1-6d63-11da-bc12-806d6172696f}]
AutoRun\command- D:\Setup.EXE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b6d6c4d6-8a9f-11da-bc89-0013ce61ac0b}]
AutoRun\command- E:\autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b6d6c4d7-8a9f-11da-bc89-0013ce61ac0b}]
AutoRun\command- F:\Autorun.exe


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{E5E41BB0-B117-EE2F-180A-FA6AF1DE848A}]
C:\Documents and Settings\Owner\Application Data\Server.exe s



-- End of Deckard's System Scanner: finished at 2008-07-12 15:40:18 ------------






The extra.text







Deckard's System Scanner v20071014.68
Run by Owner on 2008-07-12 15:37:35
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 3 Restore Point(s) --
3: 2008-07-12 14:37:42 UTC - RP673 - Deckard's System Scanner Restore Point
2: 2008-07-11 22:51:37 UTC - RP672 - Last good restore point
1: 2008-07-11 22:51:04 UTC - RP671 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

Percentage of Memory in Use: 81% (more than 75%).
[color="red"]Total Physical Memory: 496 MiB (512 MiB recommended).


-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-07-12 15:39:27
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Logitech\LVMVFM\LVPrcSrv.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\sm56hlpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Programs\Utilities\Virtualdrives\DAEMON Tools\daemon.exe
C:\Program Files\BT Broadband 210\Help\SmartBridge\BTHelpNotifier.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\CameraAssistant.exe
C:\WINDOWS\system32\ElkCtrl.exe
C:\Program Files\Lexmark 4300 Series\lxcemon.exe
C:\Program Files\Lexmark 4300 Series\ezprint.exe
C:\Program Files\shcj5bj0ev7g\shcj5bj0ev7g.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\?ppPatch\?poolsv.exe
C:\Program Files\iolo\System Mechanic 5 Professional\PopupStopper.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Documents and Settings\Owner\Application Data\M?crosoft\tracert.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\PVSW\Bin\w3dbsmgr.exe
C:\Program Files\Programs\Utilities\Extracting\Winzip\WZQKPICK.EXE
C:\Program Files\MagicDisc\MagicDisc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\lxcecoms.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\WINDOWS\system32\svchost.exe
C:\Documents and Settings\Owner\Desktop\dss.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.com/search?q=%s
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = wwwcache.uhi.ac.uk:8080
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1061CDC0-5254-09DD-5115-5B00CEBC8BC8} - C:\WINDOWS\system32\mrsidi.dll (file missing)
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: RXResultTracker Class - {59879FA4-4790-461c-A1CC-4EC4DE4CA483} - C:\Program Files\RXToolBar\sfcont.dll (file missing)
O2 - BHO: (no name) - {8A67EC3A-20FE-2F25-AA3A-79A2949B43C6} - C:\WINDOWS\system32\ndfn.dll
O2 - BHO: (no name) - {A834CE7A-D55B-4FE1-820B-8CDB343C6ABF} - C:\WINDOWS\system32\opNfFUlM.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\GoogleToolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\GoogleToolbar4.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\Programs\Utilities\Virtualdrives\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Executive Software\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\BTBROA~1\Help\SMARTB~1\BTHelpNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechCameraAssistant] C:\Program Files\Logitech\Video\CameraAssistant.exe
O4 - HKLM\..\Run: [LogitechVideo[inspector]] C:\Program Files\Logitech\Video\InstallHelper.exe /inspect
O4 - HKLM\..\Run: [LogitechCameraService(E)] C:\WINDOWS\system32\ElkCtrl.exe /automation
O4 - HKLM\..\Run: [lxcemon.exe] "C:\Program Files\Lexmark 4300 Series\lxcemon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 4300 Series\ezprint.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [LXCECATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCEtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [SMrhcg5bj0ev7g] C:\Program Files\rhcg5bj0ev7g\rhcg5bj0ev7g.exe
O4 - HKLM\..\Run: [SMshcj5bj0ev7g] C:\Program Files\shcj5bj0ev7g\shcj5bj0ev7g.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealPlayer\realplay.exe" /RunUPGToolCommandReBoot
O4 - HKCU\..\Run: [FSCBoss] C:\Program Files\FSCBoss\FSCBoss.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Gby] "C:\Program Files\Common Files\?ppPatch\?poolsv.exe"
O4 - HKCU\..\Run: [System Mechanic Popup Stopper] "C:\Program Files\iolo\System Mechanic 5 Professional\PopupStopper.exe"
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O4 - HKCU\..\Run: [Ssha] "C:\DOCUME~1\Owner\APPLIC~1\MCROSO~1\tracert.exe" -vt ndrv
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'Default user')
O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Broadband Desktop Help.lnk = C:\Program Files\BT Broadband 210\Help\bin\matcli.exe
O4 - Global Startup: Pervasive.SQL Workgroup Engine.lnk = C:\PVSW\Bin\w3dbsmgr.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\Programs\Utilities\Extracting\Winzip\WZQKPICK.EXE
O8 - Extra context menu item: &Search - ?p=ZK
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\Programs\OFFICE~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1149586369140
O16 - DPF: {7AA32FC7-133B-4AE7-998E-CED0D9829B12} (luna Class) - http://axcab.wrs.mcboo.com/website.cab
O16 - DPF: {B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} () - http://download.cdn....FreeInstall.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} () - http://locator1.cdn....nnerInstall.cab
O18 - Protocol: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll
O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL
O18 - Protocol: mso-offdap11 - {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll
O18 - Filter: text/xml - {807553E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL
O20 - Winlogon Notify: yayxuus - C:\WINDOWS\system32\yayxuus.dll (file missing)
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_2.EXE
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\Logitech\LVMVFM\LVPrcSrv.exe
O23 - Service: lxce_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxcecoms.exe


--
End of file - 11770 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 FileDisk - c:\windows\system32\drivers\filedisk.s

[Rorschach112]

Can you post these normally

I am not looking through coloured logs

Some of the DSS log was cut off, you will need more than one post to fit it all in

[Rorschach112]

Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.