my computer is running very slow. this is my hijackthis report. please help and thank you in advance! Justin Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 8:25:22 PM, on 5/7/2008 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\csrss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Windows Defender\MsMpEng.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Digital Media Reader\shwiconem.exe C:\Program Files\QuickTime\qttask.exe C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe C:\WINDOWS\system32\igfxtray.exe C:\WINDOWS\system32\hkcmd.exe C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe C:\Program Files\Common Files\AOL\ACS\AOLDial.exe C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe C:\Program Files\HP\HP Software Update\HPWuSchd2.exe C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe C:\Program Files\McAfee\McAfee AntiSpyware\Msssrv.exe c:\progra~1\mcafee.com\vso\mcvsescn.exe C:\Program Files\Spyware Doctor\pctsTray.exe C:\PROGRA~1\AVG\AVG8\avgtray.exe c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe C:\WINDOWS\system32\HPZipm12.exe C:\Program Files\Common Files\AOL\1128707666\ee\AOLHostManager.exe C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS C:\Program Files\Windows Defender\MSASCui.exe C:\Program Files\Common Files\AOL\1128707666\ee\AOLServiceHost.exe C:\Program Files\Messenger\msmsgs.exe C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe C:\Program Files\Spyware Doctor\pctsAuxs.exe C:\Program Files\Spyware Doctor\pctsSvc.exe C:\PROGRA~1\AVG\AVG8\avgrsx.exe C:\Program Files\Spyware Terminator\sp_rsser.exe C:\WINDOWS\system32\svchost.exe C:\PROGRA~1\AVG\AVG8\avgemc.exe c:\PROGRA~1\mcafee.com\vso\mcshield.exe C:\WINDOWS\system32\wbem\wmiprvse.exe c:\progra~1\mcafee.com\vso\mcvsftsn.exe C:\WINDOWS\System32\alg.exe C:\WINDOWS\System32\svchost.exe c:\program files\common files\aol\1128707666\ee\services\antiSpywareApp\ver2_0_7\AOLSP Scheduler.exe C:\Program Files\Common Files\AOL\1128707666\ee\AOLServiceHost.exe C:\Program Files\BigFix\BigFix.exe C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe C:\Program Files\NETGEAR\WG111 Configuration Utility\WG111CFG.exe C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe C:\WINDOWS\system32\taskmgr.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe C:\WINDOWS\system32\wbem\wmiprvse.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com/ R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\wmsdkns.exe, O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing) O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe O4 - HKLM\..\Run: [_AntiSpyware] C:\Program Files\McAfee\McAfee AntiSpyware\MssCli.exe O4 - HKLM\..\Run: [QuickFinder Scheduler] "C:\Program Files\Corel\WordPerfect Office 2002\Programs\QFSCHD100.EXE" O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1128707666\ee\AOLHostManager.exe O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe" O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe" O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe O4 - Startup: Bat - Auto Update.lnk = C:\Program Files\Bat\Bat.exe O4 - Startup: Cyber-shot Viewer Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe O4 - Startup: Morpheus.lnk = C:\Program Files\Morpheus\Morpheus.exe O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe O4 - Global Startup: Smart Wizard Wireless Settings.lnk = ? O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll O20 - AppInit_DLLs: avgrsstx.dll O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: McAfee AntiSpyware Real-Time Scanner (McAfeeAntiSpyware) - Network Associates, Inc. - C:\Program Files\McAfee\McAfee AntiSpyware\Msssrv.exe O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe O23 - Service: MsSecurity Updated (MsSecurity1.209.4) - Unknown owner - C:\WINDOWS\winself.exe (file missing) O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe -- End of file - 11941 bytes
start with this: Download SDFix and save it to your Desktop.we will use it in SAFEMODE you might copy paste the safemode part into notepad and save it so you can read it in safe mode http://downloads.andymanchesta.com/RemovalTools/SDFix.exe Double click SDFix.exe and it will extract the files to %systemdrive% (Drive that contains the Windows Directory, typically C:\SDFix) Please then reboot your computer in Safe Mode by doing the following : * Restart your computer * After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually; * Instead of Windows loading as normal, the Advanced Options Menu should appear; * Select the first option, to run Windows in Safe Mode, then press Enter. * Choose your usual account. * Open the extracted SDFix folder and double click RunThis.bat to start the script. * Type Y to begin the cleanup process. * It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot. * Press any Key and it will restart the PC. * When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons. * Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt (Report.txt will also be copied to Clipboard ready for posting back on the forum). * Finally paste the contents of the Report.txt back on the forum with a new HijackThis log
ok, first off. Thank you again! my computer is running better. Here is the report: SDFix: Version 1.182 Run by Owner on Wed 05/14/2008 at 04:30 PM Microsoft Windows XP [Version 5.1.2600] Running From: C:\SDFix Checking Services : Name : MsSecurity1.209.4 Path : C:\WINDOWS\winself.exe service MsSecurity1.209.4 - Deleted Restoring Windows Registry Values Restoring Windows Default Hosts File Rebooting Checking Files : Trojan Files Found: C:\WINDOWS\mgwwgmke\1.png - Deleted C:\WINDOWS\mgwwgmke\2.png - Deleted C:\WINDOWS\mgwwgmke\3.png - Deleted C:\WINDOWS\mgwwgmke\4.png - Deleted C:\WINDOWS\mgwwgmke\5.png - Deleted C:\WINDOWS\mgwwgmke\6.png - Deleted C:\WINDOWS\mgwwgmke\7.png - Deleted C:\WINDOWS\mgwwgmke\8.png - Deleted C:\WINDOWS\mgwwgmke\9.png - Deleted C:\WINDOWS\mgwwgmke\bottom-rc.gif - Deleted C:\WINDOWS\mgwwgmke\config.png - Deleted C:\WINDOWS\mgwwgmke\content.png - Deleted C:\WINDOWS\mgwwgmke\download.gif - Deleted C:\WINDOWS\mgwwgmke\frame-bg.gif - Deleted C:\WINDOWS\mgwwgmke\frame-bottom-left.gif - Deleted C:\WINDOWS\mgwwgmke\frame-h1bg.gif - Deleted C:\WINDOWS\mgwwgmke\head.png - Deleted C:\WINDOWS\mgwwgmke\icon.png - Deleted C:\WINDOWS\mgwwgmke\indexwp.html - Deleted C:\WINDOWS\mgwwgmke\main.css - Deleted C:\WINDOWS\mgwwgmke\memory-prots.png - Deleted C:\WINDOWS\mgwwgmke\net.png - Deleted C:\WINDOWS\mgwwgmke\pc.gif - Deleted C:\WINDOWS\mgwwgmke\pc-mag.gif - Deleted C:\WINDOWS\mgwwgmke\poloska1.png - Deleted C:\WINDOWS\mgwwgmke\poloska2.png - Deleted C:\WINDOWS\mgwwgmke\poloska3.png - Deleted C:\WINDOWS\mgwwgmke\promowp1.html - Deleted C:\WINDOWS\mgwwgmke\promowp2.html - Deleted C:\WINDOWS\mgwwgmke\promowp3.html - Deleted C:\WINDOWS\mgwwgmke\promowp4.html - Deleted C:\WINDOWS\mgwwgmke\promowp5.html - Deleted C:\WINDOWS\mgwwgmke\reg.png - Deleted C:\WINDOWS\mgwwgmke\repair.png - Deleted C:\WINDOWS\mgwwgmke\scr-1.png - Deleted C:\WINDOWS\mgwwgmke\scr-2.png - Deleted C:\WINDOWS\mgwwgmke\start.png - Deleted C:\WINDOWS\mgwwgmke\styles.css - Deleted C:\WINDOWS\mgwwgmke\top-rc.gif - Deleted C:\WINDOWS\mgwwgmke\vline.gif - Deleted C:\WINDOWS\mgwwgmke\wp.png - Deleted C:\Documents and Settings\LocalService\Application Data\NetMon\domains.txt - Deleted C:\Documents and Settings\LocalService\Application Data\NetMon\log.txt - Deleted C:\Program Files\ISM\ism.exe - Deleted C:\Program Files\ISM\Uninstall.exe - Deleted C:\WINDOWS\123messenger.per - Deleted C:\WINDOWS\licencia.txt - Deleted C:\WINDOWS\megavid.cdt - Deleted C:\WINDOWS\muotr.so - Deleted C:\WINDOWS\system32\winfrun32.bin - Deleted C:\WINDOWS\telefonos.txt - Deleted C:\WINDOWS\textos.txt - Deleted C:\WINDOWS\Web\def.htm - Deleted Folder C:\Program Files\ISM - Removed Folder C:\Documents and Settings\LocalService\Application Data\NetMon - Removed Folder C:\WINDOWS\PerfInfo - Removed Removing Temp Files ADS Check : Final Check : catchme 0.3.1359.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-05-14 16:38:13 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden services & system hive ... scanning hidden registry entries ... scanning hidden files ... scan completed successfully hidden processes: 0 hidden services: 0 hidden files: 0 Remaining Services : Authorized Application Key Export: [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list] "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabledxpsp2res.dll,-22019" "C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL" "C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL" "C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:AOL" "C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Application Loader" "C:\\Program Files\\America Online 9.0a\\waol.exe"="C:\\Program Files\\America Online 9.0a\\waol.exe:*:Enabled:AOL" "C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"="C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe:*:Enabled:AOLTsMon" "C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"="C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe:*:Enabled:AOLTopSpeed" "C:\\Program Files\\Common Files\\AOL\\1128707666\\EE\\AOLServiceHost.exe"="C:\\Program Files\\Common Files\\AOL\\1128707666\\EE\\AOLServiceHost.exe:*:Enabled:AOL" "C:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"="C:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe:*:Enabled:AOL" "C:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\AOLSP Scheduler.exe"="C:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\AOLSP Scheduler.exe:*:Enabled:AOL" "C:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\asp.exe"="C:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\asp.exe:*:Enabled:AOL" "C:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"="C:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe:*:Enabled:AOL" "C:\\Program Files\\Morpheus\\Morpheus.exe"="C:\\Program Files\\Morpheus\\Morpheus.exe:*:Enabled:M5Shell" "C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger" "C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server" "C:\\Program Files\\Ultima Online 2D\\client.exe"="C:\\Program Files\\Ultima Online 2D\\client.exe:*:Enabled:client" "C:\\Program Files\\EA Games\\Ultima Online 9th Anniversary Collection\\client.exe"="C:\\Program Files\\EA Games\\Ultima Online 9th Anniversary Collection\\client.exe:*:Enabled:Ultima Online Client" "C:\\Program Files\\EA Games\\Ultima Online 9th Anniversary Collection\\uotd.exe"="C:\\Program Files\\EA Games\\Ultima Online 9th Anniversary Collection\\uotd.exe:*:Enabled:Ultima Online 3D Client" "C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire" [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list] "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabledxpsp2res.dll,-22019" "C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL" "C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL" "C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:AOL" Remaining Files : File Backups: - C:\SDFix\backups\backups.zip Files with Hidden Attributes : Mon 28 Jan 2008 1,404,240 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe" Mon 28 Jan 2008 5,146,448 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" Mon 28 Jan 2008 2,097,488 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" Fri 7 Oct 2005 0 A.SH. --- "C:\WINDOWS\SMINST\HPCD.sys" Tue 1 Nov 2005 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak" Wed 22 Aug 2007 294 A..H. --- "C:\Program Files\InterActual\InterActual Player\iti18.tmp" Sat 3 Mar 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp" Wed 7 May 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\385cb67dda0ffd4dea8c0d990dc65796\BIT9.tmp" Wed 14 May 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\c3e13424b5ca403dd00c8550d4b5fddd\BIT380.tmp" Sat 27 May 2006 31,744 ...H. --- "C:\Documents and Settings\Owner\Desktop\Susan's docs\License to go\~WRL0197.tmp" Sat 27 May 2006 32,256 ...H. --- "C:\Documents and Settings\Owner\Desktop\Susan's docs\License to go\~WRL0255.tmp" Sat 27 May 2006 29,184 ...H. --- "C:\Documents and Settings\Owner\Desktop\Susan's docs\License to go\~WRL0267.tmp" Fri 26 May 2006 23,040 ...H. --- "C:\Documents and Settings\Owner\Desktop\Susan's docs\License to go\~WRL0288.tmp" Fri 26 May 2006 25,088 ...H. --- "C:\Documents and Settings\Owner\Desktop\Susan's docs\License to go\~WRL0537.tmp" Fri 26 May 2006 23,552 ...H. --- "C:\Documents and Settings\Owner\Desktop\Susan's docs\License to go\~WRL0547.tmp" Sat 27 May 2006 30,208 ...H. --- "C:\Documents and Settings\Owner\Desktop\Susan's docs\License to go\~WRL0575.tmp" Sat 27 May 2006 32,256 ...H. --- "C:\Documents and Settings\Owner\Desktop\Susan's docs\License to go\~WRL0742.tmp" Fri 26 May 2006 25,088 ...H. --- "C:\Documents and Settings\Owner\Desktop\Susan's docs\License to go\~WRL0976.tmp" Thu 25 May 2006 21,504 ...H. --- "C:\Documents and Settings\Owner\Desktop\Susan's docs\License to go\~WRL1493.tmp" Fri 26 May 2006 26,112 ...H. --- "C:\Documents and Settings\Owner\Desktop\Susan's docs\License to go\~WRL1623.tmp" Fri 26 May 2006 27,136 ...H. --- "C:\Documents and Settings\Owner\Desktop\Susan's docs\License to go\~WRL1649.tmp" Fri 26 May 2006 24,064 ...H. --- "C:\Documents and Settings\Owner\Desktop\Susan's docs\License to go\~WRL1760.tmp" Fri 26 May 2006 25,600 ...H. --- "C:\Documents and Settings\Owner\Desktop\Susan's docs\License to go\~WRL1895.tmp" Thu 25 May 2006 138,240 ...H. --- "C:\Documents and Settings\Owner\Desktop\Susan's docs\License to go\~WRL2423.tmp" Sat 27 May 2006 32,256 ...H. --- "C:\Documents and Settings\Owner\Desktop\Susan's docs\License to go\~WRL2930.tmp" Thu 25 May 2006 179,200 ...H. --- "C:\Documents and Settings\Owner\Desktop\Susan's docs\License to go\~WRL2979.tmp" Sat 27 May 2006 31,744 ...H. --- "C:\Documents and Settings\Owner\Desktop\Susan's docs\License to go\~WRL3162.tmp" Thu 25 May 2006 172,544 ...H. --- "C:\Documents and Settings\Owner\Desktop\Susan's docs\License to go\~WRL3512.tmp" Thu 25 May 2006 250,368 ...H. --- "C:\Documents and Settings\Owner\Desktop\Susan's docs\License to go\~WRL3743.tmp" Sat 27 May 2006 28,160 ...H. --- "C:\Documents and Settings\Owner\Desktop\Susan's docs\License to go\~WRL4035.tmp" Finished! And here is the new hijackthis log: SDFix: Version 1.182 Run by Owner on Wed 05/14/2008 at 04:30 PM Microsoft Windows XP [Version 5.1.2600] Running From: C:\SDFix Checking Services : Name : MsSecurity1.209.4 Path : C:\WINDOWS\winself.exe service MsSecurity1.209.4 - Deleted Restoring Windows Registry Values Restoring Windows Default Hosts File Rebooting Checking Files : Trojan Files Found: C:\WINDOWS\mgwwgmke\1.png - Deleted C:\WINDOWS\mgwwgmke\2.png - Deleted C:\WINDOWS\mgwwgmke\3.png - Deleted C:\WINDOWS\mgwwgmke\4.png - Deleted C:\WINDOWS\mgwwgmke\5.png - Deleted C:\WINDOWS\mgwwgmke\6.png - Deleted C:\WINDOWS\mgwwgmke\7.png - Deleted C:\WINDOWS\mgwwgmke\8.png - Deleted C:\WINDOWS\mgwwgmke\9.png - Deleted C:\WINDOWS\mgwwgmke\bottom-rc.gif - Deleted C:\WINDOWS\mgwwgmke\config.png - Deleted C:\WINDOWS\mgwwgmke\content.png - Deleted C:\WINDOWS\mgwwgmke\download.gif - Deleted C:\WINDOWS\mgwwgmke\frame-bg.gif - Deleted C:\WINDOWS\mgwwgmke\frame-bottom-left.gif - Deleted C:\WINDOWS\mgwwgmke\frame-h1bg.gif - Deleted C:\WINDOWS\mgwwgmke\head.png - Deleted C:\WINDOWS\mgwwgmke\icon.png - Deleted C:\WINDOWS\mgwwgmke\indexwp.html - Deleted C:\WINDOWS\mgwwgmke\main.css - Deleted C:\WINDOWS\mgwwgmke\memory-prots.png - Deleted C:\WINDOWS\mgwwgmke\net.png - Deleted C:\WINDOWS\mgwwgmke\pc.gif - Deleted C:\WINDOWS\mgwwgmke\pc-mag.gif - Deleted C:\WINDOWS\mgwwgmke\poloska1.png - Deleted C:\WINDOWS\mgwwgmke\poloska2.png - Deleted C:\WINDOWS\mgwwgmke\poloska3.png - Deleted C:\WINDOWS\mgwwgmke\promowp1.html - Deleted C:\WINDOWS\mgwwgmke\promowp2.html - Deleted C:\WINDOWS\mgwwgmke\promowp3.html - Deleted C:\WINDOWS\mgwwgmke\promowp4.html - Deleted C:\WINDOWS\mgwwgmke\promowp5.html - Deleted C:\WINDOWS\mgwwgmke\reg.png - Deleted C:\WINDOWS\mgwwgmke\repair.png - Deleted C:\WINDOWS\mgwwgmke\scr-1.png - Deleted C:\WINDOWS\mgwwgmke\scr-2.png - Deleted C:\WINDOWS\mgwwgmke\start.png - Deleted C:\WINDOWS\mgwwgmke\styles.css - Deleted C:\WINDOWS\mgwwgmke\top-rc.gif - Deleted C:\WINDOWS\mgwwgmke\vline.gif - Deleted C:\WINDOWS\mgwwgmke\wp.png - Deleted C:\Documents and Settings\LocalService\Application Data\NetMon\domains.txt - Deleted C:\Documents and Settings\LocalService\Application Data\NetMon\log.txt - Deleted C:\Program Files\ISM\ism.exe - Deleted C:\Program Files\ISM\Uninstall.exe - Deleted C:\WINDOWS\123messenger.per - Deleted C:\WINDOWS\licencia.txt - Deleted C:\WINDOWS\megavid.cdt - Deleted C:\WINDOWS\muotr.so - Deleted C:\WINDOWS\system32\winfrun32.bin - Deleted C:\WINDOWS\telefonos.txt - Deleted C:\WINDOWS\textos.txt - Deleted C:\WINDOWS\Web\def.htm - Deleted Folder C:\Program Files\ISM - Removed Folder C:\Documents and Settings\LocalService\Application Data\NetMon - Removed Folder C:\WINDOWS\PerfInfo - Removed Removing Temp Files ADS Check : Final Check : catchme 0.3.1359.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-05-14 16:38:13 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden services & system hive ... scanning hidden registry entries ... scanning hidden files ... scan completed successfully hidden processes: 0 hidden services: 0 hidden files: 0 Remaining Services : Authorized Application Key Export: [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list] "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabledxpsp2res.dll,-22019" "C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL" "C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL" "C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:AOL" "C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Application Loader" "C:\\Program Files\\America Online 9.0a\\waol.exe"="C:\\Program Files\\America Online 9.0a\\waol.exe:*:Enabled:AOL" "C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"="C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe:*:Enabled:AOLTsMon" "C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"="C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe:*:Enabled:AOLTopSpeed" "C:\\Program Files\\Common Files\\AOL\\1128707666\\EE\\AOLServiceHost.exe"="C:\\Program Files\\Common Files\\AOL\\1128707666\\EE\\AOLServiceHost.exe:*:Enabled:AOL" "C:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"="C:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe:*:Enabled:AOL" "C:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\AOLSP Scheduler.exe"="C:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\AOLSP Scheduler.exe:*:Enabled:AOL" "C:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\asp.exe"="C:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\asp.exe:*:Enabled:AOL" "C:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"="C:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe:*:Enabled:AOL" "C:\\Program Files\\Morpheus\\Morpheus.exe"="C:\\Program Files\\Morpheus\\Morpheus.exe:*:Enabled:M5Shell" "C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger" "C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server" "C:\\Program Files\\Ultima Online 2D\\client.exe"="C:\\Program Files\\Ultima Online 2D\\client.exe:*:Enabled:client" "C:\\Program Files\\EA Games\\Ultima Online 9th Anniversary Collection\\client.exe"="C:\\Program Files\\EA Games\\Ultima Online 9th Anniversary Collection\\client.exe:*:Enabled:Ultima Online Client" "C:\\Program Files\\EA Games\\Ultima Online 9th Anniversary Collection\\uotd.exe"="C:\\Program Files\\EA Games\\Ultima Online 9th Anniversary Collection\\uotd.exe:*:Enabled:Ultima Online 3D Client" "C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire" [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list] "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabledxpsp2res.dll,-22019" "C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL" "C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL" "C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:AOL" Remaining Files : File Backups: - C:\SDFix\backups\backups.zip Files with Hidden Attributes : Mon 28 Jan 2008 1,404,240 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe" Mon 28 Jan 2008 5,146,448 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" Mon 28 Jan 2008 2,097,488 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" Fri 7 Oct 2005 0 A.SH. --- "C:\WINDOWS\SMINST\HPCD.sys" Tue 1 Nov 2005 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak" Wed 22 Aug 2007 294 A..H. --- "C:\Program Files\InterActual\InterActual Player\iti18.tmp" Sat 3 Mar 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp" Wed 7 May 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\385cb67dda0ffd4dea8c0d990dc65796\BIT9.tmp" Wed 14 May 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\c3e13424b5ca403dd00c8550d4b5fddd\BIT380.tmp" Sat 27 May 2006 31,744 ...H. --- "C:\Documents and Settings\Owner\Desktop\Susan's docs\License to go\~WRL0197.tmp" Sat 27 May 2006 32,256 ...H. --- "C:\Documents and Settings\Owner\Desktop\Susan's docs\License to go\~WRL0255.tmp" Sat 27 May 2006 29,184 ...H. --- "C:\Documents and Settings\Owner\Desktop\Susan's docs\License to go\~WRL0267.tmp" Fri 26 May 2006 23,040 ...H. --- "C:\Documents and Settings\Owner\Desktop\Susan's docs\License to go\~WRL0288.tmp" Fri 26 May 2006 25,088 ...H. --- "C:\Documents and Settings\Owner\Desktop\Susan's docs\License to go\~WRL0537.tmp" Fri 26 May 2006 23,552 ...H. --- "C:\Documents and Settings\Owner\Desktop\Susan's docs\License to go\~WRL0547.tmp" Sat 27 May 2006 30,208 ...H. --- "C:\Documents and Settings\Owner\Desktop\Susan's docs\License to go\~WRL0575.tmp" Sat 27 May 2006 32,256 ...H. --- "C:\Documents and Settings\Owner\Desktop\Susan's docs\License to go\~WRL0742.tmp" Fri 26 May 2006 25,088 ...H. --- "C:\Documents and Settings\Owner\Desktop\Susan's docs\License to go\~WRL0976.tmp" Thu 25 May 2006 21,504 ...H. --- "C:\Documents and Settings\Owner\Desktop\Susan's docs\License to go\~WRL1493.tmp" Fri 26 May 2006 26,112 ...H. --- "C:\Documents and Settings\Owner\Desktop\Susan's docs\License to go\~WRL1623.tmp" Fri 26 May 2006 27,136 ...H. --- "C:\Documents and Settings\Owner\Desktop\Susan's docs\License to go\~WRL1649.tmp" Fri 26 May 2006 24,064 ...H. --- "C:\Documents and Settings\Owner\Desktop\Susan's docs\License to go\~WRL1760.tmp" Fri 26 May 2006 25,600 ...H. --- "C:\Documents and Settings\Owner\Desktop\Susan's docs\License to go\~WRL1895.tmp" Thu 25 May 2006 138,240 ...H. --- "C:\Documents and Settings\Owner\Desktop\Susan's docs\License to go\~WRL2423.tmp" Sat 27 May 2006 32,256 ...H. --- "C:\Documents and Settings\Owner\Desktop\Susan's docs\License to go\~WRL2930.tmp" Thu 25 May 2006 179,200 ...H. --- "C:\Documents and Settings\Owner\Desktop\Susan's docs\License to go\~WRL2979.tmp" Sat 27 May 2006 31,744 ...H. --- "C:\Documents and Settings\Owner\Desktop\Susan's docs\License to go\~WRL3162.tmp" Thu 25 May 2006 172,544 ...H. --- "C:\Documents and Settings\Owner\Desktop\Susan's docs\License to go\~WRL3512.tmp" Thu 25 May 2006 250,368 ...H. --- "C:\Documents and Settings\Owner\Desktop\Susan's docs\License to go\~WRL3743.tmp" Sat 27 May 2006 28,160 ...H. --- "C:\Documents and Settings\Owner\Desktop\Susan's docs\License to go\~WRL4035.tmp" Finished! Your awesome! Justin
