Hi ladies and gents, hope everyone is having a merry Christmas! Mines would be much merrier if someone can help me out getting rid of a Virtumonde virus! Here's my hijackthis log! Thanks in advance, Monica Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 3:09:54 PM, on 12/25/2007 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16574) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe C:\Program Files\Dell\Bluetooth Software\bin\btwdins.exe C:\Program Files\Common Files\LightScribe\LSSrvc.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Viewpoint\Common\ViewpointService.exe C:\WINDOWS\System32\WLTRYSVC.EXE C:\WINDOWS\System32\bcmwltry.exe C:\WINDOWS\system32\fxssvc.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\Documents and Settings\Mop\Desktop\HiJackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn1\yt.dll F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,rfjmoko.exe N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\MOP\Application Data\Mozilla\Profiles\default\cy7nnxh8.slt\prefs.js) O1 - Hosts: 80.190.241.30 home.edonkey.com O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn1\yt.dll O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Common Files\Viewpoint\Toolbar Runtime\3.8.0\IEViewBar.dll O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto O4 - HKLM\..\RunOnce: [SpybotDeletingA8511] command /c del "C:\WINDOWS\SYSTEM32\hgdbb.dll_tobedeleted" O4 - HKLM\..\RunOnce: [SpybotDeletingC7017] cmd /c del "C:\WINDOWS\SYSTEM32\hgdbb.dll_tobedeleted" O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck O4 - HKLM\..\RunOnce: [SpybotDeletingA1444] command /c del "C:\WINDOWS\SYSTEM32\hgdbb.dll_tobedeleted" O4 - HKLM\..\RunOnce: [SpybotDeletingC2749] cmd /c del "C:\WINDOWS\SYSTEM32\hgdbb.dll_tobedeleted" O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\RunOnce: [SpybotDeletingB3348] command /c del "C:\WINDOWS\SYSTEM32\hgdbb.dll_tobedeleted" O4 - HKCU\..\RunOnce: [SpybotDeletingD9562] cmd /c del "C:\WINDOWS\SYSTEM32\hgdbb.dll_tobedeleted" O4 - HKCU\..\RunOnce: [SpybotDeletingB3622] command /c del "C:\WINDOWS\SYSTEM32\hgdbb.dll_tobedeleted" O4 - HKCU\..\RunOnce: [SpybotDeletingD6478] cmd /c del "C:\WINDOWS\SYSTEM32\hgdbb.dll_tobedeleted" O4 - HKCU\..\Policies\Explorer\Run: [{90C69C38-0702-1033-1008-040410220001}] "C:\Program Files\Common Files\{90C69C38-0702-1033-1008-040410220001}\Update.exe" mc-110-12-0000140 O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE') O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user') O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000 O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\Dell\Bluetooth Software\btsendto_ie_ctx.htm O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing) O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,84/mcinsctl.cab O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1198454246261 O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5175/mcfscan.cab O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\Dell\Bluetooth Software\bin\btwdins.exe O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE O24 - Desktop Component 0: (no name) - C:\Program Files\Windows NT\kyzexet.html O24 - Desktop Component 1: (no name) - C:\Program Files\Online Services\howyvyran.html -- End of file - 9824 bytes
Reboot into safe mode, run hijackThis, place check marks next to the items listed below. Click, fix checked. Reboot. Let me know how the PC is running, so far. This will take a few steps to straighten out. Pretty good mess! O1 - Hosts: 80.190.241.30 home.edonkey.com F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,rfjmoko.exe IF YOU DO NOT RECOGNIZED THIS, REMOVE IT. N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_0 1.src"); (C:\Documents and Settings\MOP\Application Data\Mozilla\Profiles\default\cy7nnxh8.slt\prefs.js) O4 - HKLM\..\RunOnce: [SpybotDeletingA8511] command /c del "C:\WINDOWS\SYSTEM32\hgdbb.dll_tobedeleted O4 - HKLM\..\RunOnce: [SpybotDeletingC7017] cmd /c del "C:\WINDOWS\SYSTEM32\hgdbb.dll_tobedeleted" O4 - HKLM\..\RunOnce: [SpybotDeletingA1444] command /c del "C:\WINDOWS\SYSTEM32\hgdbb.dll_tobedeleted" O4 - HKLM\..\RunOnce: [SpybotDeletingC2749] cmd /c del "C:\WINDOWS\SYSTEM32\hgdbb.dll_tobedeleted" O4 - HKCU\..\RunOnce: [SpybotDeletingB3348] command /c del "C:\WINDOWS\SYSTEM32\hgdbb.dll_tobedeleted" O4 - HKCU\..\RunOnce: [SpybotDeletingD9562] cmd /c del "C:\WINDOWS\SYSTEM32\hgdbb.dll_tobedeleted" O4 - HKCU\..\RunOnce: [SpybotDeletingB3622] command /c del "C:\WINDOWS\SYSTEM32\hgdbb.dll_tobedeleted" O4 - HKCU\..\RunOnce: [SpybotDeletingD6478] cmd /c del "C:\WINDOWS\SYSTEM32\hgdbb.dll_tobedeleted" O4 - HKCU\..\Policies\Explorer\Run: [{90C69C38-0702-1033-1008-040410220001}] "C:\Program Files\Common Files\{90C69C38-0702-1033-1008-040410220001}\Update.exe" mc-110-12-0000140 O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing) O24 - Desktop Component 0: (no name) - C:\Program Files\Windows NT\kyzexet.html O24 - Desktop Component 1: (no name) - C:\Program Files\Online Services\howyvyran.html
I've deleted everything in the checkmark! Here's my new HiJackThis Log! Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 12:46:44 PM, on 12/26/2007 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16574) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe C:\Program Files\Dell\Bluetooth Software\bin\btwdins.exe C:\Program Files\Common Files\LightScribe\LSSrvc.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\WLTRYSVC.EXE C:\WINDOWS\System32\bcmwltry.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\wuauclt.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\Documents and Settings\Mop\Desktop\HiJackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn1\yt.dll N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\MOP\Application Data\Mozilla\Profiles\default\cy7nnxh8.slt\prefs.js) O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn1\yt.dll O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Policies\Explorer\Run: [{90C69C38-0702-1033-1008-040410220001}] "C:\Program Files\Common Files\{90C69C38-0702-1033-1008-040410220001}\Update.exe" mc-110-12-0000140 O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE') O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user') O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000 O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\Dell\Bluetooth Software\btsendto_ie_ctx.htm O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,84/mcinsctl.cab O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1198454246261 O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5175/mcfscan.cab O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\Dell\Bluetooth Software\bin\btwdins.exe O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe O23 - Service: Viewpoint Manager Service - Unknown owner - C:\Program Files\Viewpoint\Common\ViewpointService.exe (file missing) O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE -- End of file - 8002 bytes
Here's the vundoFix tool. http://www.majorgeeks.com/download4954.html After running the Vundo removal tool. How's the PC running, so far? Any odd behavior? Any pop-ups, or strange icons in system tray? Virus warnings? Sluggist operation?
I ran Vundofix but it doesn't find anything. But when I run Spybot Search And Destroy, I keep on getting the Virtumonde(c:/windows/system32/hgdbb.dll) virus that it can't remove because another program is using it. Even in safe mode I can't remove it. But my computer is running a little better now, but every once in awhile like maybe half an hour, i get a pop up.
Make sure you have removed this. O4 - HKCU\..\Policies\Explorer\Run: [{90C69C38-0702-1033-1008-040410220001}] "C:\Program Files\Common Files\{90C69C38-0702-1033-1008-040410220001}\Update.exe" mc-110-12-0000140 Next, download ComboFix, follow the instructions. Post log. http://forums.majorgeeks.com/showthread.php?t=134965 Are the pop-ups gone?
Just finished running Combofix, that was an impressive program! Hopefully my system is clear! Here's the log! ComboFix 07-12-21.4 - Mop 2007-12-27 0:35:07.1 - NTFSx86 Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.596 [GMT -8:00] Running from: C:\Documents and Settings\Mop\Desktop\ComboFix.exe * Created a new restore point . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . C:\Documents and Settings\Mop\Application Data\Dxcdmns.dll C:\Program Files\Common Files\{90C69~1 C:\Program Files\racle~1 C:\Temp\1cb C:\Temp\1cb\syscheck.log C:\Temp\bkR11 C:\Temp\bkR11\ftCa.log C:\temp\tn3 C:\WINDOWS\crosof~1 C:\WINDOWS\SYSTEM32\bbdgh.ini C:\WINDOWS\SYSTEM32\bbdgh.ini2 C:\WINDOWS\system32\hgdbb.dll C:\WINDOWS\system32\pac.txt C:\WINDOWS\system32\zxdnt3d.cfg C:\x.dat C:\z.dat . ((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))) . -------\LEGACY_CMDSERVICE -------\LEGACY_CORE -------\LEGACY_NETWORK_MONITOR -------\LEGACY_WINDOWS_OVERLAY_COMPONENTS ((((((((((((((((((((((((( Files Created from 2007-11-27 to 2007-12-27 ))))))))))))))))))))))))))))))) . 2007-12-27 00:13 . 2007-12-27 00:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files 2007-12-26 00:14 . 2007-12-26 00:14 <DIR> d-------- C:\Program Files\Opera 9.5 beta 2007-12-25 23:19 . 2007-12-25 23:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ESET 2007-12-25 22:53 . 2007-12-25 23:02 121 --a------ C:\WINDOWS\bdagent.INI 2007-12-25 22:00 . 2007-12-25 23:03 <DIR> d-------- C:\Program Files\Common Files\BitDefender 2007-12-25 20:18 . 2007-12-25 20:21 <DIR> d-------- C:\Program Files\XoftSpySE 2007-12-25 17:35 . 2007-12-25 17:34 102,664 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\tmcomm.sys 2007-12-25 17:34 . 2007-12-25 17:36 <DIR> d-------- C:\Documents and Settings\Mop\.housecall6.6 2007-12-25 13:52 . 2007-12-25 19:35 <DIR> d-------- C:\VundoFix Backups 2007-12-25 11:45 . 2007-12-24 12:13 98,368 --a------ C:\WINDOWS\SYSTEM32\aaoatgkj.dll 2007-12-25 11:45 . 2007-12-25 11:44 2,509 --a------ C:\WINDOWS\SYSTEM32\aaoatgkj.xml 2007-12-25 11:40 . 2007-12-24 12:13 98,368 --a------ C:\WINDOWS\SYSTEM32\sxgefkbk.dll 2007-12-25 11:40 . 2007-12-25 11:44 2,509 --a------ C:\WINDOWS\SYSTEM32\sxgefkbk.xml 2007-12-24 23:20 . 2007-12-24 12:13 98,368 --a------ C:\WINDOWS\SYSTEM32\nyirledu.dll 2007-12-24 23:20 . 2007-12-24 23:17 2,509 --a------ C:\WINDOWS\SYSTEM32\nyirledu.xml 2007-12-24 23:11 . 2007-12-24 12:13 98,368 --a------ C:\WINDOWS\SYSTEM32\wuvgbcoz.dll 2007-12-24 23:11 . 2007-12-24 23:17 2,509 --a------ C:\WINDOWS\SYSTEM32\wuvgbcoz.xml 2007-12-24 14:16 . 2007-12-24 12:13 98,368 --a------ C:\WINDOWS\SYSTEM32\ywpufqyx.dll 2007-12-24 14:16 . 2007-12-24 23:09 2,509 --a------ C:\WINDOWS\SYSTEM32\ywpufqyx.xml 2007-12-24 13:33 . 2007-12-24 12:13 98,368 --a------ C:\WINDOWS\SYSTEM32\ncxeapgh.dll 2007-12-24 13:33 . 2007-12-24 13:41 2,509 --a------ C:\WINDOWS\SYSTEM32\ncxeapgh.xml 2007-12-24 12:52 . 2007-12-24 12:13 98,368 --a------ C:\WINDOWS\SYSTEM32\ikcphowe.dll 2007-12-24 12:52 . 2007-12-24 13:28 2,509 --a------ C:\WINDOWS\SYSTEM32\ikcphowe.xml 2007-12-24 12:42 . 2007-12-24 12:13 98,368 --a------ C:\WINDOWS\SYSTEM32\tzsuxmgl.dll 2007-12-24 12:42 . 2007-12-24 12:41 2,509 --a------ C:\WINDOWS\SYSTEM32\tzsuxmgl.xml 2007-12-24 12:13 . 2007-12-24 12:41 2,509 --a------ C:\WINDOWS\SYSTEM32\wcjpoebt.xml 2007-12-24 12:13 . 2007-12-25 11:42 22 --a------ C:\WINDOWS\pskt.ini 2007-12-24 12:12 . 2007-12-24 12:13 98,368 --a------ C:\WINDOWS\SYSTEM32\wcjpoebt.dll 2007-12-23 23:07 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\SYSTEM32\mucltui.dll 2007-12-23 23:07 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\SYSTEM32\mucltui.dll.mui 2007-12-13 00:14 . 2007-12-25 13:48 143 --a------ C:\WINDOWS\SYSTEM32\mcrh.tmp 2007-12-11 21:59 . 2007-12-11 22:34 1,393 --a------ C:\WINDOWS\imsins.BAK 2007-12-06 23:15 . 2007-12-06 23:15 268 --ah----- C:\sqmdata01.sqm 2007-12-06 23:15 . 2007-12-06 23:15 244 --ah----- C:\sqmnoopt01.sqm 2007-12-04 16:16 . 2007-12-04 16:16 552 --a------ C:\WINDOWS\SYSTEM32\d3d8caps.dat 2007-12-04 14:27 . 2007-12-04 14:27 <DIR> d-------- C:\Program Files\CCleaner 2007-12-03 00:19 . 2007-12-03 00:19 <DIR> d-------- C:\WINDOWS\McAfee.com 2007-12-03 00:13 . 2007-12-03 00:14 <DIR> d-------- C:\WINDOWS\SYSTEM32\ActiveScan 2007-12-03 00:13 . 2007-12-03 00:13 30,590 --a------ C:\WINDOWS\SYSTEM32\pavas.ico 2007-12-03 00:13 . 2007-12-03 00:13 2,550 --a------ C:\WINDOWS\SYSTEM32\Uninstall.ico 2007-12-03 00:13 . 2007-12-03 00:13 1,406 --a------ C:\WINDOWS\SYSTEM32\Help.ico 2007-12-02 21:53 . 2007-12-05 02:55 <DIR> d-------- C:\WINDOWS\SYSTEM32\mm6 2007-12-02 21:53 . 2007-12-05 02:55 <DIR> d-------- C:\WINDOWS\SYSTEM32\hv2 2007-12-02 21:53 . 2007-12-02 22:47 <DIR> d-------- C:\WINDOWS\SYSTEM32\dr1 2007-12-02 21:53 . 2007-12-02 23:19 <DIR> d-------- C:\WINDOWS\SYSTEM32\daSgo18 2007-12-02 21:53 . 2007-12-02 21:53 134 --a------ C:\n.bat 2007-12-02 21:32 . 2007-12-02 21:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Receipts 2007-12-02 21:28 . 2007-12-02 21:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Ultima_T15 2007-12-02 21:28 . 2007-12-02 21:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\EnterNHelp 2007-12-02 21:28 . 2007-12-25 02:06 20 ---h----- C:\Documents and Settings\All Users\Application Data\PKP_DLbz.DAT 2007-12-02 21:27 . 2007-12-02 21:27 <DIR> d-------- C:\Program Files\Nikon 2007-12-02 21:27 . 2007-12-11 13:34 <DIR> d-------- C:\Program Files\Common Files\Nikon 2007-12-02 21:27 . 2007-12-11 13:34 <DIR> d-------- C:\Documents and Settings\Mop\Application Data\Nikon . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2007-12-27 08:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grisoft 2007-12-27 05:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink 2007-12-25 21:32 --------- d-----w C:\Program Files\Azureus 2007-12-25 19:49 --------- d-----w C:\Documents and Settings\Mop\Application Data\AVG7 2007-12-24 20:57 --------- d-----w C:\Program Files\eMule 2007-12-24 20:52 --------- d-----w C:\Documents and Settings\Mop\Application Data\wsInspector 2007-12-22 21:49 --------- d-----w C:\Documents and Settings\Mop\Application Data\dvdcss 2007-12-07 09:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy 2007-12-03 05:27 --------- d--h--w C:\Program Files\InstallShield Installation Information 2007-11-21 04:18 --------- d-----w C:\Program Files\DVDFab HD Decrypter 4 2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys 2007-04-24 06:38 92,064 ----a-w C:\Documents and Settings\Mop\mqdmmdm.sys 2007-04-24 06:38 9,232 ----a-w C:\Documents and Settings\Mop\mqdmmdfl.sys 2007-04-24 06:38 79,328 ----a-w C:\Documents and Settings\Mop\mqdmserd.sys 2007-04-24 06:38 66,656 ----a-w C:\Documents and Settings\Mop\mqdmbus.sys 2007-04-24 06:38 6,208 ----a-w C:\Documents and Settings\Mop\mqdmcmnt.sys 2007-04-24 06:38 5,936 ----a-w C:\Documents and Settings\Mop\mqdmwhnt.sys 2007-04-24 06:38 4,048 ----a-w C:\Documents and Settings\Mop\mqdmcr.sys 2007-04-24 06:38 25,600 ----a-w C:\Documents and Settings\Mop\usbsermptxp.sys 2007-04-24 06:38 22,768 ----a-w C:\Documents and Settings\Mop\usbsermpt.sys 2005-05-14 00:12 217,073 --sha-r C:\WINDOWS\meta4.exe 2005-10-24 18:13 66,560 --sha-r C:\WINDOWS\MOTA113.exe 2005-10-14 04:27 422,400 --sha-r C:\WINDOWS\x2.64.exe 2005-10-08 02:14 308,224 --sha-r C:\WINDOWS\SYSTEM32\avisynth.dll 2005-07-14 19:31 27,648 --sha-r C:\WINDOWS\SYSTEM32\AVSredirect.dll 2005-06-26 22:32 616,448 --sha-r C:\WINDOWS\SYSTEM32\cygwin1.dll 2005-06-22 05:37 45,568 --sha-r C:\WINDOWS\SYSTEM32\cygz.dll 2004-01-25 07:00 70,656 --sha-r C:\WINDOWS\SYSTEM32\i420vfw.dll 2006-04-27 17:24 2,945,024 --sha-r C:\WINDOWS\SYSTEM32\Smab.dll 2005-02-28 20:16 240,128 --sha-r C:\WINDOWS\SYSTEM32\x.264.exe 2004-01-25 07:00 70,656 --sha-r C:\WINDOWS\SYSTEM32\yv12vfw.dll . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:00] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [2003-11-19 15:48] "TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-06-06 12:38] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2007-05-29 17:34] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\iiffgdb] iiffgdb.dll [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk] path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk] path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk] path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk backup=C:\WINDOWS\pss\America Online 9.0 Tray Icon.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BTTray.lnk] path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\BTTray.lnk backup=C:\WINDOWS\pss\BTTray.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk] path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk backup=C:\WINDOWS\pss\Digital Line Detect.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Image Transfer.lnk] path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Image Transfer.lnk backup=C:\WINDOWS\pss\Image Transfer.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk] path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Mop^Start Menu^Programs^Startup^TA_Start.lnk] path=C:\Documents and Settings\Mop\Start Menu\Programs\Startup\TA_Start.lnk backup=C:\WINDOWS\pss\TA_Start.lnkStartup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\!AVG Anti-Spyware] C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe /minimized [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\7755347A6A077D595455] Rundll32.exe C:\WINDOWS\system32\aaoatgkj.dll,s [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6] C:\Program Files\AIM6\aim6.exe /d locale=en-US ee://aol/imApp [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA] 2004-10-06 19:10 344064 --a------ C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe] 2004-08-04 03:00 15360 --a------ C:\WINDOWS\system32\ctfmon.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell QuickSet] 2004-09-27 09:52 610304 --a------ C:\Program Files\Dell\QuickSet\quickset.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher] 2004-04-11 09:43 53248 --------- C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager] 2005-08-02 11:33 159832 --a------ C:\Program Files\Common Files\AOL\1125370106\ee\AOLHostManager.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper] 2007-08-15 19:15 271672 --a------ C:\Program Files\iTunes\iTunesHelper.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask] 2005-03-15 07:58 53248 --a------ C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MoneyAgent] 2003-06-18 10:00 200704 --a------ C:\Program Files\Microsoft Money\System\mnyexpr.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS] C:\Program Files\Messenger\msmsgs.exe /background [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBJ] 2005-05-19 18:38 1957888 --------- C:\PROGRA~1\Ahead\NEROBA~1\NBJ.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck] 2001-07-09 10:50 155648 --a------ C:\WINDOWS\system32\NeroCheck.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck] 2001-07-09 10:50 155648 --a------ C:\WINDOWS\system32\NeroCheck.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService] 2004-04-11 18:15 290816 --------- C:\Program Files\Dell\Media Experience\PCMService.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PSPVideo9] C:\Program Files\pspvideo9\pspVideo9.exe -t [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task] C:\Program Files\QuickTime\qttask.exe -atboottime [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SQ931STI] 2007-01-24 13:24 151552 --a------ C:\WINDOWS\SQ931STI.EXE [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot S3 motccgp;Motorola USB Composite Device Driver;C:\WINDOWS\system32\DRIVERS\motccgp.sys [2007-02-27 13:31] S3 motccgpfl;MotCcgpFlService;C:\WINDOWS\system32\DRIVERS\motccgpfl.sys [2007-01-23 18:03] S3 motmodem;Motorola USB CDC ACM Driver;C:\WINDOWS\system32\DRIVERS\motmodem.sys [2007-02-27 13:31] S3 motport;Motorola USB Diagnostic Port;C:\WINDOWS\system32\DRIVERS\motport.sys [2007-02-27 13:31] S3 SQ931;Zoom 2.0 Webcam;C:\WINDOWS\system32\Drivers\Capt931a.sys [2007-01-25 10:07] S3 w600bus;Sony Ericsson W600 driver (WDM);C:\WINDOWS\system32\DRIVERS\w600bus.sys [] S3 w600mdfl;Sony Ericsson W600 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\w600mdfl.sys [] S3 w600mdm;Sony Ericsson W600 USB WMC Modem Drivers;C:\WINDOWS\system32\DRIVERS\w600mdm.sys [] S3 w600mgmt;Sony Ericsson W600 USB WMC Device Management Drivers;C:\WINDOWS\system32\DRIVERS\w600mgmt.sys [] S3 w600obex;Sony Ericsson W600 USB WMC OBEX Interface Drivers;C:\WINDOWS\system32\DRIVERS\w600obex.sys [] . Contents of the 'Scheduled Tasks' folder "2007-12-27 08:44:56 C:\WINDOWS\Tasks\XoftSpySE 2.job" - C:\Program Files\XoftSpySE\XoftSpy.exe "2007-12-26 04:18:56 C:\WINDOWS\Tasks\XoftSpySE.job" - C:\Program Files\XoftSpySE\XoftSpy.exe . ************************************************************************** catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2007-12-27 00:45:45 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... C:\WINDOWS\TEMP scan completed successfully hidden files: 1 ************************************************************************** . Completion time: 2007-12-27 0:47:23 - machine was rebooted . 2007-12-25 03:30:04 --- E O F ---
Just deleted those logs! Heres my new HiJackthis Log! *cross fingers* Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 11:14:10 PM, on 12/27/2007 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16574) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe C:\Program Files\Dell\Bluetooth Software\bin\btwdins.exe C:\Program Files\Common Files\LightScribe\LSSrvc.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\WLTRYSVC.EXE C:\WINDOWS\System32\bcmwltry.exe C:\WINDOWS\System32\svchost.exe C:\Documents and Settings\Mop\Desktop\HiJackThis.exe C:\WINDOWS\system32\wuauclt.exe R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\MOP\Application Data\Mozilla\Profiles\default\cy7nnxh8.slt\prefs.js) O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE') O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user') O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000 O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\Dell\Bluetooth Software\btsendto_ie_ctx.htm O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,84/mcinsctl.cab O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1198454246261 O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5175/mcfscan.cab O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\Dell\Bluetooth Software\bin\btwdins.exe O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe O23 - Service: Viewpoint Manager Service - Unknown owner - C:\Program Files\Viewpoint\Common\ViewpointService.exe (file missing) O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE -- End of file - 7142 bytes
*high fives* Thanks Quick Draw for all of your help! My computer is even faster than it has ever been before, and I thank you for it! Thanks! People like you make this forum GGGGreat!
Great! Make sure you OS is fully updated. http://www.update.microsoft.com/microsoftupdate/v6/default.aspx?ln=en-us Run a registry cleaner, here's a good one. It's free! http://www.filehippo.com/download_ccleaner/ Run Disc Cleanup and Disc Defragmenter. Run Windows File Protection to make sure everything is in it's proper place. Start>Run> type, sfc /scanonce. Reboot. This program will take about 20 minutes to run. Happy New Year!
