hijackthis help

Question

lirts 0 Newbie Poster

15 Years Ago

I have this antivirus 2009 thing and I can seem to get it to go away. I used some antispyware programs to try and get rid of it but none of them helped. I also ran Malwarebytes and It's picked up over 80 things. Is it reliable to use it?

Heres my hijackthis log. It was run in safe mode. Should I do it in normal mode too?

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:11:20 AM, on 1/30/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O1 - Hosts: 91.207.117.244 browser-security.microsoft.com
O1 - Hosts: 91.207.117.244 browser-security.microsoft.com
O1 - Hosts: 91.207.117.244 browser-security.microsoft.com
O1 - Hosts: 91.207.117.244 browser-security.microsoft.com
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [Windows Logon Applicationedc] C:\Documents and Settings\John Yager\winlogon.exe
O4 - HKLM\..\Run: [Yruzuyajasuqe] rundll32.exe "C:\WINDOWS\Lfudas.dll",e
O4 - HKLM\..\Run: [Vtikolu] rundll32.exe "C:\WINDOWS\egeyifan.dll",e
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [jsf8uiw3jnjgffght] C:\DOCUME~1\JOHNYA~1\LOCALS~1\Temp\winlognn.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [winlogon] C:\Documents and Settings\Administrator\svchost.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [40a2b6df] rundll32.exe "C:\WINDOWS\system32\qwonsklj.dll",b
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [tezrtsjhfr84iusjfo84f] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\csrssc.exe
O4 - HKCU\..\Run: [winlogon] C:\Documents and Settings\Administrator\svchost.exe
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Startup: userinit.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O9 - Extra button: Research - {92780b25-18cc-41c8-b9be-3c9c571a8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {fb5f1910-f110-11d2-bb9e-00c04f795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {fb5f1910-f110-11d2-bb9e-00c04f795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1233020729500
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
O16 - DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} (GMNRev Class) - http://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O20 - AppInit_DLLs: fbkgfw.dll zjhnqe.dll tvqazz.dll
O22 - SharedTaskScheduler: jgzfkj9w38rksndfi7r4 - {C5BF49A2-94F3-42BD-F434-3604812C8955} - C:\WINDOWS\system32\hgdfeeeh4fdg.dll
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Google Update Service (gupdate1c9827a501a2422) (gupdate1c9827a501a2422) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\shared\hpqwmi.exe
O23 - Service: PC Tools Auxiliary Service (sdauxservice) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdcoreservice) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe

--
End of file - 7619 bytes

windows-virus

2 Contributors
10 Replies
192 Views
3 Days Discussion Span
Latest Post 15 Years Ago Latest Post by lirts

All 10 Replies

jholland1964 650 Posting Expert

15 Years Ago

Malwarebytes and It's picked up over 80 things. Is it reliable to use it?

There is NO WAY we would recommend something that was not reliable. This is the most commonly recommended removal tool here today. If it found 80+ items then they need to be removed by that program. BUT, be sure to UPDATE it again before you run the new scan, it has very frequent updates, sometimes more than once a day.
The latest verision as of 1/30/2009 noon EST is version 1.33 and the data base version is 1708.
Do a Full System scan with it again, AFTER updating, and have it REMOVE EVERYTHING found. Save the log and post it here.
Reboot the computer AFTER the removal and run a new HiJackThis scan and post that new log here also.
You said you used "some antispyware programs" also, what were those programs and what did they find?
Where are you located by the way? Who is your internet provider? I only ask because of some of the listings in your HJT log. I need to know if they are legitimate or part of your infections.

Why isn't your anti-virus program running?
Turn off Spyware Doctor, Malwarebytes, they are NOT anti-virus programs. It appears that your anti-virus program is Antivir, is that correct?

jholland1964 650 Posting Expert

15 Years Ago

It appears the computer was not rebooted after your Malwarebytes' scan. This should always be done.
SpywareBlaster is NOT a removal program or a scanner program, it is a protection program only.
Antivir is your on board antivirus program, that should ALWAYS be the very first program you use for scanning when you suspect a problem.
Please UPDATE Antivir and run a Full System scan with it. Have it quarantine/remove everything it finds.
Malwarebytes' HAS to be installed to run it, it is a program. It shows in your log. If you uninstalled it then reinstall it and UPDATE, then run a Full System Scan with it. Have it REMOVE whatever is found.

REBOOT the system and run HiJackThis again.
Place check marks next to the following entries if they remain

R3 - Default URLSearchHook is missing
O1 - Hosts: 91.207.117.244 browser-security.microsoft.com
O1 - Hosts: 91.207.117.244 browser-security.microsoft.com
O1 - Hosts: 91.207.117.244 browser-security.microsoft.com
O1 - Hosts: 91.207.117.244 browser-security.microsoft.com
O2 - BHO: (no name) - {9c464e29-5ba9-4b60-9fe7-d5625af82930} - C:\WINDOWS\system32\hgGvtRJC.dll (file missing)

O20 - AppInit_DLLs: fbkgfw.dll zjhnqe.dll tvqazz.dll
O20 - Winlogon Notify: hgGvtSLD - hgGvtSLD.dll (file missing)
O20 - Winlogon Notify: opnkhebA - opnkhebA.dll (file missing)
O20 - Winlogon Notify: qomefywu - qoMeFywu.dll (file missing)

Once you have placed the check marks then click the Fix Checked button.
Exit HJT.
REBOOT. Run another scan with HJT and save the log.
Post back here with the MBA-M log and the NEW HJT log.
Judy

jholland1964 650 Posting Expert

15 Years Ago

Be sure to REBOOT the computer AFTER Malwarebytes' is complete and has done it's removal.
When it reboots then please also run a new HJT scan and post that log along with the MBA-M log
Judy

Reply to this topic

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.

lirts 0 Newbie Poster · Answer 1 · 2009-01-31T00:27:09+00:00

I have used a lot, AVG, Avast!, Spyware Doctor, Windows Defender, Ad-Aware, ThreatFire, SpywareBlaster, Avira (haven't scanned with this one), Noron Security Scan (this one wasn't working at all so it hasn't scanned anything) and a few others that I can't remember at the moment.

Spyware Doctor and Norton Security Scan came with a Google pack which included Google Chrome and Adobe Reader 8.

Not all of them are installed but I've used them. The only ones installed are Windows Defender, SpywareBlaster, Avira, and Spyware Doctor.

Avira is the anti-virus program.

I'm located in Wisconsin and this is a wireless connection at the public library where I live.

Heres the new hijackthis log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:39:32 PM, on 1/30/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avcenter.exe
c:\program files\avira\antivir personaledition classic\avscan.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O1 - Hosts: 91.207.117.244 browser-security.microsoft.com
O1 - Hosts: 91.207.117.244 browser-security.microsoft.com
O1 - Hosts: 91.207.117.244 browser-security.microsoft.com
O1 - Hosts: 91.207.117.244 browser-security.microsoft.com
O2 - BHO: (no name) - {9c464e29-5ba9-4b60-9fe7-d5625af82930} - C:\WINDOWS\system32\hgGvtRJC.dll (file missing)
O2 - BHO: Windows Live Toolbar Helper - {bdbd1dad-c946-4a17-adc1-64b5b4ff55d0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O9 - Extra button: Research - {92780b25-18cc-41c8-b9be-3c9c571a8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {fb5f1910-f110-11d2-bb9e-00c04f795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {fb5f1910-f110-11d2-bb9e-00c04f795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1233020729500
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
O16 - DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} (GMNRev Class) - http://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O20 - AppInit_DLLs: fbkgfw.dll zjhnqe.dll tvqazz.dll
O20 - Winlogon Notify: hgGvtSLD - hgGvtSLD.dll (file missing)
O20 - Winlogon Notify: opnkhebA - opnkhebA.dll (file missing)
O20 - Winlogon Notify: qomefywu - qoMeFywu.dll (file missing)
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Google Update Service (gupdate1c9827a501a2422) (gupdate1c9827a501a2422) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\shared\hpqwmi.exe
O23 - Service: PC Tools Auxiliary Service (sdauxservice) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdcoreservice) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe

--
End of file - 7121 bytes

lirts 0 Newbie Poster · Answer 2 · 2009-01-31T02:10:49+00:00

Here's my newest hijackthis log, i'll have a malware log once it's finished.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:06:39 PM, on 1/30/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\SYSTEM32\Ati2evxx.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\HPQ\shared\hpqwmi.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\WINDOWS\SYSTEM32\rundll32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.hp.com/
O2 - BHO: Windows Live Toolbar Helper - {bdbd1dad-c946-4a17-adc1-64b5b4ff55d0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [sysguard] C:\WINDOWS\sysguard.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [jsf8uiw3jnjgffght] C:\DOCUME~1\JOHNYA~1\LOCALS~1\Temp\winlognn.exe
O4 - HKCU\..\Run: [[system]] C:\WINDOWS\system32\drivers\services.exe
O4 - HKCU\..\Run: [winlogon] C:\Documents and Settings\John Yager\svchost.exe
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Startup: explorer.exe
O4 - Startup: userinit.exe
O8 - Extra context menu item: &windows live search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: add to windows &live favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780b25-18cc-41c8-b9be-3c9c571a8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {fb5f1910-f110-11d2-bb9e-00c04f795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {fb5f1910-f110-11d2-bb9e-00c04f795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1233020729500
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
O16 - DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} (GMNRev Class) - http://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Google Update Service (gupdate1c9827a501a2422) (gupdate1c9827a501a2422) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\shared\hpqwmi.exe

--
End of file - 6756 bytes

lirts 0 Newbie Poster · Answer 3 · 2009-01-31T03:24:05+00:00

Alright, heres the most up to date hijackthis log and the newest malwarebytes log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:16:09 PM, on 1/30/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\SYSTEM32\Ati2evxx.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\HPQ\shared\hpqwmi.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.hp.com/
O2 - BHO: Windows Live Toolbar Helper - {bdbd1dad-c946-4a17-adc1-64b5b4ff55d0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [sysguard] C:\WINDOWS\sysguard.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [jsf8uiw3jnjgffght] C:\DOCUME~1\JOHNYA~1\LOCALS~1\Temp\winlognn.exe
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O8 - Extra context menu item: &windows live search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: add to windows &live favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780b25-18cc-41c8-b9be-3c9c571a8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {fb5f1910-f110-11d2-bb9e-00c04f795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {fb5f1910-f110-11d2-bb9e-00c04f795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1233020729500
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
O16 - DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} (GMNRev Class) - http://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Google Update Service (gupdate1c9827a501a2422) (gupdate1c9827a501a2422) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\shared\hpqwmi.exe

--
End of file - 6393 bytes

~~~~~~~~~~~~~~~~~~~~~

Malwarebytes' Anti-Malware 1.33
Database version: 1709
Windows 5.1.2600 Service Pack 3

1/30/2009 3:10:52 PM
mbam-log-2009-01-30 (15-10-52).txt

Scan type: Full Scan (C:\|)
Objects scanned: 91720
Time elapsed: 1 hour(s), 17 minute(s), 44 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 4
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 36

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\tvqazz.dll (Trojan.Vundo) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{c31f5d96-0a79-48c6-abf8-7f3bf3854320} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{c5bf49a2-94f3-42bd-f434-3604812c8955} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\a3c2c4ed (Backdoor.Rustock) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\instkey (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\[system] (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\tvqazz.dll (Trojan.Vundo) -> Delete on reboot.
C:\Avenger\beep.sys (Backdoor.Rustock) -> Quarantined and deleted successfully.
C:\Documents and Settings\John Yager\Local Settings\Temp\7.tmp (Trojan.Patched) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{0FFB1E77-B53D-4214-9CA3-F4A1C771759C}\RP280\A0037089.sys (Trojan.Patched) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{0FFB1E77-B53D-4214-9CA3-F4A1C771759C}\RP280\A0041341.sys (Trojan.Patched) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{0FFB1E77-B53D-4214-9CA3-F4A1C771759C}\RP290\A0043467.sys (Trojan.Patched) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{0FFB1E77-B53D-4214-9CA3-F4A1C771759C}\RP290\A0043468.sys (Trojan.Patched) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{0FFB1E77-B53D-4214-9CA3-F4A1C771759C}\RP330\A0052219.sys (Trojan.Patched) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{0FFB1E77-B53D-4214-9CA3-F4A1C771759C}\RP330\A0053221.sys (Trojan.Patched) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{0FFB1E77-B53D-4214-9CA3-F4A1C771759C}\RP330\A0053222.sys (Trojan.Patched) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{0FFB1E77-B53D-4214-9CA3-F4A1C771759C}\RP330\A0053257.sys (Trojan.Patched) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{0FFB1E77-B53D-4214-9CA3-F4A1C771759C}\RP330\A0053258.sys (Trojan.Patched) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{0FFB1E77-B53D-4214-9CA3-F4A1C771759C}\RP332\A0059520.sys (Trojan.Patched) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{0FFB1E77-B53D-4214-9CA3-F4A1C771759C}\RP332\A0059524.sys (Trojan.Patched) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{0FFB1E77-B53D-4214-9CA3-F4A1C771759C}\RP334\A0059568.sys (Trojan.Patched) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{0FFB1E77-B53D-4214-9CA3-F4A1C771759C}\RP334\A0059599.sys (Trojan.Patched) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{0FFB1E77-B53D-4214-9CA3-F4A1C771759C}\RP334\A0059604.sys (Trojan.Patched) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{0FFB1E77-B53D-4214-9CA3-F4A1C771759C}\RP334\A0059566.sys (Trojan.Patched) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{0FFB1E77-B53D-4214-9CA3-F4A1C771759C}\RP340\A0062855.sys (Trojan.Patched) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{0FFB1E77-B53D-4214-9CA3-F4A1C771759C}\RP340\A0063871.sys (Backdoor.Rustock) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{0FFB1E77-B53D-4214-9CA3-F4A1C771759C}\RP340\A0063882.exe (Trojan.Clicker) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{0FFB1E77-B53D-4214-9CA3-F4A1C771759C}\RP340\A0063883.dll (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{0FFB1E77-B53D-4214-9CA3-F4A1C771759C}\RP340\A0063884.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{0FFB1E77-B53D-4214-9CA3-F4A1C771759C}\RP340\A0063891.exe (Trojan.Spambot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{0FFB1E77-B53D-4214-9CA3-F4A1C771759C}\RP340\A0063929.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{0FFB1E77-B53D-4214-9CA3-F4A1C771759C}\RP340\A0063897.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{0FFB1E77-B53D-4214-9CA3-F4A1C771759C}\RP340\A0063899.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{0FFB1E77-B53D-4214-9CA3-F4A1C771759C}\RP281\A0041415.new (Trojan.Patched) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{0FFB1E77-B53D-4214-9CA3-F4A1C771759C}\RP281\A0041416.new (Trojan.Patched) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\dllcache\beep.sys (Trojan.Patched) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\a3c2c4ed.sys (Backdoor.Rustock) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\yayayXQg.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\vtUkIARJ.dll (Trojan.vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\John Yager\Start Menu\Programs\Startup\userinit.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\John Yager\Start Menu\Programs\Startup\explorer.exe (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.
C:\Documents and Settings\John Yager\Application Data\msiexec.exe (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.

jholland1964 650 Posting Expert Team Colleague Featured Poster · Answer 4 · 2009-01-31T04:54:49+00:00

download SDFix and save it to your Desktop.

* You should print out these instructions, or copy them to a NotePad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Double click on SDFix.exe. It should automatically extract a folder called SDFix to your system drive (usually C:\).
Please reboot your computer in Safe Mode by doing the following :

* Restart your computer
* After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key repeatedly;
* Instead of Windows loading as normal, a menu with options should appear;
* Select the first option, to run Windows in Safe Mode, then press "Enter".
* Choose your usual user account.

* Open the SDFix folder and double click on RunThis.bat to start the script.
* Type Y and press Enter to begin the script.
* It will start cleaning your PC and then prompt you to press any key to Reboot.
* Press any key to restart the PC.
* Your system will take longer than normal to restart as the fixtool will be removing files.
* When the desktop loads the Fixtool will complete the removal and display Finished.
* Press any key to end the script and to load your desktop icons.
* A text file should automatically open, so please copy the contents and post them here.

lirts 0 Newbie Poster · Answer 5 · 2009-02-02T22:41:51+00:00

Here's the SDfix log. I'm also having RAM problems. It says that I have less than 200MB when I really have 512MB. Every time i run a few programs, or even ONE sometimes, it crashes.

SDFix: Version 1.240

Run by John Yager on Sun 02/01/2009 at 11:13 AM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services:

Restoring Default Security Values
Restoring Default Hosts File

Rebooting

Checking Files:

Trojan Files Found:

C:\108440~1 - Deleted
C:\Temp\1cb\syscheck.log - Deleted
C:\DOCUME~1\JOHNYA~1\LOCALS~1\Temp\3.exe - Deleted
C:\DOCUME~1\JOHNYA~1\LOCALS~1\Temp\TMP1.tmp - Deleted
C:\DOCUME~1\JOHNYA~1\LOCALS~1\Temp\TMP11.tmp - Deleted
C:\DOCUME~1\JOHNYA~1\LOCALS~1\Temp\TMP12.tmp - Deleted
C:\DOCUME~1\JOHNYA~1\LOCALS~1\Temp\TMP13.tmp - Deleted
C:\DOCUME~1\JOHNYA~1\LOCALS~1\Temp\TMP14.tmp - Deleted
C:\DOCUME~1\JOHNYA~1\LOCALS~1\Temp\TMP15.tmp - Deleted
C:\DOCUME~1\JOHNYA~1\LOCALS~1\Temp\tmp16.tmp - Deleted
C:\DOCUME~1\JOHNYA~1\LOCALS~1\Temp\TMP17.tmp - Deleted
C:\DOCUME~1\JOHNYA~1\LOCALS~1\Temp\TMP18.tmp - Deleted
C:\DOCUME~1\JOHNYA~1\LOCALS~1\Temp\tmp19.tmp - Deleted
C:\DOCUME~1\JOHNYA~1\LOCALS~1\Temp\TMP2.tmp - Deleted
C:\DOCUME~1\JOHNYA~1\LOCALS~1\Temp\TMP3.tmp - Deleted
C:\DOCUME~1\JOHNYA~1\LOCALS~1\Temp\TMP4.tmp - Deleted
C:\DOCUME~1\JOHNYA~1\LOCALS~1\Temp\TMP5.tmp - Deleted
C:\DOCUME~1\JOHNYA~1\LOCALS~1\Temp\TMP6.tmp - Deleted
C:\DOCUME~1\JOHNYA~1\LOCALS~1\Temp\tmp69.tmp - Deleted
C:\DOCUME~1\JOHNYA~1\LOCALS~1\Temp\tmp6A.tmp - Deleted
C:\DOCUME~1\JOHNYA~1\LOCALS~1\Temp\TMP7.tmp - Deleted
C:\DOCUME~1\JOHNYA~1\LOCALS~1\Temp\TMP8.tmp - Deleted
C:\DOCUME~1\JOHNYA~1\LOCALS~1\Temp\TMP9.tmp - Deleted
C:\DOCUME~1\JOHNYA~1\LOCALS~1\Temp\TMPA.tmp - Deleted
C:\DOCUME~1\JOHNYA~1\LOCALS~1\Temp\TMPB.tmp - Deleted
C:\DOCUME~1\JOHNYA~1\LOCALS~1\Temp\TMPC.tmp - Deleted
C:\DOCUME~1\JOHNYA~1\LOCALS~1\Temp\TMPD.tmp - Deleted
C:\DOCUME~1\JOHNYA~1\LOCALS~1\Temp\TMPE.tmp - Deleted



Folder C:\Temp\1cb - Removed
Folder C:\Temp\tn3 - Removed


Removing Temp Files

ADS Check:

Final Check:

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [url]http://www.gmer.net[/url]
Rootkit scan 2009-02-01 11:22:02
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\232f9870]
"ImagePath"="\SystemRoot\System32\drivers\232f9870.sys"
"Type"=dword:00000001
"Start"=dword:00000001
"ErrorControl"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\6087f710]
"ImagePath"="\SystemRoot\System32\drivers\6087f710.sys"
"Type"=dword:00000001
"Start"=dword:00000001
"ErrorControl"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\controlset003\Control\Class\{4D36E965-E325-11CE-BFC1-08002BE10318}\Properties]
"DeviceType"=dword:00000002
"DeviceCharacteristics"=dword:00000100
[HKEY_LOCAL_MACHINE\SYSTEM\controlset003\Control\Class\{4D36E967-E325-11CE-BFC1-08002BE10318}\Properties]
"DeviceType"=dword:00000007
"DeviceCharacteristics"=dword:00000100
[HKEY_LOCAL_MACHINE\SYSTEM\controlset003\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\Properties]
"DeviceType"=dword:00000023
"DeviceCharacteristics"=dword:00000100
[HKEY_LOCAL_MACHINE\SYSTEM\controlset003\Control\Class\{4D36E969-E325-11CE-BFC1-08002BE10318}\Properties]
"DeviceType"=dword:00000004
"DeviceCharacteristics"=dword:00000100
[HKEY_LOCAL_MACHINE\SYSTEM\controlset003\Control\Class\{4D36E96A-E325-11CE-BFC1-08002BE10318}\Properties]
"DeviceType"=dword:00000004
"DeviceCharacteristics"=dword:00000100
[HKEY_LOCAL_MACHINE\SYSTEM\controlset003\Control\Class\{4D36E97B-E325-11CE-BFC1-08002BE10318}\Properties]
"DeviceType"=dword:00000004
"DeviceCharacteristics"=dword:00000100
[HKEY_LOCAL_MACHINE\SYSTEM\controlset003\Control\Class\{4D36E980-E325-11CE-BFC1-08002BE10318}\Properties]
"DeviceType"=dword:00000007
"DeviceCharacteristics"=dword:00000100
[HKEY_LOCAL_MACHINE\SYSTEM\controlset003\Services\232f9870]
"ImagePath"="\SystemRoot\System32\drivers\232f9870.sys"
"Type"=dword:00000001
"Start"=dword:00000001
"ErrorControl"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\controlset003\Services\6087f710]
"ImagePath"="\SystemRoot\System32\drivers\6087f710.sys"
"Type"=dword:00000001
"Start"=dword:00000001
"ErrorControl"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\controlset003\Services\MRxDAV\EncryptedDirectories]
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\controlset004\Control\Class\{4D36E965-E325-11CE-BFC1-08002BE10318}\Properties]
"DeviceType"=dword:00000002
"DeviceCharacteristics"=dword:00000100
[HKEY_LOCAL_MACHINE\SYSTEM\controlset004\Control\Class\{4D36E967-E325-11CE-BFC1-08002BE10318}\Properties]
"DeviceType"=dword:00000007
"DeviceCharacteristics"=dword:00000100
[HKEY_LOCAL_MACHINE\SYSTEM\controlset004\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\Properties]
"DeviceType"=dword:00000023
"DeviceCharacteristics"=dword:00000100
[HKEY_LOCAL_MACHINE\SYSTEM\controlset004\Control\Class\{4D36E969-E325-11CE-BFC1-08002BE10318}\Properties]
"DeviceType"=dword:00000004
"DeviceCharacteristics"=dword:00000100
[HKEY_LOCAL_MACHINE\SYSTEM\controlset004\Control\Class\{4D36E96A-E325-11CE-BFC1-08002BE10318}\Properties]
"DeviceType"=dword:00000004
"DeviceCharacteristics"=dword:00000100
[HKEY_LOCAL_MACHINE\SYSTEM\controlset004\Control\Class\{4D36E97B-E325-11CE-BFC1-08002BE10318}\Properties]
"DeviceType"=dword:00000004
"DeviceCharacteristics"=dword:00000100
[HKEY_LOCAL_MACHINE\SYSTEM\controlset004\Control\Class\{4D36E980-E325-11CE-BFC1-08002BE10318}\Properties]
"DeviceType"=dword:00000007
"DeviceCharacteristics"=dword:00000100
[HKEY_LOCAL_MACHINE\SYSTEM\controlset004\Services\232f9870]
"ImagePath"="\SystemRoot\System32\drivers\232f9870.sys"
"Type"=dword:00000001
"Start"=dword:00000001
"ErrorControl"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\controlset004\Services\6087f710]
"ImagePath"="\SystemRoot\System32\drivers\6087f710.sys"
"Type"=dword:00000001
"Start"=dword:00000001
"ErrorControl"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\controlset004\Services\MRxDAV\EncryptedDirectories]
@=""

scanning hidden registry entries ...

scanning hidden files ...

C:\WINDOWS\system32\wbem\Performance\WmiApRpl_new.h 357 bytes

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 1

Remaining Services:

Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Documents and Settings\\John Yager\\My Documents\\FrostWire\\FrostWire.exe"="C:\\Documents and Settings\\John Yager\\My Documents\\FrostWire\\FrostWire.exe:*:Enabled:FrostWire"
"C:\\Program Files\\Java\\jre1.6.0_05\\bin\\javaw.exe"="C:\\Program Files\\Java\\jre1.6.0_05\\bin\\javaw.exe:*:Enabled:Java(TM) Platform SE binary"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

Remaining Files:

File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes:

Sun 24 Sep 2006         4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Sun 24 Sep 2006           401 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv17.bak"
Fri 30 Jan 2009             0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Tue 27 Jan 2009     1,527,296 A..H. --- "C:\Documents and Settings\John Yager\Local Settings\Temp\dotnetfx3521022.08\1033\dotnetfx30\x86\BITBF.tmp"
Tue 25 Jul 2006     2,723,840 A..H. --- "C:\Documents and Settings\John Yager\Local Settings\Temp\dotnetfx304506.30\1033\wcu\wf\BIT25.tmp"

Finished!

jholland1964 650 Posting Expert Team Colleague Featured Poster · Answer 6 · 2009-02-03T02:46:40+00:00

Did the problem with the "missing" RAM begin with the infection or has this been on going?
Have you opened the case to see if the RAM is properly seated?

lirts 0 Newbie Poster · Answer 7 · 2009-02-03T03:26:37+00:00

I think it's been happening since the infection. I also haven't been able to run the defrag. It gets stuck at analyzing at 20%.

hijackthis help

Recommended Answers Collapse Answers

All 10 Replies

Recommended Answers