Vista Vitumonde Problem

Antwon · 08-07-2007, 08:03 AM

A couple of days age my Windows defender gave me a pop-up that said Virtumonde was detected on my computer and gave me a "remove all" option so I chose that assuming that it would get rid of it. But, everyday since it poped up the first time it continues to come up and I get the most random pop-up even when Im not at my computer. Is there a way to get rid of this Virtumonde thing? Also, I forgot to mention that I ran both "Ad-ware SE" and "Spybot Search and destroy" but neither found anything.

sUBs · 08-07-2007, 08:56 AM

Please follow MicroBell's 5 Step process - http://www.techsupportforum.com/secu...sting-log.html.

You shall have a proper set of logs for us after that

Antwon · 08-07-2007, 09:29 AM

I cannot complete step 2 because I have Windows Vista and the scan doesn't support it is there any other way to complete that step?

sUBs · 08-07-2007, 09:32 AM

Skip that & proceed to step #5

Antwon · 08-07-2007, 09:53 AM

Deckard's System Scanner v20070804.61
Run by Anthony Kelly on 2007-08-07 at 12:44:24
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- Last 3 Restore Point(s) --
3: 2007-08-07 14:40:05 UTC - RP149 - Windows Defender Checkpoint
2: 2007-08-07 02:37:58 UTC - RP147 - Windows Defender Checkpoint
1: 2007-08-05 21:04:24 UTC - RP145 - Installed Battlefield 2 Patch v1.41

Backed up registry hives.
Performed disk cleanup.

-- HijackThis (run as Anthony Kelly.exe) ---------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:46:18 PM, on 8/7/2007
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\QuickTime\qttask.exe
C:\Windows\sttray.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\ctfmon.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\Windows\system32\rundll32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRA~1\GetRight\getright.exe
C:\Windows\system32\wlfhgaeq.exe
C:\Users\Anthony Kelly\Desktop\dss.exe
C:\Windows\system32\SearchFilterHost.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Anthony Kelly.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: GetRight IE Download Helper - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
O2 - BHO: (no name) - {4F4FF801-79FC-4092-A19D-5927CA2A525F} - C:\Windows\system32\jkhfe.dll
O2 - BHO: (no name) - {C6039E6C-BDE9-4de5-BB40-768CAA584FDC} - C:\Windows\system32\xalsitmf.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - HKCU\..\Run: [Steam] C:\Program Files\Valve\Steam\\Steam.exe -silent
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: GetRight - Tray Icon.lnk = C:\Program Files\GetRight\getright.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\Windows\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\Windows\Network Diagnostic\xpnetdiag.exe
O13 - Gopher Prefix:
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O20 - Winlogon Notify: gebbxxu - C:\Windows\SYSTEM32\gebbxxu.dll
O20 - Winlogon Notify: jkhfe - C:\Windows\system32\jkhfe.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Program Files\SigmaTel\C-Major Audio\WDM\STacSV.exe

--
End of file - 5093 bytes

-- File Associations -----------------------------------------------------------

All associations okay.

-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

S3 NAL (Nal Service ) - \??\c:\windows\system32\drivers\iqvw32.sys
S3 sfng32 (Sonic Focus Plugin for Sigmatel HDA) - c:\windows\system32\drivers\sfng32.sys <Not Verified; Sonic Focus, Inc; Sonic Focus, Inc SFNG32.SYS>

-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 STacSV (SigmaTel Audio Service) - c:\program files\sigmatel\c-major audio\wdm\stacsv.exe <Not Verified; SigmaTel, Inc.; C-Major Audio>

-- Device Manager: Disabled ----------------------------------------------------

Class GUID:
Description: Serial ATA Controller
Device ID: PCI\VEN_11AB&DEV_6145&SUBSYS_614511AB&REV_A1\4&2DC9D97&0&00E4
Manufacturer:
Name: Serial ATA Controller
PNP Device ID: PCI\VEN_11AB&DEV_6145&SUBSYS_614511AB&REV_A1\4&2DC9D97&0&00E4
Service:

-- Scheduled Tasks -------------------------------------------------------------

2007-08-05 21:33:08 284 --a------ C:\Windows\Tasks\AppleSoftwareUpdate.job

-- Files created between 2007-07-07 and 2007-08-07 -----------------------------

2007-08-07 12:46:08 0 d-------- C:\Program Files\Trend Micro
2007-08-07 10:45:33 4672 --a------ C:\Windows\system32\wlfhgaeq.exe
2007-08-07 10:39:33 125504 --a------ C:\Windows\system32\hldbungd.dll
2007-08-07 10:33:33 66112 --a------ C:\Windows\system32\xrwmeqlb.exe
2007-08-07 10:30:33 574508 --a------ C:\Windows\system32\exyapodu.exe
2007-08-07 08:19:23 0 d-------- C:\Program Files\GetRight
2007-08-07 08:18:49 0 d-------- C:\Downloads
2007-08-06 22:31:16 4672 --a------ C:\Windows\system32\rkkmkncx.exe
2007-08-06 22:28:38 66112 --a------ C:\Windows\system32\sxghfkdv.exe
2007-08-05 11:50:20 4672 --a------ C:\Windows\system32\llirxsgw.exe
2007-08-05 11:44:31 66112 --a------ C:\Windows\system32\hiowritm.exe
2007-08-04 22:51:39 4672 --a------ C:\Windows\system32\fxpcvyho.exe
2007-08-04 22:43:27 66112 --a------ C:\Windows\system32\hpfehmoa.exe
2007-08-03 16:31:46 4672 --a------ C:\Windows\system32\fquvshda.exe
2007-08-03 16:30:48 69184 --a------ C:\Windows\system32\xalsitmf.dll
2007-08-03 16:19:01 66112 --a------ C:\Windows\system32\iyvyjitl.exe
2007-08-03 16:18:59 1764026 ---hs---- C:\Windows\system32\efhkj.bak2
2007-08-02 16:19:21 6467 ---hs---- C:\Windows\system32\efhkj.bak1
2007-08-02 16:18:55 228960 --a------ C:\Windows\system32\jkhfe.dll
2007-08-02 16:13:47 31254 --a------ C:\Windows\system32\gebbxxu.dll
2007-08-02 15:57:10 0 d-------- C:\Program Files\EA GAMES
2007-08-01 14:17:23 43520 --a------ C:\Windows\system32\CmdLineExt03.dll
2007-08-01 14:16:27 21840 --a------ C:\Windows\system32\SIntfNT.dll
2007-08-01 14:16:27 17212 --a------ C:\Windows\system32\SIntf32.dll
2007-08-01 14:16:27 12067 --a------ C:\Windows\system32\SIntf16.dll
2007-07-25 00:42:03 0 d-------- C:\Program Files\DivX
2007-07-25 00:42:02 684 --a------ C:\Windows\mozver.dat
2007-07-21 17:45:44 0 d-------- C:\Users\All Users\Age of Empires 3
2007-07-19 12:31:39 0 d-------- C:\Program Files\Firaxis Games
2007-07-19 12:20:53 0 d-------- C:\Program Files\DaemonTools_WhenUSave_Installer
2007-07-19 12:20:37 0 d-------- C:\Program Files\DAEMON Tools
2007-07-19 12:18:07 682232 --a------ C:\Windows\system32\drivers\sptd.sys
2007-07-18 15:08:11 0 d-------- C:\Program Files\uTorrent
2007-07-16 20:31:41 0 d-------- C:\Extras
2007-07-16 20:31:41 0 d-------- C:\Autorun
2007-07-09 15:07:50 3596288 --a------ C:\Windows\system32\qt-dx331.dll
2007-07-09 15:05:58 196608 --a------ C:\Windows\system32\dtu100.dll <Not Verified; DivX, Inc.; DivX, Inc. dtu100>
2007-07-09 15:05:58 73728 --a------ C:\Windows\system32\dpl100.dll <Not Verified; DivX, Inc.; DivX, Inc. dpl100>
2007-07-09 15:05:54 802816 --a------ C:\Windows\system32\divx_xx11.dll <Not Verified; DivX, Inc.; DivX?>
2007-07-09 15:05:54 823296 --a------ C:\Windows\system32\divx_xx0c.dll <Not Verified; DivX, Inc.; DivX®>
2007-07-09 15:05:54 823296 --a------ C:\Windows\system32\divx_xx07.dll <Not Verified; DivX, Inc.; DivX®>
2007-07-09 15:05:54 740442 --a------ C:\Windows\system32\DivX.dll <Not Verified; DivX, Inc.; DivX®>
2007-07-09 15:05:28 12288 --a------ C:\Windows\system32\DivXWMPExtType.dll

-- Find3M Report ---------------------------------------------------------------

2007-08-07 08:23:37 0 d-------- C:\Users\Anthony Kelly\AppData\Roaming\GetRightToGo
2007-08-05 16:53:06 0 d-------- C:\Program Files\Common Files
2007-08-05 15:29:24 0 d--h----- C:\Program Files\InstallShield Installation Information
2007-08-01 20:20:33 0 d-------- C:\Users\Anthony Kelly\AppData\Roaming\uTorrent
2007-07-30 15:42:31 0 d-------- C:\Users\Anthony Kelly\AppData\Roaming\DivX
2007-07-28 12:08:38 0 d-------- C:\Users\Anthony Kelly\AppData\Roaming\Electronic Arts
2007-07-21 18:45:43 0 d-------- C:\Users\Anthony Kelly\AppData\Roaming\Hamachi
2007-07-21 13:01:37 0 d-------- C:\Program Files\Microsoft Games
2007-07-21 11:51:01 0 d-------- C:\Program Files\Common Files\InstallShield
2007-07-19 00:42:13 0 d-------- C:\Users\Anthony Kelly\AppData\Roaming\WinRAR
2007-07-17 13:36:55 0 dr-h----- C:\Users\Anthony Kelly\AppData\Roaming\SecuROM
2007-07-16 20:31:41 0 d-------- C:\Program Files\THQ
2007-07-16 16:14:29 0 d-------- C:\Users\Anthony Kelly\AppData\Roaming\InstallShield
2007-07-15 18:50:53 0 d-------- C:\Program Files\Windows Mail
2007-07-06 17:01:15 0 d-------- C:\Users\Anthony Kelly\AppData\Roaming\teamspeak2
2007-07-06 17:01:10 0 d-------- C:\Program Files\Teamspeak2_RC2
2007-06-21 11:29:20 0 d-------- C:\Users\Anthony Kelly\AppData\Roaming\Apple Computer
2007-06-19 14:52:17 0 d-------- C:\Users\Anthony Kelly\AppData\Roaming\Ventrilo
2007-06-14 19:04:51 26340 --a------ C:\Users\Anthony Kelly\AppData\Roaming\UserTile.png
2007-06-14 19:04:50 0 d-------- C:\Users\Anthony Kelly\AppData\Roaming\PeerNetworking
2007-06-12 01:12:52 0 d-------- C:\Users\Anthony Kelly\AppData\Roaming\nView_Wallpaper
2007-06-11 22:56:00 0 d-------- C:\Users\Anthony Kelly\AppData\Roaming\Microsoft Games
2007-06-11 22:55:13 0 d-------- C:\Program Files\Common Files\Microsoft Games
2007-06-11 22:28:23 0 d-------- C:\Program Files\Intel Desktop Boards
2007-06-11 22:18:49 0 d-------- C:\Program Files\Windows Defender
2007-06-11 21:53:18 22172 --a------ C:\Windows\system32\emptyregdb.dat
2007-06-11 21:47:27 0 d-------- C:\Users\Anthony Kelly\AppData\Roaming\Mozilla
2007-06-11 21:47:25 0 d-------- C:\Users\Anthony Kelly\AppData\Roaming\Macromedia
2007-06-11 21:47:25 0 d-------- C:\Users\Anthony Kelly\AppData\Roaming\Logitech
2007-06-11 21:47:25 0 d-------- C:\Users\Anthony Kelly\AppData\Roaming\Lavasoft
2007-06-11 21:47:25 0 d-------- C:\Users\Anthony Kelly\AppData\Roaming\Identities
2007-06-11 21:47:25 0 d-------- C:\Users\Anthony Kelly\AppData\Roaming\Adobe
2007-06-11 21:45:20 0 d-------- C:\Program Files\Ventrilo
2007-06-11 21:44:24 0 d-------- C:\Program Files\Valve
2007-06-11 21:44:20 0 d-------- C:\Program Files\QuickTime
2007-06-11 21:44:13 0 d-------- C:\Program Files\MSN Gaming Zone
2007-06-11 21:44:11 0 d-------- C:\Program Files\microsoft frontpage
2007-06-11 21:44:04 0 d-------- C:\Program Files\Logitech
2007-06-11 21:44:02 0 d-------- C:\Program Files\Lavasoft
2007-06-11 21:44:01 0 d-------- C:\Program Files\Intel Desktop Board
2007-06-11 21:43:58 0 d-------- C:\Program Files\Intel
2007-06-11 21:43:57 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-06-11 21:43:57 0 d-------- C:\Program Files\Common Files\ODBC
2007-06-11 21:43:57 0 d-------- C:\Program Files\Common Files\MSSoap
2007-06-11 21:43:57 0 d-------- C:\Program Files\Common Files\Logitech
2007-06-11 21:43:56 0 d-------- C:\Program Files\Common Files\Adobe
2007-06-11 21:43:56 0 d-------- C:\Program Files\Common Files\Adobe Systems Shared
2007-06-11 21:43:45 0 d-------- C:\Program Files\Apple Software Update
2007-06-11 21:40:24 0 d-------- C:\Program Files\Sigmatel

-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4F4FF801-79FC-4092-A19D-5927CA2A525F}]
08/02/2007 04:18 PM 228960 --a------ C:\Windows\system32\jkhfe.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C6039E6C-BDE9-4de5-BB40-768CAA584FDC}]
08/03/2007 04:30 PM 69184 --a------ C:\Windows\system32\xalsitmf.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [06/11/2007 10:07 PM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [09/01/2006 04:57 PM]
"SigmatelSysTrayApp"="sttray.exe" [02/28/2007 07:56 PM C:\Windows\sttray.exe]
"NvSvc"="C:\Windows\system32\nvsvc.dll" [07/06/2007 01:15 PM]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [07/06/2007 01:15 PM]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [07/06/2007 01:15 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [11/02/2006 08:35 AM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [11/02/2006 05:45 AM]
"LDM"="C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe" [03/16/2007 04:47 PM]
"Steam"="C:\Program Files\Valve\Steam\\Steam.exe" [07/28/2007 04:25 PM]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [11/02/2006 08:35 AM]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [11/02/2006 08:36 AM]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [04/03/2007 06:29 PM]

C:\Users\Anthony Kelly\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [3/16/2005 8:16:50 PM]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
GetRight - Tray Icon.lnk - C:\Program Files\GetRight\getright.exe [8/7/2007 8:19:23 AM]
Logitech Desktop Messenger.lnk - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [3/16/2007 4:47:26 PM]
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [1/19/2007 4:27:51 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"=2 (0x2)
"EnableLUA"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{E9BD0828-1FD9-410C-A50F-43EBE65D310F}"= C:\Windows\system32\gebbxxu.dll [08/02/2007 04:13 PM 31254]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gebbxxu]
gebbxxu.dll 08/02/2007 04:13 PM 31254 C:\Windows\System32\gebbxxu.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jkhfe]
C:\Windows\system32\jkhfe.dll 08/02/2007 04:18 PM 228960 C:\Windows\System32\jkhfe.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppInfo]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\KeyIso]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\NTDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ProfSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sacsvr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SWPRV]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TabletInputService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TBS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TrustedInstaller]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\VDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgr.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgrx.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{6BDD1FC1-810F-11D0-BEC7-08002BE2092F}]
@="IEEE 1394 Bus host controllers"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D48179BE-EC20-11D1-B6B8-00C04FA372A7}]
@="SBP2 IEEE 1394 Devices"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D94EE5D8-D189-4994-83D2-F68D7D41B0E6}]
@="SecurityDevices"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalSystemNetworkRestricted hidserv UxSms WdiSystemHost Netman trkwks AudioEndpointBuilder WUDFSvc irmon sysmain IPBusEnum dot3svc PcaSvc EMDMgmt TabletInputService wlansvc WPDBusEnum
WudfServiceGroup WUDFSvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{59b7aca3-1885-11dc-8197-806e6f6e6963}]
AutoRun\command- D:\Autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d92d088c-3613-11dc-8a30-0019d121cabb}]
AutoRun\command- F:\autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d92d08bc-3613-11dc-8a30-0019d121cabb}]
AutoRun\command- G:\autorun.exe
directx\command- G:\DirectX9\dxsetup.exe
setup\command- G:\setup.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
C:\Windows\system32\unregmp2.exe /ShowWMP

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
%SystemRoot%\system32\unregmp2.exe /FirstLogon /Shortcuts /RegBrowsers /ResetMUI

-- End of Deckard's System Scanner: finished at 2007-08-07 at 12:49:37 ---------

sUBs · 08-07-2007, 09:59 AM

Do a HijackThis scan & place a check next to these items and select "Fix checked":

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {4F4FF801-79FC-4092-A19D-5927CA2A525F} - C:\Windows\system32\jkhfe.dll
O2 - BHO: (no name) - {C6039E6C-BDE9-4de5-BB40-768CAA584FDC} - C:\Windows\system32\xalsitmf.dll
O13 - Gopher Prefix:
O20 - Winlogon Notify: gebbxxu - C:\Windows\SYSTEM32\gebbxxu.dll
O20 - Winlogon Notify: jkhfe - C:\Windows\system32\jkhfe.dll

Reboot the machine before posting a fresh Hijackthis log

Antwon · 08-07-2007, 10:09 AM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:08:47 PM, on 8/7/2007
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\QuickTime\qttask.exe
C:\Windows\sttray.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\System32\ctfmon.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Windows\System32\rundll32.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\GetRight\getright.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: GetRight IE Download Helper - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - HKCU\..\Run: [Steam] C:\Program Files\Valve\Steam\\Steam.exe -silent
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: GetRight - Tray Icon.lnk = C:\Program Files\GetRight\getright.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\Windows\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\Windows\Network Diagnostic\xpnetdiag.exe
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Program Files\SigmaTel\C-Major Audio\WDM\STacSV.exe

--
End of file - 4498 bytes

sUBs · 08-07-2007, 10:17 AM

Very good. The pop ups should abate.

------------

If you have not done so already, please enable the viewing of Hidden files
From Windows Explorer, go to Tools → Folder Options → View tab.

Tick - 'Show hidden files and folder'
Untick - 'Hide file extensions for known types'
Untick - 'Hide protected operating system files'
Click Yes to confirm & then click OK

Locate and delete the following files/folders: (let me know if you fail to find/delete any)

C:\Windows\system32\wlfhgaeq.exe
C:\Windows\system32\hldbungd.dll
C:\Windows\system32\xrwmeqlb.exe
C:\Windows\system32\exyapodu.exe
C:\Windows\system32\rkkmkncx.exe
C:\Windows\system32\sxghfkdv.exe
C:\Windows\system32\llirxsgw.exe
C:\Windows\system32\hiowritm.exe
C:\Windows\system32\fxpcvyho.exe
C:\Windows\system32\hpfehmoa.exe
C:\Windows\system32\fquvshda.exe
C:\Windows\system32\xalsitmf.dll
C:\Windows\system32\iyvyjitl.exe
C:\Windows\system32\efhkj.bak2
C:\Windows\system32\efhkj.bak1
C:\Windows\system32\jkhfe.dll
C:\Windows\system32\gebbxxu.dll

--------------

Click here perform an online scan >> Online Scanner

---------------

In your next post, please include fresh logs from:

Fresh Hijackthis log taken just before replying

Online scan

Please provide details of any problems you encountered whilst performing the above steps & update us on how the computer behaves now

Antwon · 08-07-2007, 10:30 AM

There were 5 I was not able to locate and delete they were

C:\Windows\system32\hldbungd.dll
C:\Windows\system32\xalsitmf.dll
C:\Windows\system32\efhkj.bak2
C:\Windows\system32\efhkj.bak1
C:\Windows\system32\jkhfe.dll

My computer is running fine and I will give you another highjack report I just wanted to see if I could get these off first.

sUBs · 08-07-2007, 10:56 AM

Run another DSS scan. See if they turn up in the resultant log.

Post that log if you're unsure

Antwon · 08-07-2007, 11:49 AM

Deckard's System Scanner v20070804.61
Run by Anthony Kelly on 2007-08-07 at 14:48:34
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- HijackThis (run as Anthony Kelly.exe) ---------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:48:42 PM, on 8/7/2007
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\QuickTime\qttask.exe
C:\Windows\sttray.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\System32\ctfmon.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Windows\System32\rundll32.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\GetRight\getright.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\Program Files\Ventrilo\Ventrilo.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Users\Anthony Kelly\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\ANTHON~1.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: GetRight IE Download Helper - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - HKCU\..\Run: [Steam] C:\Program Files\Valve\Steam\\Steam.exe -silent
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: GetRight - Tray Icon.lnk = C:\Program Files\GetRight\getright.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\Windows\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\Windows\Network Diagnostic\xpnetdiag.exe
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Program Files\SigmaTel\C-Major Audio\WDM\STacSV.exe

--
End of file - 4620 bytes

-- Files created between 2007-07-07 and 2007-08-07 -----------------------------

2007-08-07 13:12:10 0 d-------- C:\Program Files\Electronic Arts
2007-08-07 12:56:15 0 d-------- C:\Program Files\WAR BETA
2007-08-07 12:46:08 0 d-------- C:\Program Files\Trend Micro
2007-08-07 08:19:23 0 d-------- C:\Program Files\GetRight
2007-08-07 08:18:49 0 d-------- C:\Downloads
2007-08-03 16:18:59 1764026 ---hs---- C:\Windows\system32\efhkj.bak2
2007-08-02 16:19:21 6467 ---hs---- C:\Windows\system32\efhkj.bak1
2007-08-02 15:57:10 0 d-------- C:\Program Files\EA GAMES
2007-08-01 14:17:23 43520 --a------ C:\Windows\system32\CmdLineExt03.dll
2007-08-01 14:16:27 21840 --a------ C:\Windows\system32\SIntfNT.dll
2007-08-01 14:16:27 17212 --a------ C:\Windows\system32\SIntf32.dll
2007-08-01 14:16:27 12067 --a------ C:\Windows\system32\SIntf16.dll
2007-07-25 00:42:03 0 d-------- C:\Program Files\DivX
2007-07-25 00:42:02 684 --a------ C:\Windows\mozver.dat
2007-07-21 17:45:44 0 d-------- C:\Users\All Users\Age of Empires 3
2007-07-19 12:31:39 0 d-------- C:\Program Files\Firaxis Games
2007-07-19 12:20:53 0 d-------- C:\Program Files\DaemonTools_WhenUSave_Installer
2007-07-19 12:20:37 0 d-------- C:\Program Files\DAEMON Tools
2007-07-19 12:18:07 682232 --a------ C:\Windows\system32\drivers\sptd.sys
2007-07-18 15:08:11 0 d-------- C:\Program Files\uTorrent
2007-07-16 20:31:41 0 d-------- C:\Extras
2007-07-16 20:31:41 0 d-------- C:\Autorun
2007-07-09 15:07:50 3596288 --a------ C:\Windows\system32\qt-dx331.dll
2007-07-09 15:05:58 196608 --a------ C:\Windows\system32\dtu100.dll <Not Verified; DivX, Inc.; DivX, Inc. dtu100>
2007-07-09 15:05:58 73728 --a------ C:\Windows\system32\dpl100.dll <Not Verified; DivX, Inc.; DivX, Inc. dpl100>
2007-07-09 15:05:54 802816 --a------ C:\Windows\system32\divx_xx11.dll <Not Verified; DivX, Inc.; DivX?>
2007-07-09 15:05:54 823296 --a------ C:\Windows\system32\divx_xx0c.dll <Not Verified; DivX, Inc.; DivX®>
2007-07-09 15:05:54 823296 --a------ C:\Windows\system32\divx_xx07.dll <Not Verified; DivX, Inc.; DivX®>
2007-07-09 15:05:54 740442 --a------ C:\Windows\system32\DivX.dll <Not Verified; DivX, Inc.; DivX®>
2007-07-09 15:05:28 12288 --a------ C:\Windows\system32\DivXWMPExtType.dll

-- Find3M Report ---------------------------------------------------------------

2007-08-07 08:23:37 0 d-------- C:\Users\Anthony Kelly\AppData\Roaming\GetRightToGo
2007-08-05 16:53:06 0 d-------- C:\Program Files\Common Files
2007-08-05 15:29:24 0 d--h----- C:\Program Files\InstallShield Installation Information
2007-08-01 20:20:33 0 d-------- C:\Users\Anthony Kelly\AppData\Roaming\uTorrent
2007-07-30 15:42:31 0 d-------- C:\Users\Anthony Kelly\AppData\Roaming\DivX
2007-07-28 12:08:38 0 d-------- C:\Users\Anthony Kelly\AppData\Roaming\Electronic Arts
2007-07-21 18:45:43 0 d-------- C:\Users\Anthony Kelly\AppData\Roaming\Hamachi
2007-07-21 13:01:37 0 d-------- C:\Program Files\Microsoft Games
2007-07-21 11:51:01 0 d-------- C:\Program Files\Common Files\InstallShield
2007-07-19 00:42:13 0 d-------- C:\Users\Anthony Kelly\AppData\Roaming\WinRAR
2007-07-17 13:36:55 0 dr-h----- C:\Users\Anthony Kelly\AppData\Roaming\SecuROM
2007-07-16 20:31:41 0 d-------- C:\Program Files\THQ
2007-07-16 16:14:29 0 d-------- C:\Users\Anthony Kelly\AppData\Roaming\InstallShield
2007-07-15 18:50:53 0 d-------- C:\Program Files\Windows Mail
2007-07-06 17:01:15 0 d-------- C:\Users\Anthony Kelly\AppData\Roaming\teamspeak2
2007-07-06 17:01:10 0 d-------- C:\Program Files\Teamspeak2_RC2
2007-06-21 11:29:20 0 d-------- C:\Users\Anthony Kelly\AppData\Roaming\Apple Computer
2007-06-19 14:52:17 0 d-------- C:\Users\Anthony Kelly\AppData\Roaming\Ventrilo
2007-06-14 19:04:51 26340 --a------ C:\Users\Anthony Kelly\AppData\Roaming\UserTile.png
2007-06-14 19:04:50 0 d-------- C:\Users\Anthony Kelly\AppData\Roaming\PeerNetworking
2007-06-12 01:12:52 0 d-------- C:\Users\Anthony Kelly\AppData\Roaming\nView_Wallpaper
2007-06-11 22:56:00 0 d-------- C:\Users\Anthony Kelly\AppData\Roaming\Microsoft Games
2007-06-11 22:55:13 0 d-------- C:\Program Files\Common Files\Microsoft Games
2007-06-11 22:28:23 0 d-------- C:\Program Files\Intel Desktop Boards
2007-06-11 22:18:49 0 d-------- C:\Program Files\Windows Defender
2007-06-11 21:53:18 22172 --a------ C:\Windows\system32\emptyregdb.dat
2007-06-11 21:47:27 0 d-------- C:\Users\Anthony Kelly\AppData\Roaming\Mozilla
2007-06-11 21:47:25 0 d-------- C:\Users\Anthony Kelly\AppData\Roaming\Macromedia
2007-06-11 21:47:25 0 d-------- C:\Users\Anthony Kelly\AppData\Roaming\Logitech
2007-06-11 21:47:25 0 d-------- C:\Users\Anthony Kelly\AppData\Roaming\Lavasoft
2007-06-11 21:47:25 0 d-------- C:\Users\Anthony Kelly\AppData\Roaming\Identities
2007-06-11 21:47:25 0 d-------- C:\Users\Anthony Kelly\AppData\Roaming\Adobe
2007-06-11 21:45:20 0 d-------- C:\Program Files\Ventrilo
2007-06-11 21:44:24 0 d-------- C:\Program Files\Valve
2007-06-11 21:44:20 0 d-------- C:\Program Files\QuickTime
2007-06-11 21:44:13 0 d-------- C:\Program Files\MSN Gaming Zone
2007-06-11 21:44:11 0 d-------- C:\Program Files\microsoft frontpage
2007-06-11 21:44:04 0 d-------- C:\Program Files\Logitech
2007-06-11 21:44:02 0 d-------- C:\Program Files\Lavasoft
2007-06-11 21:44:01 0 d-------- C:\Program Files\Intel Desktop Board
2007-06-11 21:43:58 0 d-------- C:\Program Files\Intel
2007-06-11 21:43:57 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-06-11 21:43:57 0 d-------- C:\Program Files\Common Files\ODBC
2007-06-11 21:43:57 0 d-------- C:\Program Files\Common Files\MSSoap
2007-06-11 21:43:57 0 d-------- C:\Program Files\Common Files\Logitech
2007-06-11 21:43:56 0 d-------- C:\Program Files\Common Files\Adobe
2007-06-11 21:43:56 0 d-------- C:\Program Files\Common Files\Adobe Systems Shared
2007-06-11 21:43:45 0 d-------- C:\Program Files\Apple Software Update
2007-06-11 21:40:24 0 d-------- C:\Program Files\Sigmatel

-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [06/11/2007 10:07 PM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [09/01/2006 04:57 PM]
"SigmatelSysTrayApp"="sttray.exe" [02/28/2007 07:56 PM C:\Windows\sttray.exe]
"NvSvc"="C:\Windows\system32\nvsvc.dll" [07/06/2007 01:15 PM]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [07/06/2007 01:15 PM]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [07/06/2007 01:15 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [11/02/2006 08:35 AM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [11/02/2006 05:45 AM]
"LDM"="C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe" [03/16/2007 04:47 PM]
"Steam"="C:\Program Files\Valve\Steam\\Steam.exe" [07/28/2007 04:25 PM]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [11/02/2006 08:35 AM]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [11/02/2006 08:36 AM]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [04/03/2007 06:29 PM]

C:\Users\Anthony Kelly\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [3/16/2005 8:16:50 PM]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
GetRight - Tray Icon.lnk - C:\Program Files\GetRight\getright.exe [8/7/2007 8:19:23 AM]
Logitech Desktop Messenger.lnk - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [3/16/2007 4:47:26 PM]
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [1/19/2007 4:27:51 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"=2 (0x2)
"EnableLUA"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{E9BD0828-1FD9-410C-A50F-43EBE65D310F}"= C:\Windows\system32\gebbxxu.dll [ ]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppInfo]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\KeyIso]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\NTDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ProfSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sacsvr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SWPRV]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TabletInputService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TBS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TrustedInstaller]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\VDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgr.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgrx.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{6BDD1FC1-810F-11D0-BEC7-08002BE2092F}]
@="IEEE 1394 Bus host controllers"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D48179BE-EC20-11D1-B6B8-00C04FA372A7}]
@="SBP2 IEEE 1394 Devices"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D94EE5D8-D189-4994-83D2-F68D7D41B0E6}]
@="SecurityDevices"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalSystemNetworkRestricted hidserv UxSms WdiSystemHost Netman trkwks AudioEndpointBuilder WUDFSvc irmon sysmain IPBusEnum dot3svc PcaSvc EMDMgmt TabletInputService wlansvc WPDBusEnum
WudfServiceGroup WUDFSvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{59b7aca3-1885-11dc-8197-806e6f6e6963}]
AutoRun\command- D:\Autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d92d088c-3613-11dc-8a30-0019d121cabb}]
AutoRun\command- F:\autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d92d08bc-3613-11dc-8a30-0019d121cabb}]
AutoRun\command- G:\autorun.exe
directx\command- G:\DirectX9\dxsetup.exe
setup\command- G:\setup.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
C:\Windows\system32\unregmp2.exe /ShowWMP

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
%SystemRoot%\system32\unregmp2.exe /FirstLogon /Shortcuts /RegBrowsers /ResetMUI

-- End of Deckard's System Scanner: finished at 2007-08-07 at 14:49:23 ---------

sUBs · 08-07-2007, 11:54 AM

Open up the command prompt.
Go to Start > Run - type cmd.exe

In the ensuing window, type this in ...

Del /a C:\Windows\system32\efhkj.bak*

Antwon · 08-07-2007, 05:11 PM

It didn't do anything.

Antwon · 08-07-2007, 06:20 PM

It says it can't find the path specified.

sUBs · 08-07-2007, 08:13 PM

Quote:

It says it can't find the path specified.

Do you mean "access denied" instead?

Antwon · 08-08-2007, 08:34 AM

No it says "Could Not Find C:\Windows\system32\efhkj.bak*"

sUBs · 08-08-2007, 11:29 AM

Probably not there anymore. Let's leave it for the moment & continue with the online scan.

Have you done the Kaspersky scan yet? Kindly refer to post #8

Antwon · 08-08-2007, 12:28 PM

Do I do all the scans or just one of them?

sUBs · 08-08-2007, 12:44 PM

Just the Kaspersky scan will do.

Antwon · 08-08-2007, 05:50 PM

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Wednesday, August 08, 2007 8:47:56 PM
Operating System: Microsoft Windows Vista Home Edition, (Build 6000)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 9/08/2007
Kaspersky Anti-Virus database records: 377300
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
F:\
G:\
H:\

Scan Statistics:
Total number of scanned objects: 115008
Number of viruses found: 4
Number of infected objects: 6
Number of suspicious objects: 0
Duration of the scan process: 01:17:20

Infected Object Name / Virus Name / Last Action
C:\Program Files\DAEMON Tools\SetupDTSB.exe Infected: not-a-virus:AdTool.Win32.WhenU.a skipped
C:\Program Files\DaemonTools_WhenUSave_Installer\URL3\WUSVInst.exe Infected: not-a-virus:AdTool.Win32.WhenU.a skipped
C:\Program Files\Electronic Arts\WAR_Beta2\logs\art.log Object is locked skipped
C:\Program Files\Electronic Arts\WAR_Beta2\logs\critical.log Object is locked skipped
C:\Program Files\Electronic Arts\WAR_Beta2\logs\debug.log Object is locked skipped
C:\Program Files\Electronic Arts\WAR_Beta2\logs\load.log Object is locked skipped
C:\Program Files\Electronic Arts\WAR_Beta2\logs\patcher.080807.Log Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Anthony Kelly\Data\chandir.dat Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Anthony Kelly\Data\chandir.idx Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Anthony Kelly\Data\chn.dat Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Anthony Kelly\Data\chn.idx Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Anthony Kelly\Data\D0000000.FCS Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Anthony Kelly\Data\inuse.txt Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Anthony Kelly\Data\L0000005.FCS Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Anthony Kelly\Data\main.log Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Anthony Kelly\Data\prs.dat Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Anthony Kelly\Data\prs.idx Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Anthony Kelly\Data\prs_die.dat Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Anthony Kelly\Data\prs_die.idx Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Anthony Kelly\Data\prs_dnd.dat Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Anthony Kelly\Data\prs_dnd.idx Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Anthony Kelly\Data\prs_ext.dat Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Anthony Kelly\Data\prs_ext.idx Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Anthony Kelly\Data\prs_rcv.dat Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Anthony Kelly\Data\prs_rcv.idx Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Anthony Kelly\Data\storydb.dat Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Anthony Kelly\Data\storydb.idx Object is locked skipped
C:\Program Files\Trend Micro\HijackThis\backups\backup-20070807-130639-209.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.la skipped
C:\Program Files\Trend Micro\HijackThis\backups\backup-20070807-130639-939.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.la skipped
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\f8f9ce209bea0f9a23a190fe87e2b9e9_238b4349-d538-4b87-a2cf-dc4284a412cb Object is locked skipped
C:\ProgramData\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\ProgramData\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\GatherLogs\SystemIndex\SystemIndex.56.Crwl Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\GatherLogs\SystemIndex\SystemIndex.56.gthr Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSStmp.log Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010001.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010002.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010003.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010004.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010005.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010006.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010007.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010008.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010009.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\0001000A.ci Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\0001000A.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\0001000A.wsb Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\0001000B.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\0001000C.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\0001000D.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\0001000E.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\0001000F.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010010.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010011.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010012.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010013.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010014.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010015.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010016.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010017.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010018.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010019.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\0001001A.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\0001001B.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\0001001C.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\0001001D.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\0001001E.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\0001001F.ci Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\0001001F.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010022.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010027.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010029.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\0001002A.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\0001002B.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\CiMG001f.000 Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\INDEX.000 Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\PropMap\CiPT0000.000 Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\PropMap\Used0000.000 Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SecStore\CiST0000.000 Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SystemIndex.chk1.gthr Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SystemIndex.chk2.gthr Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SystemIndex.Ntfy491.gthr Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\tmp.edb Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Windows.edb Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc\Ntf9FCA.tmp Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc\Ntf9FDA.tmp Object is locked skipped
C:\ProgramData\Microsoft\Windows Defender\Support\MPLog-11022006-050241.log Object is locked skipped
C:\Users\Anthony Kelly\AppData\Local\Microsoft\CardSpace\CardSpace.db Object is locked skipped
C:\Users\Anthony Kelly\AppData\Local\Microsoft\CardSpace\CardSpace.db.shadow Object is locked skipped
C:\Users\Anthony Kelly\AppData\Local\Microsoft\Internet Explorer\MSIMGSIZ.DAT Object is locked skipped
C:\Users\Anthony Kelly\AppData\Local\Microsoft\Windows\Explorer\thumbcache_96.db Object is locked skipped
C:\Users\Anthony Kelly\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat Object is locked skipped
C:\Users\Anthony Kelly\AppData\Local\Microsoft\Windows\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Users\Anthony Kelly\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DESRRYT3\kcehc_eicooc20070702[1] Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\Users\Anthony Kelly\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Users\Anthony Kelly\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\SIV170LQ\masiyxanidi[1] Infected: Trojan-Dropper.Win32.Agent.bmk skipped
C:\Users\Anthony Kelly\AppData\Local\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Users\Anthony Kelly\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG1 Object is locked skipped
C:\Users\Anthony Kelly\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG2 Object is locked skipped
C:\Users\Anthony Kelly\AppData\Local\Microsoft\Windows\UsrClass.dat{59b7acf2-1885-11dc-8197-0019d121cabb}.TM.blf Object is locked skipped
C:\Users\Anthony Kelly\AppData\Local\Microsoft\Windows\UsrClass.dat{59b7acf2-1885-11dc-8197-0019d121cabb}.TMContainer00000000000000000001.regtrans-ms Object is locked skipped
C:\Users\Anthony Kelly\AppData\Local\Microsoft\Windows\UsrClass.dat{59b7acf2-1885-11dc-8197-0019d121cabb}.TMContainer00000000000000000002.regtrans-ms Object is locked skipped
C:\Users\Anthony Kelly\AppData\Local\Microsoft\Windows Defender\FileTracker\{DCEB013B-3EE5-4FE7-86AE-430B7E4C1A6B} Object is locked skipped
C:\Users\Anthony Kelly\AppData\Local\Microsoft\Windows Sidebar\Settings.ini Object is locked skipped
C:\Users\Anthony Kelly\AppData\Local\Mozilla\Firefox\Profiles\ln7nlmfy.default\Cache\_CACHE_001_ Object is locked skipped
C:\Users\Anthony Kelly\AppData\Local\Mozilla\Firefox\Profiles\ln7nlmfy.default\Cache\_CACHE_002_ Object is locked skipped
C:\Users\Anthony Kelly\AppData\Local\Mozilla\Firefox\Profiles\ln7nlmfy.default\Cache\_CACHE_003_ Object is locked skipped
C:\Users\Anthony Kelly\AppData\Local\Mozilla\Firefox\Profiles\ln7nlmfy.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Users\Anthony Kelly\AppData\Roaming\Microsoft\Windows\Cookies\index.dat Object is locked skipped
C:\Users\Anthony Kelly\AppData\Roaming\Mozilla\Firefox\Profiles\ln7nlmfy.default\cert8.db Object is locked skipped
C:\Users\Anthony Kelly\AppData\Roaming\Mozilla\Firefox\Profiles\ln7nlmfy.default\formhistory.dat Object is locked skipped
C:\Users\Anthony Kelly\AppData\Roaming\Mozilla\Firefox\Profiles\ln7nlmfy.default\history.dat Object is locked skipped
C:\Users\Anthony Kelly\AppData\Roaming\Mozilla\Firefox\Profiles\ln7nlmfy.default\key3.db Object is locked skipped
C:\Users\Anthony Kelly\AppData\Roaming\Mozilla\Firefox\Profiles\ln7nlmfy.default\parent.lock Object is locked skipped
C:\Users\Anthony Kelly\AppData\Roaming\Mozilla\Firefox\Profiles\ln7nlmfy.default\search.sqlite Object is locked skipped
C:\Users\Anthony Kelly\AppData\Roaming\Mozilla\Firefox\Profiles\ln7nlmfy.default\urlclassifier2.sqlite Object is locked skipped
C:\Users\Anthony Kelly\NTUSER.DAT Object is locked skipped
C:\Users\Anthony Kelly\ntuser.dat.LOG1 Object is locked skipped
C:\Users\Anthony Kelly\ntuser.dat.LOG2 Object is locked skipped
C:\Users\Anthony Kelly\NTUSER.DAT{3a539871-6a70-11db-887c-d362bd253390}.TM.blf Object is locked skipped
C:\Users\Anthony Kelly\NTUSER.DAT{3a539871-6a70-11db-887c-d362bd253390}.TMContainer00000000000000000001.regtrans-ms Object is locked skipped
C:\Users\Anthony Kelly\NTUSER.DAT{3a539871-6a70-11db-887c-d362bd253390}.TMContainer00000000000000000002.regtrans-ms Object is locked skipped
C:\Windows\Debug\PASSWD.LOG Object is locked skipped
C:\Windows\Debug\sam.log Object is locked skipped
C:\Windows\SchedLgU.Txt Object is locked skipped
C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat Object is locked skipped
C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat Object is locked skipped
C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WindowsUpdate.log Object is locked skipped
C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT Object is locked skipped
C:\Windows\ServiceProfiles\LocalService\ntuser.dat.LOG1 Object is locked skipped
C:\Windows\ServiceProfiles\LocalService\ntuser.dat.LOG2 Object is locked skipped
C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT{3a539869-6a70-11db-887c-d362bd253390}.TM.blf Object is locked skipped
C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT{3a539869-6a70-11db-887c-d362bd253390}.TMContainer00000000000000000001.regtrans-ms Object is locked skipped
C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT{3a539869-6a70-11db-887c-d362bd253390}.TMContainer00000000000000000002.regtrans-ms Object is locked skipped
C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT Object is locked skipped
C:\Windows\ServiceProfiles\NetworkService\ntuser.dat.LOG1 Object is locked skipped
C:\Windows\ServiceProfiles\NetworkService\ntuser.dat.LOG2 Object is locked skipped
C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT{3a539865-6a70-11db-887c-d362bd253390}.TM.blf Object is locked skipped
C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT{3a539865-6a70-11db-887c-d362bd253390}.TMContainer00000000000000000001.regtrans-ms Object is locked skipped
C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT{3a539865-6a70-11db-887c-d362bd253390}.TMContainer00000000000000000002.regtrans-ms Object is locked skipped
C:\Windows\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0 Object is locked skipped
C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0 Object is locked skipped
C:\Windows\System32\catroot2\edb.log Object is locked skipped
C:\Windows\System32\catroot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb Object is locked skipped
C:\Windows\System32\catroot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb Object is locked skipped
C:\Windows\System32\config\COMPONENTS Object is locked skipped
C:\Windows\System32\config\COMPONENTS.LOG1 Object is locked skipped
C:\Windows\System32\config\COMPONENTS.LOG2 Object is locked skipped
C:\Windows\System32\config\DEFAULT Object is locked skipped
C:\Windows\System32\config\DEFAULT.LOG1 Object is locked skipped
C:\Windows\System32\config\DEFAULT.LOG2 Object is locked skipped
C:\Windows\System32\config\RegBack\COMPONENTS Object is locked skipped
C:\Windows\System32\config\RegBack\DEFAULT Object is locked skipped
C:\Windows\System32\config\RegBack\SAM Object is locked skipped
C:\Windows\System32\config\RegBack\SECURITY Object is locked skipped
C:\Windows\System32\config\RegBack\SOFTWARE Object is locked skipped
C:\Windows\System32\config\RegBack\SYSTEM Object is locked skipped
C:\Windows\System32\config\SAM Object is locked skipped
C:\Windows\System32\config\SAM.LOG1 Object is locked skipped
C:\Windows\System32\config\SAM.LOG2 Object is locked skipped
C:\Windows\System32\config\SECURITY Object is locked skipped
C:\Windows\System32\config\SECURITY.LOG1 Object is locked skipped
C:\Windows\System32\config\SECURITY.LOG2 Object is locked skipped
C:\Windows\System32\config\SOFTWARE Object is locked skipped
C:\Windows\System32\config\SOFTWARE.LOG1 Object is locked skipped
C:\Windows\System32\config\SOFTWARE.LOG2 Object is locked skipped
C:\Windows\System32\config\SYSTEM Object is locked skipped
C:\Windows\System32\config\SYSTEM.LOG1 Object is locked skipped
C:\Windows\System32\config\SYSTEM.LOG2 Object is locked skipped
C:\Windows\System32\config\TxR\{250834b7-750c-494d-bdc3-da86b6e2101a}.TxR.0.regtrans-ms Object is locked skipped
C:\Windows\System32\config\TxR\{250834b7-750c-494d-bdc3-da86b6e2101a}.TxR.1.regtrans-ms Object is locked skipped
C:\Windows\System32\config\TxR\{250834b7-750c-494d-bdc3-da86b6e2101a}.TxR.2.regtrans-ms Object is locked skipped
C:\Windows\System32\config\TxR\{250834b7-750c-494d-bdc3-da86b6e2101a}.TxR.blf Object is locked skipped
C:\Windows\System32\config\TxR\{250834B7-750C-494d-BDC3-DA86B6E2101B}.TM.blf Object is locked skipped
C:\Windows\System32\config\TxR\{250834B7-750C-494d-BDC3-DA86B6E2101B}.TMContainer00000000000000000001.regtrans-ms Object is locked skipped
C:\Windows\System32\config\TxR\{250834B7-750C-494d-BDC3-DA86B6E2101B}.TMContainer00000000000000000002.regtrans-ms Object is locked skipped
C:\Windows\System32\drivers\sptd.sys Object is locked skipped
C:\Windows\System32\LogFiles\Scm\SCM.EVM Object is locked skipped
C:\Windows\System32\LogFiles\WUDF\WUDFTrace.etl Object is locked skipped
C:\Windows\System32\Msdtc\KtmRmTm.blf Object is locked skipped
C:\Windows\System32\Msdtc\KtmRmTmContainer00000000000000000001 Object is locked skipped
C:\Windows\System32\Msdtc\KtmRmTmContainer00000000000000000002 Object is locked skipped
C:\Windows\System32\spool\SpoolerETW.etl Object is locked skipped
C:\Windows\System32\wbem\Logs\WMITracing.log Object is locked skipped
C:\Windows\System32\wbem\Repository\INDEX.BTR Object is locked skipped
C:\Windows\System32\wbem\Repository\MAPPING1.MAP Object is locked skipped
C:\Windows\System32\wbem\Repository\MAPPING2.MAP Object is locked skipped
C:\Windows\System32\wbem\Repository\OBJECTS.DATA Object is locked skipped
C:\Windows\System32\WDI\LogFiles\WdiContextLog.etl.001 Object is locked skipped
C:\Windows\System32\wfp\wfpdiag.etl Object is locked skipped
C:\Windows\System32\winevt\Logs\Application.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\DFS Replication.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\HardwareEvents.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Internet Explorer.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Key Management Service.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Media Center.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Bits-Client%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-CodeIntegrity%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Diagnosis-DPS%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Diagnostics-Performance%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-DriverFrameworks-UserMode%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-GroupPolicy%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-International%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Kernel-WHEA.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-LanguagePackSetup%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-NetworkAccessProtection%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-ReadyBoost%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-ReliabilityAnalysisComponent%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-TaskScheduler%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-WindowsUpdateClient%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Security.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\System.evtx Object is locked skipped
C:\Windows\WindowsUpdate.log Object is locked skipped

Scan process completed.

08-07-2007, 08:03 AM	#1 (permalink)
Antwon Registered User Join Date: Aug 2007 Posts: 14 OS: Vista	Vista Vitumonde Problem A couple of days age my Windows defender gave me a pop-up that said Virtumonde was detected on my computer and gave me a "remove all" option so I chose that assuming that it would get rid of it. But, everyday since it poped up the first time it continues to come up and I get the most random pop-up even when Im not at my computer. Is there a way to get rid of this Virtumonde thing? Also, I forgot to mention that I ran both "Ad-ware SE" and "Spybot Search and destroy" but neither found anything. Last edited by Antwon; 08-07-2007 at 08:07 AM.

08-07-2007, 08:56 AM	#2 (permalink)
sUBs Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy Join Date: May 2005 Posts: 23,247 OS: N/A	Re: Vista Vitumonde Problem Please follow MicroBell's 5 Step process - http://www.techsupportforum.com/secu...sting-log.html. You shall have a proper set of logs for us after that __________________

08-07-2007, 09:29 AM	#3 (permalink)
Antwon Registered User Join Date: Aug 2007 Posts: 14 OS: Vista	Re: Vista Vitumonde Problem I cannot complete step 2 because I have Windows Vista and the scan doesn't support it is there any other way to complete that step?

08-07-2007, 09:32 AM	#4 (permalink)
sUBs Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy Join Date: May 2005 Posts: 23,247 OS: N/A	Re: Vista Vitumonde Problem Skip that & proceed to step #5 __________________ Last edited by sUBs; 08-07-2007 at 09:33 AM.

08-07-2007, 09:59 AM	#6 (permalink)
sUBs Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy Join Date: May 2005 Posts: 23,247 OS: N/A	Re: Vista Vitumonde Problem Do a HijackThis scan & place a check next to these items and select "Fix checked": R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = O1 - Hosts: ::1 localhost O2 - BHO: (no name) - {4F4FF801-79FC-4092-A19D-5927CA2A525F} - C:\Windows\system32\jkhfe.dll O2 - BHO: (no name) - {C6039E6C-BDE9-4de5-BB40-768CAA584FDC} - C:\Windows\system32\xalsitmf.dll O13 - Gopher Prefix: O20 - Winlogon Notify: gebbxxu - C:\Windows\SYSTEM32\gebbxxu.dll O20 - Winlogon Notify: jkhfe - C:\Windows\system32\jkhfe.dll Reboot the machine before posting a fresh Hijackthis log __________________

08-07-2007, 10:09 AM	#7 (permalink)
Antwon Registered User Join Date: Aug 2007 Posts: 14 OS: Vista	Re: Vista Vitumonde Problem Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 1:08:47 PM, on 8/7/2007 Platform: Windows Vista (WinNT 6.00.1904) MSIE: Internet Explorer v7.00 (7.00.6000.16473) Boot mode: Normal Running processes: C:\Windows\system32\Dwm.exe C:\Windows\Explorer.EXE C:\Windows\system32\taskeng.exe C:\Program Files\Windows Defender\MSASCui.exe C:\Program Files\QuickTime\qttask.exe C:\Windows\sttray.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Program Files\Windows Sidebar\sidebar.exe C:\Windows\System32\ctfmon.exe C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe C:\Windows\System32\rundll32.exe C:\Windows\ehome\ehtray.exe C:\Program Files\Windows Media Player\wmpnscfg.exe C:\Program Files\DAEMON Tools\daemon.exe C:\Program Files\GetRight\getright.exe C:\Windows\ehome\ehmsas.exe C:\Program Files\Logitech\SetPoint\SetPoint.exe C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 O2 - BHO: GetRight IE Download Helper - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe O4 - HKCU\..\Run: [Steam] C:\Program Files\Valve\Steam\\Steam.exe -silent O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033 O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE') O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe O4 - Global Startup: GetRight - Tray Icon.lnk = C:\Program Files\GetRight\getright.exe O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\Windows\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\Windows\Network Diagnostic\xpnetdiag.exe O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Program Files\SigmaTel\C-Major Audio\WDM\STacSV.exe -- End of file - 4498 bytes

08-07-2007, 10:17 AM	#8 (permalink)
sUBs Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy Join Date: May 2005 Posts: 23,247 OS: N/A	Re: Vista Vitumonde Problem Very good. The pop ups should abate. ------------ If you have not done so already, please enable the viewing of Hidden files From Windows Explorer, go to Tools → Folder Options → View tab. Tick - 'Show hidden files and folder' Untick - 'Hide file extensions for known types' Untick - 'Hide protected operating system files' Click Yes to confirm & then click OK Locate and delete the following files/folders: (let me know if you fail to find/delete any) C:\Windows\system32\wlfhgaeq.exe C:\Windows\system32\hldbungd.dll C:\Windows\system32\xrwmeqlb.exe C:\Windows\system32\exyapodu.exe C:\Windows\system32\rkkmkncx.exe C:\Windows\system32\sxghfkdv.exe C:\Windows\system32\llirxsgw.exe C:\Windows\system32\hiowritm.exe C:\Windows\system32\fxpcvyho.exe C:\Windows\system32\hpfehmoa.exe C:\Windows\system32\fquvshda.exe C:\Windows\system32\xalsitmf.dll C:\Windows\system32\iyvyjitl.exe C:\Windows\system32\efhkj.bak2 C:\Windows\system32\efhkj.bak1 C:\Windows\system32\jkhfe.dll C:\Windows\system32\gebbxxu.dll -------------- Click here perform an online scan >> Online Scanner --------------- In your next post, please include fresh logs from: Fresh Hijackthis log taken just before replying Online scan Please provide details of any problems you encountered whilst performing the above steps & update us on how the computer behaves now __________________

08-07-2007, 10:30 AM	#9 (permalink)
Antwon Registered User Join Date: Aug 2007 Posts: 14 OS: Vista	Re: Vista Vitumonde Problem There were 5 I was not able to locate and delete they were C:\Windows\system32\hldbungd.dll C:\Windows\system32\xalsitmf.dll C:\Windows\system32\efhkj.bak2 C:\Windows\system32\efhkj.bak1 C:\Windows\system32\jkhfe.dll My computer is running fine and I will give you another highjack report I just wanted to see if I could get these off first. Last edited by Antwon; 08-07-2007 at 10:33 AM.

08-07-2007, 10:56 AM	#10 (permalink)
sUBs Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy Join Date: May 2005 Posts: 23,247 OS: N/A	Re: Vista Vitumonde Problem Run another DSS scan. See if they turn up in the resultant log. Post that log if you're unsure __________________

08-07-2007, 11:54 AM	#12 (permalink)
sUBs Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy Join Date: May 2005 Posts: 23,247 OS: N/A	Re: Vista Vitumonde Problem Open up the command prompt. Go to Start > Run - type cmd.exe In the ensuing window, type this in ... Del /a C:\Windows\system32\efhkj.bak* __________________

08-07-2007, 05:11 PM	#13 (permalink)
Antwon Registered User Join Date: Aug 2007 Posts: 14 OS: Vista	Re: Vista Vitumonde Problem It didn't do anything.

08-07-2007, 06:20 PM	#14 (permalink)
Antwon Registered User Join Date: Aug 2007 Posts: 14 OS: Vista	Re: Vista Vitumonde Problem It says it can't find the path specified.

08-08-2007, 08:34 AM	#16 (permalink)
Antwon Registered User Join Date: Aug 2007 Posts: 14 OS: Vista	Re: Vista Vitumonde Problem No it says "Could Not Find C:\Windows\system32\efhkj.bak*"

08-08-2007, 11:29 AM	#17 (permalink)
sUBs Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy Join Date: May 2005 Posts: 23,247 OS: N/A	Re: Vista Vitumonde Problem Probably not there anymore. Let's leave it for the moment & continue with the online scan. Have you done the Kaspersky scan yet? Kindly refer to post #8 __________________

08-08-2007, 12:28 PM	#18 (permalink)
Antwon Registered User Join Date: Aug 2007 Posts: 14 OS: Vista	Re: Vista Vitumonde Problem Do I do all the scans or just one of them? Last edited by Antwon; 08-08-2007 at 12:38 PM.

08-08-2007, 12:44 PM	#19 (permalink)
sUBs Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy Join Date: May 2005 Posts: 23,247 OS: N/A	Re: Vista Vitumonde Problem Just the Kaspersky scan will do. __________________