Help with Virtumonde on Son's computer

[Mikey1946]

My son dropped off his Dell Dimension 4300 last night and asked me to figure out why it runs so slow and is plagued by pop-ups. After considerable clean-up I'm left with Virtumonde. Looks like there are no simple fixes so please help me remove this Trojan horse.

After 3 Spybot scans I'm left with the following



Virtumonde: [SBI $779C9C0D] Settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP

Virtumonde: [SBI $FD08B4B7] Configuration file (File, nothing done)
C:\WINDOWS\system32\aKQXxyxx.ini2

Virtumonde: [SBI $2A2DCEAC] Configuration file (File, nothing done)
C:\WINDOWS\system32\aKQXxyxx.ini

Thanks for your consideration and help.

[Bio-Hazard]

Hello and Welcome to forums!

My name is Bio-Hazard and I will be helping you to remove any infection(s) that you may have.

Please observe these rules while we work:

• I will be working on your Malware issues this may or may not solve other issues you have with your machine.
• The fixes are specific to your problem and should only be used for this issue on this machine.
• I f you don't know or understand something please don't hesitate to ask.
• Please DO NOT run any other tools or scans whilst I am helping you.
• It is important that you reply to this thread. Do not start a new topic.
• Absence of symptoms does not mean that everything is clear.

NOTE: Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe


Download HijackThis

To get things going i need you to download HijackThis see the instructions below.

• Click HERE to download HijackThis Installer
• Save HijackThis Installer to your desktop.
• Doubleclick on the HijackThis Installer icon on your desktop.
• By default it will install to C:\Program Files\Trend Micro\HijackThis .
• Click on Install.
• It will create a HijackThis icon on the desktop.
• Once installed it will launch Hijackthis.
• Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
• Click on Edit > Select All then click on Edit > Copy to copy the entire contents of the log.
• Come back here to this thread and Paste the log in your next reply.

DO NOT use the AnalyseThis button its findings are dangerous if misinterpreted.
DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.


Malwarebytes' Anti-Malware

Please download Malwarebytes Anti-Malware and save it to your desktop.

• Alternate download link 1
  Alternate download link 2

• Make sure you are connected to the Internet.
• Double-click on mbam-setup.exe to install the application.
• When the installation begins, follow the prompts and do not make any changes to default settings.
• When installation has finished, make sure you leave both of these checked:
  
  • Update Malwarebytes' Anti-Malware
  • Launch Malwarebytes' Anti-Malware
  
  
• Then click Finish.
• MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
• On the Scanner tab:
  
  • Make sure the Perform Full Scan option is selected.
  • Then click on the Scan button.
  
  
• If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
• The scan will begin and Scan in progress will show at the top. It may take some time to complete so please be patient.
• When the scan is finished, a message box will say The scan completed successfully. Click 'Show Results' to display all objects found.
• Click OK to close the message box and continue with the removal process.
• Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
• Make sure that everything is checked, and click Remove Selected.
• When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
• The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
• Copy and paste the contents of that report in your next reply and exit MBAM.

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

Logs/Information to Post in Next Reply

Please post the following logs/Information in your reply:

• Malwarebytes Antimalware Log
• A HijackThis Log ( after all the above has been done)
• A description of how your computer is behaving

[Mikey1946]

Malwarebytes' Anti-Malware 1.30
Database version: 1434
Windows 5.1.2600 Service Pack 2

11/29/2008 1:19:05 PM
mbam-log-2008-11-29 (13-19-05).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 111520
Time elapsed: 1 hour(s), 1 minute(s), 24 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 5
Registry Keys Infected: 43
Registry Values Infected: 2
Registry Data Items Infected: 2
Folders Infected: 4
Files Infected: 39

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\xxyxXQKa.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\vbddjn.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\hfwhrk.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\fgbrcy.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\psuajk.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{774cbb01-755f-450b-9772-4304d97b14b1} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{774cbb01-755f-450b-9772-4304d97b14b1} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c61f020e-d55d-4278-aa1f-6b05b8955743} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{c61f020e-d55d-4278-aa1f-6b05b8955743} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{aadfed38-03c6-488d-ab7f-4d1ed9a89a34} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{c5f05b78-929c-4b0d-b14d-ea4f2fe6eb36} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{ee4167c3-ddd2-4fe3-b1a7-21c75fab74ac} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{774cbb01-755f-450b-9772-4304d97b14b1} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\bho_myjavacore.mjcore (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\bho_myjavacore.mjcore.1 (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2 (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\c:/windows/downloaded program files/popcaploader.dll (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{c9c5deaf-0a1f-4660-8279-9edfad6fefe1} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{e4e3e0f8-cd30-4380-8ce9-b96904bdefca} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{fe8a736f-4124-4d9c-b4b1-3b12381efabe} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2.1 (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\testcpv6.bho (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\testcpv6.bho.1 (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{17e44256-51e0-4d46-a0c8-44e80ab4ba5b} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{2e4a04a1-a24d-45ae-aca4-949778400813} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{e0f01490-dcf3-4357-95aa-169a8c2b2190} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{63334394-3da3-4b29-a041-03535909d361} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{80ef304a-b1c4-425c-8535-95ab6f1eefb8} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{ff46f4ab-a85f-487e-b399-3f191ac0fe23} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{d88e1558-7c2d-407a-953a-c044f5607cea} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{15421b84-3488-49a7-ad18-cbf84a3efaf6} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{a63e645f-13bd-45ed-b15f-6e8c1bd57279} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{a63e645f-13bd-45ed-b15f-6e8c1bd57279} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\BHO_MyJavaCore.DLL (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\testCPV6.DLL (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SpeedRunner (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\SpeedRunner (Adware.SurfAccuracy) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\MediaHoldings (Adware.PlayMP3Z) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR (Trojan.DNSChanger) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE (Trojan.Downloader) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\Downloaded Program Files\popcaploader.dll (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gadcom (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\xxyxxqka -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\xxyxxqka -> Delete on reboot.

Folders Infected:
C:\Program Files\Webtools (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\Mjcore (Trojan.BHO) -> Quarantined and deleted successfully.
C:\Documents and Settings\Deanna and Jeff\Application Data\gadcom (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Deanna and Jeff\Application Data\speedrunner (Adware.SurfAccuracy) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\psuajk.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\xxyxXQKa.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\aKQXxyxx.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\aKQXxyxx.ini2 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ccbwumnh.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\hnmuwbcc.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\eaydguiv.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\viugdyae.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\nepvrgrd.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drgrvpen.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\nvdubbfi.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ifbbudvn.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\pvwidmow.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\womdiwvp.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\vorarqvn.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\nvqrarov.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\vbddjn.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\hfwhrk.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\fgbrcy.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\Downloaded Program Files\popcaploader.dll (Adware.PopCap) -> Quarantined and deleted successfully.
C:\Program Files\Mjcore\Mjcore.dll (Trojan.BHO) -> Quarantined and deleted successfully.
C:\Program Files\Webtools\webtools.dll (Trojan.BHO) -> Quarantined and deleted successfully.
C:\Documents and Settings\Deanna and Jeff\Local Settings\Temporary Internet Files\Content.IE5\CJFOFQ5E\zc113432[1] (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Documents and Settings\Deanna and Jeff\Local Settings\Temporary Internet Files\Content.IE5\ZLXBBLPH\index[1] (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Program Files\Common Files\qfqq\qfqqa.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Program Files\Common Files\qfqq\qfqql.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Program Files\Common Files\qfqq\qfqqp.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Program Files\Common Files\qfqq\qfqqd\qfqqc.dll (Adware.TargetServer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{16BCF36D-2658-49E3-8031-A87E3D98FB13}\RP578\A0114158.exe (Trojan.Adclicker) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\olxshbjq.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\obprmllc.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ohyevgbu.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\pvdazw.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\juwwwlrq.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\xkydwqtx.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Deanna and Jeff\Application Data\speedrunner\config.cfg (Adware.SurfAccuracy) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mcrh.tmp (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\fqAy1I1J.exe.a_a (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\FqBRJWl4.exe.a_a (Trojan.Agent) -> Quarantined and deleted successfully.


Hijackthis report after above scan

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:26:04 PM, on 11/29/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\Nhksrv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Netscape\Navigator 9\navigator.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {3571F42A-E6F3-417E-B440-BEAA0095EBF4} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {573C4CFD-92A3-46EB-A73A-FCBF44D97341} - (no file)
O2 - BHO: (no name) - {5AC3814C-4C56-487F-A926-4F5A21214000} - (no file)
O2 - BHO: (no name) - {6C9D475F-14EC-4E35-B8C1-E7A8C666304E} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O2 - BHO: (no name) - {90198772-08F8-4D28-9144-85E5C6563080} - (no file)
O2 - BHO: (no name) - {A0A5C793-83E0-4315-8601-722564756CFD} - (no file)
O2 - BHO: (no name) - {BDC91C76-E923-4059-8D97-1073E7CB6C83} - (no file)
O2 - BHO: (no name) - {C151026B-B7D6-4445-AF34-D272B586BFBF} - (no file)
O2 - BHO: (no name) - {EB41AA2B-ADDC-425C-842B-3BD0D7696A61} - (no file)
O3 - Toolbar: (no name) - {A8EA8CB2-5391-4492-A82C-CBE438C35252} - (no file)
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\RunOnce: [CheckNetworkConnection] "C:\Program Files\Support.com\providerComcast\desktopdoctor.exe" /flow /flow=diagnosenetwork /trayclick=true /haveconfirmedwiring=true /haverenewed=true /haverestartedmodem=true /onrestart=true /havehealed=true /issuenumber=592fe0a5-29c9-4626-bcb5-4d6ba95ce6fb
O4 - HKUS\S-1-5-18\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil9e.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil9e.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {4B9F2C37-C0CF-42BC-BB2D-DCFA8B25CABF} (PopCapLoaderCtrl Class) - http://zone.msn.com/bingame/rock/def...caploader1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1163832925908
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramewor...o.cab56649.cab
O20 - AppInit_DLLs: crpekp.dll vbddjn.dll sqdiqy.dll xrtknx.dll hfwhrk.dll fgbrcy.dll psuajk.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe

--
End of file - 5252 bytes

[Mikey1946]

Before I started this repair I had replaced his Microsoft Explorer web browser with Netscape. I had heard that the former was buggy and I didn't care for the updated version of Explorer. I had some problems with Explorer on my laptop ( excessive pop-ups) and Netscape was my fix in that case.

Anyway, now using Netscape, and with the repair you recommended above, his computer is running better than it ever has, with no annoying pop-ups and slow downs. Thanks for you help

[Mikey1946]

Another thing . . . the "automatic updates" is now working. THANKS

[Bio-Hazard]

Before I started this repair I had replaced his Microsoft Explorer web browser with Netscape. I had heard that the former was buggy and I didn't care for the updated version of Explorer. I had some problems with Explorer on my laptop ( excessive pop-ups) and Netscape was my fix in that case.

Anyway, now using Netscape, and with the repair you recommended above, his computer is running better than it ever has, with no annoying pop-ups and slow downs.

Popups was a produced by the infection. I would recommend you to start a new thread about your laptop. Internet explorer is not that bad as long as it kept up to date. Netscape has now been discontinued. I would recommend using either Firefox or Opera.

Firefox or Opera


Download and Run ComboFix

We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

HOW TO USE COMBOFIX

IMPORTANT: combofix.exe MUST be on your Desktop for us to proceed.

Please continue as follows:

• Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
• Double click on ComboFix.exe and follow the prompts.
• As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
• Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

NOTE: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

• Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
  
  
• Click on Yes, to continue scanning for malware.
• Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

Combofix should never take more that 20 minutes including the reboot if malware is detected.


Antivirus

Looking over your log it seems you don't have any evidence of an anti-virus software.

Anti-virus software are programs that detect cleans and erase harmful virus files on a computer
Web server or network. Unchecked virus files can unintentionally be forwarded to others including trading partners and thereby spreading infection. Because new viruses regularly emerge anti-virus software should be updated frequently. Anti-virus software can scan the computer memory and disk drives for malicious code. They can alert the user if a virus is present and will clean delete (or quarantine) infected files or directories. Please download a free anti-virus software from one these excellent vendors NOW:

• Avira AntiVir Personal - Free anti-virus software for Windows. Detects and removes more than 50000 viruses. Free support.
• avast! 4 Home Edition - Anti-virus program for Windows. The home edition is freeware for noncommercial users.
• AVG Anti-Virus Free Edition - Free edition of the AVG anti-virus program for Windows.

It is strongly recommended that you run only one antivirus program at a time. Having more than one antivirus program active in memory uses additional resources and can result in program conflicts and false virus alerts. If you choose to install more than one antivirus program on your computer then only one of them should be active in memory at a time.



Next Reply

Please reply with:

• ComboFix log (found at C:\Combofix.txt)
• New HijackThis log