1. I can't boot into Safe Mode. Each time I try, I get the Blue Screen.
2. So I ran Spybot Search & Destroy in Normal Mode. It found FirstRunRRR in the registry and I clicked Fix.
3. I rebooted, and get a popup window that says "Select File to Crack" and displays "My Documents"
4. I can't run the Online Virus Checker Kapersky. I click Accept, but nothing happens.
5. I found the files hldrrr.exe and mdelk.exe in windows/system32/drivers, I delete them and they reappear. I went to Trend Micro first, and they recommend that I turn off System Restore and run my Antivirus. No such luck there, so I am here now.
6. I can't find where the problem is, and why it keeps reappearing....
Here is my HijackThis Log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:49, on 2008-04-28
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ISS\Proventia Desktop\blackd.exe
C:\AdventNet\WebNMS\apache\bin\Apache.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\Program Files\ISS\Proventia Desktop\RapApp.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\SupportSoft_Amer_Motorola\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\SupportSoft_Amer_Motorola\bin\tgsrvc.exe
C:\Program Files\ISS\Proventia Desktop\vpatch.exe
C:\WINDOWS\system32\CCM\CLICOMP\RemCtrl\Wuser32.exe
C:\WINDOWS\system32\CCM\CcmExec.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\ISS\Proventia Desktop\RapUISvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\SupportSoft_Amer_Motorola\bin\sprtcmd.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\Program Files\HPQ\SHARED\HPQWMI.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.mot.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://my.mot.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = wwwgate0.mot.com:1080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.mot.com;*.gi.com;<local>
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: RSAToolbar - {749F8452-7D28-4658-A903-9B047E5A2CE8} - C:\Program Files\RSA Security\IE Toolbar\RSAToolbar.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [CSCAdvantage] "C:\Program Files\Help Desk\CSCAdv.exe" /s
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [CSCLogonInfo] C:\WINDOWS\UsrLogon.exe
O4 - HKLM\..\Run: [SupportSoft_Amer_Motorola] "C:\Program Files\SupportSoft_Amer_Motorola\bin\sprtcmd.exe" /P SupportSoft_Amer_Motorola
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SDFix] C:\SDFix\RunThis.bat /second
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
O4 - HKCU\..\Run: [URLy Warning] "C:\Program Files\URLy Warning\URLyWarning.exe" -quiet
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-21-863651691-3918403040-59684098-1006\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'sdm')
O4 - HKUS\S-1-5-18\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'Default user')
O4 - Global Startup: Bluetooth.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {164B406B-0FD6-4E7F-BA7E-64D227D4CA37} (dnlplayer Class) - http://www.digitalwebbooks.com/reader/dbplugin.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://access.motorola.com/dana-cached/setup/JuniperSetupSP1.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ds.mot.com
O17 - HKLM\Software\..\Telephony: DomainName = ds.mot.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ds.mot.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = am.mot.com,e1.bcs.mot.com,gic.gi.com,w1.bcs.mot.com,gi.com,corp.mot.com,ds.mot.com,mot.com,sps.mot.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = am.mot.com,e1.bcs.mot.com,gic.gi.com,w1.bcs.mot.com,gi.com,corp.mot.com,ds.mot.com,mot.com,sps.mot.com
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ApacheForSDM - Apache Software Foundation - C:\AdventNet\WebNMS\apache\bin\Apache.exe
O23 - Service: Adaptive Server Anywhere - WebNmsDB (ASANYs_WebNmsDB) - iAnywhere Solutions, Inc. - C:\Sybase\SQL Anywhere 9\win32\dbsrv9.exe
O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\ISS\Proventia Desktop\blackd.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Juniper Network Connect Service (dsNcService) - Juniper Networks - C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: RapApp - Internet Security Systems, Inc. - C:\Program Files\ISS\Proventia Desktop\RapApp.exe
O23 - Service: Reflection Line Printer Daemon - WRQ, Inc. - C:\Program Files\Reflection\lpdserv.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Motorola SDM (SDM Service) - Unknown owner - C:\WINDOWS\JavaService.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: SupportSoft Sprocket Service (supportsoft_amer_motorola) (sprtsvc_supportsoft_amer_motorola) - SupportSoft, Inc. - C:\Program Files\SupportSoft_Amer_Motorola\bin\sprtsvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: SupportSoft Repair Service (supportsoft_amer_motorola) (tgsrvc_supportsoft_amer_motorola) - SupportSoft, Inc. - C:\Program Files\SupportSoft_Amer_Motorola\bin\tgsrvc.exe
O23 - Service: ISS Buffer Overflow Exploit Prevention (VPatch) - Internet Security Systems, Inc. - C:\Program Files\ISS\Proventia Desktop\vpatch.exe
--
End of file - 11322 bytes