Hey guys
Here is my HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:49:44 AM, on 7/8/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\svchost.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O4 - HKLM\..\Run: [16826524] C:\Documents and Settings\All Users\Application Data\16826524\16826524.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [nvd32_r] rundll32.exe "C:\Documents and Settings\Owner\Application Data\unobi.dll" s
O4 - HKCU\..\Run: [DiskChk help] rundll32.exe "C:\Documents and Settings\All Users\proto.dll" run
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {dfb852a3-47f8-48c4-a200-58cab36fd2a2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {dfb852a3-47f8-48c4-a200-58cab36fd2a2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - AppInit_DLLs: cablki.dll ymwazv.dll wwqozw.dll chklvr.dll whynme.dll ozyhkl.dll lvvsjl.dll vdjmdi.dll xjewlj.dll pvqygx.dll xicnhs.dll omhxxv.dll cmxrqj.dll qlylfv.dll bjoaeb.dll wmpepn.dll rnhqoj.dll tberkr.dll nsanpc.dll lraiak.dll uszpgu.dll tbiind.dll hdwmym.dll yrevto.dll mdmfyl.dll xlxhmp.dll C:\WINDOWS\system32\kijazere.dll c:\windows\system32\ c:\windows\system32\ c:\windows\system32\
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Machine Debug Manager (MDM) - Unknown owner - C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE (file missing)
--
End of file - 3626 bytes
*********
When I start my computer, it becomes really slow on my login screen
and takes even longer once I log on and Windows is starting up at the
bottom of the screen.
I ran Spybot S&D numerous times, even when rebooting my computer.
It mainly deleted Virtumonde a bunch of times and some new trojans
came up such as "Security Microsoft Something" and others I can't really remember.
Afterwards, my computer freezes, an older version of Windows XP takes
place, causing my audio to not work on websites (only on games installed on the computer) and says I have no audio device installed.
Then usually a prompt comes up saying "Windows has files that have recently been replaced, please reinstall the windows.exe with your discs" (I lost my discs a while ago.. this is an old Dell) I click off the window and it keeps reappearing. Maybe this is all the same virus?
I checked my Task Manager and I see a lot of these .exe processes that I try to end before it takes over and changes my Windows settings.
Known processes are:
versclid.exe
spoolsv.exe (these first two always pop up when my windows xp becomes the older version and the audio hardware doesn't work)
alg.exe
0134246.exe (not exactly the same but two usually come up with random numbers)
wsctfy.exe
backweb-2349084.exe (once again an example)
& then a BUNCH of svchost.exe files, which leads into my next problem.
I open up the internet browser I use currently (which is Google Chrome),
and my internet works for just a little bit,
and then I'll get pop-ups saying Application Error - the instruction at "0x00f2220e" referenced memory at "0x3138e000" could not be written. Svchost.exe has an unsuspecting error and has to terminate. Click OK to terminate the program.
*When I check the Task Manager, a few of the svchost.exe files start increasing drastically in Mem usage, causing my internet to crash. If I end that process, it turns my internet back to being fast, but then when I open up a new page it comes back and slows it down again. If I delete the wrong exe, it counts down a restart on my computer.. this becomes an enormous pain.
I saved a backup registry in case you guys need it.
Any help would be greatly appreciated.
Thanks!