View Full Version : Windows 32 dll trojan
mustang80
December 12th, 2007, 10:30 AM
I have Trojan horse Generic9.AATD in C:\WINDOWS\system32\dx7v.dll and in system32\dx7v.1
It's been a bugger to remove. I've tried everything. AVG keeps giving a warning screen, Kaspersky couldn't get rid of it, Ad-Aware doesn't find it, SUPERAntiSpyware can't get rid of it either. It's not a file that can be deleted. Symantec does not have it in their library.
Anyone else dealt with this?
RACKnRAIL
December 12th, 2007, 10:57 AM
I have not the time to google this virus, but you can try housecall (http://housecall.trendmicro.com/) online virus scanner in the meantime. You can also try google for answers, as I am sure others have had this same problem.
drtoker
December 12th, 2007, 10:57 AM
Either boot into safe mode and try to delete it there, or, download HijackThis. Under Misc Tools, there's an option to Delete file on reboot. This will (hopefully) delete the DLL before it gets loaded into windows on your next reboot.
Hope this helps.
Tic3
December 12th, 2007, 11:53 AM
Also, be sure to turn OFF system restore before trying to remove the file.
HelenaP
December 12th, 2007, 07:17 PM
I have Trojan horse Generic9.AATD in C:\WINDOWS\system32\dx7v.dll and in system32\dx7v.1
It's been a bugger to remove. I've tried everything. AVG keeps giving a warning screen, Kaspersky couldn't get rid of it, Ad-Aware doesn't find it, SUPERAntiSpyware can't get rid of it either. It's not a file that can be deleted. Symantec does not have it in their library.
Anyone else dealt with this?
If the suggestions made by the others do not work, especially remember to do this before proceeding-
Also, be sure to turn OFF system restore before trying to remove the file.
Please look at this forum post first (http://forum.hijackthis.de/showpost.php?p=164174&postcount=8), try what is suggested, and if it doesn't remove your trojan, proceed to the following-
(I authored this for another forum on July 10th of this year)-
For anyone that catches something and cannot get rid of it, try this.
The Sysclean Package by Trend Micro.
I used it a year ago and it removed the parasite.
I also became aware of how critical it is for the safety of my computer, to scan everything before opening,
as well as before seeding a torrent.
I have not been infected by anything since.
Please be mindful that it can take up to three hours or more to run while in *Safe Mode (very important to be in *S.M.),
but that if it can be cleaned by this powerful tool, it will be.
If it does not, it's a bad one and time for the shop...
Please go here-
http://www.trendmicro.com/download/dcs.asp
Read towards the bottom- Follow directions carefully.
Again, this virus clean up may take 3 or more hours...
(Download what I have typed in red)-
"If you are not a Trend Micro customer please download the following file.
Sysclean Package 3.2MB
MD5 checksum: 81a08891253807c6124a28e6acf887d6
NOTE:
For instructions on how to use this package, consult the "How to Use" section of the readme file, readme_sysclean.txt. This file also contains the description and the different features of this package.
Note that for the Trend Micro Sysclean Package to be effective, you must download and place the latest pattern file in the same folder as the Trend Micro Sysclean Package.
DCT CONTROL RELEASE
Download Latest DCT Control Release
The Damage Cleanup Template (DCT) Control Release is a pre-release version of Damage Cleanup Template (DCT) and is updated by TrendLabs almost as often as new samples come in. Since it is designed to clean registries and system files from 'in-the-wild' malware infections, DCT Control release receives only preliminary testing. DCT Control Release also must be deployed manually to your product.
Click the link above for additional information and deployment instructions. Users are advised to read the succeeding disclaimer carefully before downloading the current DCT Control Release."
Good luck!
hightimes
December 12th, 2007, 07:36 PM
first off...lets do this
start..run..type in..%temp%..a new window will open..delete all folders/files in the new window..right click..select all..delete
same thing re..start..run..type in..temp..same thing..delete all of them
ok,1 more time..start,run.type in..prefetch..remove all of them.
ok..now lets go to start..run..type in..msconfig...press enter..a new windows will open up
select the START UP TAB..(if it was me..i would DISABLE ALL.press apply..press ok)..do not reboot yet..close all windows
now go to start..control panel..folder options.(if u do not see folder options..on left hand side..click switch to classic view)..folder options..view..half way down u will see...SHOW ALL HIDDEN FILES AND FOLDERS)check that..press apply..press ok..
hmm, some ppl do not suggest that u turn off system restore because if something happens u will not be able to restore to an earlier time..so we will skip that part( unless u want to turn it off..(all programs..system tools..system restore..u will see option to turn off restore..u will have to press apply and ok)
now lets go here and run a free online scan
http://support.f-secure.com/enu/home/ols.shtml
remove anything and everything f-secure finds
(this could take a couple hrs depending on what u have on pc)
u said u have superantispyware.did it detect the threat also..try to scan with it now since we have exposed folders/files
remove anything superantispyware finds
now if u are still infected
u can try ..
hijackthis
smitfraud fix
combo fix
if u have no idea what these are or how to use them..u can email me if interested
or u can visit one of these forums and get professional help for free
http://www.geekstogo.com/
http://forums.whatthetech.com/forums.html
http://www.castlecops.com/
Krell
December 12th, 2007, 10:01 PM
I've already posted the mother of all antivirus efforts on the 8th.
use the SEARCH function.
After you install and update Spybot, be sure to Click on IMMUNIZE the system
Use the Advanced Mode --> Tools > Host file
Then be sure that the Spyware Blaster is updated and all protection enabled.
Then run Hijack This. Dont make changes with it yet.
http://www.bleepingcomputer.com/tutorials/tutorial42.html
there are plenty of FREE web based scans out there that always have the most updated virus definitions. Run them, and say YES when asked to disinfect.
http://www.trendmicro.com/hc_intro/default.asp
http://www.pandasoftware.com/activescan/activescan/ascan_2.asp
http://www.bitdefender.com/scan8/ie.html
http://security.symantec.com/sscv6/home.asp?langid=ie&venid=sym&plfid=23&pkj=WXMPJUIYCZRWEJGSSKE
http://www.kaspersky.com/scanforvirus.html
http://www3.ca.com/securityadvisor/virusinfo/scan.aspx
http://support.f-secure.com/enu/home/ols.shtml
INDIVIDUAL FILE SCAN - http://virusscan.jotti.org/
mustang80
December 13th, 2007, 12:54 PM
Hightimes I did all that and still no go.
HelenaP
December 13th, 2007, 02:17 PM
Hightimes I did all that and still no go.
Then why don't you try what I suggested?
I may be a woman, but head the "Protect your Computer" section at our site...
I do know what I am talking about, but it's your computer....
Krell
December 13th, 2007, 02:29 PM
Then why don't you try what I suggested?
I may be a woman, but head the "Protect your Computer" section at our site...
I do know what I am talking about, but it's your computer....
You can lead a horse to water but . . . .
This has always been a problem here, you spell things out and do everything but go to their house and do it FOR them, but to no avail.
Your suggestions were good, hightimes was right on with deleting the temp folders etc, and there are dozens if not hundreds of examples here to follow, let alone GOOGLE the answers.
You see why I'm an intolerant bastard? You just have to keep realistic expectations, throw your bit out there, and let the dice roll from there.
HelenaP
December 13th, 2007, 02:54 PM
You can lead a horse to water but . . . .
This has always been a problem here, you spell things out and do everything but go to their house and do it FOR them, but to no avail.
Your suggestions were good, hightimes was right on with deleting the temp folders etc, and there are dozens if not hundreds of examples here to follow, let alone GOOGLE the answers.
You see why I'm an intolerant bastard? You just have to keep realistic expectations, throw your bit out there, and let the dice roll from there.
No shite. Today has been frustrating, not here but elsewhere (I need another wireless adapter and am having to deal with hubby's laptop while waiting on it. I hate laptops).
All I know is that I love my machine. I must say you worded my thoughts nicely, cuz I ain't in that good a mood right now and may have said the same thing, in quite a different way...<snickers to self>
Cheers!
P.S. I am quite the intolerant bi*ch as well. What's your mother's name?
mustang80
December 13th, 2007, 08:18 PM
okay Helena, I am now doing it your way.
Ill let you know what happens. I did not mean to diss you, I guess the other post just came up first.
The woman is usually always right, its just a guy thing to go it his way first.
RACKnRAIL
December 13th, 2007, 09:11 PM
okay Helena, I am now doing it your way.
Ill let you know what happens. I did not mean to diss you, I guess the other post just came up first.
The woman is usually always right, its just a guy thing to go it his way first.
Don't be dissin' Krell either. IMHO, he is the resident computer expert here.
The problem is when people don't help themselves.
mustang80
December 14th, 2007, 04:04 PM
I completed the procedure as outlined by HelenaP. It's still there. This one has me stumped. It does not seem to be actually doing anything, yet. Looks like a format is coming, I'm due anyway.
Thanks for your help folks. By the way your guides did find a few other bugs that were laying in the bushes.
HelenaP
December 14th, 2007, 04:17 PM
I completed the procedure as outlined by HelenaP. It's still there. This one has me stumped. It does not seem to be actually doing anything, yet. Looks like a format is coming, I'm due anyway.
Thanks for your help folks. By the way your guides did find a few other bugs that were laying in the bushes.
Um... Krell is much more astute with these things...
but did the procedure finish? Or did it get "stuck?"
I ask, because if it got stuck, it's probably a worm and that's a totally different animal...
Hopefully, you say that it completed...
hightimes
December 15th, 2007, 06:45 AM
http://hijackthis.de/
once u get here...in the top right hand corner, u will see..."direct download"..click that ..and save it to...c/program files
once u have it saved to c/program files..go to the folder...open it up..and run hijackthis
when hijackthis opens..it will ask if u want to scan ur pc
click scan my computer "and save log file"the log file will be a notepad pop up..just save it to ur desktop
now that u have scanned pc and saved logfile
go back to ...hijackthis.de...scroll down until u see the blank space...now open the logfile u just saved..right click and copy..now paste the log file inside the empty space.....now press analyze
u will now see...green checkmarks for good/safe
u will see red x for bad/threats
or u will see yellow ?
u should only have 2 windows open right now...hijackthis (the program)
and the website
if u look at hijackthis u will see a box in front of all the items...u can put a checkmark next to any item that is bad and click remove checked items...REMOVE THEM ALL AT ONCE..NOT SEPARATELY..id like to see a copy of the hijackthis log file
once u have completed this..restart pc
could ya tell me again..what detected it?....
AVG - - Generic9.AATD
BitDefender - - Trojan.Spy.Bzub.NGP
F-Secure - - Trojan.Win32.BHO.abo
Kaspersky - - Trojan.Win32.BHO.abo
Prevx1 - - Trojan.DoS.Win32.Opdos
these are all the same threat just different names from av company
i believe u said avg detected this.....all of these antivirus do detect the threat and should remove it pretty easily( lol, i bet u dont think so)
http://www.bitdefender.com/scan8/ie.html
http://info.prevx.com/downloadcsi.asp
when dealing with hijackthis..please be very careful and do not remove anything u are not sure of....if u have no idea...just post a copy of hijackthis or send to my email and ill help ya....sorry took so long to get back to ya
December 15th, 2007, 07:08 AM
Try Windows Defender it will find these pests and remove them.
RACKnRAIL
December 15th, 2007, 07:11 AM
Try Windows Defender it will find these pests and remove them.
......LOL!
HelenaP
December 15th, 2007, 12:10 PM
......LOL!
Really..almost as funny as Vista.
YWD67
December 15th, 2007, 04:02 PM
Really..almost as funny as Vista.
Windows background runner?
This looks like a job for..........................................KillBox!
Unless I was stupid enough to miss someone posting that idea already.
1cooldude
December 15th, 2007, 08:18 PM
and, if you've tried all options and still it does not work,
May I recommend the surest thing that will work!!>>>FORMAT 'C'
That'll teach them not to fuck with your 'puter.:icon_thum
mustang80
December 15th, 2007, 10:43 PM
HelenaP,
It got "stuck".
I noticed nothing at all happening in other locations.
I have not formatted yet but am preparing to do so. I usually format every 90 days anyway so it's not a big deal. I'm just perplexed at not being able to rid the drive of this. I am usually very astute with this type of infection but found myself at a loss with this one. All of you have given very good advice and I thank you. Your methods found other things that were laying in wait. I thank you.
Do any of you have any experience dealing with dedicated windows sys dll files?
Krell
December 16th, 2007, 01:55 AM
Ok boys and girls . . before this guy formats the shit out of his computer . . .
What's the # 1 thing I suggest to everyone . . . the universal "get out of jail card" ? Whats the ONE FREAKIN THING that I want you to have in your grubby little panhandlin hands?
And why y y y y ?
why?
why?
why?
DigitalJunkie
December 16th, 2007, 02:29 AM
miniPE-XT?
northwest stew
December 16th, 2007, 03:11 AM
Ok boys and girls Whats the ONE FREAKIN THING that I want you to have in your grubby little panhandlin hands?
Is it a can of easy cheese?
HelenaP
December 16th, 2007, 04:44 AM
HelenaP,
It got "stuck".
I noticed nothing at all happening in other locations.
I have not formatted yet but am preparing to do so. I usually format every 90 days anyway so it's not a big deal. I'm just perplexed at not being able to rid the drive of this. I am usually very astute with this type of infection but found myself at a loss with this one. All of you have given very good advice and I thank you. Your methods found other things that were laying in wait. I thank you.
Do any of you have any experience dealing with dedicated windows sys dll files?
Krell, not ignoring your post, but I just saw his post...
mustang80- I think you have a worm and...that's bad. Look for the answer to Krell's question before reformatting (reformatting.. you are going to have to start clean if it's a worm, which I believe it is.).
It "got stuck." That's very bad. Replication has most likely begun..
Krell
December 16th, 2007, 10:53 AM
DING DING DING DING
DigitalJunkie wins the prize.
The MiniXP CD will give you tools to work with while your problematic or victimized OS is not in use. On the MiniXT Cd, there are a number of anti-virus softwares, and you can run an instance of Norton, on each drive letter or partition, AT THE SAME TIME.
Let's assume that this virus\worm has rendered his system useless. Even so, the MiniXT CD will give you better tools to wipe and repartition and test the system with.
Ok, so you used the MiniXT CD to migrate your data, wipe the drives and then reinstalled your OS, drivers, and got everything j u u u s t the way you want it, with the least amount of software installed, such as firewall etc. Things are picture perfect and you have a big grin on your face after 8 hours of labor . . .
Now use the MiniXT cd to make an IMAGE by using Acronis and Ghost, call the image <date><known good with drivers> etc and save it to a local partition. Then, using the MiniXT CD, you use the Nero on there to burn that image to a DVD for a second copy, safe keeping.
In the future, when your system goes to hell in a hand basket, you can RESTORE from your known good image in 2 minutes!!! Two freakin minutes.
The other thing you may want to consider, is to get the "everestultimate_build_0989" and run a full report as a txt file, and post the info so I can examine your system and look for other factors, such as drive partition sizes, drives etc etc. If you're concerned about PII, Personally Identifiable Information, you can email or IM me the txt file, and I can edit it and post.
And finally, did you know that you can back up ALL of the drivers on your system to folders and save for a re install with one small util?
I posted the links to the MiniXT and the 3-n-1 torrent in the past week, you should be able to search and find them.
mustang80
December 17th, 2007, 04:14 PM
Did everything you all said. Its still there.
Its found by AVG.
It was also detected by Kaspersky.
Here is the "cleaned" log file from HijackThis.
Logfile of HijackThis v1.99.1
Scan saved at 6:26:23 PM, on 12/17/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZuneBusEnum.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\Coast to Coast AM Media Center\Coast to Coast AM Media Center.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\DOCUME~1\LOUMIR~1\LOCALS~1\Temp\Temporary Directory 1 for hijackthis_199[1].zip\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {E0CC0317-BA29-4C79-A5FF-440ADC0989D2} - C:\WINDOWS\system32\dx7v.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [CTSyncU.exe] "C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKCU\..\Run: [Coast to Coast AM] C:\Program Files\Coast to Coast AM Media Center\Coast to Coast AM Media Center.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15030/CTSUEng.cab
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {D1548A26-B8F6-4E86-AE74-E7062CCC2E2A} (igLoader Content on Demand) - http://www.miniclip.com/igloader/igloader.CAB
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15030/CTPID.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
HelenaP
December 17th, 2007, 04:47 PM
OK, at a quick glance, did you download something (I don't remember if you mentioned yes or no already) before all this happened? Something...erm, not paid for? Not free software?
Something looking familiar to these items-
O2 - BHO: (no name) - {E0CC0317-BA29-4C79-A5FF-440ADC0989D2} - C:\WINDOWS\system32\dx7v.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
??
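HelenaP's read of the log above singles out the BHO registered with no name that points at C:\WINDOWS\system32\dx7v.dll and the two xpnetdiag entries whose file is missing. As an added example (my code, not anything posted in the thread), the script below parses the O2, O4 and O9 lines of a HijackThis log and flags exactly those patterns; the sample log inside is constructed from lines in the thread, and the flagging rules are my own triage heuristics, not HijackThis logic.

```python
"""Triage a HijackThis (HJT) log: pull out the O2 BHO, O4 Run and O9 entries
and flag the ones a defender would look at first.

Heuristics (starting points for a manual check, not verdicts):
  * a BHO registered as "(no name)": legitimate add-ons almost always
    register a display name;
  * a BHO DLL sitting directly in the Windows system32 folder: third-party
    browser helpers normally install under Program Files;
  * any entry whose target is reported "(file missing)": a dangling
    registration that can simply be cleaned up.
"""
import re
from dataclasses import dataclass, field

# Constructed sample in HijackThis v1.99 format, modelled on the log posted
# in the thread; dx7v.dll is the file under discussion.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {E0CC0317-BA29-4C79-A5FF-440ADC0989D2} - C:\WINDOWS\system32\dx7v.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
"""

# O2 - BHO: <name> - {<clsid>} - <dll path>
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
# O4 - <hive>\..\Run: [<value name>] <command line>
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<value>[^\]]+)\] (?P<cmd>.+)$")
# O9 - Extra button / 'Tools' menuitem: <name> - {<clsid>} - <path>
O9_RE = re.compile(r"^O9 - Extra (?:button|'Tools' menuitem): (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
# A file that lives directly in <drive>:\WINDOWS\system32 (no deeper folder).
SYSTEM32_RE = re.compile(r"^[A-Za-z]:\\WINDOWS\\system32\\[^\\]+$", re.IGNORECASE)


@dataclass
class Entry:
    kind: str                 # "O2", "O4" or "O9"
    name: str                 # BHO/button name, or the Run value name
    path: str                 # DLL path, target path or command line
    clsid: str = ""
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def parse_entries(log_text: str) -> list:
    """Return the O2/O4/O9 entries of an HJT log as Entry objects."""
    entries = []
    for line in log_text.splitlines():
        line = line.strip()
        if m := O2_RE.match(line):
            entries.append(Entry("O2", m["name"], m["path"], m["clsid"]))
        elif m := O4_RE.match(line):
            entries.append(Entry("O4", m["value"], m["cmd"]))
        elif m := O9_RE.match(line):
            entries.append(Entry("O9", m["name"], m["path"], m["clsid"]))
    return entries


def triage(entries: list) -> list:
    """Attach heuristic reasons to each entry and return the flagged ones."""
    flagged = []
    for e in entries:
        if e.path.endswith("(file missing)"):
            e.reasons.append("target file missing (dangling registration)")
        if e.kind == "O2" and e.name.strip().lower() == "(no name)":
            e.reasons.append("BHO registered without a display name")
        if e.kind == "O2" and SYSTEM32_RE.match(e.path):
            e.reasons.append("BHO DLL located directly in system32")
        if e.reasons:
            flagged.append(e)
    return flagged


def triage_log(log_text: str) -> list:
    """Parse and triage in one step; returns only the flagged entries."""
    return triage(parse_entries(log_text))


if __name__ == "__main__":
    for e in triage_log(SAMPLE_LOG):
        print(f"{e.kind} {e.name} -> {e.path}")
        for r in e.reasons:
            print(f"    - {r}")
```

On the sample, the dx7v.dll BHO is the only entry that trips two rules at once; the xpnetdiag button is flagged only as a dangling registration.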
hightimes
December 18th, 2007, 08:07 AM
DO NOT CLICK BLUE LINK
DO NOT CLICK BLUE LINK
C:\WINDOWS\system32\dx7v.dll..........trojan.DOS.WIN32.OPDOS
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} -
O2 - BHO: (no name) - {E0CC0317-BA29-4C79-A5FF-440ADC0989D2} -
C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL.......TROJAN ZLOB
O16 - DPF: {D1548A26-B8F6-4E86-AE74-E7062CCC2E2A} (igLoader Content on Demand) - http://www.miniclip.com/igloader/igloader.CAB
C:\DOCUME~1\LOUMIR~1\LOCALS~1\Temp\Temporary Directory 1 for
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer
Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: (no name) - {E0CC0317-BA29-4C79-A5FF-440ADC0989D2
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
i hope i didnt miss nothing....a few items..such as quicktime and real player are probably ok..but hijackthis said they wasnt in right location..so please remove all these items
open hjt. select scan my pc...now when it pops up...u will see a square box next to each entry..go through the list and check each item i have showed u that is bad.....click fix all checked items..restart pc..hopefully u are ok now.....i would still go through with F-SECURE and scan pc one more time
PLEASE DO NOT CLICK BLUE LINK
HelenaP
December 18th, 2007, 08:27 AM
DO NOT CLICK BLUE LINK
DO NOT CLICK BLUE LINK
C:\WINDOWS\system32\dx7v.dll..........trojan.DOS.WIN32.OPDOS
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} -
O2 - BHO: (no name) - {E0CC0317-BA29-4C79-A5FF-440ADC0989D2} -
C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL.......TROJAN ZLOB
O16 - DPF: {D1548A26-B8F6-4E86-AE74-E7062CCC2E2A} (igLoader Content on Demand) - http://www.miniclip.com/igloader/igloader.CAB
C:\DOCUME~1\LOUMIR~1\LOCALS~1\Temp\Temporary Directory 1 for
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer
Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: (no name) - {E0CC0317-BA29-4C79-A5FF-440ADC0989D2
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
i hope i didnt miss nothing....a few items..such as quicktime and real player are probably ok..but hijackthis said they wasnt in right location..so please remove all these items
open hjt. select scan my pc...now when it pops up...u will see a square box next to each entry..go through the list and check each item i have showed u that is bad.....click fix all checked items..restart pc..hopefully u are ok now.....i would still go through with F-SECURE and scan pc one more time
PLEASE DO NOT CLICK BLUE LINK
I would run a rootkit revealer too-
http://www.download.com/AVG-Anti-Rootkit-Free/3000-8022_4-10662685.html
RACKnRAIL
December 18th, 2007, 10:57 AM
geez...After 3 pages of unsuccessful attempts, I would have finished formatting and installing all my updates and software by now and be done with it.
I can appreciate all the warm fuzzy helpful people that have given advice though. I know your hearts are in the right place.
hightimes
December 18th, 2007, 05:42 PM
aww, racknrail....that is true, but also...he said he coulda reformatted already...said he does every 3 months...but he wants to try and remove without the reformat..(probably because he is somewhat computer savvy and its pissing him off he cant remove regular way)..i try to help when i can
like was suggested though..after all is done...best bet..create image using acronis true image, then u can restore in no time at all.
HelenaP
December 18th, 2007, 05:58 PM
Maybe he clicked the blue link...
mustang80
January 9th, 2008, 03:02 PM
I just wanted to thank all of you for your insight into this problem. I did format, in fact I wiped the drive to 0's just to be sure. It was a strange trojan/worm whatever it was. Freaking annoying as hell. If it comes up again Ill just wipe the drive.
The advice on creating an image for the reinstall is invaluable. Funny how I never came across that before. You guys are sharp as tacks!
unanimated
January 10th, 2008, 11:02 AM
Really..almost as funny as Vista.
http://i66.photobucket.com/albums/h251/ifhopedied/1190300086_00003467.jpg
i just had to post this