Hit by SmitFraud & Virtumonde 6/26/2008



tim345
2008-06-27, 18:46
Here's the HJT log...

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:19:55 AM, on 6/27/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\mqsvc.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\PHILIP~1\VProperty.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Documents and Settings\owner\lsass.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Pinnacle\Shared Files\Programs\Remote\Remoterm.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\mjc\mjc.exe
C:\Program Files\Sakora\Sakora.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\FinePixViewer\QuickDCF2.exe
C:\Program Files\Hewlett-Packard\HP Pavilion Webcam\HPWebcam.exe
C:\Program Files\palmOne\HOTSYNC.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\TIM\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=pavilion&pf=laptop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.verizon.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\iftuyszv.exe,
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {64B74A5E-6EFF-43BE-BB8C-9CBC72B60CB8} - C:\WINDOWS\system32\ljJCtqRL.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: {a4f8e038-7d9e-ce3a-05a4-843c07f227ac} - {ca722f70-c348-4a50-a3ec-e9d7830e8f4a} - C:\WINDOWS\system32\rgtxdhuw.dll
O2 - BHO: (no name) - {DAE17E15-D17A-4924-B34E-DDFCFDC59A23} - C:\WINDOWS\system32\nnnkHwVO.dll (file missing)
O2 - BHO: (no name) - {F1400523-85AC-4263-83E1-F5C364C8E6E1} - C:\WINDOWS\system32\ssqOICTn.dll (file missing)
O2 - BHO: (no name) - {F94CA188-BD51-417B-8C72-F2769EEBC40E} - (no file)
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /nodetect
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\Hewlett-Packard\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ToUcamVProperty] C:\PROGRA~1\PHILIP~1\VProperty.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\\PSDrvCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe
O4 - HKLM\..\Run: [LSA Shellu] C:\Documents and Settings\owner\lsass.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [lphc942j0ecph] C:\WINDOWS\system32\lphc942j0ecph.exe
O4 - HKLM\..\Run: [2386029a] rundll32.exe "C:\WINDOWS\system32\wnvmobdn.dll",b
O4 - HKLM\..\Run: [BM20b53106] Rundll32.exe "C:\WINDOWS\system32\jkxusiym.dll",s
O4 - HKLM\..\RunOnce: [Spybot - Search & Destroy] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PMCRemote] C:\Program Files\Pinnacle\Shared Files\\Programs\Remote\Remoterm.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [mjc] C:\Program Files\mjc\mjc.exe
O4 - HKCU\..\Run: [Sakora] C:\Program Files\Sakora\Sakora.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - S-1-5-18 Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe (User 'Default user')
O4 - .DEFAULT User Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe (User 'Default user')
O4 - Startup: HotSync Manager.lnk = C:\Program Files\palmOne\HOTSYNC.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Exif Launcher 2.lnk = ?
O4 - Global Startup: HP Pavilion Webcam Tray Icon.lnk = ?
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=pavilion&pf=laptop
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase9563.cab
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
O16 - DPF: {86A88967-7A20-11D2-8EDA-00600818EDB1} (ParallelGraphics Cortona Control) - http://www.parallelgraphics.com/l2/bin/cortvrml.cab
O16 - DPF: {B6E6EEF0-F5AA-4A4D-88EC-FF43FB2029E5} (TeleVoxAudioPlayer2.TVoxAudioPlayer) - https://www.mytelevox.com/labcalls/cabs/TeleVoxAudioPlayer2.CAB
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: ljJCtqRL - C:\WINDOWS\SYSTEM32\ljJCtqRL.dll
O23 - Service: AddFiltr - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 11630 bytes
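
As an added example (not part of this thread, and not Spybot's or HijackThis's own code), the script below re-reads a handful of lines copied from the log above and applies the three checks a helper makes by eye before anything else: a padded `UserInit=` value (a second executable chained after `userinit.exe`), a core Windows process name such as `lsass.exe` running from a user profile instead of `system32`, and random-looking eight-letter module names in `system32`. The small allowlist of legitimate `system32` names and the vowel-ratio threshold are assumptions chosen for this example; a real triage pass would cross-check against a known-good file database.

```python
"""Triage heuristics for HijackThis-style log lines (added example).

Not the thread's, Spybot's or HijackThis's code.  The allowlist and the
vowel-ratio threshold are assumptions for illustration only.
"""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "line reason")

# Constructed sample: lines copied verbatim from the HJT log in the thread.
SAMPLE_LOG = r"""
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\lsass.exe
C:\Documents and Settings\owner\lsass.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\iftuyszv.exe,
O2 - BHO: (no name) - {64B74A5E-6EFF-43BE-BB8C-9CBC72B60CB8} - C:\WINDOWS\system32\ljJCtqRL.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [LSA Shellu] C:\Documents and Settings\owner\lsass.exe
O4 - HKLM\..\Run: [2386029a] rundll32.exe "C:\WINDOWS\system32\wnvmobdn.dll",b
O20 - Winlogon Notify: ljJCtqRL - C:\WINDOWS\SYSTEM32\ljJCtqRL.dll
"""

# Core Windows processes that should only ever run from %SystemRoot%\system32.
CORE_PROCESSES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                  "lsass.exe", "svchost.exe"}
SYSTEM32 = r"c:\windows\system32"

# Assumed allowlist: legitimate system32 names that the vowel test would
# otherwise flag (vendor DLLs such as NvMcTray.dll trip it too).
KNOWN_SYSTEM32 = {"winlogon", "services", "userinit", "psdrvcheck",
                  "rundll32", "nvmctray"}
VOWELS = set("aeiou")

# A drive-letter path up to the first .exe/.dll; commas and quotes end it,
# which is what splits the two entries of a padded UserInit value.
PATH_RE = re.compile(r'[A-Za-z]:\\[^",]*?\.(?:exe|dll)\b', re.IGNORECASE)


def split_path(path):
    """Return (lower-cased directory, file name) for a Windows path."""
    directory, _, filename = path.rpartition("\\")
    return directory.lower(), filename


def looks_random(stem):
    """Heuristic for machine-generated names: 8+ alphanumerics with few
    vowels or mixed case inside the word, and not on the allowlist."""
    if len(stem) < 8 or not stem.isalnum() or stem.lower() in KNOWN_SYSTEM32:
        return False
    letters = [c for c in stem if c.isalpha()]
    vowel_ratio = sum(c.lower() in VOWELS for c in letters) / max(len(letters), 1)
    inner = stem[1:]
    mixed_case_inside = any(c.isupper() for c in inner) and any(c.islower() for c in inner)
    return vowel_ratio <= 0.25 or mixed_case_inside


def triage(log_text):
    """Run the three checks over every line and return a list of Findings."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        # Check 1: UserInit should list exactly one executable.
        if line.startswith("F2 -") and "UserInit=" in line:
            value = line.split("UserInit=", 1)[1]
            entries = [p for p in value.split(",") if p.strip()]
            if len(entries) > 1:
                findings.append(Finding(line, "UserInit has extra entries: " + ", ".join(entries[1:])))
        for path in PATH_RE.findall(line):
            directory, filename = split_path(path)
            stem = filename.rsplit(".", 1)[0]
            # Check 2: a core process name living outside system32.
            if filename.lower() in CORE_PROCESSES and directory != SYSTEM32:
                findings.append(Finding(line, f"core process name {filename} outside system32: {path}"))
            # Check 3: random-looking module names inside system32.
            elif directory == SYSTEM32 and looks_random(stem):
                findings.append(Finding(line, f"random-looking module name in system32: {filename}"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.reason}\n    {f.line}")
```

Run as a script it prints one line per finding; on the sample it reports the padded UserInit value, both occurrences of `lsass.exe` under `Documents and Settings`, and four random-name hits, while `NvMcTray.dll`, `winlogon.exe` and `ssv.dll` pass. The output is a list to investigate, not a verdict: the name test is deliberately loose and the allowlist is what keeps it usable.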

tim345
2008-06-27, 19:00
Originally I could not run TaskMgr but deleting WINDOWS\SYSTEM32\iftuyszv.exe fixed that. Current problems are a "Warning! Spyware detected on your computer! Install an antivirus or spyware remover to clean your computer." background on my desktop. Also, the Windows UPDATE function has been disabled and cannot be activated. Lots of BLUE SCREENS OF DEATH like "BOGUS DRIVER", "IRQL_NOT_LESS_OR_EQUAL", "PANIC_STACK_SWITCH", "PAGE_FAULT_IN_NONPAGED_AREA". These screens go away by themselves after 5 seconds and the system is still running with all my tasks (are these malware screens?). Pop-up ads, of course, appear. Downloaded SpyBot yesterday. It found about 230 problems. I told it to get rid of all of them after reading the text for each. SmitFraud and Virtumonde refuse to go away. I have the ability to run Linux as a LiveCD on the infected machine if that helps to mount the Windows partition while dormant.

tim345
2008-06-28, 06:23
Well, I can see from the number of posts on this forum that lots of people are being hit with Virtumonde and SmitFraud this week. This doesn't give me much hope of getting advice specific to my machine. But I'm not complaining. I see that one guy (Bluefoot - Virtumonde Strikes Back) says he reformatted his machine and got bit again. Yikes! Anyway, reinitializing my machine to the way it looked when I brought it home from the store in January 2007 is what I'm going to do. I spent all day today running Linux as a LiveCD and copying all *my* data files onto a USB flash device and over to another Linux machine I have in the house. Thank goodness it was only about 9GB of data - it took 5 passes on my 2GB device and the reads went slower than the writes since the infected machine is USB 2.0 and the older machine is USB 1.0. Now I'm ready to try the recovery procedure that wipes out the C drive using data from the recovery D drive. (If, for some reason, the D drive is corrupted I also have 3 backup DVDs that I made when the machine was new.)

When I get up and running again I wonder if it makes sense to create another account other than "owner" that does *not* have administrator privileges and use that account for all my work? Is WindowsXP smart enough to prevent threads of code running under "lowly" user authority from writing to bad places like C:\WINDOWS\SYSTEM32? I've got to get better security.

tim345
2008-06-28, 17:23
Yesterday I managed to move *all* of my own data files from the infected machine to another machine running Linux (MEPIS7.0). BTW, I tried running the infected machine and burning a DVD with data files I wanted to save but only about 3 minutes into the burn an "unrecoverable" error occurred and my backup program told me to throw away the DVD. I've never had a failure of a burn so I attributed this to the spyware and used the Linux USB flash method of data moving instead.

Today I'm looking just a little closer before I take the big step of initializing the infected machine with the D: recovery partition. There are always data files of importance stuck under the C:\PROGRAM FILES folder (like under 'palmOne' for my ZIRE31) that I try to locate so I don't lose them.

One thing of interest I noticed was the folders C:\PROGRAM FILES\SAKORA and C:\PROGRAM FILES\TEMPORARY. These were both created 6/26/08 at 8:46am. This is the time I booted my machine. There's a SAKORA.EXE file that sounds scary. Just passing this info on.

tim345
2008-06-29, 02:23
About noon today I convinced myself I had a proper backup of my data and read the HP user guide about doing a RECOVERY on my DV9005 laptop. There are several "recoveries" you can do. My machine has the D: partition with all the software that came from the factory. If that's intact you can (1) wipe your C: drive and install from D: or (2) keep your user data on C: intact and have the recovery logic restore the OS and factory applications only. If your D: drive is kaput you can (3) boot from the recovery DVDs you burned when you bought your machine and wipe both the C: and D: drives and they will be initialized to factory pristine status. Since I had now resigned myself to restoring all my own data (else, why would I have made a copy of it on my Linux machine) I decided to, why not, use option (2) to see how this works. Boot with F11 down and the BIOS looks at D: and starts the RECOVERY program. It took about 45 minutes to (almost) make the C: drive look like factory new while leaving my files intact. When the machine booted it was just like I had brought it home from the store and I had to go through the pain of initializing stuff. One of the factory programs is Norton Anti-Virus and it pulled fresh up-to-date definitions from the internet and found about 16 virus and/or spyware files. It fixed every one of them after its full scan (which took an hour or so). Meanwhile, I had Spybot running and it saw Virtumonde still in existence as a suspicious registry entry. I did *not* tell Spybot to clean up anything, though. Once Norton was done (it said it processed 500,000 files) a second run of Spybot found absolutely nothing. OK, so now maybe I was confident that the RECOVERY program truly sets up clean C:\WINDOWS and C:\WINDOWS\SYSTEM32 folders at a minimum and guarantees the OS will run as intended by its creators! But I knew I was at risk since there were lots of Windows XP automatic updates that hadn't been applied.

About 6PM the Windows automatic update procedure told me there were 93 updates. I clicked "Install" and they only took about 30 minutes to get applied (I've only got a 768kbps DSL connection) including IE7 replacing IE6 for free. So now I've got Norton running, all updates in, Spybot and TeaTimer running, and created both administrative and non-administrative users (I'm still fumbling a little with *that* mess, though). And I didn't have to restore any of my own files from the backup machine. Knock on wood. Maybe HP has something good in this recovery partition business. I'll post a follow-up once some mileage has been put on this restored machine, but for now I'm feeling relieved.

tashi
2008-06-29, 07:06
Hi there,

Did you miss this sticky: "BEFORE you POST" (READ this Procedure BEFORE Requesting Assistance) (http://forums.spybot.info/showthread.php?t=288)

Because of the volume of posts, helpers may think you are already being assisted. They look for topics without a response.

Consider starting a new topic posting only the HJT log, with a link back to this one.

Then this thread will be closed.