I've got a real mess here. Virtumonde, a whole alphabet of Smitfrauds and CoolWWWSearches, Clientman, DeepDive, ZenoSearch, Win32.Small.ny, and probably a few others as well.
Task Manager's been disabled by one of the little pests, and I can't seem to re-enable it. I've tried using the regedit manual fix, and the command-line version. Each time it looks like it works, but the key keeps popping back in.
The computer is getting constant pop-up warnings for spyware and viruses found, both in IE and from 'Windows Security.' Also, of course, ads for products that will supposedly fix this, and (presumably bogus) demands to upgrade Windows security.
Though, in retrospect, upgrading Windows security would have been a good idea before all this showed up.
Spybot 1.4 was telling me to re-scan after a reboot with the network disconnected. After which it would tell me to do it again, and keep cycling. Spybot 1.5.2 just removes everything, or seems to, but it's back again at the next scan, and the pop-ups start again a few minutes later.
There was a fairly annoying infection on the same computer several months ago, that I'd thought was fixed. I don't know if it's been lurking around all this time, or if this is something that's shown up in the last few weeks.
Any help would be greatly appreciated. This is on a family computer, and my repeated failures to improve the situation have not been very good for my rep as the family geek.
HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:55:56 PM, on 6/19/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\new antispyware\Ad Aware 2008\aawservice.exe
C:\windows\system32\pmropn.exe
C:\WINDOWS\system32\iftuyszv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\new antispyware\avast4\aswUpdSv.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
C:\Program Files\Canon\Memory Card Utility\iP6600D\PDUiP6600DMon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe
C:\windows\system32\rwwnw64d.exe
C:\WINDOWS\system32\ncntqkdm.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\System32\Rundll32.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\MMDiag.exe
C:\DOCUME~1\Edwina\APPLIC~1\ICROSO~1\nslookup.exe
C:\Documents and Settings\Edwina\My Documents\F?nts\r?ndll32.exe
C:\Program Files\GetPack\GetPack19.exe
C:\Program Files\GetModule\GetModule19.exe
C:\Program Files\eFax Messenger 4.3\J2GTray.exe
C:\VSTASCAN\vsaccess.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Edwina\Desktop\HiJackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://as.weatherstudio.com/dp/searc.../8CgjwiE/Hpec=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://as.weatherstudio.com/dp/searc...6eMNFYAWYXowU=
R3 - URLSearchHook: (no name) - - (no file)
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\iftuyszv.exe,
O2 - BHO: (no name) - {00110011-4b0b-44d5-9718-90c88817369b} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {086ae192-23a6-48d6-96ec-715f53797e85} - (no file)
O2 - BHO: (no name) - {08878A8B-3971-4643-88BB-1E1E424890EA} - C:\WINDOWS\system32\pmkhh.dll (file missing)
O2 - BHO: (no name) - {150fa160-130d-451f-b863-b655061432ba} - (no file)
O2 - BHO: (no name) - {17da0c9e-4a27-4ac5-bb75-5d24b8cdb972} - (no file)
O2 - BHO: (no name) - {1f48aa48-c53a-4e21-85e7-ac7cc6b5ffb1} - (no file)
O2 - BHO: (no name) - {1f48aa48-c53a-4e21-85e7-ac7cc6b5ffb2} - (no file)
O2 - BHO: (no name) - {26D1A2E6-28F9-43E6-9A0D-A68BE6D35FA6} - C:\WINDOWS\system32\iifgFYsr.dll (file missing)
O2 - BHO: (no name) - {2ABAAC42-84DF-4C00-89DA-BC7EB2B0E70B} - C:\WINDOWS\system32\tuvtqqp.dll (file missing)
O2 - BHO: (no name) - {2d38a51a-23c9-48a1-a33c-48675aa2b494} - (no file)
O2 - BHO: (no name) - {2e9caff6-30c7-4208-8807-e79d4ec6f806} - (no file)
O2 - BHO: BhoApp Class - {32131238-5434-4234-4234-432432423432} - C:\Program Files\altcmd\altcmd32.dll
O2 - BHO: Helper Class - {3670A914-63C2-4E67-8C9B-370AE1922143} - C:\Program Files\BChanger\bchanger.dll
O2 - BHO: (no name) - {467faeb2-5f5b-4c81-bae0-2a4752ca7f4e} - (no file)
O2 - BHO: (no name) - {4D7F9440-8E65-44B9-98B1-0C72697E376C} - C:\WINDOWS\system32\ljJCuUmm.dll (file missing)
O2 - BHO: (no name) - {5321e378-ffad-4999-8c62-03ca8155f0b3} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\new antispyware\Spybot - Search & Destroy 1-5\SDHelper.dll
O2 - BHO: (no name) - {587dbf2d-9145-4c9e-92c2-1f953da73773} - (no file)
O2 - BHO: (no name) - {6cc1c91a-ae8b-4373-a5b4-28ba1851e39a} - (no file)
O2 - BHO: (no name) - {79369d5c-2903-4b7a-ade2-d5e0dee14d24} - (no file)
O2 - BHO: (no name) - {799a370d-5993-4887-9df7-0a4756a77d00} - (no file)
O2 - BHO: WeatherStudio - {849CC480-5983-4D30-A12C-774E8E8D8291} - C:\Program Files\WeatherStudio\bin\WeatherStudio.dll
O2 - BHO: (no name) - {8D384FC7-4CB4-4B13-B718-E148B20CA232} - C:\WINDOWS\system32\hgGabYQG.dll (file missing)
O2 - BHO: {03a11f25-4752-36c8-5894-c28d80db7249} - {9427bd08-d82c-4985-8c63-257452f11a30} - C:\WINDOWS\system32\jjcikwfs.dll
O2 - BHO: (no name) - {98dbbf16-ca43-4c33-be80-99e6694468a4} - (no file)
O2 - BHO: (no name) - {a55581dc-2cdb-4089-8878-71a080b22342} - (no file)
O2 - BHO: (no name) - {b847676d-72ac-4393-bfff-43a1eb979352} - (no file)
O2 - BHO: (no name) - {bc97b254-b2b9-4d40-971d-78e0978f5f26} - (no file)
O2 - BHO: gooochi browser optimizer - {c51e870a-f9f7-fe03-2f90-5dcc80d02b1d} - C:\WINDOWS\system32\{cc781633-302b-b76d-2f5f-2ef83eace530}.dll
O2 - BHO: (no name) - {cf021f40-3e14-23a5-cba2-717765721306} - (no file)
O2 - BHO: (no name) - {CFE82785-BE10-4186-9597-C2B5B9FE9290} - C:\WINDOWS\system32\awtss.dll (file missing)
O2 - BHO: (no name) - {D149BF6F-2388-7F51-F94E-7BA2E3E718C4} - C:\WINDOWS\system32\wyr.dll
O2 - BHO: (no name) - {e2ddf680-9905-4dee-8c64-0a5de7fe133c} - (no file)
O2 - BHO: (no name) - {e3eebbe8-9cab-4c76-b26a-747e25ebb4c6} - (no file)
O2 - BHO: (no name) - {e7afff2a-1b57-49c7-bf6b-e5123394c970} - (no file)
O2 - BHO: (no name) - {E89CD8A6-BD36-459C-B131-96167C31B28D} - C:\WINDOWS\system32\geBuRjhG.dll (file missing)
O2 - BHO: (no name) - {F9DF827A-8FA7-48A3-B268-CA4DB563EA40} - C:\WINDOWS\system32\ddcBSKAR.dll
O2 - BHO: (no name) - {fcaddc14-bd46-408a-9842-cdbe1c6d37eb} - (no file)
O2 - BHO: (no name) - {fd9bc004-8331-4457-b830-4759ff704c22} - (no file)
O2 - BHO: (no name) - {ff1bf4c7-4e08-4a28-a43f-9d60a9f7a880} - (no file)
O3 - Toolbar: WeatherStudio - {C6139A57-16FB-4FA4-8045-A847FBFFD695} - C:\Program Files\WeatherStudio\bin\WeatherStudio.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: (no name) - {5CBE2611-C31B-401F-89BC-4CBB25E853D7} - (no file)
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe
O4 - HKLM\..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
O4 - HKLM\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe
O4 - HKLM\..\Run: [WeatherStudio Desktop] "C:\Program Files\WeatherStudio Desktop\WeatherStudio Desktop.exe"
O4 - HKLM\..\Run: [PDUiP6600DMon] C:\Program Files\Canon\Memory Card Utility\iP6600D\PDUiP6600DMon.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [eFax 4.3] "C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe" /R
O4 - HKLM\..\Run: [UADC_3354481086] "C:\Program Files\AdvancedCleaner Free\UADCcw.exe" -c
O4 - HKLM\..\Run: [PremierOpinion] c:\windows\system32\pmropn.exe -boot
O4 - HKLM\..\Run: [{D4-40-06-61-DW}] C:\windows\system32\rwwnw64d.exe DWram
O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\system32\ncntqkdm.exe DWram
O4 - HKLM\..\Run: [70bd40ce] rundll32.exe "C:\WINDOWS\system32\lryehrsd.dll",b
O4 - HKLM\..\Run: [{0bc23157-a980-81ae-62a3-a8ba9f67cfdd}] C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\{cc781633-302b-b76d-2f5f-2ef83eace530}.dll" DllStart
O4 - HKLM\..\Run: [avast!] C:\Program Files\new antispyware\avast4\ashDisp.exe
O4 - HKLM\..\Run: [BM738e7352] Rundll32.exe "C:\WINDOWS\system32\lmlwpokg.dll",s
O4 - HKLM\..\RunOnce: [Spybot - Search & Destroy] "C:\Program Files\new antispyware\Spybot - Search & Destroy 1-5\SpybotSD.exe" /autocheck
O4 - HKLM\..\RunOnce: [SpybotDeletingA4210] command /c del "C:\WINDOWS\system32\drivers\core.cache.dsk"
O4 - HKLM\..\RunOnce: [SpybotDeletingC5930] cmd /c del "C:\WINDOWS\system32\drivers\core.cache.dsk"
O4 - HKLM\..\RunOnce: [SpybotDeletingA1448] command /c del "C:\WINDOWS\system32\geBuRjhG.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC9433] cmd /c del "C:\WINDOWS\system32\geBuRjhG.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA6879] command /c del "C:\WINDOWS\system32\ljJCuUmm.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC9085] cmd /c del "C:\WINDOWS\system32\ljJCuUmm.dll_old"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe -NoStart
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [DellTransferAgent] "C:\Documents and Settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Uaol] "C:\DOCUME~1\Edwina\APPLIC~1\ICROSO~1\nslookup.exe" -vt ndrv
O4 - HKCU\..\Run: [Mpsp] "C:\Documents and Settings\Edwina\My Documents\F?nts\r?ndll32.exe"
O4 - HKCU\..\Run: [SfKg6wIP] C:\Documents and Settings\Edwina\Application Data\Microsoft\Windows\byprcb.exe
O4 - HKCU\..\Run: [DW6] "C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe"
O4 - HKCU\..\Run: [GetPack19] "C:\Program Files\GetPack\GetPack19.exe"
O4 - HKCU\..\Run: [GetModule19] "C:\Program Files\GetModule\GetModule19.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\new antispyware\Spybot - Search & Destroy 1-5\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'Default user')
O4 - Startup: Deewoo.lnk = C:\WINDOWS\system32\ncntqkdm.exe
O4 - Startup: DW_Start.lnk = C:\WINDOWS\system32\rwwnw64d.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Startup: UMAX VistaAccess.lnk = C:\VSTASCAN\vsaccess.exe
O4 - Global Startup: eFax 4.3.lnk = C:\Program Files\eFax Messenger 4.3\J2GTray.exe
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: ShopperReports - Compare product prices - {C5428486-50A0-4a02-9D20-520B59A9F9B2} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: ShopperReports - Compare travel rates - {C5428486-50A0-4a02-9D20-520B59A9F9B3} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\new antispyware\Spybot - Search & Destroy 1-5\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\new antispyware\Spybot - Search & Destroy 1-5\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.amaena.com
O15 - Trusted Zone: *.avsystemcare.com
O15 - Trusted Zone: *.onerateld.com
O15 - Trusted Zone: *.safetydownload.com
O15 - Trusted Zone: *.trustedantivirus.com
O15 - Trusted Zone: *.virusschlacht.com
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1201740934859
O17 - HKLM\System\CCS\Services\Tcpip\..\{D3A4583A-A704-4733-BC1F-E18CEA58111D}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 207.68.160.190 194.25.2.129 208.67.222.222 207.68.160.190 194.25.2.129 208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 207.68.160.190 194.25.2.129 208.67.222.222 207.68.160.190 194.25.2.129 208.67.222.222
O20 - AppInit_DLLs: C:\WINDOWS\system32\pmai.dll
O20 - Winlogon Notify: ddcBSKAR - C:\WINDOWS\SYSTEM32\ddcBSKAR.dll
O20 - Winlogon Notify: PremierOpinion - C:\WINDOWS\system32\pmls.dll
O20 - Winlogon Notify: tuvtqqp - tuvtqqp.dll (file missing)
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\new antispyware\Ad Aware 2008\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\new antispyware\avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\new antispyware\avast4\ashserv.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: MsSecurity Updated (MsSecurity1.209.4) - Unknown owner - C:\WINDOWS\444.470.exe (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
--
End of file - 15945 bytes
End of HJT log
Thanks,
Ura-Maru
--
I suppose it's like swimming away from a shark. I just have to be more of a geek than the rest of my family, without regard to my absolute geek ranking.
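An added example, not part of Ura-Maru's post and not HijackThis code: a Python triage script that applies, to a handful of lines copied verbatim from the log above, the checks a removal helper makes by eye. It flags the extra program appended to the Winlogon Userinit value (F2), the Winlogon Notify and AppInit_DLLs load points (O20), Trusted Zone additions (O15), autostarts living under the user profile, rundll32 entries that load a DLL by a bare one-letter export, pseudo-random file and Run value names, and it separates orphaned entries (registered but no file on disk) from things that can actually be running. The KNOWN_GOOD allowlist, the name heuristic and its 0.25 vowel threshold are this example's own assumptions; a real helper would check names against a startup database rather than guess.

```python
"""Triage of HijackThis (HJT) 2.x log lines.

Added example, not code from the original post nor part of HijackThis.
It mechanises what a removal helper checks by eye in a log like the one
above. Sample lines are copied from the posted log; KNOWN_GOOD, the name
heuristic and its 0.25 vowel threshold are this example's assumptions.
"""
import re

# Windows components whose short names would otherwise trip the name
# heuristic (assumed, partial allowlist; a real one is a startup database).
KNOWN_GOOD = {"ctfmon.exe", "hkcmd.exe", "igfxpers.exe", "igfxtray.exe",
              "userinit.exe", "rundll32.exe", "smss.exe", "lsass.exe"}

# Profile directories where a legitimate autostart practically never lives.
PROFILE_DIRS = ("\\application data\\", "\\applic~1\\",
                "\\my documents\\", "\\local settings\\")

ORPHAN = "orphaned entry (no file on disk)"

# Quoted or bare path ending in .exe/.dll. Commas terminate a path because
# HJT prints Userinit and rundll32 arguments comma-separated.
PATH_RE = re.compile(r'"?([A-Za-z]:\\[^",]+?\.(?:exe|dll))"?', re.IGNORECASE)

# Constructed subset: lines copied verbatim from the HJT log above.
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\iftuyszv.exe,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {08878A8B-3971-4643-88BB-1E1E424890EA} - C:\WINDOWS\system32\pmkhh.dll (file missing)
O2 - BHO: (no name) - {F9DF827A-8FA7-48A3-B268-CA4DB563EA40} - C:\WINDOWS\system32\ddcBSKAR.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [PremierOpinion] c:\windows\system32\pmropn.exe -boot
O4 - HKLM\..\Run: [70bd40ce] rundll32.exe "C:\WINDOWS\system32\lryehrsd.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Uaol] "C:\DOCUME~1\Edwina\APPLIC~1\ICROSO~1\nslookup.exe" -vt ndrv
O4 - HKCU\..\Run: [SfKg6wIP] C:\Documents and Settings\Edwina\Application Data\Microsoft\Windows\byprcb.exe
O4 - Startup: Deewoo.lnk = C:\WINDOWS\system32\ncntqkdm.exe
O15 - Trusted Zone: *.trustedantivirus.com
O20 - AppInit_DLLs: C:\WINDOWS\system32\pmai.dll
O20 - Winlogon Notify: ddcBSKAR - C:\WINDOWS\SYSTEM32\ddcBSKAR.dll
O23 - Service: MsSecurity Updated (MsSecurity1.209.4) - Unknown owner - C:\WINDOWS\444.470.exe (file missing)
"""


def basename(path):
    return path.rsplit("\\", 1)[-1]


def looks_random(name):
    """Weak signal: stem is pure hex or starved of vowels (ctfmon would trip it)."""
    stem = re.sub(r"\.(exe|dll)$", "", name.lower())
    if len(stem) < 5 or not stem.isalnum():
        return False
    if re.fullmatch(r"[0-9a-f]{8}", stem):
        return True
    return sum(ch in "aeiou" for ch in stem) / len(stem) <= 0.25


def triage_line(line):
    """Reasons (possibly none) why this HJT line deserves attention."""
    low = line.lower()
    if "(file missing)" in low or "(no file)" in low:
        return [ORPHAN]  # registered but gone: cleanup, not a running threat
    kind = line.split(" - ", 1)[0]
    paths = PATH_RE.findall(line)
    reasons = []
    if kind == "F2" and "userinit=" in low:
        # Userinit must be exactly system32\userinit.exe; anything appended runs
        # at every logon before the shell, which is how a registry "fix" for
        # Task Manager gets undone again right after a reboot.
        extra = [p for p in paths if basename(p).lower() != "userinit.exe"]
        if extra:
            reasons.append("Userinit hijack: " + ", ".join(extra))
    if kind == "O15":
        reasons.append("Trusted Zone addition: " + line.split(": ", 1)[1])
    if kind == "O20":
        reasons.append("Winlogon Notify / AppInit_DLLs load point")
    if kind == "O4":
        m = re.search(r"\[([^\]]+)\]", line)
        if m and m.group(1).lower() not in KNOWN_GOOD and looks_random(m.group(1)):
            reasons.append("pseudo-random Run value name: " + m.group(1))
        m = re.search(r'rundll32(?:\.exe)?\s+"?[^",]+\.dll"?[, ]\s*(\w*)', line, re.I)
        if m and len(m.group(1)) <= 1:
            reasons.append("rundll32 loading a DLL by bare export '%s'" % m.group(1))
    for p in paths:
        if any(d in p.lower() for d in PROFILE_DIRS):
            reasons.append("autostart from user profile: " + p)
        if basename(p).lower() not in KNOWN_GOOD and looks_random(basename(p)):
            reasons.append("pseudo-random file name: " + basename(p))
    return reasons


def triage(log_text):
    """(line, reasons) for every HJT line that raised at least one reason."""
    out = []
    for raw in log_text.splitlines():
        line = raw.strip()
        reasons = triage_line(line) if line else []
        if reasons:
            out.append((line, reasons))
    return out


def active(findings):
    """Findings that can actually be running now (orphans excluded)."""
    return [f for f in findings if f[1] != [ORPHAN]]


if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LOG):
        print(line, *("\n    - " + r for r in reasons))
```

Run it and the Userinit, Winlogon Notify and AppInit_DLLs findings come out first for a reason: a Winlogon Notify DLL runs inside winlogon.exe and an AppInit_DLLs entry is loaded into every process that loads user32.dll, so while those load points are in place the malware has code running before and alongside anything started at logon, and a value such as HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr that is reset by hand gets written back as soon as it is cleared. That order of operations, load points first and the policy fix last, is the caveat the script is meant to make visible; the name heuristic is deliberately the weakest signal and is only there to rank entries, not to decide on its own.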