spyware is killing me.
May 17, 2008 12:25 PM

Spyware infected. Help!

So my PC is infected with some spyware. I keep getting pop-ups from my system tray and Internet Explorer window, and my desktop background changed, saying "warning spyware threat has been detected on your pc". I downloaded HijackThis to make the logfile and I'm trying to download ComboFix, but the links they have up to download ComboFix don't come up. Can anyone help me? Below is my HijackThis logfile...


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:41:17 PM, on 5/17/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\xwusuhzh.exe
C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\scvhost.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\PROGRA~1\VERIZO~1\HELPSU~1\VERIZO~1.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\WINDOWS\system32\ctfmona.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Common Files\Verizon Online\ConnMgr\cmisrv.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\PROGRA~1\Nero\NERO7~1\NEROPH~2\data\Xtras\mssysmgr.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\AVG\AVG8\avgui.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\DOCUME~1\Penelope\LOCALS~1\Temp\AutoDetect.exe
C:\Program Files\Common Files\Verizon Online\AppMgr\vzOpenUIServer.exe
C:\Program Files\AVG\AVG8\avgscanx.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://search.bearshare.com/sidebar.html?src=ssb
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://my.netzero.net/s/sp?r=al&cf=sp&mem=salrecio123&key=b3b4bd844209d892e645b93683ae30ec&ts=41dc097d&A=368498140004309&B=1104825600000&C=1104825600000&D=1099814400000&I=7.NH4&N=PLHS&O=I
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\xwusuhzh.exe,
O2 - BHO: (no name) - {00110011-4b0b-44d5-9718-90c88817369b} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {086ae192-23a6-48d6-96ec-715f53797e85} - (no file)
O2 - BHO: (no name) - {150fa160-130d-451f-b863-b655061432ba} - (no file)
O2 - BHO: (no name) - {17da0c9e-4a27-4ac5-bb75-5d24b8cdb972} - (no file)
O2 - BHO: (no name) - {1f48aa48-c53a-4e21-85e7-ac7cc6b5ffb1} - (no file)
O2 - BHO: (no name) - {1f48aa48-c53a-4e21-85e7-ac7cc6b5ffb2} - (no file)
O2 - BHO: (no name) - {2d38a51a-23c9-48a1-a33c-48675aa2b494} - (no file)
O2 - BHO: (no name) - {2e9caff6-30c7-4208-8807-e79d4ec6f806} - (no file)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {467faeb2-5f5b-4c81-bae0-2a4752ca7f4e} - (no file)
O2 - BHO: Verizon Broadband Toolbar - {4E7BD74F-2B8D-469E-D0FC-E57AF4D5FA7D} - C:\WINDOWS\DOWNLO~1\vzbb.dll (file missing)
O2 - BHO: Popup-Blocker Class - {52706EF7-D7A2-49AD-A615-E903858CF284} - C:\Program Files\NetZero\qsacc\X1IEBHO.dll (file missing)
O2 - BHO: (no name) - {5321e378-ffad-4999-8c62-03ca8155f0b3} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {587dbf2d-9145-4c9e-92c2-1f953da73773} - (no file)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {6cc1c91a-ae8b-4373-a5b4-28ba1851e39a} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {79369d5c-2903-4b7a-ade2-d5e0dee14d24} - (no file)
O2 - BHO: (no name) - {799a370d-5993-4887-9df7-0a4756a77d00} - (no file)
O2 - BHO: (no name) - {98dbbf16-ca43-4c33-be80-99e6694468a4} - (no file)
O2 - BHO: CNisExtBho Class - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: (no name) - {a55581dc-2cdb-4089-8878-71a080b22342} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: (no name) - {b847676d-72ac-4393-bfff-43a1eb979352} - (no file)
O2 - BHO: (no name) - {bc97b254-b2b9-4d40-971d-78e0978f5f26} - (no file)
O2 - BHO: (no name) - {cf021f40-3e14-23a5-cba2-717765721306} - (no file)
O2 - BHO: (no name) - {e2ddf680-9905-4dee-8c64-0a5de7fe133c} - (no file)
O2 - BHO: (no name) - {e3eebbe8-9cab-4c76-b26a-747e25ebb4c6} - (no file)
O2 - BHO: (no name) - {e7afff2a-1b57-49c7-bf6b-e5123394c970} - (no file)
O2 - BHO: (no name) - {fcaddc14-bd46-408a-9842-cdbe1c6d37eb} - (no file)
O2 - BHO: (no name) - {fd9bc004-8331-4457-b830-4759ff704c22} - (no file)
O2 - BHO: (no name) - {ff1bf4c7-4e08-4a28-a43f-9d60a9f7a880} - (no file)
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: ZeroBar - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - C:\Program Files\NetZero\Toolbar.dll (file missing)
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O3 - Toolbar: Verizon Broadband Toolbar - {4E7BD74F-2B8D-469E-D0FC-E57AF4D5FA7D} - C:\WINDOWS\DOWNLO~1\vzbb.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [A Verizon App] C:\PROGRA~1\VERIZO~1\HELPSU~1\VERIZO~1.EXE
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe"
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [ctfmona] C:\WINDOWS\system32\ctfmona.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Nero PhotoShow Media Manager] C:\PROGRA~1\Nero\NERO7~1\NEROPH~2\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKCU\..\RunOnce: [Ceedo Repair] C:\DOCUME~1\Penelope\LOCALS~1\Temp\AutoDetect.exe /repair /drive=G /name=Ceedo
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Sonic INSTALLit! Setup.lnk = C:\Documents and Settings\Penelope\Local Settings\Temp\VIES2786\Setup.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: Display All Images with Full Quality - res://C:\Program Files\NetZero\qsacc\appres.dll/228
O8 - Extra context menu item: Display Image with Full Quality - res://C:\Program Files\NetZero\qsacc\appres.dll/227
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/FacebookPhotoUploader5.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/FacebookPhotoUploader3.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} (Facebook Photo Uploader 4) - http://upload.facebook.com/controls/FacebookPhotoUploader4_5.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Windows Action Script - Unknown owner - C:\WINDOWS\system32\scvhost.exe

--
End of file - 15937 bytes
posted by likeapen to Computers & Internet (12 answers total) 4 users marked this as a favorite
 
The only way to be really sure that you're free of viruses/spyware/etc. - and probably a considerable time-saver over checking in with the CastleCops and spyware forums and working through a log file piece-by-piece - is to nuke it from orbit and reinstall your OS. Given the massive amount of bloatware you seem to be running, that probably wouldn't be a bad idea anyway. You should also update to IE7 or switch to Firefox if you're not wedded to IE6 for some other reason.
posted by Inspector.Gadget at 12:34 PM on May 17, 2008


Have you tried the HijackThis forums (there are others, but the first link appears to be the official one)?

Googling for 'HijackThis logs' also returns quite a few results, including what appear to be online analysis tools.
posted by box at 12:37 PM on May 17, 2008


Follow the directions in the following link and you will most likely rid your computer of malware:

http://forums.majorgeeks.com/showthread.php?t=35407


I've had to use this before and it worked. It's a little on the time-consuming side, but then you can rest assured you've cleaned out all the baddies. If you follow all the directions in the link and you are still having problems, then you can post on the forum and they can give you further directions.
posted by MaryDellamorte at 12:39 PM on May 17, 2008 [1 favorite]


Upon further reflection, what Inspector.Gadget said.

But your Dell probably came with, rather than an install CD, a 'restore' CD. When you reinstall, be sure to use an installation CD, and not a restore CD, or else I have a feeling you'll quickly be in the same bloatware hell that you're currently occupying.
posted by box at 12:39 PM on May 17, 2008


I am a software developer, and basically when there's any chance my system has been compromised beyond a trivial infection, I can the entire OS and reinstall from scratch. I'd rather pay for a little security with an hour of my time... plus it's like driving a new car as far as system resources and speed. That C:\WINDOWS\system32\xwusuhzh.exe program looks like something one of my computers got back in March. It absolutely could not be removed short of an OS reinstall.
posted by crapmatic at 1:35 PM on May 17, 2008


Lucky for you, this is a chance to test your backup procedures, as you're going to either restore using Dell's rescue CD (I believe it's on a hidden partition on your hard drive; call Dell to see how to make the CD), or you're going to waste days and still not be able to root out all the evil from your system.

Luckily for you, again, Windows XP SP3 came out recently, so at least it's one shot to catch up on your Windows updates, instead of a few hundred updates and several reboots.

Here's what I would do:

1) Buy an external hard drive, and back up your personal files to that. Don't bother backing up applications. While you're at the store, buy a router/firewall if you don't already have one. Maybe pick up a few blank CDs while you're there, if you don't have any handy.

2) Install your router, if you don't already have one.

3) Call Dell and figure out how to create rescue/restore CDs for your system. Use those to reformat the hard drive and restore Windows.

4) Install XP SP3 from windowsupdate.microsoft.com. Install AVG 8, or, if you feel like paying, something like NOD32. Update your antivirus, and then run a scan on your external hard drive, in case bits of malware came with your personal files.

5) Re-install your programs, documents, etc. Search online for safer alternatives to whatever you had been using (Firefox instead of IE, etc.).

6) In the future, remember that antivirus programs are at best a second line of defense against malware. The first line of defense is your own behavior, in terms of keeping your computer up to date, not going to bad sites, not randomly clicking on links, etc. Also, in the future, have a sound backup strategy. That backup strategy should also be considered as part of your overall computer security.
posted by chengjih at 1:52 PM on May 17, 2008


Agree with the bloatware/reinstall suggestion, there's a lot of crap running.

Some other things:


-You have a process called ctfmona.exe running. Ctfmon.exe is a Windows process; this is named similarly for concealment, but it seems to be spyware. You could kill the process from Task Manager and delete the file (or reboot in Safe Mode and do so).

-C:\WINDOWS\system32\xwusuhzh.exe seems a bit dubious

-Also, two virus scanners? (Symantec, AVG)?

-And you have some applications running from your documents and settings folder, I think no legitimate apps should be doing that.


Even if you remove the ones I point out, there are possibly others. Again though, given all the crap toolbars, etc on it, I'd suggest just starting from scratch.
posted by Boobus Tuber at 3:44 PM on May 17, 2008
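The checks in the answer above (a process name that imitates a Windows binary, a program running from the user's profile or Temp folder) and the F2 UserInit line in the posted log are the kind of thing a helper applies by eye. As an added example that is not from the thread or from HijackThis, here is the same triage written as a small Python script. The list of system executables it compares names against is an assumption (a short illustrative set, not Microsoft's list), and the sample lines are a constructed excerpt of the log posted in the question.

```python
"""Triage a HijackThis 'Running processes' list and the F2 UserInit line.

Added example, not the thread's or HijackThis's own code. Two heuristics from
the answer are implemented: look-alike names (one edit or one adjacent swap
away from a known system binary) and execution from a profile/Temp folder.
A third check reads the F2 UserInit value, which is what exposes the
random-looking xwusuhzh.exe that no name heuristic would catch.
"""
import re
from collections import namedtuple

Finding = namedtuple("Finding", ["item", "reason"])

# Assumption: a short, illustrative set of Windows binaries that malware
# commonly imitates. A real triage tool would use a much longer list.
KNOWN_STEMS = sorted({"svchost", "ctfmon", "lsass", "winlogon", "services",
                      "smss", "explorer", "spoolsv", "csrss", "userinit"})

# Constructed excerpt of the posted log (legitimate entries included so the
# heuristics have negatives to leave alone).
SAMPLE_PROCESSES = r"""
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\xwusuhzh.exe
C:\WINDOWS\system32\scvhost.exe
C:\WINDOWS\system32\ctfmona.exe
C:\DOCUME~1\Penelope\LOCALS~1\Temp\AutoDetect.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
"""

SAMPLE_USERINIT = (r"F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,"
                   r"C:\WINDOWS\system32\xwusuhzh.exe,")


def osa_distance(a, b):
    """Optimal string alignment distance: edits plus adjacent transpositions.

    Counting a swap as one edit is what makes 'scvhost' one step from
    'svchost', while unrelated names such as 'iexplore'/'explorer' stay at 2.
    """
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[-1][-1]


def lookalike_of(exe_name):
    """Return the system binary a name imitates, or None if it is exact/unrelated."""
    stem = exe_name.lower()
    if stem.endswith(".exe"):
        stem = stem[:-4]
    if stem in KNOWN_STEMS:          # the real thing, not an imitation
        return None
    for known in KNOWN_STEMS:
        if osa_distance(stem, known) == 1:
            return known + ".exe"
    return None


def triage_processes(listing):
    """Flag look-alike names and programs running from profile/Temp folders."""
    findings = []
    for line in listing.strip().splitlines():
        path = line.strip()
        if not path:
            continue
        name = path.split("\\")[-1]
        low = path.lower()
        twin = lookalike_of(name)
        if twin:
            findings.append(Finding(path, f"name imitates {twin}"))
        if "\\temp\\" in low or "\\docume~1\\" in low or "\\documents and settings\\" in low:
            findings.append(Finding(path, "runs from a user profile or Temp folder"))
    return findings


def triage_userinit(f2_line):
    """Return every UserInit entry that is not userinit.exe itself.

    Winlogon runs each comma-separated entry at logon, so an extra entry is a
    persistence mechanism regardless of how innocuous its file name looks.
    """
    m = re.search(r"UserInit=(.*)$", f2_line, re.IGNORECASE)
    if not m:
        return []
    entries = [e.strip() for e in m.group(1).split(",") if e.strip()]
    return [e for e in entries if e.split("\\")[-1].lower() != "userinit.exe"]


if __name__ == "__main__":
    for f in triage_processes(SAMPLE_PROCESSES):
        print(f"{f.item}: {f.reason}")
    for extra in triage_userinit(SAMPLE_USERINIT):
        print(f"{extra}: extra UserInit entry")
```

Run against the sample, the process pass reports scvhost.exe, ctfmona.exe and AutoDetect.exe and says nothing about xwusuhzh.exe; only the UserInit pass names that file. That is the practical lesson of the log: name-based checks catch the lazy imitations, while persistence points such as UserInit, Run keys and services have to be read separately.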


Once you do your reinstall, please, for the love of all that's holy, don't login as an administrator to use your computer.
posted by me & my monkey at 6:21 PM on May 17, 2008


It used to be that Windows was the It Just Works operating system choice, and Linux was what you ran if your time was not worth accounting for. These days, it's the other way around. Seriously consider changing platforms.

If that's out of the question for whatever reason: what everybody else said.
posted by flabdablet at 8:00 PM on May 17, 2008


You have a spyware called smitfraud. This is the removal tool.

Install linux is not an answer to this question and flabby's answer should be deleted. If linux gets the market share windows gets then we'll still be in the same boat.
posted by damn dirty ape at 8:57 PM on May 17, 2008


Recently in a very similar situation... Kaspersky AV came through for me where several other packages failed.
posted by gimonca at 10:28 PM on May 17, 2008


likeapen has Smitfraud this week. What's she going to have next week?

Install linux is not an answer to this question

You're entitled to that opinion. I am, after all, an admitted Linux fanboi.

However, I posted that answer after working on a Packard Bell Windows box that (a) needed to be in working condition by Monday (b) was similarly infested by spyware and system-assembler bloatware (c) had had the dubious benefit of assorted helpful friends and relatives installing assorted removal tools of assorted quality, none of which made things better and several of which made things worse. In fact, the last of them (Trend Internet Security Pro 2008) not only failed to fix any problems, but installing it had broken Windows networking altogether; then its uninstaller failed (hung forever at "removing services"), leaving Windows networking fatally, totally broken. System Restore also failed (surprise, surprise), and manual removal of all Trend-related files (including those in C:\WINDOWS\system32) followed by a repair install of Windows didn't improve things any.

The symptom was that both network adapters (LAN connection and RAS async adapter) got yellow alert marks in the Device Manager, and reinstalling the device drivers would always fail; according to setupapi.log, the actual device driver installation always worked but the associated class installer always failed with "the system cannot find the file specified". Turning on verbose logging didn't offer any real clues, either; it was really quite impossible to work out which missing file or registry key was the one actually making the installer barf, even after cross-correlating the setupapi timestamps with object-access timestamps from SysInternals' ProcMon.

I continued to apply every bit of my considerable cunning and experience to the task of making networking come alive again, finally giving up after going at it for fifteen hours. So I ended up doing the backup, nuke and pave dance, which I hate doing and will generally go to great lengths to avoid. And that customer now has an Ubuntu/Windows dual boot setup, and likes the look of Ubuntu, and is already finding it more straightforward to get things done with than Windows ever was.

If linux gets the market share windows gets then we'll still be in the same boat.

First off, Linux is never going to get the market share Windows has got. It's never even going to get close. The Windows juggernaut is just too big and heavy and unstoppable, and Microsoft has literally billions of marketing and legal dollars available to make sure it stays that way. Most people will continue to run Windows, just because it's what most people run.

For seconds, there's a fundamental difference between open-source software and commercial software. Open-source software is redistributable. That means that Linux distributors can and do set up centralized repositories for their own distros, containing verifiably malware-free software pre-packaged for use with that distro, and provide users with some kind of package manager that centralizes the software-installation task. This is in stark contrast with commercial software, where the normal way to install what you want is to buy it from wherever and run the software's own installer, or steal it and run some installer that may well have been tampered with by a black hat.

Linux users tend not to reach out and grab the shiny shiny things that are on offer and stuff them willy-nilly into their systems, because they're accustomed to just putting checkmarks next to something in their package manager and clicking Apply. So if some random website offers to install something in some other way, the initial reaction will be suspicion (why do I need this if it's not available in my package manager?) rather than the kind of Ooo! Shiny! Free! response that seems so prevalent in Windows culture.

Linux users tend not to be running Internet Explorer, best described as an enormous security hole wrapped in a little browser.

But the really big thing is that Linux users don't run with administrative privileges by default, and have no incentive to do so, because they don't have a decades-old legacy of broken apps pushing them in that direction. It's much, much harder for malware to bury itself deeply into a box that doesn't give it instant superuser access by default. And malware running in your own user profile has a single, consistent fix: log out, or reboot single-user; rename /home/mine to /home/mine.infested; log in; move documents from /home/mine.infested back to /home/mine as needed. This is more like urban renewal than nuke and pave. And for what it's worth, I've never heard of anybody actually needing to do it on a home Linux box.

As m&mm points out, running non-admin on Windows is certainly doable, and certainly should be done. But the fact remains that running non-admin on Linux is easier because it's the cultural norm.

The bottom line: anybody who is about to do a nuke and pave is ideally placed to give Linux a whirl, may well find that it's a definitive and permanent solution to their malware problem, and may well find that this makes living within Linux's gated software community worthwhile for them.
posted by flabdablet at 8:28 PM on May 18, 2008 [1 favorite]

