Symptoms:
Dial-up, modem swamped with comm traffic as soon as there's a connection, so NO useful downloading from that machine is possible. I'm communicating from a Windows 98/Linux box in the same room. Lockups, reboots, blue-screen core-dumps to a file which gets sent to MS, which directs me to this page:
http://support.micro....com/?id=897079
on reboot.
In normal mode, taskmanager, regedit, HJT all close the instant they're opened. All will run in "safe" mode, but... no comm.
I'm downloading on another machine and moving files to the infected machine on CD. This complicates software updates. I say again, I cannot update software (definition files etc.) IN PLACE. Downloads must be on another machine.
Ad-Aware sometimes finds infected files, Antivir has found nothing. Spybot says DSO exploits, which it never seems to fix (all updates & auxiliary stuff in place).
Also means that I have to run HJT and save the output file to CD, move it back to this machine to post it. Very cumbersome.
What I've tried:
Renaming taskmgr.exe (to, say, "foo.com") so that it executes and I can see what's going on. No joy, I can't spot the culprit, even when comm is being swamped, no processor usage stands out.
Following the instructions on the MS page above... basically going into "safe" mode, removing registry entries, deleting files, running Ad-Aware SE, cwshredder, and Antivir, over and over again. Following forum threads to find the names for more suspicious files and registry entries. Repeat.
So far, I've tried dozens, and found (and removed, sometimes multiple times) hits in these categories:
mediaacck.exe (lots of associated folders/files/reg entries)
msdrv
sdkcore
copq
Nothing has made any difference. I can tell by rebooting into normal mode and trying to invoke Task Manager - closes instantly. Connect, and comm traffic is instantly swamped. Registry entries re-appear. Oh, and I did turn off system restore.
Fascinatingly:
When I connect to the net, the thing seems to *learn*. Suddenly, taskmgr renamed as "foo.com" no longer works. Disconnect, copy taskmgr.exe to "bar.com", and "bar.com" works. Connect for too long, "bar.com" ceases to work. Spooky.
The real problem:
Is probably that I'm an Oracle dweeb, with some Linux/Unix, and the whole Windows thing is sort of alien to me. Can't say I'm getting better at it this way.
Again, many thanks for any help. Here's the HJT log (run in "safe" mode).
Logfile of HijackThis v1.99.1
Scan saved at 8:57:35 AM, on 4/21/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\Explorer.EXE
C:\HJT\HIJACKTHIS.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = E:\WINDOWS\System32\blank.htm
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,E:\WINDOWS\system32\userinit.exe,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [LifeScape Media Detector] C:\Program Files\Picasa\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [AVGCtrl] "C:\Program Files\AVPersonal\AVGNT.EXE" /min
O4 - HKLM\..\Run: [Windows Service Drivers] mswin32.exe
O4 - HKLM\..\RunServices: [Windows Service Drivers] mswin32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Felix] C:\Program Files\ScreenMates\Full_fel.exe
O4 - HKCU\..\Run: [Windows Service Drivers] mswin32.exe
O4 - HKCU\..\RunServices: [Windows Service Drivers] mswin32.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1093124166392
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Program Files\AVPersonal\AVGUARD.EXE
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: NetMeeting Remote Desktop Sharing (mnmsrvc) - Unknown owner - E:\WINDOWS\System32\mnmsrvc.exe (file missing)
O23 - Service: Remote Desktop Help Session Manager (RDSessMgr) - Unknown owner - E:\WINDOWS\system32\sessmgr.exe (file missing)
Edited by scarecrow, 21 April 2005 - 08:08 AM.