New here. Hope I've prepared my query properly.
Important: I got nailed by WinFix about a week ago. I deleted the program. One of the anti-spyware programs you suggest detected things left behind by WinFix, and I deleted them. Strongly suspect that the following problem is related to this!
Also: maybe unrelated, but I have suddenly been receiving much much more spam e-mail than usual. And it seems my e-mail address has been hijacked to send out spam ???
My AntiVir Premium Edition (paid version) software's Guard is constantly detecting a virus infection with the following pop-up message (translated from German):
C:\WINDOWS\SYSTEM32\PMKHI.DLL
contains the signature of Ad-ware or Spyware ADSPY/Virtumobnde.P
When I run an updated scan with AntiVir, it detects the problem again, but advises that the it can only be deleted by rebooting. When I do this (immediately) nothing changes. AntiVir is apparently incapable of removing/repairing the problem.
However, updated Ad-aware SE does not detect this problem. Neither does Ewido or ANY of your other software suggestions mentioned on your opening malware page. Full scans, everything updated beforhand: no detection of any problem related to this dll file except by AntiVir. I have tried CW Shredder, Spybot S&D, DSO Exploit Fix, Ewido Security Suite, Trend Housecall, Panda Active Scan, TrojanHunter. (In the course of this, a couple of apparently unrelated trouble spots were uncovered and dealt with. There was, for example, something about IE options tabs having been hidden by something. This was apparently fixed successfully. No further detections since.)
I emailed AntiVir's support, and they only sent me general troubleshooting instructions with the following points:
1. "UPDATE virus definitions and software" ... check
2. "Deactivate "SYSTEM RESTORE" ... check
3. "Boot into SAFE MODE" ... check
4. "FULL SCAN of all partitions and file types" ... check
5. "DELETE any infected files. (Confirm their existence first with Search...)" ... check
6. "If infected files are archive files, you must manually delete them in Windows Explorer" ... PMKHI.DLL is not an archived file as far as I can tell. In any case, when I attempted to delete it in Windows Explorer, I got a message saying it was impossible to delete the file since it was being used by another program or user.)
The instructions go on about deleting cookies, emptying the cache, rebooting into Normal Mode and reactivating System Restore. And claim that the problem should be solved. But PMKHI.DLL is still there and the pop-ups continue...
Could it be that AntiVir is falsely detecting a problem in this file?
Windows Updates are all installed.
I'm running a German language XP system, by the way.
The AntiVir virus warning is popping up more and more frequently. At first the Guard would detect it every time I opened IE, now it detects constantly -- like every few seconds at times -- even if IE is off. With IE on, the system also becomes extremely slow. I have been using Firefox since yesterday, but there isn't much improvement. Even with all browsers off I continue to get AntiVir pop-up warnings. I am still using Outlook Express for e-mail, but the pop-ups continue when I have it off too.
I see no suspicious or unknown processes running (though many of the process names mean nothing to me in the first place) and no suspicious or unknown visibly installed programs in Add/Remove Programs.
I am now using Ewido Security Suite (trial version) with its guard ON with the Guard on my paid version of AntiVir turned OFF. (Ewido detects nothing and finds no viruses/problems while scanning. At least this way I don't get hassled with the incessant AntirVir pop-ups.) Though I have it turned ON, I'm not sure whether Ewido's guard is actually working since my Windows Security Center (if that's what it's called in English) says Virus Protection is INACTIVE.
OK, here's my first attempt at sending you a HJT log of my system. Hope it's what you need. Thank you in advance for any help you can offer!!
Geoff
Logfile of HijackThis v1.99.1
Scan saved at 19:35:59, on 13.10.2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\AVPersonalPremium\AVWUPSRV.EXE
C:\Programme\ewido\security suite\ewidoctrl.exe
C:\Programme\ewido\security suite\ewidoguard.exe
C:\Programme\sony\giga pocket\shwserv.exe
C:\Programme\sony\giga pocket\RM_SV.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe
C:\Programme\AVPersonalPremium\AVGNT.EXE
C:\Programme\AVPersonalPremium\AVSCHED32.EXE
C:\PROGRA~1\sony\SONICS~1\SsAAD.exe
C:\Programme\iTunes\iTunesHelper.exe
C:\Programme\iPod\bin\iPodService.exe
C:\Programme\Gemeinsame Dateien\Sony Shared\AVLib\SSScsiSV.exe
C:\Programme\BBC News alerts\skinkers.exe
C:\Programme\Plaxo\2.4.1.5\InstallStub.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Programme\sony\keyboard closure setup\KSWServ.exe
C:\Programme\Outlook Express\msimn.exe
C:\Programme\sony\usbsircs\usbsircs.exe
C:\Programme\sony\giga pocket\ReserveModule.exe
C:\Programme\Sony\VAIO Action Setup\VAServ.exe
C:\Programme\FRITZ!DSL\FwebProt.exe
C:\Programme\sony\giga pocket\gps.exe
C:\Programme\Gemeinsame Dateien\Microsoft Shared\Works Shared\wkcalrem.exe
C:\PROGRAMME\AVPERSONALPREMIUM\AVGUARD.EXE
C:\PROGRAMME\AVPERSONALPREMIUM\AVESVC.EXE
C:\PROGRAMME\AVPERSONALPREMIUM\AVMAILC.EXE
C:\Programme\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Programme\Trend Micro\Tmas\tmas.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\Programme\Windows NT\Zubehör\WORDPAD.EXE
C:\Programme\Sunbelt Software\CounterSpy\Consumer\sunThreatEngine.exe
C:\Programme\Sunbelt Software\CounterSpy\Consumer\SunProtectionServer.exe
C:\Programme\Sunbelt Software\CounterSpy\Consumer\SunServer.exe
C:\Programme\Hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.google.c...shp?hl=en&gl=ca
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.club-vaio.sony-europe.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programme\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: MSEvents Object - {6DD0BC06-4719-4BA3-BEBC-FBAE6A448152} - C:\WINDOWS\system32\pmkhi.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programme\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programme\google\googletoolbar1.dll
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVGCtrl] "C:\Programme\AVPersonalPremium\AVGNT.EXE" /min
O4 - HKLM\..\Run: [AVSCHED32] C:\Programme\AVPersonalPremium\AVSCHED32.EXE /min
O4 - HKLM\..\Run: [Drag'n Drop CD+DVD] C:\Programme\drag'n drop cd+dvd\BinFiles\DragDrop.exe /StartUp
O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Programme\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [THGuard] "C:\Programme\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [SunServer] C:\Programme\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
O4 - HKCU\..\Run: [BBC News alerts] C:\Programme\BBC News alerts\skinkers.exe
O4 - HKCU\..\Run: [PlaxoUpdate] C:\Programme\Plaxo\2.4.1.5\InstallStub.exe -a
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: FRITZ!webProtect.lnk = C:\Programme\FRITZ!DSL\FwebProt.exe
O4 - Startup: Trend Micro Anti-Spyware.lnk = C:\Programme\Trend Micro\Tmas\Tmas.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Programme\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: Adobe Reader - Schnellstart.lnk = C:\Programme\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Keyboard Closure Setup.lnk = C:\Programme\sony\keyboard closure setup\KSWServ.exe
O4 - Global Startup: Microsoft Works-Kalender.lnk = ?
O4 - Global Startup: Outlook Express.lnk = C:\Programme\Outlook Express\msimn.exe
O4 - Global Startup: Remocon-Treiber.lnk = ?
O4 - Global Startup: Timer Recording Manager.lnk = C:\Programme\sony\giga pocket\ReserveModule.exe
O4 - Global Startup: Trend Micro Anti-Spyware.lnk = C:\Programme\Trend Micro\Tmas\Tmas.exe
O4 - Global Startup: tvtvforPC.lnk = C:\Programme\tvtvforPC\tvtvforPC.exe
O4 - Global Startup: VAIO Action Setup (Server).lnk = ?
O8 - Extra context menu item: &Google Search - res://c:\programme\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\programme\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\programme\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\programme\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: LEO English <-> German - C:\Programme\LEO-Ext-for-IE\DE_EN.htm
O8 - Extra context menu item: LEO French <-> German - C:\Programme\LEO-Ext-for-IE\DE_FR.htm
O8 - Extra context menu item: Similar Pages - res://c:\programme\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\programme\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\j2re1.4.2_01\bin\npjpi142_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\j2re1.4.2_01\bin\npjpi142_01.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\programme\fritz!dsl\sarah.dll
O10 - Unknown file in Winsock LSP: c:\programme\fritz!dsl\sarah.dll
O10 - Unknown file in Winsock LSP: c:\programme\fritz!dsl\sarah.dll
O10 - Unknown file in Winsock LSP: c:\programme\fritz!dsl\sarah.dll
O10 - Unknown file in Winsock LSP: c:\programme\fritz!dsl\sarah.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.club-vaio.sony-europe.com/
O15 - Trusted Zone: *.sony-europe.com
O15 - Trusted Zone: *.sonystyle-europe.com
O15 - Trusted Zone: *.vaio-link.com
O16 - DPF: {08BEF711-06DA-48B2-9534-802ECAA2E4F9} (PlxInstall Class) - https://www.plaxo.co...laxoInstall.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage) - http://go.microsoft....204&clcid=0x409
O16 - DPF: {59136DB4-6CA3-4B40-8F2F-BBF84B6F1E91} (Attachment Upload Control) - https://img.web.de/v...upload_1124.cab
O16 - DPF: {60EFC337-15C2-4369-B2A0-3429B071D8B8} (Hewlett-Packard Printer Diagnostics) - http://ispe.sdc.hp.c...SWebManager.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1120088862437
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1126657825826
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall-Kontrolle) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {DF6504AC-3EFE-4287-B259-FB299B069C95} (WEBDE Fotoalbum Upload Control) - https://img.web.de/v...upload_1130.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{83348D94-E4A5-4C0B-B5F8-219018C9DB02}: NameServer = 192.168.122.252,192.168.122.253
O20 - Winlogon Notify: pmkhi - C:\WINDOWS\system32\pmkhi.dll
O23 - Service: AntiVir Mail Security Service (AntiVirMailService) - AntiVir PersonalProducts GmbH. - C:\PROGRAMME\AVPERSONALPREMIUM\AVMAILC.EXE
O23 - Service: AntiVir Service (AntiVirService) - AntiVir PersonalProducts GmbH - C:\PROGRAMME\AVPERSONALPREMIUM\AVGUARD.EXE
O23 - Service: AVE Service (AVEService) - AntiVir PersonalProducts GmbH - C:\PROGRAMME\AVPERSONALPREMIUM\AVESVC.EXE
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Programme\AVPersonalPremium\AVWUPSRV.EXE
O23 - Service: CWShredder Service - Unknown owner - C:\Dokumente und Einstellungen\geoffrey\Lokale Einstellungen\Temporary Internet Files\Content.IE5\E4UDFHKK\cwshredder[2].exe (file missing)
O23 - Service: AVM FRITZ!web Routing Service (de_serv) - AVM Berlin - C:\Programme\Gemeinsame Dateien\AVM\de_serv.exe
O23 - Service: ewido security suite control - ewido networks - C:\Programme\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Programme\ewido\security suite\ewidoguard.exe
O23 - Service: Giga Pocket Hardware Detector - Sony Corporation - C:\Programme\sony\giga pocket\shwserv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Programme\iPod\bin\iPodService.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Programme\Gemeinsame Dateien\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Programme\Gemeinsame Dateien\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony TV Tuner Controller - Sony Corporation - C:\Programme\sony\giga pocket\halsv.exe
O23 - Service: Sony TV Tuner Manager - Sony Corporation - C:\Programme\sony\giga pocket\RM_SV.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Programme\Gemeinsame Dateien\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Programme\Gemeinsame Dateien\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: VAIO Media Music Server (VAIOMediaPlatform-MusicServer-AppServer) - Unknown owner - C:\Programme\sony\vaio media music server\SSSvr.exe" /Service=VAIOMediaPlatform-MusicServer-AppServer /DisplayName="VAIO Media Music Server (file missing)
O23 - Service: VAIO Media Music Server (HTTP) (VAIOMediaPlatform-MusicServer-HTTP) - Unknown owner - C:\Programme\Gemeinsame Dateien\Sony Shared\vaio media platform\sv_httpd.exe" /Service=VAIOMediaPlatform-MusicServer-HTTP /RegRoot="Software\Sony Corporation\VAIO Media Platform\2.0" /RegExt="Applications\MusicServer\HTTP (file missing)
O23 - Service: VAIO Media Music Server (UPnP) (VAIOMediaPlatform-MusicServer-UPnP) - Sony Corporation - C:\Programme\Gemeinsame Dateien\Sony Shared\vaio media platform\UPnPFramework.exe
O23 - Service: VAIO Media Photo Server (VAIOMediaPlatform-PhotoServer-AppServer) - Sony Corporation - C:\Programme\sony\photo server\appsrv\PhotoAppSrv.exe
O23 - Service: VAIO Media Photo Server (HTTP) (VAIOMediaPlatform-PhotoServer-HTTP) - Unknown owner - C:\Programme\Gemeinsame Dateien\sony shared\vaio media platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-PhotoServer-HTTP /RegRoot="Software\Sony Corporation\VAIO Media Platform\2.0" /RegExt="\Applications\PhotoServer\HTTP (file missing)
O23 - Service: VAIO Media Photo Server (UPnP) (VAIOMediaPlatform-PhotoServer-UPnP) - Sony Corporation - C:\Programme\Gemeinsame Dateien\sony shared\vaio media platform\UPnPFramework.exe
O23 - Service: VAIO Media Video Server (VAIOMediaPlatform-VideoServer-AppServer) - Unknown owner - C:\Programme\sony\giga pocket\GPVSvr.exe" /Service=VAIOMediaPlatform-VideoServer-AppServer /DisplayName="VAIO Media Video Server (file missing)
O23 - Service: VAIO Media Video Server (HTTP) (VAIOMediaPlatform-VideoServer-HTTP) - Unknown owner - C:\Programme\Gemeinsame Dateien\sony shared\vaio media platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-VideoServer-HTTP /RegRoot="SOFTWARE\Sony Corporation\VAIO Media Platform\2.0" /RegExt="\Applications\VideoServer\HTTP (file missing)
O23 - Service: VAIO Media Video Server (UPnP) (VAIOMediaPlatform-VideoServer-UPnP) - Sony Corporation - C:\Programme\Gemeinsame Dateien\sony shared\vaio media platform\UPnPFramework.exe