The main symptom of this malware, so far as I can tell, is massive numbers of pop-ups (primarily in IE, each window running a separate instance of what appears as "iexplorer.exe" in the task manager, which makes them a pain to close), including some for Antivirus 2007 or something (which I find ironic). The pop-ups seem to have possibly ceased since I went on my Sophos/Avenger spree and deleted the other 5 pieces of malware. Anyway, here is my HijackThis log - I reckon most of it is garbage (all the scrambled filenames).
Thanks for any help! I can supply Avenger and Sophos logs if need be. Thanks again,
Sam
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:33:58 PM, on 12/12/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
C:\Program Files\UPHClean\uphclean.exe
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\FlashMute\FlashMute.exe
C:\Program Files\Sophos\AutoUpdate\ALMon.exe
C:\Program Files\SocketWatch\swatch.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Sophos\Sophos Anti-Virus\SAVMain.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\sam\Desktop\avenger.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 9\SnagItBHO.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: adsoftinc - {24c9f267-e1f1-2bfd-9577-2f963666671c} - C:\WINDOWS\system32\nsf14.dll
O2 - BHO: adsoftinc browser enhancer - {37F71BE7-DD52-E949-50CC-9E682657BACC} - C:\WINDOWS\system32\gcwemqqmjd.dll
O2 - BHO: Sophos Web Content Scanner - {39EA7695-B3F2-4C44-A4BC-297ADA8FD235} - C:\Program Files\Sophos\Sophos Anti-Virus\SophosBHO.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Browser Helper Object - {AFD4AD01-58C1-47DB-A404-FBE00A6C5486} - C:\Program Files\Common\helper.dll
O2 - BHO: netupbanner browser enhancer - {D6516081-5D90-A86B-F8B6-62F170D61589} - C:\WINDOWS\system32\hbjmmxktomtlz.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: (no name) - {deec968a-440c-47c9-88a3-fe4c28faf402} - C:\WINDOWS\system32\ligijowe.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 9\SnagItIEAddin.dll
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [pswklsfkzkokalqih] C:\WINDOWS\System32\regsvr32.exe /s "C:\WINDOWS\system32\hbjmmxktomtlz.dll"
O4 - HKLM\..\Run: [{90BF8224-CD63-4081-A4C7-EF9A2CF6596F}] "C:\Documents and Settings\All Users\Application Data\2999BB77.exe"
O4 - HKLM\..\Run: [Rrehodizir] rundll32.exe "C:\WINDOWS\Ejapodegexi.dll",e
O4 - HKLM\..\Run: [bxgycrnrnkopc] C:\WINDOWS\System32\regsvr32.exe /s "C:\WINDOWS\system32\gcwemqqmjd.dll"
O4 - HKLM\..\Run: [Asujitemekok] rundll32.exe "C:\WINDOWS\omuqanal.dll",e
O4 - HKLM\..\Run: [koleyoyoyi] Rundll32.exe "C:\WINDOWS\system32\batujuko.dll",s
O4 - HKLM\..\Run: [10c002aa] rundll32.exe "C:\WINDOWS\system32\neletato.dll",b
O4 - HKLM\..\Run: [CPM13f33136] Rundll32.exe "c:\windows\system32\vufurajo.dll",a
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [FlashMute] C:\Program Files\FlashMute\FlashMute.exe
O4 - HKUS\S-1-5-19\..\Run: [koleyoyoyi] Rundll32.exe "C:\WINDOWS\system32\batujuko.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [koleyoyoyi] Rundll32.exe "C:\WINDOWS\system32\batujuko.dll",s (User 'NETWORK SERVICE')
O4 - Startup: ppcb_32.lnk = C:\Program Files\ppcbooster\ppcb_32.exe
O4 - Global Startup: AutoUpdate Monitor.lnk = C:\Program Files\Sophos\AutoUpdate\ALMon.exe
O4 - Global Startup: SocketWatch.lnk = C:\Program Files\SocketWatch\swatch.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 2107924849
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 2107981581
O18 - Filter hijack: text/html - {336042fc-acb0-4e1a-9755-f31e80fa88e4} - C:\WINDOWS\system32\mst120.dll
O20 - AppInit_DLLs: C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL C:\WINDOWS\system32\takihiru.dll C:\WINDOWS\system32\johakehe.dll c:\windows\system32\vufurajo.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\vufurajo.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\vufurajo.dll
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Sophos Anti-Virus status reporter (SAVAdminService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
O23 - Service: Sophos Anti-Virus (SAVService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe
O23 - Service: Sophos AutoUpdate Service - Sophos Plc - C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
--
End of file - 6498 bytes