popups, various spyware

[ichabod]

Hello all, here is my problem:
My computer (running Windows XP, SP2) has been infected with some spyware. First sign of it was when I was surfing the internet (with Firefox like a good boy) and suddenly got a window that said "downloading ErrorProtector" which I stopped with ctrl-alt-del but that apparently didn't work, as I started getting regular IE popups every few minutes. So then I ran Ad-Aware and Spybot S&D. Ad-Aware detected and removed ErrorProtector. Then Spybot detected SmitFraud-C and I opted to remove that as well.

Then I went into safe mode and ran both programs again, and only found tracking cookies (albeit ones with rather uncommon names that I haven't seen before getting these popups). Then I went to Add/Remove Programs and removed "OuterInfo," because that's what many of the popups said, and also downloaded the program with the oiuninstaller.exe from outerinfo.com; since then I don't think I've gotten the OuterInfo popups, but still get others. Then did Ad-Aware again and found the following:

Adware.BHO (generic)
Clickspring
Tracking cookie
0 Possible New Malware
and the usual MRU list

and removed them. Then I did the Trend Micro HouseCall online scan, which found the following:
FREELOADER_DRIVERCLEANER
1 Infections
TSPY_ANALOGXPROXY
1 Infections
HTTP cookies
3 Detected

and the following vulnerabilities:
(MS00-034) Office 2000 UA Control Vulnerability
(MS01-028) RTF Document Linked to Template Can Run Macros Without Warning
(MS05-004) ASP.NET Path Validation Vulnerability (887219)
(MS07-019) Vulnerability in Universal Plug and Play Could Allow Remote Code Execution (931261)
(MS07-020) Vulnerability in Microsoft Agent Could Allow Remote Code Execution (932168)
(MS07-021) Vulnerabilities in CSRSS Could Allow Remote Code Execution (930178)
(MS07-022) Vulnerability in Windows Kernel Could Allow Elevation of Privilege (931784)

I selected "clean," which removed the malware and grayware. Then I ran Ad-Aware again in safe mode and found nothing. Then I ran Spybot S&D again and only found more tracking cookies from the popups.

Then I did Hijack This and here's the log:

Logfile of HijackThis v1.99.1
Scan saved at 10:49:17 AM, on 4/21/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\LTSMMSG.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\xloadnet\xloadnet.exe
C:\WINDOWS\updater.exe
C:\Program Files\NETGEAR\WG111v2 Configuration Utility\RtlWake.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\NETGEAR\WG111v2 Configuration Utility\RtWLan.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\notepad.exe
C:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
O4 - HKLM\..\Run: [ZTgServerSwitch] c:\program files\support.com\client\lserver\server.vbs
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [xloadnet] "C:\Program Files\xloadnet\xloadnet.exe"
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\updater.exe 61A847B5BBF72810329B385473F001F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O4 - Global Startup: WG111v2 Smart Wizard Wireless Setting.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O15 - Trusted Zone: *.sxload.net (HKLM)
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe

Also ran SmitFraudFix.exe. Still getting the popups. Could somebody please tell me what to do now? Thanks so much.

Oh, PS, I just re-read the log when I previewed the post, and I saw the suspicious "xloadnet.exe"; Google results tell me it's spyware. It wasn't in Add/Remove Programs so I killed the process and deleted the entire folder from Program Files. What next? Should that solve my problem?

 

[pskelley]

Welcome to Safer Networking, if you still need help and are not receiving it elsewhere, since I do not see the required online anti-virus scan results,
it appears you have missed some important instructions our administrator has posted at the top of the forum, especially this: "BEFORE you POST" Mandatory Steps Before Requesting Assistance
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at own risk.
Please read and follow all instructions and post all required logs or reports, anything less will slow your process.
Use "Post Reply" to post the information in the instructions and stay in the same topic.

You can hold that scan, if I need it i'll let you know, but you said

I saw the suspicious "xloadnet.exe"; Google results tell me it's spyware. It wasn't in Add/Remove Programs so I killed the process and deleted the entire folder from Program Files.

It is still in this HJT log, it sounds like you experienced a "drive by shooting" and found at least one website to avoid in the future. There are many, exploits put there just for this purpose. I no long "surf the net" as a results and go only where I need to go that I know is safe.

Since you mention Smitfraud, let do a little looking to see what we find, please proceed like this and follow the directions carefully.

1) http://siri.geekstogo.com/SmitfraudFix.php <<< download Smitfraudfix from here. Follow ONLY these directions.

Search: Double-click SmitfraudFix.exe
Select 1 and hit Enter to create a report of the infected files. The report can be found at the root of the system drive, usually at C:\rapport.txt

Note: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool". It is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/processutil/processutil.htm

2) Open Hijackthis.
Click the "Open the Misc Tools" section Button.
Click the "Open Uninstall Manager" Button.
Click the "Save list..." Button.
Save it to your desktop. Copy and paste the contents into your reply.

Post the C:\rapport.txt from Smitfraudfix, the uninstall list and a new HJT log. Add any comments you think will help.

Thanks

 

[ichabod]

Hello and thanks for responding.

since I do not see the required online anti-virus scan results

Check my last post again; I posted the results of a Trend Micro online scan. I made sure to read the sticky on mandatory steps before posting, and I followed it step by step.

Also, I already took the steps you recommended (running SmitFraudFix) in the past day while waiting for a response. But let me give the whole rundown of what I've done in the meantime:
I ran SmitFraudFix and got rapport.txt. Here's the FIRST version of rapport.txt I got:


SmitFraudFix v2.171

Scan done at 10:32:26.50, Sat 04/21/2007
Run from C:\Documents and Settings\Stefan\.housecall6.6\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» hosts


127.0.0.1 localhost

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files


»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter - Packet Scheduler Miniport
DNS Server Search Order: 192.168.1.1

HKLM\SYSTEM\CCS\Services\Tcpip\..\{2E813A13-067B-44D0-B89A-E505F8E69194}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{2E813A13-067B-44D0-B89A-E505F8E69194}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS2\Services\Tcpip\..\{2E813A13-067B-44D0-B89A-E505F8E69194}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End



(Stefan is me in case you're wondering, and my computer name is "FRUNOBULAX.")
Then I did Ad-Aware and Spybot again and just removed more cookies.

AND THEN I ran Symantec Antivirus and found the following:
Scan type: Manual Scan
Event: Virus Found!
Virus name: Trojan.ByteVerify
File: C:\Documents and Settings\Stefan\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-7b11336d-33fcafdf.zip
Location: Quarantine
Computer: FRUNOBULAX
User: Stefan
Action taken: Clean failed : Quarantine succeeded :
Date found: Sun Apr 22 00:32:05 2007
and also:
Scan type: Manual Scan
Event: Virus Found!
Virus name: Trojan Horse
File: C:\WINDOWS\system32\qrllupht.dll
Location: Quarantine
Computer: FRUNOBULAX
User: Stefan
Action taken: Clean failed : Quarantine succeeded :
Date found: Sun Apr 22 03:00:31 2007
Scan type: Manual Scan
Event: Virus Found!
Virus name: Downloader
File: C:\WINDOWS\updater.exe
Location: Quarantine
Computer: FRUNOBULAX
User: Stefan
Action taken: Clean failed : Quarantine succeeded :
Date found: Sun Apr 22 03:03:29 2007

So then, having read the Vundo Trojan sticky thread (http://forums.spybot.info/showthread.php?t=4394) I concluded that I could be infected with Vundo, especially since some of the popups I was getting are mentioned in descriptions of Vundo/Winfixer.

So at that point I used VundoFix.exe as recommended in the Vundo thread. It found the following:
C:\WINDOWS\system32\mlnmp.bak1
C:\WINDOWS\system32\mlnmp.bak2
C:\WINDOWS\system32\mlnmp.ini
C:\WINDOWS\system32\pmnlm.dll
and was able to remove only the first two.

At this point I got another Symantec message:
Scan type: Realtime Protection Scan
Event: Virus Found!
Virus name: Trojan Horse
File: C:\WINDOWS\system32\nupsskcm.dll
Location: Quarantine
Computer: FRUNOBULAX
User: Stefan
Action taken: Clean failed : Quarantine succeeded : Access denied
Date found: Sun Apr 22 04:36:34 2007

So anyway, I still had mlnmp.ini and pmnlm.dll left to remove, and Windows wasn't letting me remove them manually. So I downloaded VirtumundoBeGone (http://forums.mcafeehelp.com/viewtopic.php?t=57049) which managed to rename those files, and then I deleted them. From that point on I have had NO MORE POPUPS, but I'd still like to know if my computer is totally clean, of course. Ran VundoFix again and it found nothing.

Then I ran HijackThis again and fixed an item with the xloadnet file path in it (although the xloadnet folder was long gone already).

Then I went back and ran Ad-Aware again and just got the usual "MRU List" of cookies or whatever, BUT when I ran Spybot it found "Smitfraud-C.Toolbar888," only listed as a tracking cookie (?????). I chose to fix it and Spybot apparently did.

SO FINALLY, HERE ARE MY CURRENT LOGS:
HijackThis:

Logfile of HijackThis v1.99.1
Scan saved at 7:44:27 AM, on 4/22/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\LTSMMSG.exe
C:\WINDOWS\System32\WScript.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\NETGEAR\WG111v2 Configuration Utility\RtlWake.exe
C:\Program Files\NETGEAR\WG111v2 Configuration Utility\RtWLan.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
c:\progra~1\Support.com\client\bin\tgcmd.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\notepad.exe
C:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\adobe\acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {1557B435-8242-4686-9AA3-9265BF7525A4} - C:\WINDOWS\system32\ublsqbmd.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
O4 - HKLM\..\Run: [ZTgServerSwitch] c:\program files\support.com\client\lserver\server.vbs
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\updater.exe 61A847B5BBF72810329B385473F001F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O4 - Global Startup: WG111v2 Smart Wizard Wireless Setting.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O15 - Trusted Zone: *.sxload.net (HKLM)
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe



and rapport.txt from SmitFraudFix:

SmitFraudFix v2.171

Scan done at 7:09:43.79, Sun 04/22/2007
Run from C:\Documents and Settings\Stefan\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» hosts


127.0.0.1 localhost

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files


»»»»»»»»»»»»»»»»»»»»»»»» DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{2E813A13-067B-44D0-B89A-E505F8E69194}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{2E813A13-067B-44D0-B89A-E505F8E69194}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS2\Services\Tcpip\..\{2E813A13-067B-44D0-B89A-E505F8E69194}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End



Is everything gone? Or are there further steps I should take? Thanks so much.

 

[ichabod]

Oh, and I forgot to post my uninstall list; here it is:

Ad-Aware SE Personal
Adobe Acrobat 5.0
Adobe Photoshop 7.0
Adobe Photoshop Elements
Adobe SVG Viewer 3.0
AOL Instant Messenger
ArcSoft PhotoImpression
Audacity 1.2.4
Blender (remove only)
DigitalPrint 1.1
DiMAGE Viewer
DVgate
EPSON Copy Utility
EPSON Photo Print
EPSON Printer Software
EPSON Scanner Reference Guide
EPSON Smart Panel
EPSON TWAIN 5
Experience VAIO
Gaim (remove only)
GCN
GTK+ Runtime 2.6.9 rev a (remove only)
HijackThis 1.99.1
hp print screen utility
ImageStation
ImageStation Demo
Insight
Java 2 Runtime Environment Standard Edition v1.3.1_06
Java 2 Runtime Environment, SE v1.4.2
Jitter 1.5.1
Joshua Lightshow 1 Screen Saver
Joshua Lightshow 2 Screen Saver
Joshua Lightshow 3 Screen Saver
K-Lite Codec Pack 2.25 Full
ky2 Screen Saver
Lernout & Hauspie TruVoice American English TTS Engine
LimeWire 4.9.23
Live Midi Keyboard
LiveUpdate 1.7 (Symantec Corporation)
Lost Horizons1024 Screen Saver
Lucent Technologies Soft Modem AMR
MaxMSP 4.5.5
Microsoft .NET Framework 1.1
Microsoft Office 2000 Premium
Motion JPEG Software Decoder
MovieShaker 3.3
Mozilla Firefox (1.5.0.11)
Mozilla Thunderbird (1.5)
MSXML 4.0 SP2 (KB927978)
Music Visualizer Library
NVIDIA Windows 2000/XP Display Drivers
OpenMG Secure Module 3.0.03
Opera 9.02
P5 Glove
PicoPlayer
PicoPlayer Demo
PicoPlayerSplashScreen
POV-Ray for Windows v3.6.1a
PowerDVD
Quicken 2002 New User Edition
QuickTime
QuickTime Alternative 1.34
Real Alternative 1.27
Rejoice v1.6
ScanToWeb
Screenblast ACID 2.0a
Screenblast Sound Forge 1.0b
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB911565)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows XP (KB883939)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB903235)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922760)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925454)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928090)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929969)
Semagic (remove only)
Shockwave
SiS Audio Driver
SiS Compatible VGA V2.07f.01
Smart Capture
SonicStage 1.2.00
SonicStage CD-R Writing Module
Sony Certificate PCH
Sony DV Shared Library
Speakonia
Spybot - Search & Destroy 1.4
Steinberg Cubase LE
Support Actions Win2K,WinXP
Symantec AntiVirus Client
Tweak UI
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB929338)
Update for Windows XP (KB931836)
VAIO Action Setup
VAIO Brezza Wallpaper
VAIO Clock Screen Saver
VAIO Grid Wallpaper
VAIO Help & Support
VAIO Registration
VAIO Serenus Wallpaper
VAIO Support
VAIO System Information
WG111v2 Configuration Utility
Windows Defender
Windows Defender Signatures
Windows Installer 3.1 (KB893803)
Windows Installer 3.1 (KB893803)
Windows XP Hotfix - KB834707
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893066
Windows XP Hotfix - KB893086
Windows XP Service Pack 2
WinRAR archiver
WordPerfect Office 2002 OEM
Zerius Vocoder (remove only)

 

[ichabod]

Oh, BTW, just saw tashi's post in "So how did I get infected...?" about uninstalling old versions of Java and getting the newest version, so I'm doing that now as well.

 

[pskelley]

First, I apologize for missing your scan results. I also need to say that if you post for help, you should wait for it, it appears you have no need for my advice, and I do not have a problem with that, there are many folks who do.

I will comment that Smitfraudfix search found nothing and the reason we stop you there is the creator of the fix advises us NOT to run the clean function on an uninfected computer, which you did. Hopefully without causing a problem.

You are also tossing a lot of information at me that I may or may not need, I will take just a moment to post this link:
http://au.answers.yahoo.com/question/index.php?qid=20060822234144AAyk3HY Just read the first Q&A, that will do.

and this information: FALSE POSITIVE
http://forums.spybot.info/showthread.php?t=8668
Smitfraud-C.Toolbar888
If your version of Spybot and all datas bases are up to date, then ignore the item or over ride so you don't have to see it.

Now to the HJT log: Review the instructions again, it appears you have word wrap turned on and my scanners do not like that:

Note: In notepad under Format, uncheck "Word Wrap" Produce all HJT logs like this, single spaced.
It is preferable, and the log easier to read, if you do not use the

 or [php] options.[/QUOTE]

I see this in your HJT log: 
O4 - HKLM\..\Run: [ZTgServerSwitch] c:\program files\support.com\client\lserver\server.vbs
CastleCops has this to say: http://www.castlecops.com/startuplist-4638.html
[B]That is your call[/B].

I do use Vundofix and when that will not remove the infection I will also use VundoBegone.

You have Notepad running three times, to be sure it is not an infection, please close all instances of Notepad before you post the final HJT log.

Let's clean a little and see how the computer is running.

1) How to make files and folders visible:
Click Start > Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.  Click OK.
You may reverse this for safety when we are finished.

2) Please download ATF Cleaner by Atribune 
http://www.atribune.org/content/view/25/2/
Save it to your Desktop. We will use this later.

3) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

O2 - BHO: (no name) - {1557B435-8242-4686-9AA3-9265BF7525A4} - C:\WINDOWS\system32\ublsqbmd.dll (file missing)
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\updater.exe 61A847B5BBF72810329B385473F001F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310
([COLOR="red"]you know what the next item is, if HJT does not remove it, see the removal method below[/COLOR])
O15 - Trusted Zone: *.sxload.net (HKLM)

Close all programs but HJT and all browser windows, then click on "Fix Checked"

4) RIGHT Click on Start then click on Explore. Locate and delete these items:

C:\WINDOWS\[COLOR="red"]updater.exe <<< delete that file[/COLOR]

5) Run ATF Cleaner 
Double-click ATF-Cleaner.exe to run the program. 
Click Select All found at the bottom of the list. 
Click the Empty Selected button. 
Click Exit on the Main menu to close the program. 

Restart and post a [B]last HJT log[/B], please add any [B]comments[/B] you think will help.

Thanks

[COLOR="red"]Alt removal of[/COLOR] *.sxload.net
Right click http://mvps.org/winhelp2002/DelDomains.inf and select Save As to download WinHelp2002's DelDomains.inf. 
Please save the file somewhere you can find it like on the desktop.
To run the inf file, right click on it and select Install.
[COLOR="red"]This will clean the "Trusted Zone" in case you are using it for other reasons[/COLOR].

I will add the Uninstall list, even the Java which you may ignore if you have done that.

Java 2 Runtime Environment Standard Edition v1.3.1_06 <<< I have never seen one this old?
Java 2 Runtime Environment, SE v1.4.2 <<< very old and may be the reason you got infected.

LimeWire 4.9.23 <<< Your call
http://www3.ca.com/securityadvisor/pest/Pest.aspx?id=453088059  and see this:
http://www.spywareinfo.com/articles/p2p/

Mozilla Firefox (1.5.0.11)
Mozilla Thunderbird (1.5)
I am sure you will find these are both out of date, if you are going to run them, just like with Windows Updates, you must keep them updated.

That is all I see but I do not know all of those programs, I would have a hard look yourself and investigate anything you do not know and uninstall anything you are done with.

 

[ichabod]

Hi pskelley, I'm working through your new advice and will post results when done. Sorry I didn't wait for a response before going ahead with things, but now I'm on track with the steps you've given me. And sorry for having posted so much stuff! Installed up-to-date Java just a few minutes ago. I'm on Firefox 1.5 because when I tried 2 it was horrendously slow for me, and 1.5 is still being supported for security/stability -- unfortunately when I checked on that just now I see Mozilla is only supporting it until April 24, 2007 so it looks like I'll have to install Firefox 2 now. I only use Thunderbird as an archive of an old mailbox, not as a regular e-mail program.

I'm almost positive I turned Word Wrap off in Notepad but here's the same log that I posted before with word wrap definitely off. But I'm not sure how to get it not to wrap in the post even when it doesn't wrap in Notepad.
Logfile of HijackThis v1.99.1
Scan saved at 7:44:27 AM, on 4/22/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\LTSMMSG.exe
C:\WINDOWS\System32\WScript.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\NETGEAR\WG111v2 Configuration Utility\RtlWake.exe
C:\Program Files\NETGEAR\WG111v2 Configuration Utility\RtWLan.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
c:\progra~1\Support.com\client\bin\tgcmd.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\notepad.exe
C:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\adobe\acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {1557B435-8242-4686-9AA3-9265BF7525A4} - C:\WINDOWS\system32\ublsqbmd.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
O4 - HKLM\..\Run: [ZTgServerSwitch] c:\program files\support.com\client\lserver\server.vbs
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\updater.exe 61A847B5BBF72810329B385473F001F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O4 - Global Startup: WG111v2 Smart Wizard Wireless Setting.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O15 - Trusted Zone: *.sxload.net (HKLM)
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe


(And the three instances of Notepad were just all the logs I had open at the time.)

Will post a new log when I'm done with your instructions. Thanks again!

 

[pskelley]

Same log posted twice:
Logfile of HijackThis v1.99.1
Scan saved at 7:44:27 AM, on 4/22/2007

Logfile of HijackThis v1.99.1
Scan saved at 7:44:27 AM, on 4/22/2007

Slow down a little this post is hard to work with because of all the information not needed.

Thanks

 

[ichabod]

Yeah, note that I said it was the same one reposted without word wrap to make it more readable. Sorry for the confusion, but after you mentioned the word wrap issue I was trying to save you the trouble of reading the other version.

Anyway, I just followed all the steps listed in your last post (killed server.vbs as well) and have a new log after doing all that:

Logfile of HijackThis v1.99.1
Scan saved at 9:32:57 AM, on 4/22/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\LTSMMSG.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\NETGEAR\WG111v2 Configuration Utility\RtlWake.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\NETGEAR\WG111v2 Configuration Utility\RtWLan.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\hijackthis\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\adobe\acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O4 - Global Startup: WG111v2 Smart Wizard Wireless Setting.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe





Again, this is with no word wrap but I'm not sure how it shows up in the post. Sorry to post so soon after the last one, but please don't feel rushed or anything; the help you've been giving me has been excellent.

 

[pskelley]

This log: Logfile of HijackThis v1.99.1 Scan saved at 9:32:57 AM, on 4/22/2007
Looks to be clean of malware. Any other malware issues?

System Restore does not know the good files from the bad. In case bad stuff has gotten into your System Restore files, follow the instructions in this link to get clean System Restore files. Turn it off, reboot then turn it back on:
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039?Open&src=sec_doc_nam

Here is some great information from Tony Klein, Texruss, ChrisRLG and Grinler to help you stay clean and safe online:
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.

 

[ichabod]

No more issues, everything is working fine. Thanks so much for the help, it was a lifesaver!

 

[tashi]

Glad we could help, as the problem appears to be resolved this topic has been archived.

If you need it re-opened, please send me a private message (pm) and provide a link to the thread. Applies only to the original poster, anyone else with similar problems please start a new topic.