View Full Version : Problems removing reoccurring Spyware
dprechtel
14 Sep 2004, 6:45pm
Greetings – you were so helpful in getting rid of the Home Search Assistant problem and I thank you.
Certain problems must still remain however, because I seem to be constantly infected with reoccurring Spyware downloads. Every time I run a system screen the same problems come up. For example:
Spyware detects:
MediaPlex
Advertising.com
AvenueA, Inc
DSO Exploit
SearchForIt
Ad-Aware detects:
ClickSpring
CoolWebSearch
VX2
Pest Patrol Detects:
Trojandownloader.Win32.Agent.dq
I proceed to delete these detections, but after surfing the web and running another system screen they reappear. Where might the problem be?
Thanks for your assistance.
SpywareShooter
14 Sep 2004, 7:57pm
Can you please post a hijackthis log?
dprechtel
14 Sep 2004, 8:10pm
Thanks for your prompt reply.
Here is my latest HJT log:
Logfile of HijackThis v1.97.7
Scan saved at 12:01:59 PM, on 9/14/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\Program Files\iPod\Bin\iPodSrv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sony\VAIO Media Music Server\SSSvr.exe
C:\WINDOWS\LTSMMSG.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\WINDOWS\System32\WScript.exe
C:\Program Files\iPod\Bin\iPodWatcher.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\Program Files\Panicware\Pop-Up Scanner\Popupscn.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\QBDAgent.exe
C:\Program Files\Sony\Photo Server 20\appsrv\PicAppSrv.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe
C:\WINDOWS\System32\mrtMngr.EXE
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\sv_httpd.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
c:\progra~1\Support.com\client\bin\tgcmd.exe
C:\Documents and Settings\Dennis\Start Menu\Programs\Scan Software\PestPatrol\PPControl.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Dennis\My Documents\Dennis Prechtel\Programs\Virus Programs\Hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.bbc.co.uk/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [ZTgServerSwitch] c:\program files\support.com\client\lserver\server.vbs
O4 - HKLM\..\Run: [CleanupProgram] C:\Sonysys\cleanup.exe
O4 - HKLM\..\Run: [iPodWatcher] C:\Program Files\iPod\Bin\iPodWatcher.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [PPMemCheck] C:\DOCUME~1\Dennis\STARTM~1\Programs\SCANSO~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\DOCUME~1\Dennis\STARTM~1\Programs\SCANSO~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\DOCUME~1\Dennis\STARTM~1\Programs\SCANSO~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKCU\..\Run: [Pop-Up_Scanner] "C:\Program Files\Panicware\Pop-Up Scanner\Popupscn.exe"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: QuickBooks Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\QBDAgent.exe
O9 - Extra 'Tools' menuitem: PopThis! Options... (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
These are the Current Active Services:
Windows Audio: AudioSrv
C:\WINDOWS\System32\svchost.exe -k netsvcs
Computer Browser: Browser
C:\WINDOWS\System32\svchost.exe -k netsvcs
Cryptographic Services: CryptSvc
C:\WINDOWS\system32\svchost.exe -k netsvcs
DHCP Client: Dhcp
C:\WINDOWS\System32\svchost.exe -k netsvcs
Error Reporting Service: ERSvc
C:\WINDOWS\System32\svchost.exe -k netsvcs
COM+ Event System: EventSystem
C:\WINDOWS\System32\svchost.exe -k netsvcs
Fast User Switching Compatibility: FastUserSwitchingCompatibility
C:\WINDOWS\System32\svchost.exe -k netsvcs
Help and Support: helpsvc
C:\WINDOWS\System32\svchost.exe -k netsvcs
Server: lanmanserver
C:\WINDOWS\System32\svchost.exe -k netsvcs
Workstation: lanmanworkstation
C:\WINDOWS\System32\svchost.exe -k netsvcs
Network Connections: Netman
C:\WINDOWS\System32\svchost.exe -k netsvcs
Network Location Awareness (NLA): Nla
C:\WINDOWS\System32\svchost.exe -k netsvcs
Remote Access Auto Connection Manager: RasAuto
C:\WINDOWS\System32\svchost.exe -k netsvcs
Remote Access Connection Manager: RasMan
C:\WINDOWS\System32\svchost.exe -k netsvcs
Task Scheduler: Schedule
C:\WINDOWS\System32\svchost.exe -k netsvcs
Secondary Logon: seclogon
C:\WINDOWS\System32\svchost.exe -k netsvcs
System Event Notification: SENS
C:\WINDOWS\system32\svchost.exe -k netsvcs
Shell Hardware Detection: ShellHWDetection
C:\WINDOWS\System32\svchost.exe -k netsvcs
System Restore Service: srservice
C:\WINDOWS\System32\svchost.exe -k netsvcs
Telephony: TapiSrv
C:\WINDOWS\System32\svchost.exe -k netsvcs
Terminal Services: TermService
C:\WINDOWS\System32\svchost.exe -k netsvcs
Themes: Themes
C:\WINDOWS\System32\svchost.exe -k netsvcs
Distributed Link Tracking Client: TrkWks
C:\WINDOWS\system32\svchost.exe -k netsvcs
Upload Manager: uploadmgr
C:\WINDOWS\System32\svchost.exe -k netsvcs
Windows Time: W32Time
C:\WINDOWS\System32\svchost.exe -k netsvcs
Windows Management Instrumentation: winmgmt
C:\WINDOWS\system32\svchost.exe -k netsvcs
Portable Media Serial Number: WmdmPmSp
C:\WINDOWS\System32\svchost.exe -k netsvcs
Automatic Updates: wuauserv
C:\WINDOWS\system32\svchost.exe -k netsvcs
Wireless Zero Configuration: WZCSVC
C:\WINDOWS\System32\svchost.exe -k netsvcs
AVG6 Service: AvgServ
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
DNS Client: Dnscache
C:\WINDOWS\System32\svchost.exe -k NetworkService
Event Log: Eventlog
C:\WINDOWS\system32\services.exe
Plug and Play: PlugPlay
C:\WINDOWS\system32\services.exe
iPodSrv: iPodSrv
C:\Program Files\iPod\Bin\iPodSrv.exe
TCP/IP NetBIOS Helper: LmHosts
C:\WINDOWS\System32\svchost.exe -k LocalService
SSDP Discovery Service: SSDPSRV
C:\WINDOWS\System32\svchost.exe -k LocalService
WebClient: WebClient
C:\WINDOWS\System32\svchost.exe -k LocalService
IPSEC Services: PolicyAgent
C:\WINDOWS\System32\lsass.exe
Protected Storage: ProtectedStorage
C:\WINDOWS\system32\lsass.exe
Security Accounts Manager: SamSs
C:\WINDOWS\system32\lsass.exe
Remote Procedure Call (RPC): RpcSs
C:\WINDOWS\system32\svchost -k rpcss
Print Spooler: Spooler
C:\WINDOWS\system32\spoolsv.exe
Windows Image Acquisition (WIA): stisvc
C:\WINDOWS\System32\svchost.exe -k imgsvc
VAIO Media Music Server (Application): VAIOMediaPlatform-MusicServer-AppServer
"C:\Program Files\Sony\VAIO Media Music Server\SSSvr.exe" /Service=VAIOMediaPlatform-MusicServer-AppServer /DisplayName="VAIO Media Music Server (Application)"
VAIO Media Music Server (HTTP): VAIOMediaPlatform-MusicServer-HTTP
"C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\sv_httpd.exe" /Service=VAIOMediaPlatform-MusicServer-HTTP /RegRoot="Software\Sony Corporation\VAIO Media Platform\2.0" /RegExt="Applications\MusicServer\HTTP"
VAIO Media Music Server (UPnP): VAIOMediaPlatform-MusicServer-UPnP
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
VAIO Media Photo Server (Application): VAIOMediaPlatform-PhotoServer-AppServer
C:\Program Files\Sony\Photo Server 20\appsrv\PicAppSrv.exe
VAIO Media Photo Server (HTTP): VAIOMediaPlatform-PhotoServer-HTTP
"C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-PhotoServer-HTTP /RegRoot="Software\Sony Corporation\VAIO Media Platform\2.0" /RegExt="\Applications\PhotoServer\HTTP"
VAIO Media Photo Server (UPnP): VAIOMediaPlatform-PhotoServer-UPnP
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
WAN Miniport (ATW) Service: WANMiniportService
"C:\WINDOWS\wanmpsvc.exe"
Dexter
16 Sep 2004, 10:46pm
You have an older version of HJT. Please update to the newer version (1.98) from our Security Downloads page. Either install it over top of your existing one, or install it as per these instructions:http://www.short-media.com/forum/showpost.php?p=172584&postcount=2.
Post a fresh log when you have done that, don't worry about posting an active services log.
Dexter...
dprechtel
17 Sep 2004, 5:50pm
Glad to hear from you...thanks for the reply.
I have downloaded HJT 1.98.2 and here is the new log:
Logfile of HijackThis v1.98.2
Scan saved at 9:43:19 AM, on 9/17/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\Program Files\iPod\Bin\iPodSrv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sony\VAIO Media Music Server\SSSvr.exe
C:\Program Files\Sony\Photo Server 20\appsrv\PicAppSrv.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\sv_httpd.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\LTSMMSG.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\WINDOWS\System32\WScript.exe
C:\Program Files\iPod\Bin\iPodWatcher.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\DOCUME~1\Dennis\STARTM~1\Programs\SCANSO~1\PESTPA~1\PPMemCheck.exe
C:\DOCUME~1\Dennis\STARTM~1\Programs\SCANSO~1\PESTPA~1\PPControl.exe
C:\DOCUME~1\Dennis\STARTM~1\Programs\SCANSO~1\PESTPA~1\CookiePatrol.exe
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\Program Files\Panicware\Pop-Up Scanner\Popupscn.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\QBDAgent.exe
C:\WINDOWS\System32\mrtMngr.EXE
c:\progra~1\Support.com\client\bin\tgcmd.exe
C:\Program Files\Microsoft Office\Office10\OUTLOOK.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Dennis\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.bbc.co.uk/
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [ZTgServerSwitch] c:\program files\support.com\client\lserver\server.vbs
O4 - HKLM\..\Run: [CleanupProgram] C:\Sonysys\cleanup.exe
O4 - HKLM\..\Run: [iPodWatcher] C:\Program Files\iPod\Bin\iPodWatcher.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [PPMemCheck] C:\DOCUME~1\Dennis\STARTM~1\Programs\SCANSO~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\DOCUME~1\Dennis\STARTM~1\Programs\SCANSO~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\DOCUME~1\Dennis\STARTM~1\Programs\SCANSO~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKCU\..\Run: [Pop-Up_Scanner] "C:\Program Files\Panicware\Pop-Up Scanner\Popupscn.exe"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: QuickBooks Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\QBDAgent.exe
O9 - Extra button: (no name) - {91663649-416A-42A5-8E54-B63C1ECA0548} - C:\Program Files\mathies.com\PopThis!\PopThis.dll (file missing)
O9 - Extra 'Tools' menuitem: PopThis! Options... - {91663649-416A-42A5-8E54-B63C1ECA0548} - C:\Program Files\mathies.com\PopThis!\PopThis.dll (file missing)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
SpywareShooter
17 Sep 2004, 8:02pm
I believe those are just tracking cookies. I know mediaplex, Avenue A and advertising.com are known for tracking cookies. I don't see anything bad in your log, so that is most likely what your problem is.
O9 - Extra button: (no name) - {91663649-416A-42A5-8E54-B63C1ECA0548} - C:\Program Files\mathies.com\PopThis!\PopThis.dll (file missing)
O9 - Extra 'Tools' menuitem: PopThis! Options... - {91663649-416A-42A5-8E54-B63C1ECA0548} - C:\Program Files\mathies.com\PopThis!\PopThis.dll (file missing)
You can delete those, they aren't bad, but are doing nothing except cluttering up your log, since the file is missing. Also fix this entry:
R3 - Default URLSearchHook is missing
dprechtel
20 Sep 2004, 8:05pm
Thanks for the advice...I have 'fixed' the issues you indicated with HJT. My latest HJT log is listed below.
Meanwhile, as I surf the web and the new page loads I get strange beeping sounds as if spyware is being dropped on my system. This never used to happen before I had the HSA problem.
In addition, even with the latest AVG 6.0 update, AVG notices a virus but cannot get rid of it.
The virus is as follows: Trojan Horse downloader.agent.2.bm
Location: c:\system volume information\_restore{58E30938-66A1-4D08-9DCD-360CE25B3A88}-\RP30\A0001051.dll
latest HJT log:
Logfile of HijackThis v1.97.7
Scan saved at 11:49:10 AM, on 9/20/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\Program Files\iPod\Bin\iPodSrv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sony\VAIO Media Music Server\SSSvr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Sony\Photo Server 20\appsrv\PicAppSrv.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\LTSMMSG.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe
C:\WINDOWS\System32\WScript.exe
C:\Program Files\iPod\Bin\iPodWatcher.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\sv_httpd.exe
C:\DOCUME~1\Dennis\STARTM~1\Programs\SCANSO~1\PESTPA~1\PPMemCheck.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
C:\DOCUME~1\Dennis\STARTM~1\Programs\SCANSO~1\PESTPA~1\PPControl.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
C:\DOCUME~1\Dennis\STARTM~1\Programs\SCANSO~1\PESTPA~1\CookiePatrol.exe
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\Program Files\Panicware\Pop-Up Scanner\Popupscn.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\QBDAgent.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\mrtMngr.EXE
c:\progra~1\Support.com\client\bin\tgcmd.exe
C:\Documents and Settings\Dennis\My Documents\Dennis Prechtel\Programs\Virus Programs\Hijackthis\HijackThis.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [ZTgServerSwitch] c:\program files\support.com\client\lserver\server.vbs
O4 - HKLM\..\Run: [CleanupProgram] C:\Sonysys\cleanup.exe
O4 - HKLM\..\Run: [iPodWatcher] C:\Program Files\iPod\Bin\iPodWatcher.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [PPMemCheck] C:\DOCUME~1\Dennis\STARTM~1\Programs\SCANSO~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\DOCUME~1\Dennis\STARTM~1\Programs\SCANSO~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\DOCUME~1\Dennis\STARTM~1\Programs\SCANSO~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKCU\..\Run: [Pop-Up_Scanner] "C:\Program Files\Panicware\Pop-Up Scanner\Popupscn.exe"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: QuickBooks Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\QBDAgent.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
primesuspect
21 Sep 2004, 4:03am
Your log looks clean.
I would highly recommend switching browser. IE is so ridden with security holes that it is almost inevitable that you will get infected again. Switch to Mozilla FireFox. Read the article in my sig (How did you get infected....)
To "empty" your system restore, right click on "My computer" --> Properties --> System Restore tab.
Check the box that says "Turn off system restore on all drives"
Then reboot, and turn it back on.
That will get the trojan out of your system restore archives.
vBulletin® v3.8.1, Copyright ©2000-2009, Jelsoft Enterprises Ltd.