Options
Problems removing reoccurring Spyware
Greetings – you were so helpful in getting rid of the Home Search Assistant problem and I thank you.
Certain problems must still remain however, because I seem to be constantly infected with reoccurring Spyware downloads. Every time I run a system screen the same problems come up. For example:
Spyware detects:
MediaPlex
Advertising.com
AvenueA, Inc
DSO Exploit
SearchForIt
Ad-Aware detects:
ClickSpring
CoolWebSearch
VX2
Pest Patrol Detects:
Trojandownloader.Win32.Agent.dq
I proceed to delete these detections, but after surfing the web and running another system screen they reappear. Where might the problem be?
Thanks for your assistance.
Certain problems must still remain however, because I seem to be constantly infected with reoccurring Spyware downloads. Every time I run a system screen the same problems come up. For example:
Spyware detects:
MediaPlex
Advertising.com
AvenueA, Inc
DSO Exploit
SearchForIt
Ad-Aware detects:
ClickSpring
CoolWebSearch
VX2
Pest Patrol Detects:
Trojandownloader.Win32.Agent.dq
I proceed to delete these detections, but after surfing the web and running another system screen they reappear. Where might the problem be?
Thanks for your assistance.
0
Comments
Here is my latest HJT log:
Logfile of HijackThis v1.97.7
Scan saved at 12:01:59 PM, on 9/14/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\Program Files\iPod\Bin\iPodSrv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sony\VAIO Media Music Server\SSSvr.exe
C:\WINDOWS\LTSMMSG.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\WINDOWS\System32\WScript.exe
C:\Program Files\iPod\Bin\iPodWatcher.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\Program Files\Panicware\Pop-Up Scanner\Popupscn.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\QBDAgent.exe
C:\Program Files\Sony\Photo Server 20\appsrv\PicAppSrv.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe
C:\WINDOWS\System32\mrtMngr.EXE
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\sv_httpd.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
c:\progra~1\Support.com\client\bin\tgcmd.exe
C:\Documents and Settings\Dennis\Start Menu\Programs\Scan Software\PestPatrol\PPControl.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Dennis\My Documents\Dennis Prechtel\Programs\Virus Programs\Hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.bbc.co.uk/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [ZTgServerSwitch] c:\program files\support.com\client\lserver\server.vbs
O4 - HKLM\..\Run: [CleanupProgram] C:\Sonysys\cleanup.exe
O4 - HKLM\..\Run: [iPodWatcher] C:\Program Files\iPod\Bin\iPodWatcher.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [PPMemCheck] C:\DOCUME~1\Dennis\STARTM~1\Programs\SCANSO~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\DOCUME~1\Dennis\STARTM~1\Programs\SCANSO~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\DOCUME~1\Dennis\STARTM~1\Programs\SCANSO~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKCU\..\Run: [Pop-Up_Scanner] "C:\Program Files\Panicware\Pop-Up Scanner\Popupscn.exe"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: QuickBooks Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\QBDAgent.exe
O9 - Extra 'Tools' menuitem: PopThis! Options... (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
These are the Current Active Services:
Windows Audio: AudioSrv
C:\WINDOWS\System32\svchost.exe -k netsvcs
Computer Browser: Browser
C:\WINDOWS\System32\svchost.exe -k netsvcs
Cryptographic Services: CryptSvc
C:\WINDOWS\system32\svchost.exe -k netsvcs
DHCP Client: Dhcp
C:\WINDOWS\System32\svchost.exe -k netsvcs
Error Reporting Service: ERSvc
C:\WINDOWS\System32\svchost.exe -k netsvcs
COM+ Event System: EventSystem
C:\WINDOWS\System32\svchost.exe -k netsvcs
Fast User Switching Compatibility: FastUserSwitchingCompatibility
C:\WINDOWS\System32\svchost.exe -k netsvcs
Help and Support: helpsvc
C:\WINDOWS\System32\svchost.exe -k netsvcs
Server: lanmanserver
C:\WINDOWS\System32\svchost.exe -k netsvcs
Workstation: lanmanworkstation
C:\WINDOWS\System32\svchost.exe -k netsvcs
Network Connections: Netman
C:\WINDOWS\System32\svchost.exe -k netsvcs
Network Location Awareness (NLA): Nla
C:\WINDOWS\System32\svchost.exe -k netsvcs
Remote Access Auto Connection Manager: RasAuto
C:\WINDOWS\System32\svchost.exe -k netsvcs
Remote Access Connection Manager: RasMan
C:\WINDOWS\System32\svchost.exe -k netsvcs
Task Scheduler: Schedule
C:\WINDOWS\System32\svchost.exe -k netsvcs
Secondary Logon: seclogon
C:\WINDOWS\System32\svchost.exe -k netsvcs
System Event Notification: SENS
C:\WINDOWS\system32\svchost.exe -k netsvcs
Shell Hardware Detection: ShellHWDetection
C:\WINDOWS\System32\svchost.exe -k netsvcs
System Restore Service: srservice
C:\WINDOWS\System32\svchost.exe -k netsvcs
Telephony: TapiSrv
C:\WINDOWS\System32\svchost.exe -k netsvcs
Terminal Services: TermService
C:\WINDOWS\System32\svchost.exe -k netsvcs
Themes: Themes
C:\WINDOWS\System32\svchost.exe -k netsvcs
Distributed Link Tracking Client: TrkWks
C:\WINDOWS\system32\svchost.exe -k netsvcs
Upload Manager: uploadmgr
C:\WINDOWS\System32\svchost.exe -k netsvcs
Windows Time: W32Time
C:\WINDOWS\System32\svchost.exe -k netsvcs
Windows Management Instrumentation: winmgmt
C:\WINDOWS\system32\svchost.exe -k netsvcs
Portable Media Serial Number: WmdmPmSp
C:\WINDOWS\System32\svchost.exe -k netsvcs
Automatic Updates: wuauserv
C:\WINDOWS\system32\svchost.exe -k netsvcs
Wireless Zero Configuration: WZCSVC
C:\WINDOWS\System32\svchost.exe -k netsvcs
AVG6 Service: AvgServ
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
DNS Client: Dnscache
C:\WINDOWS\System32\svchost.exe -k NetworkService
Event Log: Eventlog
C:\WINDOWS\system32\services.exe
Plug and Play: PlugPlay
C:\WINDOWS\system32\services.exe
iPodSrv: iPodSrv
C:\Program Files\iPod\Bin\iPodSrv.exe
TCP/IP NetBIOS Helper: LmHosts
C:\WINDOWS\System32\svchost.exe -k LocalService
SSDP Discovery Service: SSDPSRV
C:\WINDOWS\System32\svchost.exe -k LocalService
WebClient: WebClient
C:\WINDOWS\System32\svchost.exe -k LocalService
IPSEC Services: PolicyAgent
C:\WINDOWS\System32\lsass.exe
Protected Storage: ProtectedStorage
C:\WINDOWS\system32\lsass.exe
Security Accounts Manager: SamSs
C:\WINDOWS\system32\lsass.exe
Remote Procedure Call (RPC): RpcSs
C:\WINDOWS\system32\svchost -k rpcss
Print Spooler: Spooler
C:\WINDOWS\system32\spoolsv.exe
Windows Image Acquisition (WIA): stisvc
C:\WINDOWS\System32\svchost.exe -k imgsvc
VAIO Media Music Server (Application): VAIOMediaPlatform-MusicServer-AppServer
"C:\Program Files\Sony\VAIO Media Music Server\SSSvr.exe" /Service=VAIOMediaPlatform-MusicServer-AppServer /DisplayName="VAIO Media Music Server (Application)"
VAIO Media Music Server (HTTP): VAIOMediaPlatform-MusicServer-HTTP
"C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\sv_httpd.exe" /Service=VAIOMediaPlatform-MusicServer-HTTP /RegRoot="Software\Sony Corporation\VAIO Media Platform\2.0" /RegExt="Applications\MusicServer\HTTP"
VAIO Media Music Server (UPnP): VAIOMediaPlatform-MusicServer-UPnP
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
VAIO Media Photo Server (Application): VAIOMediaPlatform-PhotoServer-AppServer
C:\Program Files\Sony\Photo Server 20\appsrv\PicAppSrv.exe
VAIO Media Photo Server (HTTP): VAIOMediaPlatform-PhotoServer-HTTP
"C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-PhotoServer-HTTP /RegRoot="Software\Sony Corporation\VAIO Media Platform\2.0" /RegExt="\Applications\PhotoServer\HTTP"
VAIO Media Photo Server (UPnP): VAIOMediaPlatform-PhotoServer-UPnP
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
WAN Miniport (ATW) Service: WANMiniportService
"C:\WINDOWS\wanmpsvc.exe"
Post a fresh log when you have done that, don't worry about posting an active services log.
Dexter...
I have downloaded HJT 1.98.2 and here is the new log:
Logfile of HijackThis v1.98.2
Scan saved at 9:43:19 AM, on 9/17/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\Program Files\iPod\Bin\iPodSrv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sony\VAIO Media Music Server\SSSvr.exe
C:\Program Files\Sony\Photo Server 20\appsrv\PicAppSrv.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\sv_httpd.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\LTSMMSG.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\WINDOWS\System32\WScript.exe
C:\Program Files\iPod\Bin\iPodWatcher.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\DOCUME~1\Dennis\STARTM~1\Programs\SCANSO~1\PESTPA~1\PPMemCheck.exe
C:\DOCUME~1\Dennis\STARTM~1\Programs\SCANSO~1\PESTPA~1\PPControl.exe
C:\DOCUME~1\Dennis\STARTM~1\Programs\SCANSO~1\PESTPA~1\CookiePatrol.exe
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\Program Files\Panicware\Pop-Up Scanner\Popupscn.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\QBDAgent.exe
C:\WINDOWS\System32\mrtMngr.EXE
c:\progra~1\Support.com\client\bin\tgcmd.exe
C:\Program Files\Microsoft Office\Office10\OUTLOOK.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Dennis\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.bbc.co.uk/
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [ZTgServerSwitch] c:\program files\support.com\client\lserver\server.vbs
O4 - HKLM\..\Run: [CleanupProgram] C:\Sonysys\cleanup.exe
O4 - HKLM\..\Run: [iPodWatcher] C:\Program Files\iPod\Bin\iPodWatcher.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [PPMemCheck] C:\DOCUME~1\Dennis\STARTM~1\Programs\SCANSO~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\DOCUME~1\Dennis\STARTM~1\Programs\SCANSO~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\DOCUME~1\Dennis\STARTM~1\Programs\SCANSO~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKCU\..\Run: [Pop-Up_Scanner] "C:\Program Files\Panicware\Pop-Up Scanner\Popupscn.exe"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: QuickBooks Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\QBDAgent.exe
O9 - Extra button: (no name) - {91663649-416A-42A5-8E54-B63C1ECA0548} - C:\Program Files\mathies.com\PopThis!\PopThis.dll (file missing)
O9 - Extra 'Tools' menuitem: PopThis! Options... - {91663649-416A-42A5-8E54-B63C1ECA0548} - C:\Program Files\mathies.com\PopThis!\PopThis.dll (file missing)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O9 - Extra button: (no name) - {91663649-416A-42A5-8E54-B63C1ECA0548} - C:\Program Files\mathies.com\PopThis!\PopThis.dll (file missing)
O9 - Extra 'Tools' menuitem: PopThis! Options... - {91663649-416A-42A5-8E54-B63C1ECA0548} - C:\Program Files\mathies.com\PopThis!\PopThis.dll (file missing)
You can delete those, they aren't bad, but are doing nothing except cluttering up your log, since the file is missing. Also fix this entry:
R3 - Default URLSearchHook is missing
Meanwhile, as I surf the web and the new page loads I get strange beeping sounds as if spyware is being dropped on my system. This never used to happen before I had the HSA problem.
In addition, even with the latest AVG 6.0 update, AVG notices a virus but cannot get rid of it.
The virus is as follows: Trojan Horse downloader.agent.2.bm
Location: c:\system volume information\_restore{58E30938-66A1-4D08-9DCD-360CE25B3A88}-\RP30\A0001051.dll
latest HJT log:
Logfile of HijackThis v1.97.7
Scan saved at 11:49:10 AM, on 9/20/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\Program Files\iPod\Bin\iPodSrv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sony\VAIO Media Music Server\SSSvr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Sony\Photo Server 20\appsrv\PicAppSrv.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\LTSMMSG.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe
C:\WINDOWS\System32\WScript.exe
C:\Program Files\iPod\Bin\iPodWatcher.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\sv_httpd.exe
C:\DOCUME~1\Dennis\STARTM~1\Programs\SCANSO~1\PESTPA~1\PPMemCheck.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
C:\DOCUME~1\Dennis\STARTM~1\Programs\SCANSO~1\PESTPA~1\PPControl.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
C:\DOCUME~1\Dennis\STARTM~1\Programs\SCANSO~1\PESTPA~1\CookiePatrol.exe
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\Program Files\Panicware\Pop-Up Scanner\Popupscn.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\QBDAgent.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\mrtMngr.EXE
c:\progra~1\Support.com\client\bin\tgcmd.exe
C:\Documents and Settings\Dennis\My Documents\Dennis Prechtel\Programs\Virus Programs\Hijackthis\HijackThis.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [ZTgServerSwitch] c:\program files\support.com\client\lserver\server.vbs
O4 - HKLM\..\Run: [CleanupProgram] C:\Sonysys\cleanup.exe
O4 - HKLM\..\Run: [iPodWatcher] C:\Program Files\iPod\Bin\iPodWatcher.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [PPMemCheck] C:\DOCUME~1\Dennis\STARTM~1\Programs\SCANSO~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\DOCUME~1\Dennis\STARTM~1\Programs\SCANSO~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\DOCUME~1\Dennis\STARTM~1\Programs\SCANSO~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKCU\..\Run: [Pop-Up_Scanner] "C:\Program Files\Panicware\Pop-Up Scanner\Popupscn.exe"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: QuickBooks Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\QBDAgent.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
I would highly recommend switching browser. IE is so ridden with security holes that it is almost inevitable that you will get infected again. Switch to Mozilla FireFox. Read the article in my sig (How did you get infected....)
To "empty" your system restore, right click on "My computer" --> Properties --> System Restore tab.
Check the box that says "Turn off system restore on all drives"
Then reboot, and turn it back on.
That will get the trojan out of your system restore archives.