
Author Topic: Trojan Horse or Windows Hoax?? Can't get rid of it!  (Read 9942 times)


newgranny


    Trojan Horse or Windows Hoax?? Can't get rid of it!
    « on: October 17, 2008, 01:53:19 PM »
    I have a Dell Dimension 4100, Intel Pentium III that originally came with Windows 98, but I've been running Windows XP for the last two years or so without a problem.

    I run defrag weekly and clean cookies & delete temp files daily, and run spyware and anti-virus scans daily.

    I clicked on a link I should not have.  How do I know this?  Because my computer immediately rebooted.

    After it came back up a little round red circle with a white x in it showed up on the lower right side of the task bar.

    A text balloon popped up from the little red ball saying something like "Windows has detected you are infected with spyware!  To PERvent this from happening in the future, click here."  (Yes, prevent was misspelled)

    So, figuring that it was legitimately from Windows (because it was on my task bar) I clicked on it.  A DOS window popped up and gave me an error message saying it could not perform that task (paraphrasing) and my printer started going crazy printing the same line over and over (an error message).

    At that point, I disabled my internet connection because I didn't want to risk sending the virus out to my friends and I didn't want to risk anyone being able to 'see' into my computer.

    Then I cleaned out my cookies, temp files, etc. and ran Spyware Doctor's Intelliscan.  No threats found.  Then I ran the full scan.  No threats found.

    Then I ran a full computer scan on my AVG anti-virus and the result of that was it found 2 infections and deleted them.  Thank God!

    But, wait ... I still had the little red ball with the white x in it giving me that warning.  Hmmm.

    So, I rebooted my computer to see if it would go away.  It didn't.  So I ran another full scan with AVG.  Again, 2 threats found and deleted.  And the little red ball warning was still there.

    So, I connected to the internet again and went to Windows Update.  There were a bunch of priority updates to download, so I downloaded them.  One of the downloads was XP antispyware 2009.  Immediately after downloading these updates the little red ball disappeared.

    Great.  Or so I thought.

    For the past couple days every time I run my AVG I get the message that there were threats and they were either deleted or put in the vault.

    I got tired of this today (because I refuse to do any banking online until I am CERTAIN I am not infected) so I went to the vault and deleted what was put in there in the last few days, AND I deleted the newly downloaded XP antispyware 2009 from my computer.  Now they're gone, right?  Wrong.

    I ran my AVG after deleting them and now I have 9 threats; 2 deleted and 6 in the vault.

    This is what is in the vault:

    Trojan horse Generic 11.BDQK C:\Documents and Settings\Default\Local Settings\Temp\Binaries1.cab2

    Trojan horse Agent.AACZ C:\Documents and Settings\Default\Local Settings\Temp\Binaries2.cab3

    Trojan horse Generic 11.BDQK C:\ Documents and Settings\Default\Local Settings\Temp\Binaries1.cab3

    Trojan horse Agent.AACZ C:\Documents and Settings\Default\Local Settings\Temp\Binaries2.cab4

    Trojan horse Generic 11.BDQK C:\Documents and Settings\Default\Local Settings\Temporary Internet Files\Content.IE5\NY48B96Y\Binaries1[1].cab

    Trojan horse Agent.AACZ C:\Documents and Settings\Default\Local Settings\Temporary Internet Files\Content.IE5\7JJ0CWSL\Binaries2[1].cab

    I would appreciate it very much if someone would tell me how to get rid of this in a way I can be sure I am not infected.

    Thanks so much,

    Frustrated New Granny

    newgranny


      Re: Trojan Horse or Windows Hoax?? Can't get rid of it!
      « Reply #1 on: October 17, 2008, 02:13:58 PM »
      Also, how can I find out if my Windows has SP1 or SP1a already installed?

      I looked at their web page and see that it is from 2003.  If I already have this installed, will it hurt if I reinstall it?

      Thanks,

      Frustrated New Granny

      newgranny


        Re: Trojan Horse or Windows Hoax?? Can't get rid of it!
        « Reply #2 on: October 17, 2008, 02:22:57 PM »
        Oh, and I forgot to tell you ... when I downloaded xp antispyware 2009 and it deleted the spyware the name of the spyware was win32.renos.

        When I googled that name, a bunch of sites came up saying that it was a hoax and not an actual virus or spyware.  This is why I am wondering if it IS a hoax, and if it IS then why do I keep getting these threats when I run AVG?

        Thanks,

        Frustrated New Granny

        evilfantasy


        newgranny


          Re: Trojan Horse or Windows Hoax?? Can't get rid of it!
          « Reply #4 on: October 19, 2008, 02:23:22 PM »
          Okay, I followed the instructions one step at a time.

          I got to:

          Step 2: House Cleaning

          Download CCleaner Slim and save it to your Desktop - Alternate download link

          When the file has been saved, go to your Desktop and double-click on ccsetupxxx_slim.exe
          Follow the prompts to install the program.

          * Double-click the CCleaner shortcut on the desktop to start the program.
          * Click on the Options block on the left, then choose Cookies.
          * Under Cookies to Delete, highlight any cookies you would like to retain permanently
          * Click the right arrow > to move them to the Cookies to Keep window.
          * Go into Options > Advanced uncheck Only delete files in Windows Temp folders older than 48 hours
          * Click Cleaner on the left then Run Cleaner on the right to run the program.

          and I clicked 'cleaner.'

          Then the next line said:

          * Important: Make sure that ALL browser windows are closed before selecting Run Cleaner

          So, I immediately closed the browser window that had the instructions I was following on it.

          After the cleaner was finished, I came back to the instruction page.  THEN the next step was this:

          Caution: Only use the Registry feature if you are very familiar with the registry.
          Always back up your registry before making any changes. Exit CCleaner after it has completed its process.


          (sigh)

          So now the cleaner has run and I did not do a back up of the registry.

          Does this mean I am scr*wed?

          I have not clicked on anything else, and the ccleaner window is still open showing me the files that have been deleted.

          Gratefully awaiting your response,

          Feeling Really Stupid New Granny

          evilfantasy

          Re: Trojan Horse or Windows Hoax?? Can't get rid of it!
          « Reply #5 on: October 19, 2008, 04:56:28 PM »
          Do not worry about that as you just ran the normal cleaner and not the Registry cleaner. Just skip to the next step.

          newgranny


            Re: Trojan Horse or Windows Hoax?? Can't get rid of it!
            « Reply #6 on: October 19, 2008, 08:46:23 PM »
            I did it!  (patting self on back)  :)

            I downloaded all of the programs you wanted me to, and saved the logs successfully in .txt format.

            I also verified that my Java was the current version.

            Here is the SUPERAntiSpyware log:


            SUPERAntiSpyware Scan Log
            http://www.superantispyware.com

            Generated 10/19/2008 at 08:30 PM

            Application Version : 4.21.1004

            Core Rules Database Version : 3602
            Trace Rules Database Version: 1588

            Scan type       : Complete Scan
            Total Scan Time : 01:23:57

            Memory items scanned      : 398
            Memory threats detected   : 0
            Registry items scanned    : 5629
            Registry threats detected : 13
            File items scanned        : 54534
            File threats detected     : 27

            Adware.Tracking Cookie
               C:\Documents and Settings\Default\Cookies\default@realmedia[1].txt
               C:\Documents and Settings\Default\Cookies\[email protected][1].txt
               C:\Documents and Settings\Default\Cookies\default@zedo[2].txt
               C:\Documents and Settings\Default\Cookies\default@coolsavings[2].txt
               C:\Documents and Settings\Default\Cookies\default@tribalfusion[2].txt
               C:\Documents and Settings\Default\Cookies\default@mediaplex[2].txt
               C:\Documents and Settings\Default\Cookies\default@2o7[1].txt
               C:\Documents and Settings\Default\Cookies\default@atdmt[2].txt
               C:\Documents and Settings\Default\Cookies\default@revsci[1].txt
               C:\Documents and Settings\Default\Cookies\[email protected][1].txt
               C:\Documents and Settings\Default\Cookies\default@bluestreak[1].txt
               C:\Documents and Settings\Default\Cookies\default@apmebf[2].txt
               C:\Documents and Settings\Default\Cookies\default@fastclick[1].txt
               C:\Documents and Settings\Default\Cookies\[email protected][1].txt
               C:\Documents and Settings\Default\Cookies\default@directtrack[1].txt
               C:\Documents and Settings\Default\Cookies\[email protected][2].txt
               C:\Documents and Settings\Default\Cookies\default@casalemedia[2].txt
               C:\Documents and Settings\Default\Cookies\[email protected][2].txt
               C:\Documents and Settings\Default\Cookies\default@hypertracker[1].txt
               C:\Documents and Settings\Default\Cookies\default@adrevolver[2].txt
               C:\Documents and Settings\Default\Cookies\default@interclick[1].txt
               C:\Documents and Settings\Default\Cookies\default@trafficmp[2].txt
               C:\Documents and Settings\Default\Cookies\[email protected][2].txt
               C:\Documents and Settings\Default\Cookies\default@advertising[1].txt
               C:\Documents and Settings\Default\Cookies\[email protected][1].txt
               C:\Documents and Settings\Default\Cookies\default@doubleclick[1].txt

            Trojan.Unclassified/C00-WL
               HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\NOTIFY\__C0078A2A
               HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\NOTIFY\__C0078A2A#Asynchronous
               HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\NOTIFY\__C0078A2A#DllName
               HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\NOTIFY\__C0078A2A#Impersonate
               HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\NOTIFY\__C0078A2A#Startup
               HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\NOTIFY\__C0078A2A#Logon
               HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\NOTIFY\__C00ECE84
               HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\NOTIFY\__C00ECE84#Asynchronous
               HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\NOTIFY\__C00ECE84#DllName
               HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\NOTIFY\__C00ECE84#Impersonate
               HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\NOTIFY\__C00ECE84#Startup
               HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\NOTIFY\__C00ECE84#Logon

            Rogue.XP AntiSpyware 2009
               HKU\S-1-5-21-57989841-688789844-1343024091-1003\Control Panel\don't load#wscui.cpl [ No ]
               C:\Program Files\XP_AntiSpyware

            And, here is the mbam log:

            Malwarebytes' Anti-Malware 1.29
            Database version: 1292
            Windows 5.1.2600 Service Pack 3

            10/19/2008 9:06:18 PM
            mbam-log-2008-10-19 (21-06-18).txt

            Scan type: Quick Scan
            Objects scanned: 53246
            Time elapsed: 8 minute(s), 1 second(s)

            Memory Processes Infected: 0
            Memory Modules Infected: 0
            Registry Keys Infected: 1
            Registry Values Infected: 2
            Registry Data Items Infected: 1
            Folders Infected: 1
            Files Infected: 1

            Memory Processes Infected:
            (No malicious items detected)

            Memory Modules Infected:
            (No malicious items detected)

            Registry Keys Infected:
            HKEY_CURRENT_USER\SOFTWARE\APMFC1 (Rogue.AntiTrojanPro) -> Quarantined and deleted successfully.

            Registry Values Infected:
            HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\a00f68bd4e7.exe (Trojan.Agent) -> Quarantined and deleted successfully.
            HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\adwarepromfc (Rogue.Ad-WarePro) -> Quarantined and deleted successfully.

            Registry Data Items Infected:
            HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\StartMenuLogOff (Hijack.StartMenu) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

            Folders Infected:
            C:\WINDOWS\Ad-Ware Pro (Rogue.Ad-WarePro) -> Quarantined and deleted successfully.

            Files Infected:
            C:\WINDOWS\Ad-Ware Pro\uninstall.exe (Rogue.Ad-WarePro) -> Quarantined and deleted successfully.

            And, here is the HJT log:

            Logfile of Trend Micro HijackThis v2.0.2
            Scan saved at 9:32:04 PM, on 10/19/2008
            Platform: Windows XP SP3 (WinNT 5.01.2600)
            MSIE: Internet Explorer v7.00 (7.00.6000.16735)
            Boot mode: Normal

            Running processes:
            C:\WINDOWS\System32\smss.exe
            C:\WINDOWS\system32\csrss.exe
            C:\WINDOWS\system32\winlogon.exe
            C:\WINDOWS\system32\services.exe
            C:\WINDOWS\system32\lsass.exe
            C:\WINDOWS\system32\svchost.exe
            C:\WINDOWS\system32\svchost.exe
            C:\WINDOWS\System32\svchost.exe
            C:\WINDOWS\System32\svchost.exe
            C:\WINDOWS\System32\svchost.exe
            C:\WINDOWS\system32\spoolsv.exe
            C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
            C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
            C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
            C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
            C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
            C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
            C:\Program Files\Spyware Doctor\pctsAuxs.exe
            C:\WINDOWS\Explorer.EXE
            C:\WINDOWS\system32\wdfmgr.exe
            C:\Program Files\Spyware Doctor\pctsTray.exe
            C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
            C:\Program Files\Common Files\Symantec Shared\ccApp.exe
            C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
            C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv2.exe
            C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
            C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
            C:\WINDOWS\system32\ctfmon.exe
            C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
            C:\WINDOWS\System32\svchost.exe
            C:\WINDOWS\System32\alg.exe
            C:\Program Files\Spyware Doctor\pctsSvc.exe
            C:\Program Files\Internet Explorer\iexplore.exe
            C:\Program Files\Trend Micro\ABCThis\HijackThis.exe
            C:\WINDOWS\System32\wbem\wmiprvse.exe

            R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
            R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
            R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
            R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by @Home
            R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://proxy:8080
            O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
            O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
            O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
            O4 - HKLM\..\Run: [WUSB54Gv2] C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\InvokeSvc3.exe
            O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
            O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM32\qttask.exe" -atboottime
            O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
            O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
            O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
            O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "c:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
            O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
            O4 - HKCU\..\Run: [Walgreens PhotoShow Media Manager] C:\PROGRA~1\WALGRE~1\WALGRE~1\data\Xtras\mssysmgr.exe
            O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
            O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
            O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
            O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
            O4 - Global Startup: Resolution Assistant.lnk = C:\Program Files\Dell\Resolution Assistant\MotiveAssistant\bin\matcli.exe
            O4 - Global Startup: Windows Media PowerPoint Helper.lnk = C:\Program Files\Windows Media Components\Tools\nsppthlp.exe
            O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
            O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
            O8 - Extra context menu item: LimeShop Preferences - file://C:\Program Files\LimeShop\System\Temp\limeshop_script0.htm
            O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
            O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
            O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
            O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
            O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
            O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
            O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
            O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
            O9 - Extra button: @Home - {AD96D1C0-3FA0-11D9-94A1-00010326322D} - http://home.excite.com (file missing) (HKCU)
            O9 - Extra button: Dell Home - {C1B40280-B0C6-11D4-9482-00010326322D} - http://www.my.delleworks.com (file missing) (HKCU)
            O12 - Plugin for .mts: C:\Program Files\MetaCreations\MetaStream\npmetastream.dll
            O16 - DPF: Blackjack Carnival by pogo - http://game1.pogo.com/applet-8.0.1.23/vbjack2/vbjack2-en_US.cab
            O16 - DPF: First Class Solitaire by pogo - http://game1.pogo.com/applet-6.8.4.51/firstclass2/firstclass2-en_US.cab
            O16 - DPF: Fortune Bingo by pogo - http://game1.pogo.com/applet-6.8.3.35/superbingo/superbingo-en_US.cab
            O16 - DPF: Hog Heaven Slots by pogo - http://game1.pogo.com/applet-8.0.3.20/fancy/fancy-en_US.cab
            O16 - DPF: Keno by pogo - http://game1.pogo.com/applet-6.9.1.32/keno/keno-en_US.cab
            O16 - DPF: Lottso by pogo - http://game1.pogo.com/applet-8.0.5.30/lottso/lottso-en_US.cab
            O16 - DPF: Payday FreeCell by pogo - http://game1.pogo.com/applet-6.7.3.30/freecell/freecell-en_US.cab
            O16 - DPF: Perfect Pair Solitaire by pogo - http://game1.pogo.com/applet-6.7.2.24/waterwheel/waterwheel-en_US.cab
            O16 - DPF: Quick Quack by pogo - http://game1.pogo.com/applet-6.8.0.25/hotstreak/hotstreak-en_US.cab
            O16 - DPF: Spider Solitaire by pogo - http://game1.pogo.com/applet-8.0.5.30/spider/spider-en_US.cab
            O16 - DPF: Tri-Peaks by pogo - http://game1.pogo.com/applet-8.0.6.49/peaks/peaks-en_US.cab
            O16 - DPF: Turbo 21 v2 by pogo - http://game1.pogo.com/applet-6.7.4.28/turbo22/turbo22-en_US.cab
            O16 - DPF: Vaults of Atlantis Slots by pogo - http://game1.pogo.com/applet-8.0.6.49/mlslots/mlslots-en_US.cab
            O16 - DPF: Win32 Classes -
            O16 - DPF: Word Craft by pogo - http://game1.pogo.com/applet-6.8.3.35/babble/babble-en_US.cab
            O16 - DPF: Word Search Daily by pogo - http://game1.pogo.com/applet-8.0.6.49/wordsearch/wordsearch-en_US.cab
            O16 - DPF: Word Whomp by pogo - http://game1.pogo.com/applet-8.0.0.20/wordwhomp2/whomp2-en_US.cab
            O16 - DPF: World Class Solitaire by pogo - http://game1.pogo.com/applet-8.0.5.30/worldclass/worldclass-en_US.cab
            O16 - DPF: {3107C2A8-9F0B-4404-A58B-21BD85268FBC} (PogoWebLauncher Control) - http://www.pogo.com/cdl/launcher/PogoWebLauncherInstaller.CAB
            O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
            O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
            O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-3-48.cab
            O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab
            O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
            O16 - DPF: {9903F4ED-B673-456A-A15F-ED90C7DE9EF5} (Sol Control) - http://www.worldwinner.com/games/v46/sol/sol.cab
            O16 - DPF: {CF969D51-F764-4FBF-9E90-475248601C8A} (FamilyFeud Control) - http://www.worldwinner.com/games/v47/familyfeud/familyfeud.cab
            O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} - http://a532.g.akamai.net/f/532/6712/5m/virtools.download.akamai.com/6712/player/install/installer.exe
            O16 - DPF: {E2739AFF-FA40-4527-9A19-DE81795C2C03} (MSN Money Ticker) - http://moneycentral.msn.com/cabs/ticker.cab
            O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://www.auctiva.com/hostedimages/activex/xupload/XUpload.ocx
            O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
            O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
            O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
            O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
            O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
            O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
            O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
            O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
            O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
            O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
            O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
            O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
            O23 - Service: WUSB54Gv2SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe

            --
            End of file - 10525 bytes

            I did not 'fix' or 'delete' anything from the HJT scan.  I'm going to just leave it open until you tell me what to do.

            THANKS SO MUCH for all of your help (and patience with me) I really appreciate it!

            Feelin' Like Tap Dancing New Granny



            evilfantasy

            Re: Trojan Horse or Windows Hoax?? Can't get rid of it!
            « Reply #7 on: October 19, 2008, 08:57:10 PM »
            You have two antivirus running, AVG and Norton/Symantec.

            You need to uninstall one of them. Which would you like to keep?
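
Added example, not part of the thread and not a HijackThis feature: a small Python parser for the log format posted in Reply #6, showing how the two-antivirus observation in Reply #7 can be read off the `Running processes` list and the O4/O23 autostart entries. The sample lines are excerpted from that log; the function names and the vendor keyword table are assumptions made for this example.

```python
import re
from collections import defaultdict

# Sample input: a few lines excerpted from the HijackThis log posted in Reply #6.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Platform: Windows XP SP3 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\system32\winlogon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Spyware Doctor\pctsTray.exe

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
"""

# Assumption: keyword table covering only the two products named in Reply #7.
AV_KEYWORDS = {
    "AVG": ("grisoft", "avg7"),
    "Norton/Symantec": ("symantec", "norton"),
}

# HijackThis entry lines look like "O4 - ..." or "R1 - ...".
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")


def parse_hjt(text):
    """Split a HijackThis log into (running process paths, {section code: [entries]})."""
    processes, entries = [], defaultdict(list)
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_processes = True
            continue
        entry = ENTRY_RE.match(line)
        if in_processes and (not line or entry):
            in_processes = False  # a blank line or the first R/O entry ends the list
        if in_processes:
            processes.append(line)
        elif entry:
            entries[entry.group(1)].append(entry.group(2))
    return processes, dict(entries)


def _products_in(text):
    """Names of the AV products whose keywords appear in a log line."""
    lowered = text.lower()
    return [p for p, kws in AV_KEYWORDS.items() if any(k in lowered for k in kws)]


def find_av_products(processes, entries):
    """Collect per-product evidence: live processes vs. autostart (O4 Run keys, O23 services)."""
    evidence = defaultdict(lambda: {"running": [], "autostart": []})
    for path in processes:
        for product in _products_in(path):
            evidence[product]["running"].append(path)
    for code in ("O4", "O23"):
        for item in entries.get(code, []):
            for product in _products_in(item):
                evidence[product]["autostart"].append(f"{code} - {item}")
    return dict(evidence)


def resident_products(text):
    """Products with at least one live process, i.e. actually resident, not just leftover files."""
    processes, entries = parse_hjt(text)
    evidence = find_av_products(processes, entries)
    return sorted(p for p, ev in evidence.items() if ev["running"])


if __name__ == "__main__":
    active = resident_products(SAMPLE_LOG)
    print("Resident AV products:", ", ".join(active) or "none")
    if len(active) > 1:
        print("More than one AV product has live processes and autostart entries.")
```

Separating live processes from autostart entries matters here: a product that was "uninstalled" but still appears under both is still loading at boot, which is what the log in Reply #6 shows for the Symantec components.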

            newgranny


              Re: Trojan Horse or Windows Hoax?? Can't get rid of it!
              « Reply #8 on: October 19, 2008, 10:36:49 PM »
              I uninstalled Norton antivirus two years ago and some of its 'parts' still show up in my computer.

              I can't remove these parts, not through 'add or remove' or by trying to delete manually.  It won't allow me to.

              I only use AVG.

              evilfantasy

              Re: Trojan Horse or Windows Hoax?? Can't get rid of it!
              « Reply #9 on: October 19, 2008, 10:45:19 PM »
              Download the Norton Removal Tool (SymNRT) to your Desktop.

              Once downloaded please close ALL open browsers, also save any work because this may require a restart.
              • Go to your desktop and double click on the removal tool and then click Setup.
              • Once open Click Next
              • Accept the license agreement and click Next
              • Type in the letters/numbers that you see into the text box then click Next.
              • Then click Next and the tool will start running.
              • Once finished restart the PC and run the tool again to ensure everything has been removed.
              • Delete the Norton Removal Tool from your Desktop.
              ----------

              Now run a new HijackThis scan and post the log.

              Also let me know what problems, if any, still remain.

              newgranny


                Re: Trojan Horse or Windows Hoax?? Can't get rid of it!
                « Reply #10 on: October 20, 2008, 02:33:40 PM »
                I followed your instructions, and here is the new hjt log:


                Logfile of Trend Micro HijackThis v2.0.2
                Scan saved at 3:29:17 PM, on 10/20/2008
                Platform: Windows XP SP3 (WinNT 5.01.2600)
                MSIE: Internet Explorer v7.00 (7.00.6000.16735)
                Boot mode: Normal

                Running processes:
                C:\WINDOWS\System32\smss.exe
                C:\WINDOWS\system32\csrss.exe
                C:\WINDOWS\system32\winlogon.exe
                C:\WINDOWS\system32\services.exe
                C:\WINDOWS\system32\lsass.exe
                C:\WINDOWS\system32\svchost.exe
                C:\WINDOWS\system32\svchost.exe
                C:\WINDOWS\System32\svchost.exe
                C:\WINDOWS\System32\svchost.exe
                C:\WINDOWS\System32\svchost.exe
                C:\WINDOWS\system32\spoolsv.exe
                C:\WINDOWS\Explorer.EXE
                C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
                C:\WINDOWS\SYSTEM32\qttask.exe
                C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
                C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
                C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
                C:\Program Files\Spyware Doctor\pctsAuxs.exe
                C:\Program Files\Spyware Doctor\pctsSvc.exe
                C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
                C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
                C:\Program Files\Spyware Doctor\pctsTray.exe
                C:\WINDOWS\system32\ctfmon.exe
                C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
                C:\WINDOWS\system32\wdfmgr.exe
                C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
                C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv2.exe
                C:\WINDOWS\System32\svchost.exe
                C:\WINDOWS\System32\alg.exe
                C:\Program Files\Trend Micro\ABCThis\HijackThis.exe
                C:\WINDOWS\System32\wbem\wmiprvse.exe

                R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
                R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
                R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
                R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by @Home
                R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://proxy:8080
                O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
                O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
                O4 - HKLM\..\Run: [WUSB54Gv2] C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\InvokeSvc3.exe
                O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM32\qttask.exe" -atboottime
                O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
                O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
                O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
                O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "c:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
                O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
                O4 - HKCU\..\Run: [Walgreens PhotoShow Media Manager] C:\PROGRA~1\WALGRE~1\WALGRE~1\data\Xtras\mssysmgr.exe
                O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
                O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
                O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
                O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
                O4 - Global Startup: Resolution Assistant.lnk = C:\Program Files\Dell\Resolution Assistant\MotiveAssistant\bin\matcli.exe
                O4 - Global Startup: Windows Media PowerPoint Helper.lnk = C:\Program Files\Windows Media Components\Tools\nsppthlp.exe
                O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
                O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
                O8 - Extra context menu item: LimeShop Preferences - file://C:\Program Files\LimeShop\System\Temp\limeshop_script0.htm
                O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
                O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
                O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
                O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
                O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
                O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
                O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
                O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
                O9 - Extra button: @Home - {AD96D1C0-3FA0-11D9-94A1-00010326322D} - http://home.excite.com (file missing) (HKCU)
                O9 - Extra button: Dell Home - {C1B40280-B0C6-11D4-9482-00010326322D} - http://www.my.delleworks.com (file missing) (HKCU)
                O12 - Plugin for .mts: C:\Program Files\MetaCreations\MetaStream\npmetastream.dll
                O16 - DPF: Blackjack Carnival by pogo - http://game1.pogo.com/applet-8.0.1.23/vbjack2/vbjack2-en_US.cab
                O16 - DPF: First Class Solitaire by pogo - http://game1.pogo.com/applet-6.8.4.51/firstclass2/firstclass2-en_US.cab
                O16 - DPF: Fortune Bingo by pogo - http://game1.pogo.com/applet-6.8.3.35/superbingo/superbingo-en_US.cab
                O16 - DPF: Hog Heaven Slots by pogo - http://game1.pogo.com/applet-8.0.3.20/fancy/fancy-en_US.cab
                O16 - DPF: Keno by pogo - http://game1.pogo.com/applet-6.9.1.32/keno/keno-en_US.cab
                O16 - DPF: Lottso by pogo - http://game1.pogo.com/applet-8.0.5.30/lottso/lottso-en_US.cab
                O16 - DPF: Payday FreeCell by pogo - http://game1.pogo.com/applet-6.7.3.30/freecell/freecell-en_US.cab
                O16 - DPF: Perfect Pair Solitaire by pogo - http://game1.pogo.com/applet-6.7.2.24/waterwheel/waterwheel-en_US.cab
                O16 - DPF: Quick Quack by pogo - http://game1.pogo.com/applet-6.8.0.25/hotstreak/hotstreak-en_US.cab
                O16 - DPF: Spider Solitaire by pogo - http://game1.pogo.com/applet-8.0.5.30/spider/spider-en_US.cab
                O16 - DPF: Tri-Peaks by pogo - http://game1.pogo.com/applet-8.0.6.49/peaks/peaks-en_US.cab
                O16 - DPF: Turbo 21 v2 by pogo - http://game1.pogo.com/applet-6.7.4.28/turbo22/turbo22-en_US.cab
                O16 - DPF: Vaults of Atlantis Slots by pogo - http://game1.pogo.com/applet-8.0.6.49/mlslots/mlslots-en_US.cab
                O16 - DPF: Win32 Classes -
                O16 - DPF: Word Craft by pogo - http://game1.pogo.com/applet-6.8.3.35/babble/babble-en_US.cab
                O16 - DPF: Word Search Daily by pogo - http://game1.pogo.com/applet-8.0.6.49/wordsearch/wordsearch-en_US.cab
                O16 - DPF: Word Whomp by pogo - http://game1.pogo.com/applet-8.0.0.20/wordwhomp2/whomp2-en_US.cab
                O16 - DPF: World Class Solitaire by pogo - http://game1.pogo.com/applet-8.0.5.30/worldclass/worldclass-en_US.cab
                O16 - DPF: {3107C2A8-9F0B-4404-A58B-21BD85268FBC} (PogoWebLauncher Control) - http://www.pogo.com/cdl/launcher/PogoWebLauncherInstaller.CAB
                O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
                O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
                O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-3-48.cab
                O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab
                O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
                O16 - DPF: {9903F4ED-B673-456A-A15F-ED90C7DE9EF5} (Sol Control) - http://www.worldwinner.com/games/v46/sol/sol.cab
                O16 - DPF: {CF969D51-F764-4FBF-9E90-475248601C8A} (FamilyFeud Control) - http://www.worldwinner.com/games/v47/familyfeud/familyfeud.cab
                O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} - http://a532.g.akamai.net/f/532/6712/5m/virtools.download.akamai.com/6712/player/install/installer.exe
                O16 - DPF: {E2739AFF-FA40-4527-9A19-DE81795C2C03} (MSN Money Ticker) - http://moneycentral.msn.com/cabs/ticker.cab
                O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://www.auctiva.com/hostedimages/activex/xupload/XUpload.ocx
                O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
                O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
                O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
                O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
                O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
                O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
                O23 - Service: WUSB54Gv2SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe

                --
                End of file - 9217 bytes

                THANKS FOR ALL YOUR HELP!

                [Saving space - attachment deleted by admin]

                evilfantasy

                • Malware Removal Specialist
                • Moderator


                • Genius
                • Calm like a bomb
                • Thanked: 493
                • Experience: Experienced
                • OS: Windows 11
                Re: Trojan Horse or Windows Hoax?? Can't get rid of it!
                « Reply #11 on: October 20, 2008, 02:38:42 PM »
                Spyware Doctor's OnGuard protective functionality may interfere with certain HijackThis fixes we need to make. Please follow these instructions to disable it.

                To deactivate Spyware Doctor's OnGuard Tools

                • Click the Spyware Doctor icon in the System Tray.
                • Click Settings.
                • Click Startup Settings under Pick a Category.
                • Uncheck Run at Windows startup.
                • Click Apply and Exit Spyware Doctor.
                • From within Spyware Doctor, click the OnGuard button on the left side.
                • Uncheck Activate OnGuard.
                • (When we are done, you can re-enable Spyware Doctor)
                ----------

                Open HijackThis and select Do a system scan only.

                Place a check mark next to the following entries: (if there)

                O8 - Extra context menu item: LimeShop Preferences - file://C:\Program Files\LimeShop\System\Temp\limeshop_script0.htm
                O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
                O9 - Extra button: @Home - {AD96D1C0-3FA0-11D9-94A1-00010326322D} - http://home.excite.com (file missing) (HKCU)
                O9 - Extra button: Dell Home - {C1B40280-B0C6-11D4-9482-00010326322D} - http://www.my.delleworks.com (file missing) (HKCU)
                O16 - DPF: Win32 Classes -


                Important: Close all windows except for HijackThis and then click Fix checked.

                Exit HijackThis.

                ----------

                Run CCleaner.

                Are there still any problems?
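Most of the entries selected in the reply above are ones HijackThis itself marks as orphaned. As an added example (not part of the original posts, and not HijackThis code), this Python script parses log lines taken from the thread and flags entries marked `(no file)` or `(file missing)` and ActiveX (O16) entries with no download source. The function names are hypothetical, and the LimeShop entry is not of this kind, so it is not flagged.

```python
import re

# Sample input: lines taken from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
C:\WINDOWS\System32\svchost.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O8 - Extra context menu item: LimeShop Preferences - file://C:\Program Files\LimeShop\System\Temp\limeshop_script0.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: @Home - {AD96D1C0-3FA0-11D9-94A1-00010326322D} - http://home.excite.com (file missing) (HKCU)
O16 - DPF: Win32 Classes -
O16 - DPF: Keno by pogo - http://game1.pogo.com/applet-6.9.1.32/keno/keno-en_US.cab
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
"""

# What each section code in the sample covers.
SECTIONS = {
    "O4": "autostart entry (Run key or Startup folder)",
    "O8": "Internet Explorer context menu item",
    "O9": "Internet Explorer extra button / Tools menu item",
    "O16": "ActiveX object (Downloaded Program Files)",
    "O23": "Windows service",
}

# An entry line is "<letter><1-2 digits> - <body>"; process-list lines do not match.
ENTRY_RE = re.compile(r"^\s*([A-Z]\d{1,2}) - (.*)$")

def parse(log):
    """Yield (section, body) for each entry line, skipping everything else."""
    for line in log.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            yield m.group(1), m.group(2).rstrip()

def orphan_reason(section, body):
    """Return why an entry looks orphaned, or None if it does not."""
    if "(no file)" in body:
        return "registered component has no file"
    if "(file missing)" in body:
        return "target file is missing from disk"
    if section == "O16" and body.endswith("-"):
        return "ActiveX entry has no download source"
    return None

def triage(log):
    """Return (section, description, reason, body) for each orphaned entry."""
    return [(s, SECTIONS.get(s, "other"), r, b)
            for s, b in parse(log) if (r := orphan_reason(s, b))]

if __name__ == "__main__":
    for section, desc, reason, body in triage(SAMPLE_LOG):
        print(f"{section} [{desc}] {reason}: {body}")
```

An orphaned entry is a candidate for review, not proof of infection; entries whose files do exist still need a human to judge them.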

                newgranny


                  Re: Trojan Horse or Windows Hoax?? Can't get rid of it!
                  « Reply #12 on: October 21, 2008, 08:48:02 AM »
                  Okay, I deleted what you told me to delete and ran CCleaner again.

                  What showed up in CCleaner all seems to be legitimate.

                  I ran a full AVG scan overnight, and this morning there were no threats detected.

                  So, I have one thing to say to you.

                  Thank you!  Thank you!  Thank you!  Thank you!  Thank you!

                   :)

                  Now, I'm gonna go upstairs and start working on my husband's computer.

                  It's really, REALLY slow even though I clean his temp files and cookies and run defrag regularly AND he is only using about 1/3 of his hard drive space.

                  I read the information on this site about possible reasons for this and I think we may have to cut out the back of the desk slot where the tower is, to improve air flow.

                  If this doesn't work, I'll start a new thread here.

                  Again, THANKS SO MUCH for all your help, it is GREATLY appreciated!

                  New Granny

                  evilfantasy

                  Re: Trojan Horse or Windows Hoax?? Can't get rid of it!
                  « Reply #13 on: October 21, 2008, 01:14:34 PM »
                  Set a New Restore Point to prevent possible reinfection from an old one
                  Setting a new restore point AFTER cleaning your system will enable your computer to roll back to a clean working state if needed.
                  • Go to Start > Programs > Accessories > System Tools and click System Restore
                  • Choose the radio button marked Create a Restore Point on the first screen, then click Next. Give the Restore Point a name, then click Create.
                  • The new restore point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
                  • Next go to Start > Run and type Cleanmgr
                  • Click OK
                  • Click the More Options Tab.
                  • Click Clean Up in the System Restore section to remove all previous restore points except the newly created clean one.
                  You can find instructions on how to enable and re-enable system restore here:

                  Windows XP System Restore Guide or Windows Vista System Restore Guide
                  ----------

                  Use the Secunia Software Inspector to check for out of date software.
                  • Click Start Now
                  • Check the box next to Enable thorough system inspection.
                  • Click Start
                  • Allow the scan to finish and scroll down to see if any updates are needed.
                  • Update anything listed.
                  ----------

                  Go to Microsoft Windows Update and get all critical updates.

                  ----------

                  Here are some great FREE tools to help you keep from getting infected again. These tools use little or no resources so won't slow down your PC.

                  Concerned about Browser Security? Consider using Mozilla Firefox 3.0 with Adblock Plus and NoScript

                  To prevent unknown applications from being installed on your computer install WinPatrol 2008
                  * Using Winpatrol to protect your computer from malicious software

                  I suggest using SiteAdvisor. SiteAdvisor rates sites on business practices and spam. Safety ratings from McAfee SiteAdvisor are based on automated safety tests of Web sites.

                  SpywareBlaster - Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.
                  * Using SpywareBlaster to protect your computer from Spyware and Malware
                  * If you don't know what ActiveX controls are, see here

                  Check out Keeping Yourself Safe On The Web for tips and free tools to help keep you safe in the future.

                  Also see Slow Computer? It May Not Be Malware for free cleaning/maintenance tools to help keep your computer running smooth.