Trojans keep coming back

I'd recommend dumping the file sharing apps .... Limewire, Clubbox. Good source of infections.

Otherwise, things look good. I would like for you to run a rootkit tool, just to be sure.

Download and Save Blacklight to your desktop:

Double-click blbeta.exe then accept the agreement, click > scan then > next

You'll see a list of all items found. There will also be a log on your desktop with the name fsbl.xxxxxxx.log (the xxxxxxx stand for numbers).

Post this log in your next reply. Don't choose the rename option yet if anything is listed! I want to see the log first, because legitimate items can also be present there.

Did you get Norton removed?

 

Here's the Backlight log:

07/24/07 18:16:10 [Info]: BlackLight Engine 1.0.64 initialized
07/24/07 18:16:10 [Info]: OS: 5.1 build 2600 (Service Pack 2)
07/24/07 18:16:10 [Note]: 7019 4
07/24/07 18:16:10 [Note]: 7005 0
07/24/07 18:16:55 [Note]: 7006 0
07/24/07 18:16:55 [Note]: 7011 1524
07/24/07 18:16:55 [Note]: 7026 0
07/24/07 18:16:55 [Note]: 7026 0
07/24/07 18:16:58 [Note]: FSRAW library version 1.7.1022
07/24/07 18:21:08 [Note]: 7007 0


Yes, I removed Norton. Also, I've got great news. My computer is no longer laggy/freezing/slow! I guess it was because I had two antiviruses running or Norton Antivirus is just really lame.

I decided to test out ComboFix to see if it would work too. I still got the same error.. but it still worked.

 

That's great!

You do (did) not have two AVs ......... only Norton, and that's enough to lag even the best of 'em

I'm sure Geri will be along shortly with some recommendations, one of which will be an antivirus program. Please don't waste any time getting one installed and updated.


BTW, I've had a suspicion that either NAV or one of the other apps you removed was causing the problem with running ComboFix in normal mode. Would you mind trying it again now and letting us know?

EDIT : I see you read my mind RE: ComboFix

 

Here's the ComboFix log:

"Song" - 2007-07-24 18:48:43 - ComboFix 07-07-14.6 - Service Pack 2 NTFS


((((((((((((((((((((((((( Files Created from 2007-06-25 to 2007-07-25 )))))))))))))))))))))))))))))))


2007-07-21 18:59 26,112 --a------ C:\WINDOWS\system32\nircmd.exe
2007-07-21 18:54 <DIR> d-------- C:\HostsXpert
2007-07-17 08:59 78,440 --a------ C:\LSPRegBackup_17072007_085926.REG
2007-07-16 20:43 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2007-07-16 20:36 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-07-16 20:36 <DIR> d-------- C:\DOCUME~1\Song\APPLIC~1\SUPERAntiSpyware.com
2007-07-16 17:07 20,280 --a------ C:\WINDOWS\system32\drivers\SSFS0BB8.sys
2007-07-16 17:07 1,520,952 --a------ C:\WINDOWS\WRSetup.dll
2007-07-16 16:30 <DIR> d-------- C:\DOCUME~1\NETWOR~1\APPLIC~1\Webroot
2007-07-16 16:29 23,864 --a------ C:\WINDOWS\system32\drivers\sskbfd.sys
2007-07-16 16:29 21,816 --a------ C:\WINDOWS\system32\drivers\sshrmd.sys
2007-07-16 16:29 160,056 --a------ C:\WINDOWS\system32\drivers\ssidrv.sys
2007-07-16 16:29 <DIR> d-------- C:\DOCUME~1\LOCALS~1\APPLIC~1\Webroot
2007-07-16 16:28 <DIR> d-------- C:\Program Files\Webroot
2007-07-16 16:28 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Webroot
2007-07-16 15:06 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-15 13:01 <DIR> d-------- C:\DOCUME~1\Song\APPLIC~1\Webroot
2007-07-15 10:52 <DIR> d-------- C:\HJT
2007-07-14 19:36 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-07-14 15:23 <DIR> d-------- C:\WINDOWS\network diagnostic
2007-07-14 15:14 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Windows Genuine Advantage
2007-07-12 20:09 77,312 --a------ C:\WINDOWS\ua2.dll
2007-07-12 17:19 <DIR> d-------- C:\Program Files\Lavasoft
2007-07-10 19:27 <DIR> d--h----- C:\WINDOWS\PIF
2007-07-09 22:36 109,440 --a------ C:\WINDOWS\system32\drivers\KbdCap.sys
2007-07-09 15:08 <DIR> d-------- C:\Program Files\TriglowPictures
2007-07-04 08:04 <DIR> d-------- C:\Program Files\iTunes
2007-07-04 08:04 <DIR> d-------- C:\Program Files\iPod
2007-07-04 08:03 <DIR> d-------- C:\Program Files\Common Files\Apple
2007-07-04 08:03 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple
2007-06-29 17:27 <DIR> d-------- C:\DOCUME~1\Song\APPLIC~1\Sudeki
2007-06-29 14:37 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-06-24 19:25 6,291,456 --a------ C:\DOCUME~1\Song\ntuser.dat


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-25 00:49:02 -------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-07-25 00:49:01 -------- d-----w C:\Program Files\Symantec
2007-07-25 00:44:55 -------- d-----w C:\Program Files\Norton Internet Security
2007-07-20 06:02:34 -------- d-----w C:\Program Files\Winamp
2007-07-20 05:45:29 -------- d-----w C:\Program Files\Messenger
2007-07-20 05:40:57 -------- d-----w C:\Program Files\Classic PhoneTools
2007-07-20 05:40:51 -------- d-----w C:\Program Files\AIM
2007-07-17 02:19:45 -------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-07-09 22:08:11 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-06-18 03:36:22 -------- d-----w C:\DOCUME~1\Song\APPLIC~1\Apple Computer
2007-06-17 08:03:35 -------- d-----w C:\DOCUME~1\Song\APPLIC~1\Skype
2007-06-14 02:37:22 -------- d-----w C:\DOCUME~1\Song\APPLIC~1\DivX
2007-06-13 20:01:45 -------- d-----w C:\DOCUME~1\Song\APPLIC~1\BitTorrent
2007-06-12 03:55:01 -------- d-----w C:\Program Files\Common Files\InstallShield
2007-06-09 22:32:41 -------- d-----w C:\Program Files\DivX
2007-06-04 22:18:48 9,344 ----a-w C:\windows\system32\drivers\NSDriver.sys
2007-06-04 22:17:02 8,320 ----a-w C:\windows\system32\drivers\AWRTRD.sys
2007-06-04 22:14:56 6,272 ----a-w C:\windows\system32\drivers\AWRTPD.sys
2007-05-31 07:02:22 -------- d-----w C:\Program Files\QuickTime
2007-05-31 07:00:00 -------- d-----w C:\Program Files\Apple Software Update
2007-05-31 06:45:07 524,288 ----a-w C:\windows\system32\DivXsm.exe
2007-05-31 06:44:55 823,296 ----a-w C:\windows\system32\divx_xx07.dll
2007-05-31 06:44:54 823,296 ----a-w C:\windows\system32\divx_xx0c.dll
2007-05-31 06:44:54 802,816 ----a-w C:\windows\system32\divx_xx11.dll
2007-05-31 06:44:54 740,442 ----a-w C:\windows\system32\DivX.dll
2007-05-09 18:53:54 1,224,704 ----a-r C:\windows\system32\clubbox.exe
2007-05-06 08:07:55 61,440 ----a-w C:\windows\system32\nod.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
2005-05-31 01:04 853672 --a------ C:\PROGRA~1\SPYBOT~1\SDHelper.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
2007-07-12 04:00 501136 --a------ C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CapFax "= "C:\Program Files\Classic PhoneTools\CapFax.EXE" [2001-12-10 17:34]
"AGRSMMSG "= "AGRSMMSG.exe" [2004-06-29 09:06 C:\WINDOWS\AGRSMMSG.exe]
"AdaptecDirectCD "= "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2003-03-26 11:15]
"SoundMan "= "SOUNDMAN.EXE" [2004-09-16 05:39 C:\WINDOWS\SOUNDMAN.EXE]
"iTunesHelper "= "C:\Program Files\iTunes\iTunesHelper.exe" [2007-06-28 09:14]
"!AVG Anti-Spyware "= "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-07-14 19:38]
"SunJavaUpdateSched "= "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvMediaCenter "= "RUNDLL32.exe" [2004-08-04 05:00 C:\WINDOWS\system32\rundll32.exe]
"MsnMsgr "= "C:\Program Files\MSN Messenger\MsnMsgr.exe" [2006-01-24 12:37]
"ctfmon.exe "= "C:\windows\system32\ctfmon.exe" [2004-08-04 05:00]
"SUPERAntiSpyware "= "C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8} "= "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2007-07-14 19:37]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} "= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2006-12-20 13:55]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll --a------ 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\aawservice]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Driver]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Guard]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\WebrootSpySweeperService]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StorageGuard]
"C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r


Contents of the 'Scheduled Tasks' folder
2007-07-22 21:07:00 C:\windows\tasks\AppleSoftwareUpdate.job
2007-07-25 01:47:00 C:\windows\tasks\Symantec NetDetect.job

**************************************************************************

catchme 0.3.915 W2K/XP/Vista - rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-24 18:50:01
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-07-24 18:50:27
C:\ComboFix-quarantined-files.txt ... 2007-07-24 18:50
C:\ComboFix2.txt ... 2007-07-22 15:08
C:\ComboFix3.txt ... 2007-07-21 14:52

--- E O F ---


I was thinking of getting AVG Antivirus, but I'll wait for Geri.

 

Thanks for the ComboFix log. I'm sure Geri would approve of AVG.

I'd also recommend running the Norton Removal Tool to help clean up some of the junk the Norton uninstaller leaves behind.

http://fileforum.betanews.com/detail/Norton_Removal_Tool_for_Windows_2000XPVista/1169144666/1

When done, after a reboot, check for the presence of the following leftovers (from your combofix log) and remove them if there.

C:\windows\tasks\Symantec NetDetect.job
C:\Program Files\Common Files\Symantec Shared
C:\Program Files\Symantec
C:\Program Files\Norton Internet Security

 

Alrighty, done.

Thank you guys so much for ALL of your help!

 

Very happy to help.

Please post a fresh HijackThs log.

 

Here's the HJT log:
Logfile of HijackThis v1.99.1
Scan saved at 11:05:40 PM, on 7/27/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\windows\system32\spoolsv.exe
C:\windows\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Classic PhoneTools\CapFax.EXE
C:\windows\AGRSMMSG.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\windows\SOUNDMAN.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\windows\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\windows\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\windows\system32\wscntfy.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Winamp\winamp.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O4 - HKLM\..\Run: [CapFax] "C:\Program Files\Classic PhoneTools\CapFax.EXE "
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe "
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe "
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
O4 - HKCU\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\system32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\windows\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] "C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe "
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} -
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WRNotifier - C:\windows\SYSTEM32\WRLogonNTF.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: DiamondCS ProcessGuard Service v3.405 (DCSPGSRV) - Unknown owner - C:\Program Files\ProcessGuard\dcsuserprot.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

 

Hi Helenster

OK Dave asked me to finish up. (Thanks Dave)

Your log is clean, just a few things to do.

First Get a AV and Firewall, These are a Must Have,

Here are some good ones and the best part, they are Free!

Please Download only One AV and only one firewall.

Anti-Virus
AVGFree
Avast

FireWall
Comodo Firewall
zonealarm firewall

Download, Update and scan your computer with the AV. Quarantine/Delete anything it finds.

Also I suggest you read this.
understanding firewalls


You can delete any tools you were asked to download, There will be newer versions if ever needed again any way.


We have just a few more things to do, mostly maintenance and then our recommendations:

Delete all your cookies, and empty your recycle bin. (ATF Cleaner is good for this See link below) But remember, by deleting your cookies, you will have to re-enter any passwords and log-in info for any sites you are usually required to do so with.

This would also be a good time to set a new system restore point for your machine.
Set New System Restore Point. Do not do this unless there are no other user accounts to be diagnosed.

Also, as you are an XP user, if there are any other accounts on this machine, they too, must be cleaned with AdAware, Spybot S&D, then HJT. Not all infections are global, nor are all the HJT fixes global. You can post each user account here into this thread, but please, do only one at a time to avoid confusion. It is very rare that anything significant is ever found.

The following is a list of tools and utilities that I like to suggest to people. This list is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again.

1. Spybot Search & Destroy - A powerful tool which can search and annhilate nasties that make it onto your system. Now with an Immunize section that will help prevent future infections.
   
   
2. AdAware - Another very powerful tool which searches and kills nasties that infect your system. AdAware and Spybot Search & Destroy compliment each other very well.
   
   
3. SpywareBlaster - Great prevention tool to keep nasties from installing on your system.
   
   
4. SpywareGuard - Works as a Spyware "Shield" to protect your computer from getting malware in the first place.
   
   
5. IE-SpyAd - puts over 23,000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all,
   and MVPS Hosts File will accomplish a similar tactic and provide another layer of protection.
   
   
6. Install WinPatrol to prevent unknown applications from being inserted to start up on your machine
   
   Now just because you have security apps installed, they are useless unless updated regularly.
   
   
7. Another thing I would suggest, is to install SiteAdvisor. It gives sites a few different 'ratings' and while not fool proof, a good additional layer of information about many sites.
   
   
8. ATF Cleaner by Atribune.
   This program is for XP and Windows 2000 only, Cleans out temporary files all the garbage you collect while surfing the web.
   
   
9. Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.
   
   
10. Google Toolbar - Free google toolbar that allows you to use the powerful Google search engine from the bar, but also blocks pop up windows.
    
11. Trillian or Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)

To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein

Surf Safely
Geri

 

Thanks again for your help!