PC help needed - malware invasion

clpeters23

I don't know if it's a virus, adware or spyware, but something's on my PC that occasionally diverts the page I'm on to another which says "your computer is infected..." I've run several different virus scans (Kaspersky, Norton and CA) and nothing's ever found. I don't have the funds right now to take my PC to be fixed. Can anyone help?

Thanks
Cathy
 

mrblanche

Go here and run this scan.

Panda Software

Make sure you have the absolute latest versions of your virus software.

Have you run Spybot?

I suspect you have a trojan that redirects your searches. It's pretty common, and some of them can be very difficult to remove. It may require a complete wipe of your hard drive, and a recovery.
 

snake_lady

try: http://housecall.trendmicro.com/

I use their online scan once a month or so.... it scans for malware, viruses, spyware, etc.

About the diverting screen, are you sure it's not a pop up? There's a bunch of them out there that say "Your computer is infected, click here for your free scan"....those are just advertising bs, pain in the butts. A pop up blocker will help.

You can also download Spybot Search and Destroy, it's free, and great for removing spyware.
 

gailc

I used Malwarebytes Anti-Malware (I think that is what it is called) when I had problems with a fake Microsoft blue page that kept appearing. It found lots of stuff and corrected the problem.
 

strange_wings

You can also try HijackThis to see what has been infected. This will tell you everything that is running on your computer and where.

If you're using IE, there may be something on it doing this.

As for needing to completely reformat: that shouldn't be necessary unless the OS is damaged in some way. The answer to a computer problem shouldn't be reformat and reinstall, honestly. Patience, using Google to help look stuff up, and manual registry cleaning can usually get the worst of stuff out.
 

clpeters23

Originally Posted by Snake_Lady

try: http://housecall.trendmicro.com/

I use their online scan once a month or so.... it scans for malware, viruses, spyware, etc.

About the diverting screen, are you sure it's not a pop up? There's a bunch of them out there that say "Your computer is infected, click here for your free scan"....those are just advertising bs, pain in the butts. A pop up blocker will help.

You can also download Spybot Search and Destroy, it's free, and great for removing spyware.
I do have the popup blocker enabled, and just what you described, "Your computer is infected, click here for your free scan", is still there.

I've tried most of the recommended scans with no luck, but I'll keep trying.
Thanks everyone!
 

strange_wings

Originally Posted by clpeters23

I've tried most of the recommended scans with no luck, but I'll keep trying.
Thanks everyone!
Try hijackthis and post the report in the thread.
 

clpeters23

Originally Posted by strange_wings

Try hijackthis and post the report in the thread.
I'm running Malwarebytes right now and if that doesn't work, I will post results from hijackthis. Thanks
 

mrblanche

My brother-in-law had a trojan that was particularly nasty. I worked a whole day on it, and finally had to do a full recovery. It was one that every time you deleted all the infected and causative files, a hidden file restored them all, with new names in new places. It is one widely recognized as one of the most difficult to get rid of. Most are not that bad, fortunately.
 

coaster

I agree with strange wings. Classic browser hijack. HijackThis! is the best tool for diagnosis/removal.
 

coaster

Originally Posted by strange_wings

As for needing to completely reformat. That shouldn't be necessary unless the OS is damaged in some way.
I wish my last infection had known that. After doing all the other usual stuff to no avail (including booting off an uninfected drive), I reformatted. Did it work? NO. How can anything survive a reformat? Believe me, it can. After FIVE -- count 'em -- FIVE *CLEAN* reformats I finally got rid of it somehow by rejiggering the partition. This particularly nasty but clever piece of code I theorized was living OUTSIDE of the partition, in disk space unused by and inaccessible to the OS. My theory is that rejiggering the partition changed the offset from track zero where it expected to find itself. I have no idea how it loaded itself; it must have been interacting directly with the hard drive's controller to read and load its boot code. You can find it if you Google; I don't remember what the name was.
 

strange_wings

That's crazy. I'm thankful that the worst I dealt with was something the antivirus couldn't take care of (too many hidden parts) but was simple enough to manually clean out. Now I don't have to worry unless I purposely choose to install something - not going to happen.

How does one pick up this nastier malware? Simply not knowing how to protect their PC, or just not knowing what type of activities to avoid?
 

clpeters23

Originally Posted by strange_wings

Try hijackthis and post the report in the thread.
Here it is:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 05:05:53, on 3/30/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\Program Files\DellAutomatedPCTuneUp\PTAgnt.exe
C:\Program Files\NetZero\exec.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Documents and Settings\Cathy\Application Data\Microsoft\rPsooXa.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe
C:\Program Files\NetZero\exec.exe
C:\Program Files\NetZero\qsacc\x1exec.exe
c:\program files\common files\installshield\updateservice\isuspm.exe
C:\Program Files\Common Files\InstallShield\UpdateService\agent.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://my.netzero.net/s/search?r=minisearch
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.netzero.net/s/search?r=minisearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://forums.ledzeppelin.com/index.php?showforum=4
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=4080308
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.netzero.net/s/search?r=minisearch
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://my.netzero.net/s/sp?r=al&cf=s...SSUSER&O=I&UT=
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:7900
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 64.136.44.66;64.136.52.66;64.136.52.70;searchap.untd.com;127.0.0.1;localhost;*microsoft.com;*windowsupdate.com;*wustat.windows.com;*.pogo.com;*test-speed.com;liveupdate.symantecliveupdate.com;*symantec.com;*.nai.com;*.networkassociates.com;*.dir.untd.com;cf.netzero.net;qs.netzero.net;*.aolcdn.com;*.quicken.com;<local>
R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\Program Files\NetZero\SearchEnh1.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Pop-up Blocker - {52706EF7-D7A2-49AD-A615-E903858CF284} - C:\Program Files\NetZero\qsacc\x1IEBHO.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton AntiVirus\Engine\16.5.0.134\IPSBHO.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll
O2 - BHO: Ask.com Toolbar BHO - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O3 - Toolbar: ZeroBar - {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - C:\Program Files\NetZero\Toolbar.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O3 - Toolbar: Ask.com Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [ECenter] C:\Dell\E-Center\EULALauncher.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe /logon
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [CAPPActiveProtection] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe"
O4 - HKCU\..\Run: [DellAutomatedPCTuneUp] "C:\Program Files\DellAutomatedPCTuneUp\PTAgnt.exe" /startup
O4 - HKCU\..\Run: [NetZero_uoltray] C:\Program Files\NetZero\exec.exe regrun
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [] C:\Documents and Settings\Cathy\Application Data\Microsoft\rPsooXa.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: Display All Images with Full Quality - res://C:\Program Files\NetZero\qsacc\appres.dll/228
O8 - Extra context menu item: Display Image with Full Quality - res://C:\Program Files\NetZero\qsacc\appres.dll/227
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/betaact.../as2stubie.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish.com/SnapfishActivia.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7ED9D6F7-1CC2-4566-B58B-BEEEDC88FC7B}: NameServer = 64.136.52.73 64.136.44.73
O18 - Filter hijack: text/html - {8afad42d-92a0-4711-8837-d8b7786d33d3} - C:\WINDOWS\system32\mst123.dll
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O23 - Service: DellAMBrokerService - Unknown owner - C:\Program Files\DellAutomatedPCTuneUp\brkrsvc.exe
O23 - Service: Google Desktop Manager 5.7.806.10245 (GoogleDesktopManager-061008-081103) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Norton AntiVirus - Symantec Corporation - C:\Program Files\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. (www.webroot.com) - C:\Program Files\Webroot\WebrootSecurity\SpySweeper.exe

--
End of file - 10599 bytes
 

strange_wings

Hey, you didn't happen to buy your PC from a Best Buy did you? (no, the report doesn't suggest that)

I have no clue what rPsooXa.exe is. Does anyone else?

Other than that - do you use NetZero? If not, that report says you have a lot of stuff installed from it. Then there are three toolbars: from NetZero, Ask, and Google - plus some Google updater?

Norton - there's one of your problems. It's not the best antivirus.
Am I seeing two spyware scanners?

Digital Line Detect is preinstalled Dell junk. Rather unneeded.

Looking at a lot of that, and at how much is running at once: if you're experiencing slowdown, that's why.
 

strange_wings

^Because three or four of them are needed on one computer?

I'm not seeing any spyware in that scan. The toolbars are legit, though sometimes not intentionally installed by the user, thus most scanners ignore them. Ditch the toolbars and see if that fixes things.
 

coaster

Originally Posted by strange_wings

How does one pick up this nastier malware? Simply not knowing how to protect their PC, or just not knowing what type of activities to avoid?
I suspect mine happened when I wasn't paying attention or was sleepy or something and accidentally clicked on the wrong button. I usually go into task manager and terminate when I see something suspicious, because malicious javascript CAN be set to run when the close-window is clicked.
 

coaster

This is what I found suspicious on just scanning through:

C:\WINDOWS\RTHDCPL.EXE - non-OS executables don't run from the Windows folder

C:\Documents and Settings\Cathy\Application Data\Microsoft\rPsooXa.exe
O4 - HKCU\..\Run: [] C:\Documents and Settings\Cathy\Application Data\Microsoft\rPsooXa.exe
This is the most suspicious thing I saw; nothing, and I mean I have never seen any executable run from the user's Documents folder.

2 - exec.exe
2 - iexplore.exe
There are two copies of each of these; that's not necessarily a problem, just confirm there were two IE windows open; and I don't know what the other one is, but naming an executable "exec" is sort of unusual.

R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\Program Files\NetZero\SearchEnh1.dll
I started to copy these NetZero things then gave up; there are so many of them. I counted at least three different entities trying to grab some piece of the internet browsing through redirectors, toolbars, whatever. No wonder there are problems.

I found all those proxy overrides disconcerting, but I don't know what kind of internet access is being used, or what kind of home network.

What I'd do:

Download Eset NOD32 AV & F/W - best retail out there IMO and worth $80
Disable network connection
Uninstall NetZero
Uninstall Norton
Search for all instances of files, shortcuts, and Registry entries that match rPsooXa.exe and delete
Install Eset
Reconnect to internet
Say a temporary "no" to everything that wants access except Eset
Update Eset files
Run full virus & spyware scan
Then start teaching your firewall which apps are OK to connect, and just say no to all the rest
Try to eliminate about half of your startup programs; some of them are probably unnecessary or duplicating others.

Just saying, that's what I'd do based on that log. But a better recommendation, and one where you're more likely to get a definitive fix, is to post it on the HijackThis forum.
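Coaster's by-eye checks on that log, turned into a small rule-based parser as an added example (not a tool from the thread or from HijackThis). The line patterns are inferred from the HJT 2.0.2 report posted above, the short sample log inside the code is constructed from a few of its lines, and the Finding/triage/process_counts names are this example's own.

```python
"""Rule-based triage of a HijackThis (HJT) log: an added example, not a tool
from the thread or from HijackThis. It encodes the checks coaster applied by eye
(an image launched from a user profile directory, an O4 Run entry with a blank
name, duplicate process images, a browser proxy on the local machine) plus HJT's
own O18 "Filter hijack" label. SAMPLE_LOG is constructed from a few lines of the
kind posted above, not the full report."""
import re
from collections import Counter, namedtuple

# Line shapes, inferred from the HJT 2.0.2 layout in the thread.
PROCESS_RE = re.compile(r'^[A-Za-z]:\\')
O4_RE = re.compile(r'^O4 - HK[A-Z]+\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$')
R_RE = re.compile(r'^R[013] - (?P<key>[^,]+),(?P<value>[^=]*) = (?P<data>.*)$')
O18_RE = re.compile(r'^O18 - Filter hijack: (?P<mime>\S+) - \{[^}]+\} - (?P<dll>.+)$')
PROFILE_RE = re.compile(r'\\Documents and Settings\\[^\\]+\\', re.IGNORECASE)

SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2

Running processes:
C:\Program Files\NetZero\exec.exe
C:\Documents and Settings\Cathy\Application Data\Microsoft\rPsooXa.exe
C:\Program Files\NetZero\exec.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:7900
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKCU\..\Run: [] C:\Documents and Settings\Cathy\Application Data\Microsoft\rPsooXa.exe
O18 - Filter hijack: text/html - {8afad42d-92a0-4711-8837-d8b7786d33d3} - C:\WINDOWS\system32\mst123.dll
"""

Finding = namedtuple('Finding', 'line reason')

def _exe_from_cmd(cmd: str) -> str:
    """Return the image path from an O4 command, dropping quotes and switches."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    m = re.match(r'(?P<exe>.+?\.exe)\b', cmd, re.IGNORECASE)
    return m.group('exe') if m else cmd.split(' ')[0]

def triage(log_text: str) -> list:
    """Return one Finding per rule hit; a single line can hit more than one rule."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if PROCESS_RE.match(line):
            if PROFILE_RE.search(line):
                findings.append(Finding(line, 'process image lives in a user profile directory'))
        elif m := O4_RE.match(line):
            if not m.group('name'):
                findings.append(Finding(line, 'Run entry has a blank value name'))
            if PROFILE_RE.search(_exe_from_cmd(m.group('cmd'))):
                findings.append(Finding(line, 'Run entry launches from a user profile directory'))
        elif m := R_RE.match(line):
            # A local proxy is how some ISP accelerators work, so only ask who owns the port.
            if m.group('value').strip() == 'ProxyServer' and '127.0.0.1' in m.group('data'):
                findings.append(Finding(line, 'browser proxy is a process on this machine; confirm its owner'))
        elif m := O18_RE.match(line):
            findings.append(Finding(line, f'{m.group("mime")} pages pass through {m.group("dll")}'))
    return findings

def process_counts(log_text: str) -> Counter:
    """Count running-process image names (case-folded), the check coaster did by hand."""
    return Counter(line.strip().rsplit('\\', 1)[-1].lower()
                   for line in log_text.splitlines() if PROCESS_RE.match(line.strip()))

if __name__ == '__main__':
    for f in triage(SAMPLE_LOG):
        print(f'{f.reason}\n    {f.line}')
    print({n: c for n, c in process_counts(SAMPLE_LOG).items() if c > 1})
```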
 

clpeters23

Originally Posted by strange_wings

Hey, you didn't happen to buy your PC from a Best Buy did you? (no, the report doesn't suggest that)

I have no clue what rPsooXa.exe is. Does anyone else?

Other than that - do you use NetZero? If not, that report says you have a lot of stuff installed from it. Then there are three toolbars: from NetZero, Ask, and Google - plus some Google updater?

Norton - there's one of your problems. It's not the best antivirus.
Am I seeing two spyware scanners?

Digital Line Detect is preinstalled Dell junk. Rather unneeded.

Looking at a lot of that, and at how much is running at once: if you're experiencing slowdown, that's why.
I bought the PC from Dell direct.
I do use Netzero as my ISP
What should I use instead of Norton?
Thanks
 

clpeters23

Originally Posted by coaster

This is what I found suspicious on just scanning through:

C:\WINDOWS\RTHDCPL.EXE - non-OS executables don't run from the Windows folder

C:\Documents and Settings\Cathy\Application Data\Microsoft\rPsooXa.exe
O4 - HKCU\..\Run: [] C:\Documents and Settings\Cathy\Application Data\Microsoft\rPsooXa.exe
This is the most suspicious thing I saw; nothing, and I mean I have never seen any executable run from the user's Documents folder.

2 - exec.exe
2 - iexplore.exe
There are two copies of each of these; that's not necessarily a problem, just confirm there were two IE windows open; and I don't know what the other one is, but naming an executable "exec" is sort of unusual.

R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\Program Files\NetZero\SearchEnh1.dll
I started to copy these NetZero things then gave up; there are so many of them. I counted at least three different entities trying to grab some piece of the internet browsing through redirectors, toolbars, whatever. No wonder there are problems.

I found all those proxy overrides disconcerting, but I don't know what kind of internet access is being used, or what kind of home network.

What I'd do:

Download Eset NOD32 AV & F/W - best retail out there IMO and worth $80
Disable network connection
Uninstall NetZero
Uninstall Norton
Search for all instances of files, shortcuts, and Registry entries that match rPsooXa.exe and delete
Install Eset
Reconnect to internet
Say a temporary "no" to everything that wants access except Eset
Update Eset files
Run full virus & spyware scan
Then start teaching your firewall which apps are OK to connect, and just say no to all the rest
Try to eliminate about half of your startup programs; some of them are probably unnecessary or duplicating others.

Just saying, that's what I'd do based on that log. But a better recommendation, and one where you're more likely to get a definitive fix, is to post it on the HijackThis forum.
Netzero's my ISP, so I can't remove it. Should I uninstall and reinstall it?
Thanks
 