Plz Help... So much Spyware

Discussion in 'Malware Help (A Specialist Will Reply)' started by ktiz, Jun 7, 2006.

  1. ktiz

    ktiz Corporal

    There is a ton of spyware and viruses on this computer: pop-ups all the time, and AVG finds new viruses all the time as well. I have run the whole sticky thread and ran into some issues. I can't update Spybot, and I can't use Windows Defender or CounterSpy; neither of them will run. I can't update Windows. Here's what I did:

    Ran CCleaner, Ad-Aware, Spybot, BitDefender, HJT. ActiveScan would not work either. Here are the logs... Please help... Thanks
     

    Attached Files:

  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You have a pile of problems! Just look at all the stuff that BitDefender found too. Where have you been surfing and what have you been downloading?

    This is going to take some work. I have to tell you up front that you should have had a realtime antispyware blocker and a firewall installed, and much of this probably would have been prevented.

    I also see remnants of Symantec AntiVirus that we will need to remove since you have AVG installed. If you still have Symantec installed, go to Add/Remove Programs and uninstall it now before continuing. Do not reboot if it tells you it needs to! Just continue with the below.

    Also while in Add/Remove Programs uninstall the below if found:
    SysProtect Free
    SurfSideKick 3

    If you find them but they will not uninstall, just continue on because I'm leaving them in manual steps below.

    In the below procedure for Stopping, Disabling, and deleting NT Services, ONLY stop, disable, and delete EXACTLY what I give. If it does not match exactly, don't touch it.

    Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'. On the page that opens, scroll down to aol software (if that is not found, look for the short name: aswUpdSv)... then right click the entry, select 'Properties' and press 'Stop Service'. When it shows that it is stopped, next please set the 'Start-up Type' to 'Disabled'. Press 'OK' until you get back to Windows.

    Now repeat the above stop and disable for the following services:
    Command Service
    Remote Index
    Microsoft Windows Spooler Service
    Windows web messenger

    Next, run HJT, but instead of scanning, click on the "None of the above, just start the program" button at the bottom of the choices. At the lower right, click on the "Config" button, and then the "Misc Tools" button ... select "Delete an NT Service" ... copy/paste the following into the box that opens, and press "OK":

    Aol Software

    Now repeat the Delete NT Service steps for:
    cmdService
    Remote Call Procedure
    Windows Spooler Service
    Windows web messenger

    If you receive any error messages just ignore them and continue.

    Now exit HJT but do not reboot when it tells you it needs to. We will do that further down after running HJT again to fix some other items.

    Make sure viewing of hidden files is enabled (per the tutorial).

    Please run HijackThis and click on the Open the Misc Tools Section button on the open page. Then select Open process manager on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click Kill process. Then click yes.

    C:\WINDOWS\smss.exe
    C:\WINDOWS\RGF2ZSBLZW50\command.exe
    C:\WINDOWS\services.exe
    C:\WINDOWS\Msnweb.exe
    C:\Program Files\SysProtect Free\USYP.exe
    C:\PROGRA~1\COMMON~1\DOBE~1\NTEPAD~1.EXE


    After killing all the above processes, click Back.
    Then please click Scan and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
    O4 - HKLM\..\Run: [newname] C:\\newname25.exe
    O4 - HKLM\..\Run: [NI.USYP_0001_N76M2004] "C:\WINDOWS\Downloaded Program Files\USYP_0001_N76M2004NetInstaller.exe" -nag /BEFOREINSTALL
    O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
    O4 - HKCU\..\Run: [Lsrr] "C:\WINDOWS\SMANTE~1\msiexec.exe" -vt yazr
    O4 - HKCU\..\Run: [Fopoxz] C:\PROGRA~1\COMMON~1\DOBE~1\NTEPAD~1.EXE
    O4 - HKCU\..\Run: [SysProtect Free] "C:\Program Files\SysProtect Free\USYP.exe" /min
    O16 - DPF: {A1426AC5-8CE5-4A00-B71E-011D35709AC6} - http://advnt01.com/dialer/int_ver34.CAB
    O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - http://locator1.cdn.imagesrvr.com/sites/sysprotect.com/scanner/pages/scanner/SysProtectScannerInstall.cab
    O20 - AppInit_DLLs: repairs303169590.dll,alg.dll
    O20 - Winlogon Notify: Controls Folder - C:\WINDOWS\system32\wrpcd.dll (file missing)
    O20 - Winlogon Notify: StillImage - C:\WINDOWS\system32\kt2ql7f51.dll (file missing)
    O20 - Winlogon Notify: WebCheck - C:\WINDOWS\system32\muidntld.dll

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\Program Files\SysProtect Free <--- the whole folder
    C:\Program Files\SurfSideKick 3 <--- the whole folder
    C:\WINDOWS\RGF2ZSBLZW50 <--- the whole folder
    C:\WINDOWS\Temp <--- delete all files in this Temp folder. About 2 or 3 of them may be refused because Windows is using them.
    C:\WINDOWS\smss.exe
    C:\WINDOWS\msexplore.exe
    C:\WINDOWS\services.exe
    C:\WINDOWS\Msnweb.exe
    C:\WINDOWS\system32\wrpcd.dll
    C:\WINDOWS\system32\muidntld.dll
    C:\WINDOWS\system32\repairs303169590.dll
    C:\WINDOWS\system32\alg.dll
    C:\newname25.exe
    C:\keyboard25.exe
    C:\mousepad25.exe

    Additional step to delete files in the Downloaded Program Files folder:
    - Click Start, Run, enter cmd in the box and click OK. This opens a command prompt window.
    - Enter the following command lines, each followed by the Enter key:
    cd C:\WINDOWS\Downloaded Program Files\
    attrib -r -h -s USYP_0001_N76M2004NetInstaller.exe
    del USYP_0001_N76M2004NetInstaller.exe
    exit

    If you get an error when deleting a file, right-click on the file and check to see if the read-only attribute is checked. If it is, uncheck it and try again. Otherwise, open Task Manager and kill the process if it is running, then delete the file.

    Now, if running Win XP, go to C:\WINDOWS\Prefetch and delete all files in this folder.
    Now run CCleaner (installed while running the READ ME FIRST).

    Now we need to Reset Web Settings:
    1. If you have an Internet Explorer icon on your Desktop, goto step 2. If not, skip to step 3.
    2. Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3. If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.
    Now reboot in normal mode and continue.

    Now let's work on your Virtumonde infection. Run the below procedure and then attach the VundoFix log.

    Virtumonde aka Trojan Vundo Removal


    Now attach a new HJT log and the VundoFix log and tell me how all these steps went.

    Also, make sure you tell me how things are working now.

    Reminder Note: Once we have determined you are malware free, you will need to disable System Restore, reboot, and re-enable System Restore per step 1 of the READ & RUN ME. This only applies if using WinXP or WinMe.
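    The stop/disable/delete service, kill process and delete file steps above, as one script. This is an added example, not part of chaslang's post or of HijackThis; it assumes an elevated PowerShell prompt on the affected machine (the box in this thread is XP, where you would do the same thing through services.msc, HJT and cmd.exe as described). The service, process and file names are the ones listed in the post; the same Disable-AndDeleteService function covers the Symantec AntiVirus Client / Norton AntiVirus Server and DefWatch services dealt with later in the thread.

```powershell
# Added example: scripted equivalent of the manual cleanup steps in the post.
# Run from an elevated PowerShell prompt. Anything not found is reported and skipped.

# Services to stop, disable and unregister. HJT wants the short service name,
# services.msc shows the display name; either form is accepted below.
$badServices = @(
    'aswUpdSv',                          # shown as "aol software"
    'cmdService',                        # shown as "Command Service"
    'Remote Index', 'Remote Call Procedure',
    'Microsoft Windows Spooler Service', 'Windows Spooler Service',
    'Windows web messenger'
)

# Processes to kill, by full path. Matching on the path matters: the real
# smss.exe and services.exe live in %SystemRoot%\system32, the copies in the
# HJT log sit in %SystemRoot% itself.
$badProcesses = @(
    'C:\WINDOWS\smss.exe', 'C:\WINDOWS\RGF2ZSBLZW50\command.exe',
    'C:\WINDOWS\services.exe', 'C:\WINDOWS\Msnweb.exe',
    'C:\Program Files\SysProtect Free\USYP.exe',
    'C:\PROGRA~1\COMMON~1\DOBE~1\NTEPAD~1.EXE'
)

# Files and folders to delete, including the Downloaded Program Files item
# that needed attrib -r -h -s first. alg.dll only; alg.exe is legitimate.
$badPaths = @(
    'C:\Program Files\SysProtect Free', 'C:\Program Files\SurfSideKick 3',
    'C:\WINDOWS\RGF2ZSBLZW50',
    'C:\WINDOWS\smss.exe', 'C:\WINDOWS\msexplore.exe',
    'C:\WINDOWS\services.exe', 'C:\WINDOWS\Msnweb.exe',
    'C:\WINDOWS\system32\wrpcd.dll', 'C:\WINDOWS\system32\muidntld.dll',
    'C:\WINDOWS\system32\repairs303169590.dll', 'C:\WINDOWS\system32\alg.dll',
    'C:\newname25.exe', 'C:\keyboard25.exe', 'C:\mousepad25.exe',
    'C:\WINDOWS\Downloaded Program Files\USYP_0001_N76M2004NetInstaller.exe'
)

function Resolve-Service([string]$NameOrDisplay) {
    $svc = Get-Service -Name $NameOrDisplay -ErrorAction SilentlyContinue
    if (-not $svc) { $svc = Get-Service -DisplayName $NameOrDisplay -ErrorAction SilentlyContinue }
    return $svc
}

function Disable-AndDeleteService([string]$Target) {
    $svc = Resolve-Service $Target
    if (-not $svc) { Write-Host "service not present, skipping: $Target"; return }
    # A greyed-out Stop button in services.msc means the service does not accept
    # the stop control; Stop-Service fails the same way. That is fine: Disabled
    # start type plus the delete below still take effect at the next reboot.
    Stop-Service -Name $svc.Name -Force -ErrorAction SilentlyContinue
    Set-Service  -Name $svc.Name -StartupType Disabled
    # Same as HJT's "Delete an NT Service". A still-running service is marked
    # for deletion and disappears after reboot.
    & sc.exe delete $svc.Name | Out-Null
    Write-Host "stopped/disabled/marked for deletion: $($svc.Name) ($($svc.DisplayName))"
}

function Stop-ProcessByPath([string]$Path) {
    # Get-Item expands 8.3 names such as C:\PROGRA~1\... to the long form that
    # Process.Path reports, so both spellings compare correctly.
    $full = (Get-Item -LiteralPath $Path -Force -ErrorAction SilentlyContinue).FullName
    if (-not $full) { return }
    Get-Process | Where-Object { $_.Path -and ($_.Path -ieq $full) } |
        ForEach-Object { Write-Host "killing PID $($_.Id): $full"; Stop-Process -Id $_.Id -Force }
}

function Remove-PathForce([string]$Path) {
    $item = Get-Item -LiteralPath $Path -Force -ErrorAction SilentlyContinue
    if (-not $item) { Write-Host "not present: $Path"; return }
    # Equivalent of 'attrib -r -h -s': clear the bits that make the delete refuse.
    $mask = [int]([IO.FileAttributes]::ReadOnly -bor [IO.FileAttributes]::Hidden -bor [IO.FileAttributes]::System)
    $item.Attributes = [IO.FileAttributes]([int]$item.Attributes -band -bnot $mask)
    Remove-Item -LiteralPath $item.FullName -Recurse -Force -ErrorAction SilentlyContinue
    if (Test-Path -LiteralPath $item.FullName) { Write-Host "still present (in use?): $($item.FullName)" }
}

$badServices  | ForEach-Object { Disable-AndDeleteService $_ }
$badProcesses | ForEach-Object { Stop-ProcessByPath $_ }
$badPaths     | ForEach-Object { Remove-PathForce $_ }

# Temp and Prefetch: delete what is not locked; the two or three files Windows
# has open will refuse, as the post says.
Remove-Item -Path 'C:\WINDOWS\Temp\*'     -Recurse -Force -ErrorAction SilentlyContinue
Remove-Item -Path 'C:\WINDOWS\Prefetch\*' -Force -ErrorAction SilentlyContinue
```

    Kill the processes before deleting the files, as the post does; a running executable cannot be deleted, and a service that will not stop is why the script falls back to marking it Disabled and deleting its registration for the next reboot. Reboot afterwards and re-check with a fresh HJT log, since the persistence entries fixed in HJT and the files deleted here are two separate things.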
     
  3. ktiz

    ktiz Corporal

    Haha, I will start that.... it's not my computer, just to let you know... but thanks, I'll do that, then I'll let you know.. Thanks
     
  4. ktiz

    ktiz Corporal

    Also, I can't uninstall Symantec because it is password protected and they forgot the password :confused:. Is there a way to disable it and not let it run? Also, when I was disabling the services I could not stop "aol, microsoft spooler, or messenger" because that option was greyed out on all of them. I am now going to boot in safe mode and continue on. My next post will have the new HJT.
     
  5. ktiz

    ktiz Corporal

    Well, I thought it would be an HJT, but I booted in safe mode through boot.ini and there is a username and password that is different than the regular Windows one, and the owner doesn't know the password. Is there a way I can boot in regular mode now? Or do I need that password???
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You say "owner"! Where did the "owner" get this PC from? It sounds like it belongs to someone else or is a company PC. If the owner does not have the Administrator password or privileges and also does not have the password needed to uninstall Symantec, it would appear that he is not the real owner. When you boot into safe mode, only accounts that are admins will show. And yes, the account with the name Administrator appears only in safe mode. It is the original default Windows Administrator account created when Windows is installed. Sometimes people do not set the password for it (bad idea) and it would just be blank.
     
  7. ktiz

    ktiz Corporal

    They got the computer from a friend of theirs who doesn't remember that password. :eek: So I dunno what to do. I can't get out of safe mode. What's next?
     
  8. ktiz

    ktiz Corporal

    Please.... :confused:
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You can try fixing things in normal boot mode but you are going to have problems in the long run without knowing the Administrator Password. And not knowing the Symantec software password will eventually be a problem for them too.

    Your options:

    1) format and reinstall

    2) make a bootable CD using a utility like the below discusses and use it to erase/blank the Windows administrator password. This will not resolve the issue with not knowing the Symantec password:

    http://home.eunet.no/~pnordahl/ntpasswd/
     
  10. ktiz

    ktiz Corporal

    Finally got things working again.... Thanks.

    Things went ok for the most part... some files weren't there so they couldn't be deleted. There are still quite a few pop ups coming up but not nearly as many. Here are the log files...
     

    Attached Files:

  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You still have the AppInit_DLL entry

    O20 - AppInit_DLLs: alg.dll

    Did you find the C:\WINDOWS\system32\alg.dll file, and did you delete it? Do not confuse it with alg.exe.

    Also another new item showed up that we need to fix.
    O20 - Winlogon Notify: Setup - C:\WINDOWS\system32\nyptools.dll

    What happens if you simply have HJT fix the below two lines?
    O20 - AppInit_DLLs: alg.dll
    O20 - Winlogon Notify: Setup - C:\WINDOWS\system32\nyptools.dll

    How are things running right now?
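    The O20 lines HJT keeps reporting (AppInit_DLLs and Winlogon Notify) come from two well-known registry locations. The script below, an added example and not part of this post or of HijackThis, reads those locations directly, flags DLLs that no longer exist on disk (what HJT prints as "(file missing)"), and can clear exactly those orphaned entries the way "have HJT fix it" would. It assumes an elevated PowerShell prompt on the machine being cleaned; the key paths are the standard ones, and the bare-filename resolution against system32 mirrors how the loader finds them.

```powershell
# Added example: audit and clean AppInit_DLLs and Winlogon Notify entries.
# Read-only unless Remove-MissingO20 is called. Run elevated.

$winKey    = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
$notifyKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
$system32  = Join-Path $env:SystemRoot 'system32'

function Resolve-DllPath([string]$Dll) {
    # Both locations may hold a bare file name; the loader searches system32
    # for those, so resolve the same way before checking for the file.
    if ([IO.Path]::IsPathRooted($Dll)) { return $Dll }
    return Join-Path $system32 $Dll
}

function Get-AppInitDlls {
    $raw = (Get-ItemProperty -Path $winKey -Name AppInit_DLLs -ErrorAction SilentlyContinue).AppInit_DLLs
    if (-not $raw) { return @() }
    # Single REG_SZ value; entries separated by commas or spaces
    # (e.g. "repairs303169590.dll,alg.dll" earlier in this thread).
    $raw -split '[,\s]+' | Where-Object { $_ } | ForEach-Object {
        $p = Resolve-DllPath $_
        [pscustomobject]@{ Source = 'AppInit_DLLs'; Subkey = ''; Entry = $_
                           Path = $p; Exists = (Test-Path -LiteralPath $p) }
    }
}

function Get-WinlogonNotify {
    # Each subkey names a notification package; DllName is the DLL winlogon loads.
    Get-ChildItem -Path $notifyKey -ErrorAction SilentlyContinue | ForEach-Object {
        $dll = (Get-ItemProperty -Path $_.PSPath -Name DllName -ErrorAction SilentlyContinue).DllName
        if ($dll) {
            $p = Resolve-DllPath $dll
            [pscustomobject]@{ Source = 'Winlogon Notify'; Subkey = $_.PSChildName; Entry = $dll
                               Path = $p; Exists = (Test-Path -LiteralPath $p) }
        }
    }
}

function Remove-MissingO20 {
    # Drop AppInit_DLLs entries whose DLL is gone and delete Notify subkeys whose
    # DLL is gone. Entries whose DLL still exists are left for a human decision:
    # delete the file first (as the post does for muidntld.dll), then rerun.
    $keep = @(Get-AppInitDlls | Where-Object { $_.Exists } | ForEach-Object { $_.Entry })
    Set-ItemProperty -Path $winKey -Name AppInit_DLLs -Value ($keep -join ',')
    Get-WinlogonNotify | Where-Object { -not $_.Exists } | ForEach-Object {
        Write-Host "removing orphaned Notify package: $($_.Subkey) -> $($_.Entry)"
        Remove-Item -Path (Join-Path $notifyKey $_.Subkey) -Recurse -Force
    }
}

# Report first; anything with Exists = False is what HJT shows as "(file missing)".
@(Get-AppInitDlls) + @(Get-WinlogonNotify) | Format-Table Source, Subkey, Entry, Path, Exists -AutoSize
# Remove-MissingO20   # uncomment after reviewing the table
```

    Two caveats. An entry like alg.dll in AppInit_DLLs is loaded into every process that links user32.dll, so the file should be deleted in safe mode before the value is cleared, or the DLL may simply re-add itself; and the real alg.exe (Application Layer Gateway) in system32 is unrelated and must stay. Winlogon Notify packages are an XP/2003 mechanism, and on Windows 7 and later AppInit_DLLs loading is additionally gated by the LoadAppInit_DLLs value under the same key, so on a newer machine an entry here may be present without being active.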
     
  12. ktiz

    ktiz Corporal

    Running much better, however still some pop-ups. Here's a log.
     

    Attached Files:

  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please run the below procedure and attach the requested log:

    Look2Me VX2 Removal


    Then attach a new HJT log too.
     
  14. ktiz

    ktiz Corporal

    So far so good now. :D
     

    Attached Files:

  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Looks clean! Now let's see if we can stop the Symantec stuff from running since you cannot uninstall it.

    Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'. On the page that opens, scroll down to Symantec AntiVirus Client ... then right click the entry, select 'Properties' and press 'Stop Service'. When it shows that it is stopped, next please set the 'Start-up Type' to 'Disabled'. Press 'OK' until you get back to Windows.

    Now repeat the above stop and disable for the following services:
    DefWatch


    Next, run HJT, but instead of scanning, click on the "None of the above, just start the program" button at the bottom of the choices. At the lower right, click on the "Config" button, and then the "Misc Tools" button ... select "Delete an NT Service" ... copy/paste the following into the box that opens, and press "OK":

    Norton AntiVirus Server

    Now repeat the Delete NT Service steps for:
    DefWatch


    If you receive any error messages just ignore them and continue.

    Now exit HJT but do not reboot when it tells you it needs to. We will reboot later.


    Now run HijackThis and fix any of the below lines if they still show:
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
    O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe

    Now exit HJT and reboot.

    After reboot, look for the below folder and see if you can delete it:
    C:\Program Files\SYMANT~1

    Now attach a new HJT log.
     
  16. ktiz

    ktiz Corporal

    OK, I did those steps and ran into a couple of errors. When deleting the NT services, they would not delete because they say they are system critical, and I couldn't find C:\Program Files\SYMANT~1. The rest is good... Thanks! :D
     
  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please complete the instructions I gave to you.
     
  18. ktiz

    ktiz Corporal

    I did those exact steps and was just letting you know what happened :D
     
  19. ktiz

    ktiz Corporal

    Oh, forgot the log... will post.
     
  20. ktiz

    ktiz Corporal

    Here you are... sorry.
     

    Attached Files:

  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your log is clean. If you are not having any other malware problems, it is time to go back to step 1 of the READ & RUN ME to disable System Restore, which will flush your Restore Points. Then reboot and enable System Restore to create a new clean Restore Point.

    After that, you must work through the below link ASAP:

    How to Protect yourself from malware!
     
