Problem with Malware; just can't shift it!

Welcome to Majorgeeks!

You need to follow the directions in step 7 of the READ ME and make sure that you are not using MSconfig to control startups. Please run MSconfig and select Normal Startup. Then attach new logs from GetRunKey and HijackThis. You were hiding a load of stuff we need to see.

You should also goto Add/Remove programs and uninstall the below old version of Sun Java:
Java 2 Runtime Environment Standard Edition v1.3.1_01
Java 2 Runtime Environment, SE v1.4.2_03


Also I have a couple questions!

Is the below really for iRiver? And why is it installed like this to be running from the root folder? And does it need to always load and run at startup?

O4 - HKLM\..\Run: [iRiver Updater] \Updater.exe


Do you recognize the below URL to be valid?
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = stoke.ramesys.com,crick.ramesys.com

 

You attach new logs from GetRunKey and ShowNew. I needed a new log from GetRunKey and HJT so just attach a new HJT log now that msconfig is disable.

If you don't need that URL line for an old job, we will remove it. As for the iRiver update, you don't need to run it. You can get the updates for it manual when desired. We will fix that too later after I get the new HJT log.

 

Start by downloading - - Pocket KillBox

Extract it to its own folder somewhere that you will be able to locate it later.


Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now (some of these may no longer be found if the uninstalls above worked):

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iRiver Updater] \Updater.exe
O4 - HKLM\..\Run: [{2CF0B992-5EEB-4143-99C0-5297EF71F444}] rundll32.exe C:\WINDOWS\System32\stlbdist.DLL,DllRunMain
O4 - HKLM\..\Run: [ydocsm] C:\WINDOWS\System32\ydocsm.exe
O4 - HKLM\..\Run: [RunWindowsUpdate] C:\WINDOWS\uptodate.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [Power Scan] C:\Program Files\Power Scan\powerscan.exe
O4 - HKLM\..\Run: [NastySex] C:\WINDOWS\NastySex.exe -n
O4 - HKLM\..\Run: [msbb] c:\program files\internet optimizer\sim\msbb.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [Dsi] C:\WINDOWS\System32\dp-him.exe
O4 - HKLM\..\Run: [dcxkvsl] C:\WINDOWS\dcxkvsl.exe
O4 - HKLM\..\Run: [ClrSchLoader] C:\Program Files\ClearSearch\Loader.exe
O4 - HKLM\..\Run: [bdit142k] C:\WINDOWS\System32\bdit142k.exe
O4 - HKLM\..\Run: [AZ1jp.exe] C:\documents and settings\helen\local settings\temp\AZ1jp.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [Adult_Chat] C:\WINDOWS\Adult_Chat.exe -n
O4 - HKLM\..\Run: [5SCG53R3BYJFJW] C:\WINDOWS\System32\Sfr88l14.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = stoke.ramesys.com,crick.ramesys.com

After clicking Fix, exit HJT.

Now run Pocket Killbox by doubleclicking on killbox.exe
Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
Then after it deletes the files click the Exit (Save Settings) button.
NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

Select:

• Delete on Reboot
• then Click on the All Files button.
• Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

C:\WINDOWS\System32\stlbdist.DLL
C:\WINDOWS\System32\ydocsm.exe
C:\WINDOWS\uptodate.exe
C:\Program Files\Power Scan\powerscan.exe
C:\WINDOWS\NastySex.exe
c:\program files\internet optimizer\sim\msbb.exe
C:\Program Files\ISTsvc\istsvc.exe
C:\Program Files\Internet Optimizer\optimize.exe
C:\WINDOWS\System32\dp-him.exe
C:\WINDOWS\dcxkvsl.exe
C:\Program Files\ClearSearch\Loader.exe
C:\WINDOWS\System32\bdit142k.exe
C:\documents and settings\helen\local settings\temp\AZ1jp.exe
C:\Program Files\AutoUpdate\AutoUpdate.exe
C:\WINDOWS\Adult_Chat.exe
C:\WINDOWS\System32\Sfr88l14.exe

• Return to Killbox, go to the File menu, and choose Paste from Clipboard.
• Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt.

If you receive a PendingFileRenameOperations prompt, just click OK to continue (But please let me know if you receive this message!).
If Killbox does not reboot just reboot your PC yourself.

After reboot locate the below folders and delete them if found:
C:\Program Files\Power Scan
c:\program files\internet optimizer
C:\Program Files\ISTsvc
C:\Program Files\ClearSearch
C:\Program Files\AutoUpdate

Also delete all files in the below folders except ones from the current date (Windows will not let you delete the files from the current day).
C:\WINDOWS\TEMP\
C:\Documents and Settings\John\Local Settings\Temp\

Now attach a new HJT log and tell me how the steps went.

Also attach a new logs from ShowNew and GetRunKey.

Make sure you tell me how things are working now!

 

Let's see if a one at a time copy and past works. You may have a problem with copy and paste and may need to use the browse function in Killbox to locate each file one at a time.

Now run Pocket Killbox by doubleclicking on killbox.exe
Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
Then after it deletes the files click the Exit (Save Settings) button.
Now back on Killbox's main window, Paste the below filenames into KILL BOX one at a time. Check mark the box that says "Delete on Reboot" and checkmark the box "Unregister DLL" (If available) Click the RED X and it will ask you to confirm the file for deletion…say YES and when the next box opens prompting you to reboot now...click NO...and proceed with the next file. Once you get to the last one click YES and it will reboot. Note some of the files listed below may not exist but we need to check for them anyway.

C:\WINDOWS\System32\stlbdist.DLL
C:\WINDOWS\System32\ydocsm.exe
C:\WINDOWS\uptodate.exe
C:\Program Files\Power Scan\powerscan.exe
C:\WINDOWS\NastySex.exe
c:\program files\internet optimizer\sim\msbb.exe
C:\Program Files\ISTsvc\istsvc.exe
C:\Program Files\Internet Optimizer\optimize.exe
C:\WINDOWS\System32\dp-him.exe
C:\WINDOWS\dcxkvsl.exe
C:\Program Files\ClearSearch\Loader.exe
C:\WINDOWS\System32\bdit142k.exe
C:\documents and settings\helen\local settings\temp\AZ1jp.exe
C:\Program Files\AutoUpdate\AutoUpdate.exe
C:\WINDOWS\Adult_Chat.exe
C:\WINDOWS\System32\Sfr88l14.exe


If Killbox does not reboot or if you get a Pending Operations type error message just click OK to continue and then just reboot your PC yourself.

Then continue as instructed in my previous message.

 

Remain in normal startup! But you are not in Normal Startup anyway. You have 3 services unchecked from loading at startup (they look like things related to Symantec Proxy Service, Norton Internet Security Stats, and Norton Firewall ). Even though it may look like MSconfig is in Normal Startup mode these registry entries indicate those services are unchecked.

Why do you want to use MSconfig? Exactly what is it that you do not want to run at startup. MSconfig is not supposed to be used for permanent disabling. It is meant only as a temporary debugging tool! If you don't use software, uninstall it. If you don't want or need it to load at startup, configure the program not to load at startup. If it does not provide an option to not load at startup, then you can use HJT to remove the registry key from the startups.

A tool like this Startup CPL should be used to control startups otherwise.

Are your copies of Spyware Doctor and Ewido free trials or paid version? You should not keep Spyware Doctor, Ewido, and Windows Defender all installed. Only one should be used.

Your logs are clean! You need to tell me how things are running now.

 

Well did you fix what I was saying now?

The Received time is when your ISP received them. You need to find out when they are sent. You need a more detail mail header report. A spammer could just be sending your spam and they could even spoof (fake) your IP address. Did your ISP actually have an experience person check to make sure that your address is not being spoofed.

Do you have other user accounts, are they all having this problem?
If you do not have another user account, can you create one and give it a mail address and see if it gets spammed.

No to part 1? And no the check don't look for corrupt DLLs. They look for malware.

 

I don't really use Outlook so I'm not sure. But you would need to have more experience at doing this tracing. Just looking at expanded header info is not suich an easy thing to do. DID YOU ask your ISP to check to see if your address is being spoofed.

Your account is the email address that is known to the spammer. Thus they are spamming you. They don't have the address in your email address book, they have yours.

But my question is, are any of the other user accounts on this PC being spammed. If not, and also based on the fact that you say others in your domain are being spammed, it sounds to me like your problem is from an external spammer and not a problem local to your PC. This is not anything out the normal for spammers. Once you are on one list, you get on dozens of more lists. And if you ever respond to one their emails or click a link that tells you click this to remove from our list, you just confirmed your email address is valid and got yourself added to more lists.

 

Can you create a new user email account to your ISP? Usually they allow you to have 5 to 6 email addresses that the main account (I assume this would be your account) can set up. If you setup a new account, obviously no one would have the email address yet since it is new. Thus it could not be on any spammer lists yet. If it starts having the same problems right away, then your PC could definitely be infected. But the downside of this is that, if it does not have the same problem, it does not prove that your original account is not infected. If only would mean at the higher level (the PC level) there is no infection but a particular user account could be infected. But based on what I saw in your logs, you are not infected. Your address is just known to spammers. A solution for this would be to actually change the user account email handle to a new name. Then no one would have it. Then do not use this account on any questionable sites and do not give it to anyone unless you trust them with your email address. Friends who are careless in protecting their own PCs could easily have their email address books stolen. This can get anyone in their address book added to spam lists.