Well, I don't know what I have going on here....

If you have run ALL the steps from Sticky thread READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal and you still have a problem, do the below.

Make sure you have HJT Version 1.98.2 and follow the guidelines on where to install it and how to post a log as an attachment. This is all covered in the sticky thread NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting

Now post a HijackThis as a .txt file attachment to your message. All running programs should be closed, including your web browser, e-mail. Close before running Hijack This!

To repeat: Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file. Place it in its own folder, for example C:\Program Files\HJT

 

Okay so follow the steps of my previous message.

 

Please remember that no browsers should be running anytime you are using HijackThis. You had IE running:
C:\Program Files\Internet Explorer\iexplore.exe

Is there a reason you did not run the Symantec online scan?

 

ake sure you have system restore disabled and viewing of hidden files enabled.

Please bring up Task Manager by hitting CTRL-ALT-DEL and click the Processes tab. Find the below processes and End them:
AutoUpdate.exe
caclogon.exe
sfcrib.exe
CxtPls.exe


Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\Program Files\CxtPls\cxtpls.dll
O2 - BHO: SDWin32 Class - {16774354-00A1-47F9-95DA-20927C3B2884} - C:\WINDOWS\System32\xjfot.dll (file missing)
O2 - BHO: (no name) - {18896729-C131-73B5-8251-115505F82C11} - C:\WINDOWS\System32\tykrk.dll (file missing)

O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBouncer\VirtualBouncer.exe
O4 - HKLM\..\Run: [satmat] C:\WINDOWS\satmat.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [q3oh34e] sfcrib.exe
O4 - HKCU\..\Run: [Hza] C:\WINDOWS\System32\w?nlogon.exe
O4 - HKCU\..\Run: [b07nRQKpT] caclogon.exe
O4 - HKCU\..\Run: [Tsa2] C:\PROGRA~1\COMMON~1\tsa\tsm2.exe
O15 - Trusted Zone: *.db105.com
O15 - Trusted Zone: *.windupdates.com
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} - https://components.viewpoint.com/MTSInstallers/MetaStream3.cab?url=http://www.viewpoint.com/cgi-bin/installer.v3/vet_install_popup.pl?1&4&04.00.07.02&unknown&unknown&http://www.toyota.com/images/vehicles/prius/prius_3d/3d_hsd/pc/index.html
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX/kdx.cab


Boot into safe mode and use Windows Explorer to delete:
C:\Program Files\AutoUpdate <--- the whole directory
C:\Program Files\VBouncer <--- the whole directory
C:\Program Files\CxtPls <--- the whole directory
C:\Program Files\Common Files\tsa <--- the whole directory
C:\WINDOWS\System32\caclogon.exe
C:\WINDOWS\System32\sfcrib.exe
C:\WINDOWS\satmat.exe


Now reboot in normal mode and post a new HJT log. And tell us how things are working.


The below lines seem a little strange for Norton Antivirus. I'm not sure what they are yet. Seems strange that the O4 line loads 1544.exe but 1545.exe is found running. So leave them be for now.

E:\Program Files\Norton AntiVirus\1544\1545.exe
O4 - HKLM\..\Run: [Seti] E:\Program Files\Norton AntiVirus\1544\1544.exe

 

Yes! You missed a step. Are you sure the browser was closed? Minimized would still be running.

 

Okay! Complete the items I gave you in message # 8. I'll be back later.

 

Okay! That log looks good! How are things working?