[SOLVED?] please help with malware infestation, hjt log

My daughter’s laptop (WinXP Media Center edition, SP3; 1.6 GHz, 1 GB RAM, 105 GB HDD; PC-Cillin Internet Security*, SUPER AntiSpyware, Spyware Blaster, CCleaner), started malfunctioning yesterday. A toolbar she didn’t recognize had appeard in ie and any attempt to visit her usual websites was redirected. Her computer also kept freezing at apparently random times, and task manager did not work. Her first thought was virus or spyware, so she tried to run scans with PC-Cillin and SAS, but PC-Cillin wouldn’t scan and SAS wouldn’t even open. She also was had a red circle with a big “X” in her system tray, with an info balloon that said Windows had detected spyware, click here to download antispyware, etc. She also gets a dialog box titled “sh.loader” with the message “failed to extract dump” every time myspace IM attempts to launch, which is every time the computer starts up–she says it never did that before.

I was unable to scan with SAS even in safe mode, but I managed to install and scan with a recent copy of MBAM (in safe mode), which I had on a USB stick. It found and removed a trojan downloader and a few lesser threats. The fake antispyware download request was still there when I returned to normal mode, and SAS still would not open. I then installed Spyware Terminator (in safe mode–it wouldn’t install in normal mode), scanned in safe mode, and was able to remove KGBkeylogger. The scan log noted that only parts of the keylogger were there and it had possibly been partially removed. SAS will now scan, and removed a few more things. The fake antispyware “ballon” with its red x’ed circle no longer appears, but the sh.loader dialog box still appears. (I rebooted between scans.)

A friend suggested running RogueRemover (which found nothing) and VundoFix (which also found nothing).

The computer works almost normally now, but still freezes occasionally, security programs (except Spyware Terminator) are unable to access the internet to update, and attempts to visit security-related websites result in “Internet Explorer cannot display the webpage;” also, attempts to visit other websites are redirected, usually to fake antispyware pages.

I apologize for the length of this post, but I will be going to work for a few hours and wanted to include everything. Her HJT log is attached.

Thanks in advance for any helpful replies.

P.S. I have downloaded avast! install and update files, and looked up PC-Cillin removal instructions in preparation for a much-needed change. My daughter’s father had purchased a 2-year subscription nearly two years ago when he gave her the laptop as a gift, and she didn’t want to switch to avast! until the subscription ran out. She will be switching ASAP.

Unknown Fix
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

Suspect/Nasty Fix
O20 - AppInit_DLLs: karna.dat

Is this an activeX control you installed (if not fix, if needed the activeX control would be reinstalled the next time you visit the site) ?

O16 - DPF: {EA6246B4-F380-443F-8727-9AEA3371146C} (CPlayFirstWeddingDashControl Object) - http://www.shockwave.com/content/weddingdash/sis/WeddingDash.1.0.0.47.cab

O16 - DPF: {D71F9A27-723E-4B8B-B428-B725E47CBA3E} (Imikimi_activex_plugin Control) - http://imikimi.com/download/imikimi_plugin_0.5.1.cab

O16 - DPF: {21BB8360-F943-447E-98F3-3C22345375A7} (CPlayFirstChocolatierControl Object) - http://www.shockwave.com/content/chocolatier/sis/ChocolatierWeb.1.0.0.13.cab

O16 - DPF: {5D637FAD-E202-48D1-8F18-5B9C459BD1E3} (Image Uploader Control) - http://www.fubar.com/imgs/ImageUploader5.cab

Other than that I don’t see anything obvious, though there are many who would consider viewpoint stuff undesirable.
http://www.pcpitstop.com/libraries/process/i/ViewpointService.exe.html
http://www.bleepingcomputer.com/forums/topic120989.html.

:slight_smile: Hi :

Since your daughter’s Log indicates she has Spybot, I recommend you ask
their “Malware Removal Specialists” for help on their Support Forums at
http://forums.spybot.info .

Hi DavidR,

Why viewpoint probably undesirable?This adware it is changing the default search page in a browser, enough according to me to not want this questionable software on a computer,

polonus

Karna.dat is indicative of the kenny/facebook malware

Thanks, DavidR. I’m printing your reply so I’ll have a handy reference while I work. I’ll post back with results.

David, Polonus–I’ll ask her if the ‘viewpoint stuff’ is something she thinks is supposed to be there. Either way, I think it won’t be there much longer. :wink:

Essexboy, thanks for the additional info. Kenny/facebook malware makes sense, considering her internet habits.

Incidentally, my daughter doesn’t actually ‘have’ Spybot. I installed it today hoping for some additional removal, but it says it won’t run unless it is updated, and it is unable to update.

Terry

Because it is meant to be a legitimate program that comes packaged with some software that the user has effectively agreed to be on their system.

Viewpoint Media Player is a web browser plug-in that enables users to view 3D content and other media. It is bundled with AOL, AIM, versions of Netscape, certain Adobe products and sometimes not mentioned in the license agreement. Viewpoint is also bundled with Adobe Atmosphere and hardware manufacturers pre-install some of these applications.

Personally I wouldn’t have it on my system, that is a choice for the user, but in the greater scheme of things it is way down and probly not implicated in the more serious problem ‘malware infestation.’ Nor did viewpoint get taken out by MBAM or rogueremover, etc.

Hi t l s,

Considering: O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
Winsock Hijacker At times I’ve seen this has been a bad thing
Download this free program, lspfix, to fix this from here: http://www.cexx.org/lspfix.htm
Here you can establish whether your version of nwprovau.dll is malware:
http://www.spywaredata.com/spyware/malware/nwprovau.dll.php
Before making the fix, upload your version of nwprovau.dll to virustotal com

And indeed O20 - AppInit_DLLs: karna.dat Extremely nasty
For removal instructions see here:
http://www.bleepingcomputer.com/startups/karna.dat-24101.html

Also scan with MBAM from here: http://www.besttechie.net/tools/mbam-setup.exe
Double Click mbam-setup.exe to install the application.
Make sure a checkmark is placed next to Update Malwarebytes’ Anti-Malware and Launch Malwarebytes’ Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select “Perform Full Scan”, then click Scan.
The scan may take some time to finish, so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.

Copy and Paste and attach the entire Malwarebytes’ Anti-Malware report to your next reply along with a fresh HijackThis log.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.

If you encounter this message:“c:\program files\malwarebytes’ Anti-Malware\mbamext.dll Unable to register the dll/ocx: RegSvr32 failed with exit code 0x5” Click on ignore mbamext.dll

polonus

There are some that say it is a legit file so care needs to be exercised, as suggested virustotal, check if the associated program is present, etc.

http://www.pchell.com/support/nwprovau_dll_file.shtml

The file nwprovau.dll is a legitimate file installed by Client Service for NetWare. Its usually installed for the IPX/SPX protocol that is rarely used anymore. This is why it doesn't show up in EVERY hijackthis log file. However, the question remains: is the file needed if Client Service for Netware is not running on the computer? In my testing, the entry in the Hijackthis log is not needed if you are not using Netware and the IPX/SPX protocol is not installed on your computer. Since most networks now have standardized on using the TCP/IP protocol, this shouldn't be a problem if its removed.

And http://www.bleepingcomputer.com/startups/nwprovau.dll-13129.html and http://www.castlecops.com/lsp-255.html.

Hi DavidR,

We try to establish the file is legit or not, a fix of Winsock LSp can be necessary in view of the update problems encountered. I would not say this file could NOT be totally legit, that is why I gave the links to assure that once and for all, but I want to make absolutely certain the file on that machine there is the legit version,

polonus

P.S. T L S should fully understand what she is doing there, so she can make a well documented decision,

Damian

Again, thank you! It seems to be getting better, but there is obviously more to be done. The computer seems to have stopped freezing, but I still can’t update and can’t access security related websites. So I’m printing instructions, following links, reading information…but it’s past my bedtime now, and I’ll be at work tomorrow. But I’ll be back.

Terry

You can try a rescue CD, i posted some rescue cd’s in the forum. Rescue CD’s scans windows like in boot mode, so the virus is fully detected and fixed.

here is the link to the post
http://forum.avast.com/index.php?topic=39521.0

Take care!

You’re welcome.

If you are having problems accessing security sites it is possible the HOSTS file has been modified to block this.

HOSTS file redirect - 127.0.0.1 check your HOSTS file using notepad or a text editor of your choice (and report the findings), C:\WINDOWS\system32\drivers\etc\hosts or do a search for HOSTS to find it if not there. http://en.wikipedia.org/wiki/Hosts_file

After I posted last, I uninstalled my daughter’s now crippled internet security app according to the instructions I found on their website, booted, and installed avast, then updated offline. After a boot time scan found 15 things to quarantine, I am happy to say I can now access security websites; and everything updates nicely. Three cheers for avast!

I installed and updated the current version of MBAM, which found and removed a few more items. Yes, some of them required a reboot to remove. I am following with another boot time scan to see if anything else has crawled out of the woodwork.

VirusTotal didn’t have anything scary to say about c:\windows\system32\nwprovau.dll.

DavidR, thanks for the HOSTS file reminder–believe it or not, that is one of the first things I checked; nothing was amiss, and I just forgot to mention it.

It’s bedtime again. I’ll post the last MBAM report and a new HJT log tomorrow.

Thanks, guys! You’re the best!
Terry

You’re welcome, looks like a good start.

OK, I’m back. Here are my last two MBAM logs, as well as a fresh HijackThis log, also a copy of my virus chest contents:
(One of the IT guys at work suggested unimmunizing then repeating the MBAM scan in case the computer might have been immunized after some infection, potentially causing removal problems.)

Malwarebytes’ Anti-Malware Logs:

Malwarebytes’ Anti-Malware 1.30
Database version: 1306
Windows 5.1.2600 Service Pack 3

10/22/2008 6:36:22 PM
mbam-log-2008-10-22 (18-36-06).txt

Scan type: Full Scan (C:|)
Objects scanned: 136170
Time elapsed: 42 minute(s), 35 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 11

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata (Trojan.Agent) → No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) → No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) → Data: c:\windows\system32\ → No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) → Data: system32\ → No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\ (Trojan.Agent) → No action taken.
C:\WINDOWS\system32\TDSShrxr.dll (Rootkit.Agent) → No action taken.
C:\WINDOWS\system32\TDSSlxwp.dll (Rootkit.Agent) → No action taken.
C:\WINDOWS\system32\TDSSnmxh.log (Trojan.TDSS) → No action taken.
C:\WINDOWS\system32\TDSSoeqh.log (Trojan.TDSS) → No action taken.
C:\WINDOWS\system32\TDSSoiqh.dll (Rootkit.Agent) → No action taken.
C:\WINDOWS\system32\TDSSoiqt.dll (Rootkit.Agent) → No action taken.
C:\WINDOWS\system32\TDSSrhyp.dll (Rootkit.Agent) → No action taken.
C:\WINDOWS\system32\TDSSrtql.dll (Rootkit.Agent) → No action taken.
C:\WINDOWS\system32\TDSSxfum.dll (Rootkit.Agent) → No action taken.
C:\WINDOWS\system32\drivers\TDSSpqlt.sys (Rootkit.Agent) → No action taken.

Malwarebytes’ Anti-Malware 1.30
Database version: 1310
Windows 5.1.2600 Service Pack 3

10/23/2008 4:59:05 PM
mbam-log-2008-10-23 (16-59-05).txt

Scan type: Full Scan (C:|)
Objects scanned: 136719
Time elapsed: 39 minute(s), 44 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) → Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats{1a26f07f-0d60-4835-91cf-1e1766a0ec56} (Trojan.Agent) → Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

New HijackThis log and contents of avast virus chest (image of virus chest attached)

New HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:27:27 PM, on 10/23/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Dell\QuickSet\Quickset.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\notepad.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.vtisp.com/start
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.vtisp.com/start
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=5061129
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\Quickset.exe
O4 - HKLM..\Run: [SpywareTerminator] “C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe”
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [iTunesHelper] “C:\Program Files\iTunes\iTunesHelper.exe”
O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User ‘SYSTEM’)
O4 - HKUS.DEFAULT..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User ‘Default user’)
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra ‘Tools’ menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra ‘Tools’ menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/FacebookPhotoUploader5.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1168211069062
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\5248\SAService.exe (file missing)
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE


End of file - 7088 bytes

(edit: attached image of avast virus chest contents)

Hi t l s,

The overal HJT log has no more serious hick-ups as far as I can find.
Then I see only one entry here that should rather be restored and not fixed,

O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
Very safe
This entry was classified from our visitors as good, because SiteAdvisor, see:
http://www.castlecops.com/tk28217-SiteAdv_dll_saIE_dll.html

Why that SiteAdvisor was deleted I can only quess.

Furthermore the computer as is shown from the HJT logfile does not have any active software firewall running, a thing which we encounter a lot lately. On certain false grounds people think they do not need an active firewall anymore, but this is putting them at additional risks, because the built-in MS firewall is only partly active by default.
As far as SiteAdvisor there are other alternatives: using scandoo.com as search engine does more or less the same, and there are other browser better add-ons to use like WOT or finjan (IE and/or firefox),

Then on the Trojan agent, Files Infected:
C:\WINDOWS\system32\ (Trojan.Agent) → No action taken.
C:\WINDOWS\system32\TDSShrxr.dll (Rootkit.Agent) → No action taken.
C:\WINDOWS\system32\TDSSlxwp.dll (Rootkit.Agent) → No action taken.
C:\WINDOWS\system32\TDSSnmxh.log (Trojan.TDSS) → No action taken.
C:\WINDOWS\system32\TDSSoeqh.log (Trojan.TDSS) → No action taken.
C:\WINDOWS\system32\TDSSoiqh.dll (Rootkit.Agent) → No action taken.
C:\WINDOWS\system32\TDSSoiqt.dll (Rootkit.Agent) → No action taken.
C:\WINDOWS\system32\TDSSrhyp.dll (Rootkit.Agent) → No action taken.
C:\WINDOWS\system32\TDSSrtql.dll (Rootkit.Agent) → No action taken.
C:\WINDOWS\system32\TDSSxfum.dll (Rootkit.Agent) → No action taken.
C:\WINDOWS\system32\drivers\TDSSpqlt.sys (Rootkit.Agent) → No action taken.

Please read here:
http://www.bleepingcomputer.com/forums/topic175337.html

One or more of the identified infections was related to a rootkit component. Rootkits and backdoor Trojan are very dangerous because they use advanced techniques (backdoors) as a means of accessing a computer system that bypasses security mechanisms and steal sensitive information which they send back to the hacker. Many rootkits can hook into the Windows 32-bit kernel, and patch several APIs to hide new registry keys and files they install. Remote attackers use backdoor Trojans and rootkits as part of an exploit to gain unauthorized access to a computer and take control of it without your knowledge.

If this computer was used for online banking, has credit card information or other sensitive data on it, all passwords should be changed immediately to include those used for banking, email, eBay, paypal and online forums. You should consider them to be compromised. They should be changed by using a different computer and not the infected one. If not, an attacker may get the new passwords and transaction information. Banking and credit card institutions should be notified of the possible security breach. Because your computer was compromised please read
http://www.dslreports.com/faq/10451

Although the rootkit was identified and removed (or in the process of being removed), this PC has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume that because the rootkit has been removed the computer is now secure. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired. The malware may leave so many remnants behind that security tools cannot find them. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:
http://www.dslreports.com/faq/10063
http://www.microsoft.com/technet/community/columns/secmgmt/sm0504.mspx
http://miekiemoes.blogspot.com/2008/06/malware-removal-where-to-draw-line.html

polonus

Thanks, Polonus. SiteAdvisor was deleted to be re-installed. It seemed to be behaving a bit strangely, was often disabled. It seems OK now. The computer had PC-Cillin Internet Security installed, and kept updated, until it stopped working during this mess; so I uninstalled it and installed avast! I will be installing a new software firewall soon, after testing on the remains of a laptop I bought at a yard sale and reconstructed. (That one, too, needs a firewall other than the inadequate Windows “firewall;” I just haven’t had time to take a good look at them. Also, like the infected computer, its most sensitive use is for checking e-mail (Yahoo), so I wasn’t in a hurry. Whatever I install for her must be very user-friendly as well as functional. I will be trying out PC Tools firewall first, based on what I have read as well as the opinions of a few people I know who are using it.

My daughter changed all of her passwords, as soon as we found out her computer was compromised, using my desktop computer. That one is not used for any risky surfing, etc., and is more adequately protected.

We are seriously considering wiping the drive clean, formatting and re-installing XP. Although her computer is not currently used for any critical purposes and contains no sensitive information, that could change in the future. Most of the important contents of this computer, mainly pictures and her music library, were already backed up, in one form or another. The music will take longest to restore, although it wasn’t downloaded, but copied for portability and transfer to her iPod–so she has the originals.

We really appreciate all your help, including the additional information and links you have given.

Hi t l s,

I think your evaluation of the situation is very much like I should have put it. You can postpone the total-recall of that machine to the days where your daughter starts to take after her mum’s excellent security attitudes, and I hope that day will come soon.
On the other hand I think you have grasped a couple of additional insights about what cybersecurity is about, and again I say that you have got what it takes to be a real good malware fighter.
Try to contact this nice Belgian Malware Fighter, the lady is Microsoft-MPV, and she might like to welcome you and train you,
http://miekiemoes.blogspot.com/ & http://support.bluemedicine.be/mybb/user-1.html

polonus (malware-fighter)