Registered User
Join Date: Dec 2008
Posts: 6
OS: XP SP3
IE Popups, system slow, Symantec Fails to Detect Cause
This is a friend's PC. Symantec installed and up-to-date. Ran stinger, spybot, adaware, a-squared, trend micro housecall, panda, etc. System slow, many popups, and I don't recognize anything in task manager. I'm a Unix guy and plead total Windows ignorance - sorry. Installed Sysinternals' process explorer. See the following suspect dlls under system32: nebozege, vulozohu, banijaze, and gizujewo. I uncheck them, reboot, and they're repropagated.
Could sure use some help.
Many thanks.
DDS (Version 1.0) - NTFSx86 NETWORK
Run by HP_Administrator at 22:54:03.68 on Mon 12/01/2008
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.958.608 [GMT -7:00]
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\HP_Administrator\Desktop\dds.com
============== Pseudo HJT Report ===============
uStart Page = hxxp://hsremove.com/done.htm
uSearch Page =
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
uSearch Bar = hxxp://safesearch.cyberdefender.com/smallsearch.html
mDefault_Page_URL =
mDefault_Search_URL =
mSearch Page =
mStart Page = hxxp://hsremove.com/done.htm
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {6e5df8d5-c813-4b1c-aa7a-0db7bd18c847} - c:\windows\system32\banijaze.dll
BHO: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - c:\progra~1\micros~4\office12\GRA8E1~1.DLL
BHO: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre1.5.0_09\bin\ssv.dll
BHO: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - c:\program files\google\googletoolbarnotifier\2.0.301.7164\swg.dll
TB: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
TB: {A26503FE-B3B8-4910-A9DC-9CBD25C6B8D6} - c:\documents and settings\hp_administrator\local settings\application data\cyberdefender\cdmyidd.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
mRun: [nwiz] nwiz.exe /install
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [nwfkslifngfc] c:\windows\system32\regsvr32.exe /s "c:\windows\system32\enyeggxqipffgu.dll"
mRun: [CPM2ace27f6] Rundll32.exe "c:\windows\system32\nebozege.dll",a
mRun: [vapumoluji] Rundll32.exe "c:\windows\system32\vulozohu.dll",s
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\kodake~1.lnk - c:\program files\kodak\kodak easyshare software\bin\EasyShare.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\kodaks~1.lnk - c:\program files\kodak\kodak software updater\7288971\program\Kodak Software Updater.exe
uPolicies-system: DisableTaskMgr = 0 (0x0)
uPolicies-system: DisableRegedit = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_09\bin\ssv.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~4\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~4\office12\GR99D3~1.DLL
Notify: NavLogon - c:\windows\system32\NavLogon.dll
AppInit_DLLs: c:\windows\system32\gisujewo.dll c:\windows\system32\nebozege.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\nebozege.dll
STS: {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\nebozege.dll
SEH: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - c:\progra~1\micros~4\office12\GRA8E1~1.DLL
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, msansspc.dll
LSA: Notification Packages = scecli s t m \ s u w o . d c:\windows\system32\gisujewo.dll
============= SERVICES / DRIVERS ===============
R2 aawservice;Lavasoft Ad-Aware Service;"c:\program files\lavasoft\ad-aware\aawservice.exe" [2008-9-10 611664]
S0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2008-12-1 28544]
S1 SAVRT;SAVRT;\??\c:\program files\symantec antivirus\savrt.sys [2005-8-26 334984]
S1 SAVRTPEL;SAVRTPEL;\??\c:\program files\symantec antivirus\Savrtpel.sys [2005-8-26 53896]
S2 a2free;a-squared Free Service;"c:\program files\a-squared free\a2service.exe" [2008-11-30 419448]
S2 ccEvtMgr;Symantec Event Manager;"c:\program files\common files\symantec shared\ccEvtMgr.exe" [2005-10-4 185968]
S2 ccSetMgr;Symantec Settings Manager;"c:\program files\common files\symantec shared\ccSetMgr.exe" [2005-10-4 177776]
S2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
S2 Symantec AntiVirus;Symantec AntiVirus;"c:\program files\symantec antivirus\Rtvscan.exe" [2005-11-15 1756912]
S2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\viewpoint\common\ViewpointService.exe" [2008-11-20 24652]
S3 ccPwdSvc;Symantec Password Validation;"c:\program files\common files\symantec shared\ccPwdSvc.exe" [2005-10-4 83568]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;\??\c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2008-9-2 99376]
S3 NAVENG;NAVENG;\??\c:\progra~1\common~1\symant~1\virusd~1\20081201.006\naveng.sys [2008-12-1 89104]
S3 NAVEX15;NAVEX15;\??\c:\progra~1\common~1\symant~1\virusd~1\20081201.006\navex15.sys [2008-12-1 876112]
S3 SavRoam;SAVRoam;"c:\program files\symantec antivirus\SavRoam.exe" [2005-11-15 169200]
=============== Created Last 30 ================
2008-12-01 22:41 250 a------- c:\windows\gmer.ini
2008-12-01 21:38 7,168 a------- c:\windows\system32\dllcache\OLD49.tmp
2008-12-01 21:38 66,048 a------- c:\windows\system32\dllcache\s3legacy.dll
2008-12-01 21:37 2,145,280 a------- c:\windows\system32\dllcache\OLD3F.tmp
2008-12-01 21:37 19,968 a------- c:\windows\system32\dllcache\OLD39.tmp
2008-12-01 21:37 7,680 a------- c:\windows\system32\dllcache\OLD36.tmp
2008-12-01 21:37 169,984 a------- c:\windows\system32\dllcache\OLD31.tmp
2008-12-01 21:37 14,336 a------- c:\windows\system32\dllcache\OLD29.tmp
2008-12-01 21:37 5,632 a------- c:\windows\system32\dllcache\OLD2C.tmp
2008-12-01 21:37 6,144 a------- c:\windows\system32\dllcache\OLD24.tmp
2008-12-01 21:37 94,720 a------- c:\windows\system32\dllcache\OLDD.tmp
2008-12-01 20:05 120 ---sh--- c:\windows\system32\isewizis.ini
2008-12-01 18:25 28,544 a------- c:\windows\system32\drivers\pavboot.sys
2008-12-01 18:25 <DIR> --d----- c:\program files\Panda Security
2008-12-01 08:04 120 ---sh--- c:\windows\system32\ewenewop.ini
2008-12-01 03:25 <DIR> --d----- c:\program files\Lavasoft
2008-12-01 03:25 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Lavasoft
2008-12-01 02:53 <DIR> --d----- C:\Autoruns
2008-12-01 02:49 <DIR> --d-h--- c:\windows\PIF
2008-12-01 02:23 75 a------- c:\windows\st_affiliate.ini
2008-12-01 01:55 <DIR> --d----- C:\ProcessExplorerNt
2008-11-30 22:01 <DIR> --d----- c:\documents and settings\hp_administrator\.housecall6.6
2008-11-30 20:26 <DIR> --d----- c:\program files\a-squared Free
2008-11-30 20:07 <DIR> --d----- c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2008-11-30 20:07 <DIR> --d----- c:\program files\File Scanner Library (Spybot - Search & Destroy)
2008-11-30 20:07 <DIR> --d----- c:\program files\TeaTimer (Spybot - Search & Destroy)
2008-11-30 20:07 <DIR> --d----- c:\program files\SDHelper (Spybot - Search & Destroy)
2008-11-30 20:05 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2008-11-30 20:04 1,296,222 a--sh--- c:\windows\system32\ejevevos.ini
2008-11-30 19:05 <DIR> --d----- c:\program files\CCleaner
2008-11-27 09:20 54,156 a---h--- c:\windows\QTFont.qfn
2008-11-27 09:20 1,409 a------- c:\windows\QTFont.for
2008-11-26 23:04 84,310 a------- c:\windows\system32\euqugsjryckwl.dll-uninst.exe
2008-11-13 15:56 <DIR> --d----- c:\windows\system32\scripting
2008-11-13 15:56 <DIR> --d----- c:\windows\l2schemas
2008-11-13 15:56 <DIR> --d----- c:\windows\system32\en
2008-11-13 15:56 <DIR> --d----- c:\windows\system32\bits
2008-11-13 15:53 <DIR> --d----- c:\windows\ServicePackFiles
2008-11-13 15:51 <DIR> --d----- c:\windows\network diagnostic
2008-11-13 15:46 96,640 a------- c:\windows\system32\drivers\b57xp32.sys
2008-11-13 15:46 96,640 a------- c:\windows\system32\dllcache\b57xp32.sys
2008-11-11 13:31 455,296 a------- c:\windows\system32\dllcache\mrxsmb.sys
==================== Find3M ====================
2008-12-01 22:08 <DIR> --d----- c:\program files\Symantec AntiVirus
2008-12-01 20:05 63,540 a--sh--- c:\windows\system32\sirofiru.dll
2008-12-01 20:05 93,236 a--sh--- c:\windows\system32\nebozege.dll
2008-12-01 20:05 86,580 a--sh--- c:\windows\system32\siziwesi.dll
2008-12-01 08:04 97,332 a--sh--- c:\windows\system32\ruvoziyi.dll
2008-12-01 08:04 91,188 -------- c:\windows\system32\powenewe.dll
2008-12-01 03:24 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2008-12-01 02:44 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2008-11-30 21:52 <DIR> --d----- c:\program files\PC-Doctor 5 for Windows
2008-11-20 15:09 <DIR> --d----- c:\program files\Viewpoint
2008-11-20 15:09 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Viewpoint
2008-11-15 11:01 <DIR> --d----- c:\docume~1\hp_adm~1\applic~1\LimeWire
2008-11-15 11:01 <DIR> --d----- c:\program files\LimeWire
2008-11-13 16:02 <DIR> --d----- c:\program files\Messenger
2008-11-13 16:00 92,947 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2008-11-13 15:59 45,056 a------- c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\uninstallui\eHelpSetup.exe
2008-11-13 15:59 341,048 a------- c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\plugin\HPBasicDetection3.dll
2008-11-13 15:59 217,088 a------- c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\plugin\WebHelper.dll
2008-11-13 15:59 163,840 a------- c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\plugin\modemcheck.dll
2008-11-13 15:59 61,440 a------- c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\plugin\modemutil.dll
2008-11-13 15:59 44,032 a------- c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\scripts\devcon.exe
2008-11-13 15:59 40,960 a------- c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\plugin\ScDmi.dll
2008-11-13 15:59 32,768 a------- c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\plugin\uploadHSC.dll
2008-11-13 15:59 32,768 a------- c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\plugin\Scom.dll
2008-11-13 15:52 <DIR> --d----- c:\program files\Windows NT
2008-10-15 09:34 337,408 a------- c:\windows\system32\dllcache\netapi32.dll
2008-09-30 16:43 1,286,152 a------- c:\windows\system32\msxml4.dll
2008-09-15 05:12 1,846,400 a------- c:\windows\system32\win32k.sys
2008-09-15 05:12 1,846,400 a------- c:\windows\system32\dllcache\win32k.sys
2008-09-09 18:14 1,307,648 a------- c:\windows\system32\msxml6.dll
2008-09-09 18:14 1,307,648 a------- c:\windows\system32\dllcache\msxml6.dll
2008-09-08 03:41 333,824 a------- c:\windows\system32\dllcache\srv.sys
2008-09-04 10:15 1,106,944 a------- c:\windows\system32\msxml3.dll
2008-09-04 10:15 1,106,944 a------- c:\windows\system32\dllcache\msxml3.dll
2008-07-29 03:51 <DIR> --d----- c:\docume~1\hp_adm~1\applic~1\MSNInstaller
2008-07-27 03:10 <DIR> --d----- c:\docume~1\hp_adm~1\applic~1\Viewpoint
2008-04-13 15:15 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Napster
2007-10-09 19:22 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Kodak
2007-08-10 16:31 <DIR> --d----- c:\docume~1\hp_adm~1\applic~1\AOL
2007-08-10 16:31 <DIR> --d----- c:\docume~1\hp_adm~1\applic~1\You've Got Pictures Screensaver
2007-08-10 16:30 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Pure Networks
2007-07-31 11:36 <DIR> --d----- c:\docume~1\hp_adm~1\applic~1\Walgreens
2007-06-14 14:52 <DIR> --d----- c:\docume~1\hp_adm~1\applic~1\MySpace
2006-07-11 21:44 <DIR> --d----- c:\docume~1\hp_adm~1\applic~1\HPQ
2006-06-20 18:56 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Symantec
2006-02-16 22:38 <DIR> --d----- c:\docume~1\hp_adm~1\applic~1\Intuit
2006-02-16 22:38 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Intuit
2006-02-16 22:23 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Digital Interactive Systems Corporation
2006-02-16 22:06 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SBSI
2008-09-01 20:06 63,540 a--sh--- c:\windows\system32\banijaze.dll
2008-09-01 20:06 63,540 a--sh--- c:\windows\system32\gisujewo.dll
2008-09-01 20:06 63,540 a--sh--- c:\windows\system32\vulozohu.dll
============= FINISH: 22:54:30.20 ===============
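As an added illustration (not part of the original post, and not something DDS does itself), the following Python script triages lines from the DDS report above with two heuristics a responder would apply: loader hooks (Run keys via Rundll32, AppInit_DLLs, SSODL, STS, Notify, LSA) pointing at system32 DLLs with pronounceable eight-letter names, and files carrying hidden+system attributes in system32. The sample lines are copied from the log above; the name heuristic is an assumption drawn from how every unknown DLL in this log is named, not a rule from the page.

```python
import re
from collections import defaultdict

# Lines copied from the DDS report above (Run keys, loader hooks, Created/Find3M entries).
SAMPLE_LOG = r"""
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [CPM2ace27f6] Rundll32.exe "c:\windows\system32\nebozege.dll",a
mRun: [vapumoluji] Rundll32.exe "c:\windows\system32\vulozohu.dll",s
AppInit_DLLs: c:\windows\system32\gisujewo.dll c:\windows\system32\nebozege.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\nebozege.dll
2008-12-01 20:05 120 ---sh--- c:\windows\system32\isewizis.ini
2008-12-01 20:05 93,236 a--sh--- c:\windows\system32\nebozege.dll
2008-09-01 20:06 63,540 a--sh--- c:\windows\system32\banijaze.dll
2008-10-15 09:34 337,408 a------- c:\windows\system32\dllcache\netapi32.dll
"""

# Heuristic (an assumption, not a DDS rule): eight letters alternating consonant/vowel,
# which is how every unknown DLL in this log is named (nebozege, vulozohu, ...).
CVCV_NAME = re.compile(r"^([bcdfghjklmnpqrstvwxyz][aeiou]){4}$")
SYS32_DLL = re.compile(r"c:\\windows\\system32\\([a-z0-9]+)\.dll", re.I)
HOOKS = ("AppInit_DLLs:", "SSODL:", "STS:", "Notify:", "LSA:")
# Created/Find3M line: date time size attrs path  (attrs look like 'a--sh---')
FILE_LINE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+[\d,]+\s+([a-z-]{8})\s+(.+)$")

def suspicious_name(stem: str) -> bool:
    return bool(CVCV_NAME.match(stem.lower()))

def triage(log_text: str) -> dict:
    # Returns {file name: set of reasons} for entries worth a closer look.
    findings = defaultdict(set)
    for line in log_text.splitlines():
        m = FILE_LINE.match(line)
        if m:
            attrs, path = m.groups()
            if "s" in attrs and "h" in attrs and "\\system32\\" in path.lower():
                name = path.rsplit("\\", 1)[-1].lower()
                findings[name].add("hidden+system attributes in system32")
            continue
        for dll in SYS32_DLL.finditer(line):
            if not suspicious_name(dll.group(1)):
                continue
            name = dll.group(1).lower() + ".dll"
            if line.startswith(HOOKS):
                findings[name].add("loaded via " + line.split(":", 1)[0])
            elif "rundll32" in line.lower():
                findings[name].add("Run key launches it through Rundll32")
    return dict(findings)

REPORT = triage(SAMPLE_LOG)  # e.g. REPORT["gisujewo.dll"] == {"loaded via AppInit_DLLs"}
```

Running it over the full report would also surface the LSA Notification Packages and STS entries, since those prefixes are in HOOKS; the hidden+system check is what catches the .ini companions that the DLL-name rule ignores.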