#1
Registered User
Join Date: Jul 2008
Posts: 17
OS: XP
Need malware removal help
Hello,
For about the last week I have been getting a lot of pop-ups, sometimes several per minute. Spy-bot and Spy Sweeper both identified and removed virtumonde several times, but the pop-ups continued. For the last two days they have not found virtumonde or anything other than cookies - but the popups continue. I also frequently receive warnings from SpyBot about system changes being attempted (even when I'm not downloading anything), and once I got a warning from Symantec that the page I was on (which was my main Yahoo page) had characteristics of a phishing page. I followed the requested five-step process except I was unable to download Panda ActiveScan (I did not receive registration instructions even though I tried it twice with two different e-mail addresses), and I have left Norton, Spy Sweeper, and SpyBot enabled. I have pasted the Deckard's main text below and attached the extra text. Thank you for your help.

Rod Smith

Deckard's System Scanner v20071014.68
Run by Roderick Smith on 2008-07-05 17:21:46
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.

-- Last 5 Restore Point(s) --
87: 2008-07-06 00:22:01 UTC - RP1188 - Deckard's System Scanner Restore Point
86: 2008-07-05 23:54:41 UTC - RP1187 - Software Distribution Service 3.0
85: 2008-07-04 22:44:33 UTC - RP1186 - System Checkpoint
84: 2008-07-03 22:11:39 UTC - RP1185 - System Checkpoint
83: 2008-07-02 22:05:09 UTC - RP1184 - System Checkpoint

-- First Restore Point --
1: 2008-04-17 19:14:40 UTC - RP1102 - System Checkpoint

Backed up registry hives.
Performed disk cleanup.

-- HijackThis (run as Roderick Smith.exe) --------------------------------------

Unable to find log (file not found); running clone.

-- HijackThis Clone ------------------------------------------------------------

Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-07-05 17:24:23
Platform: Windows XP Service Pack 3 (5.01.2600)
MSIE: Internet Explorer (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\SYSTEM32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\SYSTEM32\services.exe
C:\WINDOWS\SYSTEM32\lsass.exe
C:\WINDOWS\SYSTEM32\svchost.exe
C:\WINDOWS\SYSTEM32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\SYSTEM32\spoolsv.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe
C:\WINDOWS\SYSTEM32\rundll32.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\SYSTEM32\dla\tfswctrl.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\Program Files\SBC Self Support Tool\SmartBridge\MotiveSB.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\SYSTEM32\CTSVCCDA.EXE
C:\WINDOWS\SYSTEM32\WDBtnMgr.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\DellSupport\DSAgnt.exe
C:\WINDOWS\SYSTEM32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Yahoo!\browser\ycommon.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\TrueAssistant\TrueAssistant.exe
C:\Program Files\Retrospect\Retrospect 7.5\retrorun.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\SYSTEM32\MsPMSPSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\SYSTEM32\svchost.exe
C:\Documents and Settings\Roderick Smith\Local Settings\Temporary Internet Files\Content.IE5\QSNNQWO5\dss[1].exe
C:\Program Files\Roderick Smith.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cust...search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
R3 - URLSearchHook: (no name) - {0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: (no name) - {0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2} - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.7\NppBHO.dll
O2 - BHO: (no name) - {341653CD-F150-45C8-963B-1F4C064B07E3} - C:\WINDOWS\system32\urqPgGYo.dll (file missing)
O2 - BHO: (no name) - {3D2A12AB-A54D-4AA9-B84B-E473FCB464D9} - (no file)
O2 - BHO: (no name) - {52043E63-F814-41BB-A8B8-A35474C6C1BD} - C:\WINDOWS\system32\ljJBrOGx.dll (file missing)
O2 - BHO: (no name) - {53296708-022D-480C-9654-F67C22A48338} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {5A263CF7-56A6-4D68-A8CF-345BE45BC911} - (no file)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\SYSTEM32\dla\tfswshx.dll
O2 - BHO: {ac10bfc5-c60f-6818-5fb4-1a7a250d1dba} - {abd1d052-a7a1-4bf5-8186-f06c5cfb01ca} - C:\WINDOWS\SYSTEM32\zkbaqz.dll
O2 - BHO: (no name) - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O3 - Toolbar: Ask Toolbar - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.7\UIBHO.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe"
O4 - HKLM\..\Run: [CTSysVol] "C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe" /r
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [BJCFD] "C:\Program Files\BroadJump\Client Foundation\CFD.exe"
O4 - HKLM\..\Run: [YBrowser] "C:\Program Files\Yahoo!\browser\ybrwicon.exe"
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] 1
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKCU\..\Run: [SpybotSD TeaTimer] "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
O4 - Startup: TrueAssistant.lnk = C:\Program Files\TrueAssistant\TrueAssistant.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: NkbMonitor.exe.lnk = ?
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM32\msjava.dll
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2871FC9B-5E34-4AAE-9E9C-EBD1652D5C92} (RhapsodyPlayerEngineCtrl Class) - http://forms.real.com/real/player/do...e_Inst_Win.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/actives.../as2stubie.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeup...ntent/opuc.cab
O16 - DPF: {4AEF8AEE-3DE8-4B69-8B6E-6353B6C59B50} (Utility Class) - http://onesite.realpage.com/coreglob...b/Realpage.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {924C1588-90C3-4910-B6CA-D57A1C0418FE} (YbUploadFavsCtl Class) - http://us.bookmarks.yahoo.com/YbConvFav.CAB
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://download.yahoo.com/dl/installs/yab_af.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
O16 - DPF: {FFFFFFFF-CACE-BABE-BABE-00AA0055595A} () - http://www.trueswitch.com/sbc/TrueInstallSBC.exe
O18 - Protocol: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL
O18 - Protocol: mso-offdap11 - {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL
O18 - Filter: text/xml - {807553E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: ljJBrOGx - C:\WINDOWS\system32\
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\SYSTEM32\CTSVCCDA.EXE
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_2.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Retrospect Launcher (RetroLauncher) - EMC Corporation - C:\Program Files\Retrospect\Retrospect 7.5\retrorun.exe
O23 - Service: Retrospect Helper - EMC Corporation - C:\Program Files\Retrospect\Retrospect 7.5\rthlpsvc.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - Unknown owner - C:\Program Files\Dell
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 15930 bytes

-- File Associations -----------------------------------------------------------

.cpl - cplfile - shell\cplopen\command - rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.cpl - cplfile - shell\runas\command - rundll32.exe shell32.dll,Control_RunDLLAsUser "%1",%*

-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 omci (OMCI WDM Device Driver) - c:\windows\system32\drivers\omci.sys <Not Verified; Dell Computer Corporation; OMCI Driver>
R3 DSproct - c:\program files\dellsupport\gtaction\triggers\dsproct.sys <Not Verified; Gteko Ltd.; processt>
R3 pfc (Padus ASPI Shell) - c:\windows\system32\drivers\pfc.sys <Not Verified; Padus, Inc.; Padus(R) ASPI Shell>
S3 MREMPR5 (MREMPR5 NDIS Protocol Driver) - c:\program files\common files\motive\mrempr5.sys <Not Verified; Motive, Inc.; Motive Rawether for Windows>
S3 MRENDIS5 (MRENDIS5 NDIS Protocol Driver) - c:\program files\common files\motive\mrendis5.sys <Not Verified; Motive, Inc.; Motive Rawether for Windows>

-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 sprtsvc_dellsupportcenter (SupportSoft Sprocket Service (dellsupportcenter)) - c:\program files\dell support center\bin\sprtsvc.exe /service /p dellsupportcenter

-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.

-- Scheduled Tasks -------------------------------------------------------------

2008-07-05 17:07:49 1666 --a------ C:\WINDOWS\Tasks\wrSpySweeper_LB0B9027BD2334799B7FB8D4112995BE3.job

-- Files created between 2008-06-05 and 2008-07-05 -----------------------------

2008-07-05 17:23:20 218112 --a------ C:\Program Files\Roderick Smith.exe <Not Verified; Soeperman Enterprises Ltd.; HijackThis>
2008-07-05 09:22:03 0 d-------- C:\ie-spyad_zo
2008-07-05 08:57:40 0 d-------- C:\Documents and Settings\All Users\Application Data\TEMP
2008-07-05 08:57:19 0 d-------- C:\Program Files\SpywareBlaster
2008-07-02 16:51:17 0 d-------- C:\Documents and Settings\Arnel Polintan\Application Data\Webroot
2008-07-02 11:03:48 0 d-------- C:\Documents and Settings\LocalService\Application Data\Webroot
2008-07-02 11:03:17 0 d-------- C:\Program Files\Webroot
2008-07-02 11:03:17 0 d-------- C:\Documents and Settings\Roderick Smith\Application Data\Webroot
2008-07-02 11:03:17 0 d-------- C:\Documents and Settings\All Users\Application Data\Webroot
2008-07-01 23:53:20 106240 --a------ C:\WINDOWS\system32\zkbaqz.dll
2008-07-01 23:53:18 106240 --a------ C:\WINDOWS\system32\rupudmvn.dll
2008-07-01 23:50:20 85296 --a------ C:\WINDOWS\system32\xiwrsxfe.dll
2008-07-01 23:50:19 90960 --a------ C:\WINDOWS\system32\wsywoone.dll
2008-07-01 21:38:50 0 d-------- C:\Program Files\Panda Security
2008-07-01 14:40:53 0 d-------- C:\VundoFix Backups
2008-06-30 18:04:31 691545 --a------ C:\WINDOWS\unins001.exe
2008-06-30 18:04:31 2551 --a------ C:\WINDOWS\unins001.dat
2008-06-25 22:41:45 452850 --ahs---- C:\WINDOWS\system32\oYGgPqru.ini2

-- Find3M Report ---------------------------------------------------------------

2008-07-05 17:26:01 15567 --a------ C:\Program Files\hijackthis.log
2008-07-02 11:02:39 164 --a------ C:\install.dat
2008-07-01 17:28:17 0 d-------- C:\Program Files\Norton 360
2008-06-30 18:05:44 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-06-07 14:40:54 0 d-------- C:\Program Files\DivX
2008-06-01 00:15:51 0 d-------- C:\Program Files\Messenger
2008-05-31 23:09:46 0 d-------- C:\Program Files\Movie Maker
2008-05-31 22:57:36 0 d-------- C:\Program Files\Windows NT
2008-05-31 11:22:15 0 d-------- C:\Program Files\Yahoo!
2008-05-30 16:22:48 802816 --a------ C:\WINDOWS\system32\divx_xx11.dll <Not Verified; DivX, Inc.; DivX®>
2008-05-30 16:22:48 823296 --a------ C:\WINDOWS\system32\divx_xx0c.dll <Not Verified; DivX, Inc.; DivX®>
2008-05-30 16:22:48 823296 --a------ C:\WINDOWS\system32\divx_xx07.dll <Not Verified; DivX, Inc.; DivX®>
2008-05-30 16:22:46 815104 --a------ C:\WINDOWS\system32\divx_xx0a.dll <Not Verified; DivX, Inc.; DivX®>
2008-05-30 16:22:46 683520 --a------ C:\WINDOWS\system32\DivX.dll <Not Verified; DivX, Inc.; DivX®>
2008-05-30 15:50:18 0 d-------- C:\Program Files\Symantec
2008-05-22 15:22:18 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2008-05-22 15:19:46 196608 --a------ C:\WINDOWS\system32\dtu100.dll <Not Verified; DivX, Inc.; DivX, Inc. dtu100>
2008-05-22 15:19:46 81920 --a------ C:\WINDOWS\system32\dpl100.dll <Not Verified; DivX, Inc.; DivX, Inc. dpl100>
2008-05-22 15:18:54 12288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll
2008-05-18 23:44:47 0 d-------- C:\Documents and Settings\Roderick Smith\Application Data\DivX

-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{341653CD-F150-45C8-963B-1F4C064B07E3}]
C:\WINDOWS\system32\urqPgGYo.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3D2A12AB-A54D-4AA9-B84B-E473FCB464D9}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{52043E63-F814-41BB-A8B8-A35474C6C1BD}]
C:\WINDOWS\system32\ljJBrOGx.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{53296708-022D-480C-9654-F67C22A48338}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{abd1d052-a7a1-4bf5-8186-f06c5cfb01ca}]
07/01/2008 11:53 PM 106240 --a------ C:\WINDOWS\system32\zkbaqz.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}"= C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL [11/25/2007 01:44 PM 267592]

[-HKEY_CLASSES_ROOT\CLSID\{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [11/19/2003 04:48 PM]
"CTSysVol"="C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe" [09/17/2003 09:43 AM]
"P17Helper"="P17.dll" [06/10/2004 10:51 AM C:\WINDOWS\SYSTEM32\P17.dll]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [05/11/2000 12:00 AM]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [10/12/2004 03:54 PM]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [01/07/2004 12:01 AM]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [08/13/2004 12:05 AM]
"MMTray"="C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe" [01/17/2006 02:03 PM]
"BJCFD"="C:\Program Files\BroadJump\Client Foundation\CFD.exe" [09/10/2002 10:26 PM]
"YBrowser"="C:\Program Files\Yahoo!\browser\ybrwicon.exe" [07/11/2003 02:51 PM]
"Motive SmartBridge"="C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe" [08/26/2006 10:41 AM]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [03/03/2006 09:03 AM]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [08/19/2007 07:46 AM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [02/16/2007 10:54 AM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [03/14/2007 07:05 PM]
"WD Button Manager"="WDBtnMgr.exe" [09/22/2007 10:10 AM C:\WINDOWS\SYSTEM32\WDBtnMgr.exe]
"mmtask"="C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe" [01/17/2006 02:03 PM]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [07/17/2007 06:54 PM]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [01/29/2008 06:38 PM]
"dscactivate"="C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe" [11/15/2007 10:24 AM]
"DellSupportCenter"="C:\Program Files\Dell Support Center\bin\sprtcmd.exe" [11/15/2007 10:23 AM]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [01/04/2008 08:56 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [03/15/2007 11:09 AM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [04/13/2008 05:12 PM]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [04/13/2008 05:12 PM]
"Yahoo! Pager"="1" []
"DellSupportCenter"="C:\Program Files\Dell Support Center\bin\sprtcmd.exe" [11/15/2007 10:23 AM]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [01/28/2008 11:43 AM]

C:\Documents and Settings\Roderick Smith\Start Menu\Programs\Startup\
DESKTOP.INI [8/10/2004 12:04:12 PM]
TrueAssistant.lnk - C:\Program Files\TrueAssistant\TrueAssistant.exe [4/2/2005 7:08:48 AM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [12/14/2004 4:44:06 AM]
America Online 9.0 Tray Icon.lnk - C:\Program Files\America Online 9.0\aoltray.exe [12/31/2004 1:35:34 AM]
DESKTOP.INI [8/10/2004 12:04:12 PM]
NkbMonitor.exe.lnk - C:\Program Files\Nikon\PictureProject\NkbMonitor.exe [2/5/2005 12:44:11 PM]
SBC Self Support Tool.lnk - C:\Program Files\SBC Self Support Tool\bin\matcli.exe [12/17/2005 5:33:44 PM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoLowDiskSpaceChecks"=1 (0x1)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{52043E63-F814-41BB-A8B8-A35474C6C1BD}"= C:\WINDOWS\system32\ljJBrOGx.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dimsntfy]
C:\WINDOWS\System32\dimsntfy.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ljJBrOGx]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\urqPgGYo

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\svcWRSSSDK]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
eapsvcs eaphost
dot3svc dot3svc

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
napagent
hkmsvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{34f185a5-791b-11dc-90e4-00038a000015}]
AutoRun\command- F:\setupSNK.exe

*Newly Created Service* - COMHOST

-- Hosts -----------------------------------------------------------------------

127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com

8772 more entries in hosts file.

-- End of Deckard's System Scanner: finished at 2008-07-05 17:29:22 ------------
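The log above is what a helper reads by hand: orphaned BHOs, randomly named DLLs in system32, a Winlogon Notify hook and an extra LSA authentication package. The following is an added example, not code from the original post nor from the HijackThis or Deckard's System Scanner projects, that parses those line formats and ranks the entries so the ones worth reading first come out on top. The sample lines are copied from the log in the post; the severity scale, the "random-looking name" heuristic and the assumption that DSS prints the LSA REG_MULTI_SZ value space-separated are this example's own.

```python
"""Triage of HijackThis / Deckard's System Scanner log lines.

Added example for this thread; not code from the original post, from
HijackThis or from Deckard's System Scanner. The regexes follow the line
layouts visible in the posted log; the severity scale and the random-name
heuristic are this example's own assumptions, meant to order what a helper
reads first, not to give a verdict.
"""
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the log posted above, plus a benign
# Spybot BHO and a Symantec Run entry for contrast. The last line comes from
# the DSS registry dump rather than from the HijackThis clone section.
SAMPLE_LOG = r"""
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {341653CD-F150-45C8-963B-1F4C064B07E3} - C:\WINDOWS\system32\urqPgGYo.dll (file missing)
O2 - BHO: (no name) - {52043E63-F814-41BB-A8B8-A35474C6C1BD} - C:\WINDOWS\system32\ljJBrOGx.dll (file missing)
O2 - BHO: {ac10bfc5-c60f-6818-5fb4-1a7a250d1dba} - {abd1d052-a7a1-4bf5-8186-f06c5cfb01ca} - C:\WINDOWS\SYSTEM32\zkbaqz.dll
O2 - BHO: (no name) - {3D2A12AB-A54D-4AA9-B84B-E473FCB464D9} - (no file)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: ljJBrOGx - C:\WINDOWS\system32\
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\urqPgGYo
"""


@dataclass
class Finding:
    section: str   # log section the line came from ("O2", "O20", "LSA", ...)
    subject: str   # file or hook the entry points at
    severity: str  # "high" / "medium" / "low" (this example's own scale)
    reason: str


O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<target>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O20_RE = re.compile(r"^O20 - (?P<kind>AppInit_DLLs|Winlogon Notify): (?P<target>.*)$")
LSA_RE = re.compile(r'^"Authentication Packages"=\s*(?P<pkgs>.+)$')
SYSTEM32_RE = re.compile(r"^[A-Za-z]:\\WINDOWS\\system32\\", re.IGNORECASE)


def looks_random(stem: str) -> bool:
    """Heuristic (assumption): 6-8 letters, no digits, and either mixed case
    inside the word or almost no vowels. It misfires on some legitimate
    names, so callers only apply it to files that live under system32."""
    if not re.fullmatch(r"[A-Za-z]{6,8}", stem):
        return False
    inner = stem[1:]
    mixed = any(c.isupper() for c in inner) and any(c.islower() for c in inner)
    vowels = sum(c in "aeiouAEIOU" for c in stem)
    return mixed or vowels / len(stem) < 0.2


def file_stem(path: str) -> str:
    return path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]


def assess(line: str) -> list[Finding]:
    """Return the findings for one log line (empty if nothing stands out)."""
    out: list[Finding] = []
    if m := O2_RE.match(line):
        target = m["target"]
        missing = target == "(no file)" or target.endswith("(file missing)")
        path = target.replace(" (file missing)", "")
        if SYSTEM32_RE.match(path) and looks_random(file_stem(path)):
            out.append(Finding("O2", path, "high",
                               "BHO registered for a random-looking DLL in system32"))
        if missing and m["name"] == "(no name)":
            out.append(Finding("O2", path, "low",
                               "orphaned BHO (no name, file gone): dead entry, cleanup only"))
    elif m := O4_RE.match(line):
        exe = re.match(r'"([^"]+)"|(\S+)', m["cmd"])
        path = (exe.group(1) or exe.group(2)) if exe else ""
        if SYSTEM32_RE.match(path) and looks_random(file_stem(path)):
            out.append(Finding("O4", path, "high",
                               f"{m['hive']} Run entry launches a random-looking file from system32"))
    elif m := O20_RE.match(line):
        if m["kind"] == "Winlogon Notify":
            hook = m["target"].split(" - ", 1)[0]
            sev = "high" if looks_random(hook) else "medium"
            out.append(Finding("O20", hook, sev,
                               "Winlogon Notify DLL is loaded by winlogon and runs at every logon"))
        else:
            out.append(Finding("O20", m["target"], "medium",
                               "AppInit_DLLs is loaded into every process that links user32; confirm the publisher"))
    elif m := LSA_RE.match(line):
        # DSS prints the REG_MULTI_SZ value space-separated (assumption);
        # on XP the stock value is just msv1_0, so anything else is notable.
        for pkg in m["pkgs"].split():
            if pkg.lower() != "msv1_0":
                out.append(Finding("LSA", pkg, "high",
                                   "extra LSA authentication package, loaded by lsass at boot"))
    return out


SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}


def triage(log_text: str) -> list[Finding]:
    """Run assess() over every line and return findings, most severe first."""
    findings = [f for line in log_text.splitlines() for f in assess(line.strip())]
    return sorted(findings, key=lambda f: SEVERITY_ORDER[f.severity])


def summarize(findings: list[Finding]) -> dict[str, int]:
    counts = {"high": 0, "medium": 0, "low": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.section:3} {f.subject}: {f.reason}")
```

Run against the sample it puts the system32 DLLs, the Winlogon Notify hook and the LSA package first and leaves the Spybot and Symantec entries alone; the "(file missing)" orphans come last because they no longer load anything. The name heuristic only fires for files under system32 on purpose: applied to Program Files it would also flag ordinary vendor DLLs.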

#2
Moderator/ Rangemaster TSF Academy; Analyst, Security Team; Oor Wullie; TSF Surgeon and Resident Comic
Re: Need malware removal help
Hi and welcome to TSF.
My name is Iain and I will be helping you clean your system. You may wish to Subscribe to this thread (Thread Tools > Subscribe to this thread) so that you are notified when you receive a reply.

Please read these instructions carefully and then print out or copy this page to Notepad in order to assist you when carrying out the fix. You should not have any open browsers or live internet connections when you are following the procedures below. Note that the fix may take several posts. Please continue to respond to my instructions until I confirm that your logs are clean. Remember that although your symptoms may vanish, this does NOT mean that your system is clean. If there is anything you don't understand, please ask BEFORE proceeding with the fixes. Please ensure that you follow the instructions in the order I have them listed.

Combofix

We'll begin with ComboFix. Please visit this webpage for download links, and instructions for running the tool: http://www.bleepingcomputer.com/comb...o-use-combofix

**Note: It is important that ComboFix is saved directly to your desktop**

Please ensure you read this guide carefully and install the Recovery Console. This will help us restore your system in the event of a serious crash. It's very simple to complete and will only take a few moments. A quick guide is detailed below.

Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. See here for a guide to disabling AV, Firewall and Anti-malware programmes.

Once you've downloaded the appropriate RC setup package for your system to the desktop, follow these instructions:
Please post the log C:\ComboFix.txt along with a fresh HijackThis log for further review. NOTE: Combofix prevents autorun of all CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you - please let me know.
__________________
Iain - Defender of the Haggis and all things Scottish. I don't help by PM - post in the Forums.
Ad-Aware::SpywareBlaster::SpyBot::SpywareGuard::SnoopFree::AVG Free::HOSTS File::HijackThis::Donate::5 Steps For Infected PCs

#3
Registered User
Join Date: Jul 2008
Posts: 17
OS: XP
Re: Need malware removal help
Hi Iain. Thanks very much for your help.
I have read the instructions and everything seems clear. Before I start the Combofix, I just have these questions about disabling antimalware and antivirus programs:

1. I have Norton 360. If I go to Tasks and Settings, and choose Advanced Settings and then Virus and Spyware Protection Setup, I can uncheck "turn on autoprotect" and "turn on e-mail check". If I choose Firewall Protection Setup, I can turn the firewall off. If I do all this, will I have completely disabled Norton 360?
2. I have Spyware Blaster, which isn't on the list of programs, but I do find a "disable all protections" function. If I click that, is that sufficient?
3. I have installed IE-SPYAD and Zoned Out as requested. Do I need to do anything about these?

Also, FYI I do now have instructions for setting up a Panda ActiveScan account, so I can run that anytime if you want me to.

Thanks again!
Best wishes,
Rod
#4
Moderator/ Rangemaster TSF Academy; Analyst, Security Team; Oor Wullie; TSF Surgeon and Resident Comic
Re: Need malware removal help
Hi Rod
I'm not overly familiar with Norton but all that you've said sounds fine. You don't need to disable SpywareBlaster as it just sits in the background. Same with IE-SPYAD - Zoned Out is just the installer. What happens is that Combofix checks your system for malware. When it scans a file any active AV will think that something has happened to that file so it will want to have a look as well. By turning off the active protection you will allow CF to complete its work without interruption - and quickly.
#5
Registered User
Join Date: Jul 2008
Posts: 17
OS: XP
Re: Need malware removal help
Iain,
I ran into a few snags trying to install the recovery console: I inserted the Windows XP Reinstallation CD that came with the computer (it includes service pack 2) and got through step 4 on the bleeping computer instructions "How to install the Recovery Console to your hard drive". However, I did not get the setup window shown in step 5. Instead I got a message saying the file could not be installed because my computer has a later version. (My computer has service pack 3.) So I removed the CD and instead followed the instructions for installing the recovery program when you don't have a CD, and downloaded the file from the Microsoft website - even though this file also has service pack 2.

I then dropped the Microsoft file onto Combofix.exe, but I immediately got the security warning that the publisher could not be verified. This threw me off because I was trying to follow the order of the bleeping computer instructions on how to use combo-fix. According to those instructions, I should have gotten that warning not at this point, but rather several steps later, after double-clicking on the combofix icon. I wasn't ready to run combofix yet because I hadn't disabled my antivirus programs (again following the order that "how to use combofix" specified). So I clicked cancel. I thought that maybe I had improperly dropped the Microsoft file so I dropped it again, but the same thing happened and I clicked cancel again.

Then I decided to close all the windows and disable the antivirus programs before proceeding. I started by switching to the computer's other user's account to make sure there were no open windows there. When I then tried to switch back to my account, the screen went black. After a few minutes, the blue screen came back but only the other user's name was on the screen, not mine, and the screen was frozen. This had never happened to me before. I waited an hour and finally turned the computer off. When I turned it back on everything was fine.

This leaves me with these questions:

1. I assume the lesson from this is that I should follow the order that you specify and not the order that bleeping computer specifies, i.e. I should close all my windows and disable my antivirus and anti-malware programs first, then drop the Microsoft file onto the combofix icon. Then when the security warning appears "the publisher could not be verified" I should click run. Is that correct?

2. But what about the service pack 2 vs service pack 3 issue? Isn't the file that I downloaded from Microsoft (with service pack 2) the same as the file I have on the CD, which Microsoft wouldn't install since my computer is more advanced (which I'm assuming refers to the fact I have service pack 3)? And if so, is it really OK to have Combofix install it?

3. Once I drop the Microsoft file onto the combofix icon, can you estimate approximately how long it will take for the recovery console to install?

Iain, I hope I'm not asking too many questions here. I'm trying really hard not to make a big mistake. I really appreciate your help, and the fact it's volunteer.

Best wishes, Rod
#6
Moderator/ Rangemaster TSF Academy; Analyst, Security Team; Oor Wullie; TSF Surgeon and Resident Comic
Re: Need malware removal help
Hi Rod
Far better that you ask questions first, rather than later. Bear in mind that you are not installing a Service Pack - you are installing the Recovery Console - a small utility that will allow us to recover your system in the event of a serious crash. You don't need to use the CD. All you need to do is this:

1. Download the relevant RC file package to your desktop.
2. Disable any security programmes as we discussed.
3. Drag the RC package and drop it onto Combofix.

CF will do the RC install for you - just say Yes to any prompts. The RC install will be very quick - a minute at the most. CF will then run its scan. Any further queries please let me know.
#7
Registered User
Join Date: Jul 2008
Posts: 17
OS: XP
Re: Need malware removal help
Hi Iain,
Well now another small hitch, on disabling spy sweeper. No problem on steps 1 and 2 on the bleeping computer instructions: I unchecked all the shields on the shields page. But although I've looked all over that page and all the other pages, and consulted spysweeper help, I cannot find where to do the following:

- Uncheck "home page shield".
- Uncheck "automatically restore default without notification".

Thanks, Rod
#8
Moderator/ Rangemaster TSF Academy; Analyst, Security Team; Oor Wullie; TSF Surgeon and Resident Comic
Re: Need malware removal help
Hmmm....
Try this way.

To disable Webroot SpySweeper:
#9
Registered User
Join Date: Jul 2008
Posts: 17
OS: XP
Re: Need malware removal help
Iain,
These instructions are the same as the bleeping computer instructions that I was trying to follow. I can do the first three steps, but I can't find a place to uncheck the "home page shield", nor a place to uncheck "automatically restore default without notification". Can you tell me where to take these actions?

Thanks, Rod
#10
Moderator/ Rangemaster TSF Academy; Analyst, Security Team; Oor Wullie; TSF Surgeon and Resident Comic
Re: Need malware removal help
Hi Rod
Let's move forward here - ignore SpySweeper for now and see if CF will run - I'm not familiar with SS. Just do the drag and drop as I described in post #6.