Resolved HJT Threads Resolved spyware and popup issues.

 
 
Old 03-24-2009, 04:18 AM   #1 (permalink)
Registered User
 
Join Date: Mar 2009
Posts: 26
OS: XP


Several problems

Hi,

I'm having a couple of different issues with my laptop. About a month ago I had the Google search redirect issue that several threads here have addressed. At the time, I just followed the instructions listed in an existing thread instead of posting a new thread (not the smartest idea, I know), but the problem appeared to go away with a free trial of AVG.

The trial period expired several days ago and I didn't want to pay for the full version, so I just left it.

Yesterday my wife tells me that the laptop is acting up and I find the background has changed to the "Warning Dangerous Spyware" graphic which (according to other threads) seems related to the bogus Antivirus XP. This is also causing several popups, some for Antivirus XP, but also others.

Also, the Google search redirect issue has returned as well as several errors on startup that are related to missing .dll files.

I have done very little in the way of attempting to fix these issues other than running Spybot Search & Destroy and allowing it to fix the errors it found. I also found what turned out to be an ad for Spyware Doctor while searching for a solution to the new problems. I downloaded and installed SD (which also installed Registry Mechanic). It allowed me to scan my computer, but would not fix anything without paying for the program. I mention that only to show that Registry Mechanic was not on my system when the problems started. I noticed in another thread that Registry Mechanic was the culprit of their problems.

There may be (and probably are) other issues/viruses on this laptop that I have not noticed. I followed the instructions in the "NEW INSTRUCTIONS - Read This Before Posting" thread and uninstalled all of my antivirus software (I know it said all but one, but I dumped it all since it's obviously not working).

Anyway, here are the required logs.


DDS (Ver_09-03-16.01) - NTFSx86
Run by Brad Blanton at 0:07:31.43 on Tue 03/24/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.5.0_12
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2038.1500 [GMT -4:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Registry Mechanic\RegMech.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Brad Blanton\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.rr.com/flash/index.cfm
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mStart Page = about:blank
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-inc&channel=us
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://www.yahoo.com
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
BHO: {02478d38-c3f9-4efb-9b51-7695eca05670} - Yahoo! Toolbar Helper
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: {203c2c6b-2728-4354-afee-ecc637265e53} - No File
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\program files\yahoo!\common\yiesrvc.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: {aa1124b8-d1c9-2eeb-ba64-d28578669ac7}: {7ca96687-582d-46ab-bee2-9c1d8b4211aa} - c:\windows\system32\hvvopz.dll
BHO: {8f5f8292-6039-4d40-ab16-8e796a9c164c} - No File
BHO: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar2.dll
BHO: {b3b82ecf-c03c-4e54-bdaf-40f909526325} - c:\windows\system32\luyusowa.dll
BHO: {b5e3556a-e9d6-4fd7-82d7-945356e19e37} - No File
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\bae\BAE.dll
BHO: MSN Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn\toolbar\3.0.0988.2\msneshellx.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Microsoft Web Test Recorder 9.0 Helper: {e31ce47f-c268-41ba-897b-b415e613947d} - c:\program files\microsoft visual studio 9.0\common7\ide\privateassemblies\Microsoft.VisualStudio.QualityTools.RecorderBarBHO90.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar2.dll
TB: MSN Toolbar: {1e61ed7c-7cb8-49d6-b9e9-ab4c880c8414} - c:\program files\msn\toolbar\3.0.0988.2\msneshellx.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
EB: Web Test Recorder 9.0: {3c7adade-d1e8-45d2-bdcd-7f8d8b99b2a2} - mscoree.dll
EB: &Yahoo! Messenger: {4528bbe0-4e08-11d5-ad55-00010333d0ad} - c:\progra~1\yahoo!\common\yhexbmesus.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [ModemOnHold] c:\program files\netwaiting\netWaiting.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Dkthutvx] c:\windows\w?nsxs\w?nword.exe
uRun: [igndlm.exe] c:\program files\download manager\DLM.exe /windowsstart /startifwork
uRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [Dell QuickSet] c:\program files\dell\quickset\quickset.exe
mRun: [ShowLOMControl] 1 (0x1)
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [RealTray] c:\program files\real\realplayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [Corel Photo Downloader] c:\program files\corel\corel photo album 6\MediaDetect.exe
mRun: [MSKDetectorExe] c:\program files\mcafee\spamkiller\MSKDetct.exe /uninstall
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Iwupepinukone] rundll32.exe "c:\windows\Hpilox.dll",e
mRun: [Bkufubadero] rundll32.exe "c:\windows\ipucuguvekanuga.dll",e
mRun: [0cd284d5] rundll32.exe "c:\windows\system32\puvutabo.dll",b
mRun: [CPM0fe1b749] Rundll32.exe "c:\windows\system32\tapibugi.dll",a
mRun: [ropitozufo] Rundll32.exe "c:\windows\system32\jajulaze.dll",s
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRunOnce: [Spybot - Search & Destroy] "c:\program files\spybot - search & destroy\SpybotSD.exe" /autocheck
dRun: [MySpaceIM] c:\program files\myspace\im\MySpaceIM.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
uPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
mPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
IE: &Google Search - c:\program files\google\GoogleToolbar2.dll/cmsearch.html
IE: &Search - ?p=ZJxdm025YYUS
IE: &Translate English Word - c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
IE: &Yahoo! Search - file:///c:\program files\yahoo!\Common/ycsrch.htm
IE: Backward Links - c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\google\GoogleToolbar2.dll/cmcache.html
IE: Similar Pages - c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
IE: Translate Page into English - c:\program files\google\GoogleToolbar2.dll/cmtrans.html
IE: Yahoo! &Dictionary - file:///c:\program files\yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - file:///c:\program files\yahoo!\Common/ycsms.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
LSP: c:\windows\temp\ntdll64.dll
DPF: {00140000-B1BA-11CE-ABC6-F5B2E79D9E3F} - hxxp://www.cabarrusncrod.org/controls/LTOCX14N.cab
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/3/9/8/398422c0-8d3e-40e1-a617-af65a72a0465/LegitCheckControl.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\yinsthelper.dll
DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - hxxp://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://photos.walmart.com/WalmartActivia.cab
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1194468951625
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1194468899593
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {9841D1AE-9C0B-11D3-9452-00105A098C21} - hxxp://www.cabarrusncrod.org/controls/prntpro2.CAB
DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} - hxxp://www.crucial.com/controls/cpcScanner.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_12-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CBD8B1CB-2F5F-415F-93E8-A297B33DCBB2} - hxxp://entriq.vo.llnwd.net/o1/NBCUniversal/cabs/cpucheck_1_0_0_5.cab
DPF: {CE7D2BF2-D173-4CE2-9DAF-15EA153B5B43} - hxxp://entriq.vo.llnwd.net/o1/NBCUniversal/cabs/Entriq_3_5_2_2_Silent.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {DE0FB644-C59B-46D1-B650-88BA945BC98F} - hxxp://entriq.vo.llnwd.net/o1/NBCUniversal/cabs/NBCUniversal_1_0_0_7.cab
DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} - hxxp://24.172.119.98/activex/AMC.cab
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: c:\windows\system32\mopazazi.dll welijf.dll c:\windows\system32\detukimi.dll c:\windows\system32\tapibugi.dll hvvopz.dll c:\windows\system32\sunimuju.dll
SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\sunimuju.dll
STS: STS: {ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} - c:\windows\system32\sunimuju.dll
LSA: Notification Packages = scecli c:\windows\system32\mopazazi.dll

============= SERVICES / DRIVERS ===============

R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
S3 oUltraf;oUltraf;\??\c:\docume~1\bradbl~1\locals~1\temp\oultraf.sys --> c:\docume~1\bradbl~1\locals~1\temp\oUltraf.sys [?]
S3 VSPerfDrv90;Performance Tools Driver 9.0;c:\program files\microsoft visual studio 9.0\team tools\performance tools\VSPerfDrv90.sys [2007-9-4 55664]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\microsoft visual studio 8\common7\ide\remote debugger\x86\msvsmon.exe [2006-12-2 2805000]

=============== Created Last 30 ================

2009-03-23 23:53 54 a------- c:\windows\winpoint.ini
2009-03-23 21:27 1,400,742 ---sh--- c:\windows\system32\obatuvup.ini
2009-03-23 21:27 124,928 a--sh--- c:\windows\system32\hvvopz.dll
2009-03-23 10:29 104,960 a------- c:\windows\system32\ntdll64.exe
2009-03-23 10:29 29,696 a------- c:\windows\system32\1000.exe
2009-03-23 10:14 4,785 a------- c:\windows\system32\warning.gif
2009-03-23 10:14 1,394 a------- c:\windows\system32\ahtn.htm
2009-03-23 10:14 440 a------- c:\windows\system32\win32hlp.cnf
2009-03-23 10:14 104,960 a------- c:\windows\system32\dllcache\userinit.exe
2009-03-23 10:14 29,696 a------- c:\windows\system32\frmwrk32.exe
2009-03-23 10:13 29,696 a------- c:\windows\system32\998.exe
2009-03-23 09:26 124,928 a--sh--- c:\windows\system32\yhstsd.dll
2009-03-22 21:26 124,928 a--sh--- c:\windows\system32\bpdbcm.dll
2009-03-22 13:21 35,840 a------- c:\windows\system32\gldx.exe
2009-03-21 19:48 132,096 a------- c:\windows\ipucuguvekanuga.dll
2009-03-21 19:36 40,448 a------- c:\windows\system32\KuzSmall.exe
2009-03-21 19:30 42,496 a------- c:\windows\Hpilox.dll
2009-03-21 19:30 42,496 a------- c:\windows\system32\kuzSniper.exe
2009-03-21 18:45 124,928 a--sh--- c:\windows\system32\welijf.dll
2009-03-21 18:40 59,801 a------- c:\windows\system32\prunnet.exe
2009-03-17 00:31 <DIR> --d----- c:\docume~1\bradbl~1\applic~1\Microsoft Games
2009-03-17 00:22 <DIR> --d----- c:\program files\GameSpy Arcade
2009-03-17 00:18 <DIR> --d----- c:\program files\Microsoft Games
2009-03-07 17:12 <DIR> --d----- c:\docume~1\alluse~1\applic~1\CrucialSoft Ltd

==================== Find3M ====================

2009-03-23 21:27 124,928 a--sh--- c:\windows\system32\zoroviro.dll
2009-03-23 10:14 104,960 a------- c:\windows\system32\userinit.exe
2009-03-23 09:26 124,928 a--sh--- c:\windows\system32\diwevari.dll
2009-03-22 21:26 124,928 a--sh--- c:\windows\system32\jebufijo.dll
2009-03-22 07:33 84,992 a--sh--- c:\windows\system32\suluyeba.dll
2009-03-21 18:45 124,928 a--sh--- c:\windows\system32\delahiru.dll
2009-03-21 18:45 79,872 a--sh--- c:\windows\system32\todolaze.dll
2009-03-01 11:39 6,580 a--sh--- c:\windows\system32\KGyGaAvL.sys
2009-01-23 21:30 410,984 a------- c:\windows\system32\deploytk.dll
2007-07-28 18:25 905 a------- c:\program files\uninstal.log
2007-08-06 18:29 1,730,588 ---sh--- c:\windows\system32\ijllm.bak2
0000-00-00 00:00 47,616 a--sh--- c:\windows\system32\mopazazi.dll
0000-00-00 00:00 79,872 a--sh--- c:\windows\system32\tigogitu.dll
0000-00-00 00:00 124,928 a--sh--- c:\windows\system32\ziperame.dll

============= FINISH: 0:08:35.40 ===============
Attached Files
File Type: zip Attach.zip (5.4 KB, 1 views)
Pitbull_1973 is offline  
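The DDS log above contains the indicators an analyst looks for before deciding on a cleanup: `mRun` entries that launch `rundll32.exe` against a DLL with a one-letter entry point, a path that uses `?` where DDS could not render a character (`w?nsxs`), a non-empty `AppInit_DLLs` value, a Winsock LSP in `c:\windows\temp`, an extra `LSA: Notification Packages` entry, and DLLs in `system32` that are hidden+system and, in some cases, carry a `0000-00-00` timestamp. The script below is an added example, not part of the post or of the DDS tool: it parses lines in the DDS "Pseudo HJT Report" and file-listing formats and applies those heuristics. The sample input is a handful of lines copied from the log above plus two benign ones; the rule names, the `Finding` type and the function names are assumptions of this example.

```python
"""Triage helper for DDS-style 'Pseudo HJT Report' and file-listing lines.

Added example: not code from the forum thread or from the DDS tool. The
rules are heuristics chosen to match the indicators visible in the log
above; rule names and function names are assumptions.
"""
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the DDS log above, plus two benign ones
# (jusched.exe, deploytk.dll) so the script shows what does NOT get flagged.
SAMPLE_LOG = r"""
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Iwupepinukone] rundll32.exe "c:\windows\Hpilox.dll",e
mRun: [0cd284d5] rundll32.exe "c:\windows\system32\puvutabo.dll",b
uRun: [Dkthutvx] c:\windows\w?nsxs\w?nword.exe
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: {8f5f8292-6039-4d40-ab16-8e796a9c164c} - No File
LSP: c:\windows\temp\ntdll64.dll
AppInit_DLLs: c:\windows\system32\mopazazi.dll welijf.dll c:\windows\system32\detukimi.dll
LSA: Notification Packages = scecli c:\windows\system32\mopazazi.dll
2009-03-23 21:27 124,928 a--sh--- c:\windows\system32\hvvopz.dll
2009-01-23 21:30 410,984 a------- c:\windows\system32\deploytk.dll
0000-00-00 00:00 47,616 a--sh--- c:\windows\system32\mopazazi.dll
"""

# uRun/mRun/dRun autostart lines: "<hive>Run: [<name>] <command>"
RUN_RE = re.compile(r"^[udm]Run(?:Once)?: \[[^\]]*\] (?P<cmd>.*)$")
# rundll32.exe "<dll>",<entry point>
RUNDLL_RE = re.compile(r'rundll32\.exe\s+"?(?P<dll>[^",]+)"?,(?P<entry>\S+)', re.IGNORECASE)
# file-listing lines: "<date> <time> <size> <attrs> <path>"
FILE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) \d{2}:\d{2}\s+(?P<size>[\d,]+)\s+(?P<attrs>[a-z-]{8})\s+(?P<path>.+)$"
)


@dataclass
class Finding:
    severity: str  # "high" or "low"
    rule: str
    line: str


def triage(lines):
    """Return one Finding per line that matches a suspicious pattern."""
    findings = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        run = RUN_RE.match(line)
        if run:
            cmd = run.group("cmd")
            loader = RUNDLL_RE.search(cmd)
            if loader and len(loader.group("entry")) <= 2:
                # rundll32 used to load an arbitrary DLL through a one-letter export
                findings.append(Finding("high", "rundll32-loader", line))
            elif "?" in cmd:
                # DDS prints '?' for characters it cannot render: the path
                # imitates a system folder name with an unprintable character
                findings.append(Finding("high", "unprintable-path", line))
            continue
        if line.startswith("AppInit_DLLs:") and line.split(":", 1)[1].strip():
            # anything listed here is injected into every process that loads user32
            findings.append(Finding("high", "appinit-dlls", line))
            continue
        if line.startswith("LSP:") and "\\temp\\" in line.lower():
            # a Winsock layered provider living in a temp directory
            findings.append(Finding("high", "lsp-in-temp", line))
            continue
        if line.startswith("LSA: Notification Packages"):
            packages = line.split("=", 1)[1].split()
            if any(p.lower() != "scecli" for p in packages):
                # scecli is the default; extra packages get loaded by LSASS
                findings.append(Finding("high", "lsa-notification-package", line))
            continue
        if line.startswith(("BHO:", "TB:")) and line.endswith("No File"):
            # orphaned registration: harmless by itself, worth cleaning
            findings.append(Finding("low", "orphan-entry", line))
            continue
        entry = FILE_RE.match(line)
        if entry:
            attrs = entry.group("attrs")
            path = entry.group("path").lower()
            if entry.group("date").startswith("0000-"):
                # DDS could not read a valid timestamp for the file
                findings.append(Finding("high", "invalid-timestamp", line))
            elif "s" in attrs and "h" in attrs and path.endswith(".dll") and "\\system32\\" in path:
                # hidden+system DLL recently created in system32
                findings.append(Finding("high", "hidden-system-dll", line))
    return findings


def severity_counts(findings):
    """Count findings per severity, e.g. {"high": 8, "low": 1}."""
    counts = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    results = triage(SAMPLE_LOG.strip().splitlines())
    for f in results:
        print(f"[{f.severity}] {f.rule}: {f.line}")
    print(severity_counts(results))
```

Run against the sample, the script flags nine of the twelve lines (eight high, one low) and leaves the Java updater and `deploytk.dll` lines alone. The heuristics are deliberately narrow: a hidden+system DLL or a one-letter `rundll32` entry point is not proof of infection on its own, so each finding is a line to review, not a verdict.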

Old 03-24-2009, 06:44 AM   #2 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,925
OS: WinXP and Vista


Re: Several problems

Hello Pitbull_1973,

Quote:
and uninstalled all of my antivirus software (I know it said all but one, but I dumped it all since it's obviously not working)
Reinstall it after the first round of ComboFix. If you take a look around, you'll see that no matter what AV product is on a system, nasty infections and rootkits will still get through. It's the nature of the beast - malware guys come out with new ways of infecting systems and AV companies cannot possibly anticipate and prepare for every contingency. (Which is why we're here.)

It will require more than one round to properly clean your system. Please stay with me until given the 'all clear' even if symptoms seemingly abate.

Read through this entire procedure and if you have any questions, please ask them before you begin. Then either print out, or copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.


***************************************************

Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

Link 1
Link 2
Link 3





--------------------------------------------------------------------
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

  • Double click on combofix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.




Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:





Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply for further review.
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Ried is offline  
Old 03-24-2009, 09:33 AM   #3 (permalink)
Registered User
 
Join Date: Mar 2009
Posts: 26
OS: XP


Re: Several problems

Thanks for taking the case Ried.

Just a quick note on a new development since my last post. Internet Explorer has stopped working. Whenever I try to load up a webpage, I get the generic "You are not connected to the Internet" message. I checked my internet connection and confirmed that I am indeed connected. I downloaded ComboFix on my desktop and transferred the .exe file over via a USB flash drive and ran it on my laptop. It was able to download and install the Microsoft Windows Recovery Console, so I know I am connected. Not sure what changed, but I thought you might need to know this new wrinkle.


Here is my ComboFix log:

ComboFix 09-03-23.01 - Brad Blanton 2009-03-24 10:58:10.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2038.1643 [GMT -4:00]
Running from: c:\documents and settings\Brad Blanton\Desktop\Combo-Fix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\BRADBL~1\LOCALS~1\Temp\mousehook.dll
c:\docume~1\BRADBL~1\LOCALS~1\Temp\ntdll64.dll
c:\documents and settings\All Users\Application Data\CrucialSoft Ltd
c:\documents and settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\msas2009.exe
c:\documents and settings\Brad Blanton\Application Data\FunWebProducts
c:\documents and settings\Brad Blanton\Application Data\FunWebProducts\Data\Brad Blanton\avatar.dat
c:\documents and settings\Brad Blanton\Application Data\FunWebProducts\Data\Brad Blanton\outfit.dat
c:\documents and settings\Brad Blanton\Application Data\FunWebProducts\Data\Brad Blanton\zbucks.dat
c:\program files\ystem3~1
c:\windows\adaway.lic
c:\windows\cookies.ini
c:\windows\Hpilox.dll
c:\windows\smante~1
c:\windows\smante~1\S?mantec\
c:\windows\system32\1000.exe
c:\windows\system32\998.exe
c:\windows\system32\abidimuz.ini
c:\windows\system32\ahtn.htm
c:\windows\system32\asembl~1
c:\windows\system32\bpdbcm.dll
c:\windows\system32\Cache
c:\windows\system32\configs
c:\windows\system32\delahiru.dll
c:\windows\system32\depopuho.dll
c:\windows\system32\diwevari.dll
c:\windows\system32\drivers\seneka.sys
c:\windows\system32\drivers\senekaudppxymi.sys
c:\windows\system32\f02WtR
c:\windows\system32\frmwrk32.exe
c:\windows\system32\hvvopz.dll
c:\windows\system32\ijllm.bak2
c:\windows\system32\jebufijo.dll
c:\windows\system32\jhqxkwqq.ini
c:\windows\system32\ltulzc.dll
c:\windows\system32\mopazazi.dll
c:\windows\system32\ntdll64.exe
c:\windows\system32\obatuvup.ini
c:\windows\system32\prunnet.exe
c:\windows\system32\senekabpfmbqpx.dll
c:\windows\system32\senekahtiqxbwp.dll
c:\windows\system32\senekamotqqveu.dll
c:\windows\system32\senekatvmvmety.dat
c:\windows\system32\senekawuigwrrj.dat
c:\windows\system32\warning.gif
c:\windows\system32\welijf.dll
c:\windows\system32\win32hlp.cnf
c:\windows\system32\yhstsd.dll
c:\windows\system32\ziperame.dll
c:\windows\system32\zoroviro.dll
c:\windows\wnsxs~1

Infected copy of c:\windows\system32\userinit.exe was found and disinfected
Restored copy from - c:\i386\userinit.exe


.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_SENEKA
-------\Legacy_OULTRAF
-------\Service_oUltraf


((((((((((((((((((((((((( Files Created from 2009-02-24 to 2009-03-24 )))))))))))))))))))))))))))))))
.

2009-03-23 23:53 . 2009-03-23 23:53 54 --a------ c:\windows\winpoint.ini
2009-03-22 13:21 . 2009-03-22 13:21 35,840 --a------ c:\windows\system32\gldx.exe
2009-03-21 19:48 . 2009-03-21 19:48 132,096 --a------ c:\windows\ipucuguvekanuga.dll
2009-03-21 19:36 . 2009-03-21 19:36 40,448 --a------ c:\windows\system32\KuzSmall.exe
2009-03-21 19:30 . 2009-03-21 19:30 42,496 --a------ c:\windows\system32\kuzSniper.exe
2009-03-17 00:31 . 2009-03-17 00:31 <DIR> d-------- c:\documents and settings\Brad Blanton\Application Data\Microsoft Games
2009-03-17 00:22 . 2009-03-17 00:22 <DIR> d-------- c:\program files\GameSpy Arcade
2009-03-17 00:18 . 2009-03-17 00:18 <DIR> d-------- c:\program files\Microsoft Games

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-24 03:56 --------- d-----w c:\program files\SUPERAntiSpyware
2009-03-24 03:56 --------- d-----w c:\documents and settings\Brad Blanton\Application Data\SUPERAntiSpyware.com
2009-03-24 03:55 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-03-24 03:48 --------- d-----w c:\documents and settings\All Users\Application Data\~0
2009-03-24 03:47 --------- d-----w c:\program files\Axis Communications
2009-03-13 02:56 --------- d-----w c:\documents and settings\Brad Blanton\Application Data\Move Networks
2009-02-06 04:19 --------- d-----w c:\program files\Panda Security
2009-02-06 02:52 --------- d-----w c:\program files\CleanUp!
2009-01-28 15:56 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-01-28 15:50 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-01-28 15:27 --------- d-----w c:\program files\TeaTimer (Spybot - Search & Destroy)
2009-01-28 15:27 --------- d-----w c:\program files\SDHelper (Spybot - Search & Destroy)
2009-01-28 15:27 --------- d-----w c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2009-01-28 15:27 --------- d-----w c:\program files\File Scanner Library (Spybot - Search & Destroy)
2009-01-24 02:01 --------- d-----w c:\program files\QuickTime
2009-01-24 02:00 --------- d-----w c:\documents and settings\All Users\Application Data\Apple Computer
2009-01-24 01:30 --------- d-----w c:\program files\Java
2007-07-28 22:25 905 ----a-w c:\program files\uninstal.log
1601-01-01 00:12 79,872 --sha-w c:\windows\system32\tigogitu.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Dkthutvx"="c:\windows\W?nSxS\w?nword.exe" [?]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2005-08-18 307200]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-10 15360]
"igndlm.exe"="c:\program files\Download Manager\DLM.exe" [2007-03-05 1103480]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ShowLOMControl"="1 (0x1)" [X]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-12-14 98304]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-12-14 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-12-14 118784]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-23 136600]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2005-12-19 1347584]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2005-12-06 839680]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-11-29 761947]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-12-09 49152]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2006-03-19 26112]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"Corel Photo Downloader"="c:\program files\Corel\Corel Photo Album 6\MediaDetect.exe" [2005-08-31 106496]
"MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2005-08-12 1121792]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"Bkufubadero"="c:\windows\ipucuguvekanuga.dll" [2009-03-21 132096]
"0cd284d5"="c:\windows\system32\zumidiba.dll" [2009-03-24 79872]
"CPM0fe1b749"="c:\windows\system32\kosuyapu.dll" [2009-03-24 84992]
"SigmatelSysTrayApp"="stsystra.exe" [2005-11-16 c:\windows\stsystra.exe]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Spybot - Search & Destroy"="c:\program files\Spybot - Search & Destroy\SpybotSD.exe" [2008-07-30 4891984]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2007-03-07 5181440]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-24 29696]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-03-19 24576]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-02-17 65588]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= c:\program files\Online Services\vilogove.html
FriendlyName=

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
"{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4}"= "c:\windows\system32\kosuyapu.dll" [2009-03-24 84992]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"SSODL"= {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\kosuyapu.dll [2009-03-24 84992]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"= wdmaud.sys

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\WINDOWS\\system32\\msiexec.exe"=
"c:\\Program Files\\Microsoft Games\\Rise of Nations\\rise.exe"=
"c:\\WINDOWS\\system32\\wbem\\wmiprvse.exe"=
"c:\\Program Files\\Dell\\NicConfigSvc\\NicConfigSvc.exe"=
"c:\\WINDOWS\\system32\\dllhost.exe"=
"c:\\WINDOWS\\system32\\inetsrv\\inetinfo.exe"=

S3 VSPerfDrv90;Performance Tools Driver 9.0;c:\program files\Microsoft Visual Studio 9.0\Team Tools\Performance Tools\VSPerfDrv90.sys [2007-09-04 55664]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [2006-12-02 2805000]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1c5812e0-a44e-11db-8d02-0015c504e539}]
\Shell\AutoRun\command - E:\LaunchU3.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe
.
Contents of the 'Scheduled Tasks' folder

2009-03-21 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
.
- - - - ORPHANS REMOVED - - - -

BHO-{203c2c6b-2728-4354-afee-ecc637265e53} - (no file)
BHO-{7ca96687-582d-46ab-bee2-9c1d8b4211aa} - (no file)
BHO-{8f5f8292-6039-4d40-ab16-8e796a9c164c} - (no file)
BHO-{b3b82ecf-c03c-4e54-bdaf-40f909526325} - c:\windows\system32\luyusowa.dll
BHO-{b5e3556a-e9d6-4fd7-82d7-945356e19e37} - (no file)
BHO-{e498d2ea-5a09-4290-90dd-f82f7db74159} - c:\windows\system32\ltulzc.dll
WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)
HKCU-Run-ModemOnHold - c:\program files\NetWaiting\netWaiting.exe
HKCU-Run-SUPERAntiSpyware - c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe
HKLM-Run-ropitozufo - c:\windows\system32\jajulaze.dll
HKLM-Run-AVG8_TRAY - c:\progra~1\AVG\AVG8\avgtray.exe
HKLM-Run-Iwupepinukone - c:\windows\Hpilox.dll
Notify-!SASWinLogon - (no file)
Notify-avgrsstarter - (no file)
Notify-__c00D95B0 - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.rr.com/flash/index.cfm
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mStart Page = about:blank
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-inc&channel=us
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://www.yahoo.com
IE: &Google Search - c:\program files\google\GoogleToolbar2.dll/cmsearch.html
IE: &Search - ?p=ZJxdm025YYUS
IE: &Translate English Word - c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm
IE: Backward Links - c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\google\GoogleToolbar2.dll/cmcache.html
IE: Similar Pages - c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
IE: Translate Page into English - c:\program files\google\GoogleToolbar2.dll/cmtrans.html
IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - file:///c:\program files\Yahoo!\Common/ycsms.htm
LSP: c:\windows\TEMP\ntdll64.dll
DPF: {00140000-B1BA-11CE-ABC6-F5B2E79D9E3F} - hxxp://www.cabarrusncrod.org/controls/LTOCX14N.cab
DPF: {9841D1AE-9C0B-11D3-9452-00105A098C21} - hxxp://www.cabarrusncrod.org/controls/prntpro2.CAB
DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} - hxxp://24.172.119.98/activex/AMC.cab
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-24 11:08:12
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(888)
c:\windows\System32\BCMLogon.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\WLTRYSVC.EXE
c:\windows\system32\BCMWLTRY.EXE
c:\windows\system32\rundll32.exe
c:\windows\system32\igfxsrvc.exe
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\windows\system32\inetsrv\inetinfo.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Dell\NicConfigSvc\NicConfigSvc.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\wscntfy.exe
c:\windows\ehome\ehmsas.exe
c:\windows\system32\wscript.exe
.
**************************************************************************
.
Completion time: 2009-03-24 11:16:49 - machine was rebooted
ComboFix-quarantined-files.txt 2009-03-24 15:16:46
ComboFix2.txt 2007-08-07 23:51:32

Pre-Run: 4,641,730,560 bytes free
Post-Run: 4,690,911,232 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

Pitbull_1973 is offline  
Old 03-24-2009, 03:00 PM   #4 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,925
OS: WinXP and Vista


Re: Several problems

Patience, we're getting there.

I need to send you in to delete a folder first. Purityscan is still alive and well on your system from back in 2007 when you didn't finish with your Helper at another forum. It's important to stick with me until given the 'all clear', even if symptoms seem to abate.

This round is a bit more involved. Read through this entire procedure and if you have any questions, please ask them before you begin. Then either print out, or copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.


***************************************************

It's IMPORTANT to carry out the instructions in the sequence listed below.


***************************************************

Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

---------------------------------------------------------------------

Using 'My Computer', navigate to and delete the following Folder (Right click and select 'Delete'):

c:\windows\W?nSxS <--The ? can be any character. To be sure you have the correct folder, look inside the folder. It will contain this file -->w?nword.exe. Again, the ? can be any character.

================================

Open notepad and copy/paste the text in the code box below into it:

Quote:


http://www.techsupportforum.com/security-center/virus-trojan-spyware-help/359403-several-problems-post2041060.html#post2041060

Collect::
c:\windows\system32\kosuyapu.dll
c:\windows\system32\gldx.exe
c:\windows\ipucuguvekanuga.dll
c:\windows\system32\KuzSmall.exe
c:\windows\system32\kuzSniper.exe
c:\windows\system32\tigogitu.dll
c:\windows\ipucuguvekanuga.dll
c:\windows\system32\zumidiba.dll

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"="wdmaud.drv"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\dllhost.exe"=-
"c:\\WINDOWS\\system32\\inetsrv\\inetinfo.exe"=-

DDS::
IE: &Search - ?p=ZJxdm025YYUS
LSP: c:\windows\TEMP\ntdll64.dll

Save this as "CFScript.txt", and as Type: All Files (*.*)
in the same location as ComboFix.exe

Referring to the picture above, drag CFScript into ComboFix.exe


When finished, it shall produce a log for you. Post that log in your next reply.

**Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.
---------------------------------------------------------------------

If IE still will not open pages for you, download LSPFix.exe
  1. Double click on LSPFix.exe to run it.
  2. Once running, you will be required to tick the disclaimer - "I know what I'm doing".
  3. You'll find a window with 2 panes. If you see ntdll64.dll, make sure the entry is in the right pane labeled Remove
  4. Click the Finish button to complete the fix.
If you are unsure about removing certain files, please come back and post the filenames here and I will advise you how to proceed.

======================================

Please return with the C:\ComboFix.txt for further review, and an update on system behavior.
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Ried is offline  
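A small triage pass over the 'Reg Loading Points' section of a ComboFix log, as an added example that is not part of this thread or of ComboFix itself: it flags the kinds of autorun entries the script above collects and removes (targets ComboFix could not verify, marked [?] or [X]; Run values that point straight at a DLL; syllable-like generated file names; and the disabled firewall and suppressed update notifications visible in the log). The sample lines are copied from the first log posted in the thread; the consonant/vowel name heuristic and the Finding type are assumptions of the example, not ComboFix features.

```python
"""Triage the 'Reg Loading Points' section of a ComboFix log.

Added example (not the forum's or ComboFix's own code). It reads the REGEDIT4-style
autorun listing ComboFix prints and reports entries a helper would look at first.
The consonant/vowel alternation test is an assumption modelled on the names in this
thread's log (zumidiba, kosuyapu, ipucuguvekanuga), not a general malware rule.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: a subset of lines copied from the first ComboFix log in the thread.
SAMPLE_LOG = r"""
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Dkthutvx"="c:\windows\W?nSxS\w?nword.exe" [?]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-10 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ShowLOMControl"="1 (0x1)" [X]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"Bkufubadero"="c:\windows\ipucuguvekanuga.dll" [2009-03-21 132096]
"0cd284d5"="c:\windows\system32\zumidiba.dll" [2009-03-24 79872]
"CPM0fe1b749"="c:\windows\system32\kosuyapu.dll" [2009-03-24 84992]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

KEY_RE = re.compile(r'^\[(?P<key>[^\]]+)\]$')
ENTRY_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<target>[^"]*)"\s*\[(?P<meta>[^\]]*)\]$')
SETTING_RE = re.compile(r'^"(?P<name>EnableFirewall|UpdatesDisableNotify)"=\s*(?P<value>\S+)')
HEXNAME_RE = re.compile(r'(?:CPM)?[0-9a-f]{8,}')
VOWELS = set("aeiou")


@dataclass
class Finding:
    key: str
    name: str
    target: str
    reasons: list = field(default_factory=list)


def looks_generated(path_or_name: str) -> bool:
    """Heuristic (assumption): a stem that strictly alternates consonant/vowel
    (zumidiba, kosuyapu) reads as syllable-generated; real product binaries
    (qttask, ctfmon, igfxtray) almost never alternate this strictly."""
    stem = path_or_name.rsplit("\\", 1)[-1].rsplit(".", 1)[0].lower()
    if len(stem) < 6 or not stem.isalpha():
        return False
    kinds = [c in VOWELS for c in stem]
    return all(kinds[i] != kinds[i + 1] for i in range(len(kinds) - 1))


def triage(log_text: str) -> list:
    """Walk the log once and return one Finding per flagged entry."""
    findings = []
    key = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")          # remember which hive/key we are under
            continue
        m = SETTING_RE.match(line)
        if m:
            name, value = m.group("name"), m.group("value")
            if name == "EnableFirewall" and value == "0":
                findings.append(Finding(key, name, value, ["Windows Firewall disabled for the standard profile"]))
            elif name == "UpdatesDisableNotify" and value == "dword:00000001":
                findings.append(Finding(key, name, value, ["Security Center update notifications suppressed"]))
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue
        name, target, meta = m.group("name"), m.group("target"), m.group("meta")
        reasons = []
        if meta in ("?", "X"):
            reasons.append("ComboFix could not verify the target file [%s]" % meta)
        if target.lower().endswith(".dll"):
            reasons.append("Run value loads a DLL directly instead of an executable")
        if looks_generated(target):
            reasons.append("target filename looks machine-generated")
        if looks_generated(name):
            reasons.append("value name looks machine-generated")
        if HEXNAME_RE.fullmatch(name):
            reasons.append("value name is a bare hex string")
        if reasons:
            findings.append(Finding(key, name, target, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print("%-22s %-45s %s" % (f.name, f.target, "; ".join(f.reasons)))
```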
Old 03-24-2009, 08:21 PM   #5 (permalink)
Registered User
 
Join Date: Mar 2009
Posts: 26
OS: XP


Re: Several problems

I'm still with you. I work nights and sleep during the day so I won't have time to try this next step until I get off work in the morning. And I plan on sticking with this until I get the all clear, so no worries there.

Last edited by Pitbull_1973; 03-24-2009 at 08:22 PM.
Pitbull_1973 is offline  
Old 03-24-2009, 08:38 PM   #6 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,925
OS: WinXP and Vista


Re: Several problems

That will be fine. I'll remain subscribed.
Ried is offline  
Old 03-25-2009, 06:55 PM   #7 (permalink)
Registered User
 
Join Date: Mar 2009
Posts: 26
OS: XP


Re: Several problems

Ok, I was finally able to sit down and attempt the next step.

Here is what I found...

1) Removing Purityscan - I looked for the c:\windows\W?nSxS folder and found a WinSxS folder. As you suggested, I looked inside for the w?nword.exe file but could not find it. There are a ton of subfolders inside W?nSxS, but no files, let alone anything close to w?nword.exe. Not sure what to do here, so I skipped it. I did not delete the WinSxS folder. Here is a screenshot of its contents:



2) Ran ComboFix with your new CFScript.txt file. Results posted below

3) Ran LSPfix. It did not find the ntdll64.dll file, but did seem to fix the IE issue.

Here is the new ComboFix log:

ComboFix 09-03-23.01 - Brad Blanton 2009-03-25 2030.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2038.1565 [GMT -4:00]
Running from: c:\documents and settings\Brad Blanton\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\Brad Blanton\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\ipucuguvekanuga.dll
c:\windows\system32\abidimuz.ini
c:\windows\system32\gldx.exe
c:\windows\system32\kosuyapu.dll
c:\windows\system32\KuzSmall.exe
c:\windows\system32\kuzSniper.exe
c:\windows\system32\tigogitu.dll
c:\windows\system32\win32hlp.cnf
c:\windows\system32\zumidiba.dll
c:\windows\TEMP\ntdll64.dll

.
((((((((((((((((((((((((( Files Created from 2009-02-26 to 2009-03-26 )))))))))))))))))))))))))))))))
.

2009-03-24 11:38 . 2009-03-24 11:38 <DIR> d-------- c:\program files\Symantec
2009-03-24 11:38 . 2009-03-24 11:42 <DIR> d-------- c:\program files\Norton AntiVirus
2009-03-24 11:38 . 2009-03-24 11:38 <DIR> d-------- c:\program files\Common Files\Symantec Shared
2009-03-24 11:38 . 2009-03-24 11:38 <DIR> d-------- c:\documents and settings\Brad Blanton\Application Data\Symantec
2009-03-24 11:38 . 2009-03-24 11:39 <DIR> d-------- c:\documents and settings\All Users\Application Data\Symantec
2009-03-24 11:38 . 2001-08-15 15:20 120,379 --a------ c:\windows\system32\SYMEVNT.386
2009-03-24 11:38 . 2001-08-15 15:20 57,696 --a------ c:\windows\system32\drivers\SYMEVENT.SYS
2009-03-24 11:38 . 2001-08-15 15:20 36,864 --a------ c:\windows\system32\S32EVNT1.DLL
2009-03-24 11:38 . 2001-08-15 15:20 4,032 --a------ c:\windows\system32\SYMEVNT1.DLL
2009-03-23 23:53 . 2009-03-23 23:53 54 --a------ c:\windows\winpoint.ini
2009-03-17 00:31 . 2009-03-17 00:31 <DIR> d-------- c:\documents and settings\Brad Blanton\Application Data\Microsoft Games
2009-03-17 00:22 . 2009-03-17 00:22 <DIR> d-------- c:\program files\GameSpy Arcade
2009-03-17 00:18 . 2009-03-17 00:18 <DIR> d-------- c:\program files\Microsoft Games

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-24 03:56 --------- d-----w c:\program files\SUPERAntiSpyware
2009-03-24 03:56 --------- d-----w c:\documents and settings\Brad Blanton\Application Data\SUPERAntiSpyware.com
2009-03-24 03:55 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-03-24 03:48 --------- d-----w c:\documents and settings\All Users\Application Data\~0
2009-03-24 03:47 --------- d-----w c:\program files\Axis Communications
2009-03-13 02:56 --------- d-----w c:\documents and settings\Brad Blanton\Application Data\Move Networks
2009-02-06 04:19 --------- d-----w c:\program files\Panda Security
2009-02-06 02:52 --------- d-----w c:\program files\CleanUp!
2009-01-28 15:56 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-01-28 15:50 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-01-28 15:27 --------- d-----w c:\program files\TeaTimer (Spybot - Search & Destroy)
2009-01-28 15:27 --------- d-----w c:\program files\SDHelper (Spybot - Search & Destroy)
2009-01-28 15:27 --------- d-----w c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2009-01-28 15:27 --------- d-----w c:\program files\File Scanner Library (Spybot - Search & Destroy)
2007-07-28 22:25 905 ----a-w c:\program files\uninstal.log
.

((((((((((((((((((((((((((((( SnapShot@2009-03-24_11.15.49.17 )))))))))))))))))))))))))))))))))))))))))
.
+ 2001-08-03 23:22:00 182,896 ----a-w c:\windows\system32\drivers\NAVAP.SYS
+ 2001-08-06 16:09:54 10,592 ----a-w c:\windows\system32\drivers\symdns.sys
+ 2001-08-06 16:10:00 56,064 ----a-w c:\windows\system32\drivers\symfw.sys
+ 2001-08-06 16:10:04 26,304 ----a-w c:\windows\system32\drivers\symndis.sys
+ 2001-08-06 16:10:20 14,120 ----a-w c:\windows\system32\drivers\symredrv.sys
+ 2001-08-06 16:10:24 131,040 ----a-w c:\windows\system32\drivers\symtdi.sys
- 2009-03-24 15:08:02 226,899 ----a-w c:\windows\system32\inetsrv\MetaBase.bin
+ 2009-03-26 00:12:41 226,889 ----a-w c:\windows\system32\inetsrv\MetaBase.bin
+ 2001-08-06 16:10:14 29,808 ----a-w c:\windows\system32\SymRedir.dll
+ 2009-03-26 00:12:40 16,384 ----atw c:\windows\temp\Perflib_Perfdata_64c.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Dkthutvx"="c:\windows\W?nSxS\w?nword.exe" [?]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2005-08-18 307200]
"igndlm.exe"="c:\program files\Download Manager\DLM.exe" [2007-03-05 1103480]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-10 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ShowLOMControl"="1 (0x1)" [X]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-12-14 98304]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-12-14 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-12-14 118784]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-23 136600]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2005-12-19 1347584]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2005-12-06 839680]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-11-29 761947]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-12-09 49152]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2006-03-19 26112]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"Corel Photo Downloader"="c:\program files\Corel\Corel Photo Album 6\MediaDetect.exe" [2005-08-31 106496]
"MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2005-08-12 1121792]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"NAV Agent"="c:\progra~1\NORTON~1\navapw32.exe" [2001-08-16 74832]
"SigmatelSysTrayApp"="stsystra.exe" [2005-11-16 c:\windows\stsystra.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2007-03-07 5181440]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-24 29696]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-03-19 24576]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-02-17 65588]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= c:\program files\Online Services\vilogove.html
FriendlyName=

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
[BU]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
[BU]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__c00D95B0]
[BU]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\WINDOWS\\system32\\msiexec.exe"=
"c:\\Program Files\\Microsoft Games\\Rise of Nations\\rise.exe"=
"c:\\WINDOWS\\system32\\wbem\\wmiprvse.exe"=
"c:\\Program Files\\Dell\\NicConfigSvc\\NicConfigSvc.exe"=

S3 VSPerfDrv90;Performance Tools Driver 9.0;c:\program files\Microsoft Visual Studio 9.0\Team Tools\Performance Tools\VSPerfDrv90.sys [2007-09-04 55664]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [2006-12-02 2805000]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1c5812e0-a44e-11db-8d02-0015c504e539}]
\Shell\AutoRun\command - E:\LaunchU3.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe
.
Contents of the 'Scheduled Tasks' folder

2009-03-21 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2009-03-26 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2001-07-26 12:23]
.
- - - - ORPHANS REMOVED - - - -

BHO-{203c2c6b-2728-4354-afee-ecc637265e53} - (no file)
BHO-{7ca96687-582d-46ab-bee2-9c1d8b4211aa} - (no file)
BHO-{8f5f8292-6039-4d40-ab16-8e796a9c164c} - (no file)
BHO-{b3b82ecf-c03c-4e54-bdaf-40f909526325} - (no file)
BHO-{b5e3556a-e9d6-4fd7-82d7-945356e19e37} - (no file)
BHO-{e498d2ea-5a09-4290-90dd-f82f7db74159} - (no file)
HKLM-Run-Bkufubadero - c:\windows\ipucuguvekanuga.dll
HKLM-Run-0cd284d5 - c:\windows\system32\zumidiba.dll
HKLM-Run-CPM0fe1b749 - c:\windows\system32\kosuyapu.dll


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.rr.com/flash/index.cfm
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mStart Page = about:blank
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-inc&channel=us
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://www.yahoo.com
IE: &Google Search - c:\program files\google\GoogleToolbar2.dll/cmsearch.html
IE: &Translate English Word - c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm
IE: Backward Links - c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\google\GoogleToolbar2.dll/cmcache.html
IE: Similar Pages - c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
IE: Translate Page into English - c:\program files\google\GoogleToolbar2.dll/cmtrans.html
IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - file:///c:\program files\Yahoo!\Common/ycsms.htm
DPF: {00140000-B1BA-11CE-ABC6-F5B2E79D9E3F} - hxxp://www.cabarrusncrod.org/controls/LTOCX14N.cab
DPF: {9841D1AE-9C0B-11D3-9452-00105A098C21} - hxxp://www.cabarrusncrod.org/controls/prntpro2.CAB
DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} - hxxp://24.172.119.98/activex/AMC.cab
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-25 20:13:02
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(672)
c:\windows\System32\BCMLogon.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\WLTRYSVC.EXE
c:\windows\system32\BCMWLTRY.EXE
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\windows\system32\inetsrv\inetinfo.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Norton AntiVirus\Navapsvc.exe
c:\program files\Dell\NicConfigSvc\NicConfigSvc.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\igfxsrvc.exe
c:\windows\ehome\ehmsas.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2009-03-25 20:19:57 - machine was rebooted
ComboFix-quarantined-files.txt 2009-03-26 00:19:53
ComboFix2.txt 2009-03-24 15:16:50
ComboFix3.txt 2007-08-07 23:51:32

Pre-Run: 4,568,956,928 bytes free
Post-Run: 4,554,121,216 bytes free


Last edited by Pitbull_1973; 03-25-2009 at 07:02 PM.
Pitbull_1973 is offline  
Old 03-25-2009, 06:59 PM   #8 (permalink)
Registered User
 
Join Date: Mar 2009
Posts: 26
OS: XP


Re: Several problems

Also, I took your advice to reinstall an antivirus software. I have an old trial for Norton AV, but I can't get it to update the virus definitions, so I'm essentially without AV protection. Are there any free AV packages that you would recommend?
Pitbull_1973 is offline  
Old 03-25-2009, 09:41 PM   #9 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,925
OS: WinXP and Vista


Re: Several problems

Hi Pitbull_1973,

You did well leaving that WinSxS alone, as that one is the legit one. The other must be gone, with only the registry key remaining.

Spybot's TeaTimer is putting reg entries back in that we're trying to take out. Please disable it until we're through here.

Right-click the Spybot Icon in the System Tray (looks like a blue/white calendar with a padlock symbol)
  • If you have the new version 1.5, Click once on Resident Protection, then Right click the Spybot icon again and make sure Resident Protection is now Unchecked. The Spybot icon in the System tray should now be colorless.
  • If you have Version 1.4, Click on Exit Spybot S&D Resident
Next, launch Spybot S&D
  • Click Mode, choose Advanced Mode
  • Go To the bottom of the Vertical Panel on the Left, Click Tools
  • then, also in the left panel, click Resident (shows a red/white shield).
  • If your firewall raises a question, say OK
  • In the Resident protection status frame, Uncheck the box labeled Resident "Tea-Timer"(Protection of over-all system settings) active
  • OK any prompts.
  • Use File, Exit to terminate Spybot
  • Reboot your machine for the changes to take effect.
==================================


Disable Norton. Right click the icon in the system tray and exit or disable.


==================================


Open notepad and copy/paste the text in the code box below into it:

Quote:

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Dkthutvx"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__c00D95B0]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
Save this as "CFScript.txt", and as Type: All Files (*.*)
in the same location as ComboFix.exe

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt


--------------------------------------------------------------------

Did you or your wife intentionally set this webpage for your desktop background? c:\program files\Online Services\vilogove.html

If not, go to Control Panel click Display>Desktop>Customize Desktop>Web> Now, Uncheck everything and delete everything except 'My Current Home Page'

Also make sure the 'Lock desktop items' box is unticked. Click OK, and then Click Apply, then OK.

--------------------------------------------------------------------

Avira AntiVir is an excellent free AV. Download the Avira AntiVir PersonalEdition Classic edition, but do not install it yet as it's never a good idea to have more than 1 AV installed at a given time.
  • Uninstall Norton via the Add or Remove programs panel and reboot.
  • Now you may proceed with installing Avira AntiVir. Be sure to allow it to update.
Ried is offline  
Old 03-26-2009, 08:41 AM   #10 (permalink)
Registered User
 
Join Date: Mar 2009
Posts: 26
OS: XP


Re: Several problems

Ok, I disabled Spybot's Tea Timer and Norton. Norton actually had a Script blocker running also, so I disabled that as well. I ran ComboFix, deleted the vilogove.html reference as you instructed, reset the correct image for my desktop background, and downloaded the personal version of Avira AV (I couldn't find a personal classic version, but I'm assuming the one I got is what you meant.). I have uninstalled Norton and am installing Avira as I post this.

Oh, one thing, though. After dropping the CFScript.txt into ComboFix.exe and the scan began, I got a message saying that a newer version of ComboFix was available, did I want to download it. I answered yes, but am wondering if I should have done that, as it may have replaced the CFScript.txt that I had supplied with a default CFScript. If this is the case, just let me know and I can re-run ComboFix with the correct Script.


Here is my ComboFix log:

ComboFix 09-03-25.03 - Brad Blanton 2009-03-26 10:20:46.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2038.1608 [GMT -4:00]
Running from: c:\documents and settings\Brad Blanton\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\Brad Blanton\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2009-02-26 to 2009-03-26 )))))))))))))))))))))))))))))))
.

2009-03-24 11:38 . 2009-03-24 11:38 <DIR> d-------- c:\program files\Symantec
2009-03-24 11:38 . 2009-03-24 11:42 <DIR> d-------- c:\program files\Norton AntiVirus
2009-03-24 11:38 . 2009-03-24 11:38 <DIR> d-------- c:\program files\Common Files\Symantec Shared
2009-03-24 11:38 . 2009-03-24 11:38 <DIR> d-------- c:\documents and settings\Brad Blanton\Application Data\Symantec
2009-03-24 11:38 . 2009-03-24 11:39 <DIR> d-------- c:\documents and settings\All Users\Application Data\Symantec
2009-03-24 11:38 . 2001-08-15 15:20 120,379 --a------ c:\windows\system32\SYMEVNT.386
2009-03-24 11:38 . 2001-08-15 15:20 57,696 --a------ c:\windows\system32\drivers\SYMEVENT.SYS
2009-03-24 11:38 . 2001-08-15 15:20 36,864 --a------ c:\windows\system32\S32EVNT1.DLL
2009-03-24 11:38 . 2001-08-15 15:20 4,032 --a------ c:\windows\system32\SYMEVNT1.DLL
2009-03-23 23:53 . 2009-03-23 23:53 54 --a------ c:\windows\winpoint.ini
2009-03-17 00:31 . 2009-03-17 00:31 <DIR> d-------- c:\documents and settings\Brad Blanton\Application Data\Microsoft Games
2009-03-17 00:22 . 2009-03-17 00:22 <DIR> d-------- c:\program files\GameSpy Arcade
2009-03-17 00:18 . 2009-03-17 00:18 <DIR> d-------- c:\program files\Microsoft Games

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-24 03:56 --------- d-----w c:\program files\SUPERAntiSpyware
2009-03-24 03:56 --------- d-----w c:\documents and settings\Brad Blanton\Application Data\SUPERAntiSpyware.com
2009-03-24 03:55 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-03-24 03:48 --------- d-----w c:\documents and settings\All Users\Application Data\~0
2009-03-24 03:47 --------- d-----w c:\program files\Axis Communications
2009-03-22 11:33 84,992 --sha-w c:\windows\system32\suluyeba.dll
2009-03-21 22:45 79,872 --sha-w c:\windows\system32\todolaze.dll
2009-03-13 02:56 --------- d-----w c:\documents and settings\Brad Blanton\Application Data\Move Networks
2009-03-01 15:39 6,580 --sha-w c:\windows\system32\KGyGaAvL.sys
2009-02-06 04:19 --------- d-----w c:\program files\Panda Security
2009-02-06 02:52 --------- d-----w c:\program files\CleanUp!
2009-01-28 15:56 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-01-28 15:50 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-01-28 15:27 --------- d-----w c:\program files\TeaTimer (Spybot - Search & Destroy)
2009-01-28 15:27 --------- d-----w c:\program files\SDHelper (Spybot - Search & Destroy)
2009-01-28 15:27 --------- d-----w c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2009-01-28 15:27 --------- d-----w c:\program files\File Scanner Library (Spybot - Search & Destroy)
2009-01-24 01:30 410,984 ----a-w c:\windows\system32\deploytk.dll
2007-07-28 22:25 905 ----a-w c:\program files\uninstal.log
.

((((((((((((((((((((((((((((( SnapShot@2009-03-24_11.15.49.17 )))))))))))))))))))))))))))))))))))))))))
.
+ 2001-08-03 23:22:00 182,896 ----a-w c:\windows\system32\drivers\NAVAP.SYS
+ 2001-08-06 16:09:54 10,592 ----a-w c:\windows\system32\drivers\symdns.sys
+ 2001-08-06 16:10:00 56,064 ----a-w c:\windows\system32\drivers\symfw.sys
+ 2001-08-06 16:10:04 26,304 ----a-w c:\windows\system32\drivers\symndis.sys
+ 2001-08-06 16:10:20 14,120 ----a-w c:\windows\system32\drivers\symredrv.sys
+ 2001-08-06 16:10:24 131,040 ----a-w c:\windows\system32\drivers\symtdi.sys
- 2009-03-24 15:08:02 226,899 ----a-w c:\windows\system32\inetsrv\MetaBase.bin
+ 2009-03-26 13:58:16 226,889 ----a-w c:\windows\system32\inetsrv\MetaBase.bin
+ 2001-08-06 16:10:14 29,808 ----a-w c:\windows\system32\SymRedir.dll
+ 2009-03-26 13:58:09 16,384 ----atw c:\windows\temp\Perflib_Perfdata_21c.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2005-08-18 307200]
"igndlm.exe"="c:\program files\Download Manager\DLM.exe" [2007-03-05 1103480]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-10 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ShowLOMControl"="1 (0x1)" [X]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-12-14 98304]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-12-14 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-12-14 118784]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-23 136600]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2005-12-19 1347584]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2005-12-06 839680]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-11-29 761947]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-12-09 49152]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2006-03-19 26112]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"Corel Photo Downloader"="c:\program files\Corel\Corel Photo Album 6\MediaDetect.exe" [2005-08-31 106496]
"MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2005-08-12 1121792]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"NAV Agent"="c:\progra~1\NORTON~1\navapw32.exe" [2001-08-16 74832]
"SigmatelSysTrayApp"="stsystra.exe" [2005-11-16 c:\windows\stsystra.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2007-03-07 5181440]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-24 29696]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-03-19 24576]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-02-17 65588]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\WINDOWS\\system32\\msiexec.exe"=
"c:\\Program Files\\Microsoft Games\\Rise of Nations\\rise.exe"=
"c:\\WINDOWS\\system32\\wbem\\wmiprvse.exe"=
"c:\\Program Files\\Dell\\NicConfigSvc\\NicConfigSvc.exe"=

S3 VSPerfDrv90;Performance Tools Driver 9.0;c:\program files\Microsoft Visual Studio 9.0\Team Tools\Performance Tools\VSPerfDrv90.sys [2007-09-04 55664]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [2006-12-02 2805000]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe
.
Contents of the 'Scheduled Tasks' folder

2009-03-21 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2009-03-26 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2001-07-26 12:23]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.rr.com/flash/index.cfm
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mStart Page = about:blank
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-inc&channel=us
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://www.yahoo.com
IE: &Google Search - c:\program files\google\GoogleToolbar2.dll/cmsearch.html
IE: &Translate English Word - c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm
IE: Backward Links - c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\google\GoogleToolbar2.dll/cmcache.html
IE: Similar Pages - c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
IE: Translate Page into English - c:\program files\google\GoogleToolbar2.dll/cmtrans.html
IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - file:///c:\program files\Yahoo!\Common/ycsms.htm
DPF: {00140000-B1BA-11CE-ABC6-F5B2E79D9E3F} - hxxp://www.cabarrusncrod.org/controls/LTOCX14N.cab
DPF: {9841D1AE-9C0B-11D3-9452-00105A098C21} - hxxp://www.cabarrusncrod.org/controls/prntpro2.CAB
DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} - hxxp://24.172.119.98/activex/AMC.cab
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-26 10:25:32
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(884)
c:\windows\System32\BCMLogon.dll
.
Completion time: 2009-03-26 10:29:31
ComboFix-quarantined-files.txt 2009-03-26 14:29:23
ComboFix2.txt 2009-03-26 00:19:58
ComboFix3.txt 2009-03-24 15:16:50
ComboFix4.txt 2007-08-07 23:51:32

Pre-Run: 4,491,362,304 bytes free
Post-Run: 4,477,497,344 bytes free


Last edited by Pitbull_1973; 03-26-2009 at 08:44 AM.
Old 03-26-2009, 07:56 PM   #11 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,925
OS: WinXP and Vista


Re: Several problems

Good work, Pitbull_1973.

I missed 2 files in my last script, sorry about that:

Using 'My Computer', navigate to and delete the following Files: (Right click and select 'Delete'):

c:\windows\system32\suluyeba.dll
c:\windows\system32\todolaze.dll



**If any of the above resist deletion, boot into Safe Mode to delete

======================================

Lastly, it's important to run this online scan to search for any remnants. It can take some time, so please be patient and allow it to run its full course:

Using Internet Explorer or Firefox, visit http://www.kaspersky.com/kos/eng/par...avwebscan.html

1. Click Accept, when prompted to download and install the program files and database of malware definitions.


2. To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan

3. Click Run at the Security prompt. The program will then begin downloading and installing and will also update the database. Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.



  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply

---------------------------------------------------------------

Please include the following in your next reply:

Kaspersky results
Update on system behavior
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
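The two DLLs Ried picked out of the ComboFix log above (suluyeba.dll and todolaze.dll) stand out for their attribute string: --sha-w marks a file that carries both the system and hidden attributes, which is unusual for a legitimate executable in system32, and the names are random eight-letter strings. The same log records a disabled Windows Firewall ("EnableFirewall"= 0) and an AutoRun command on a mount point. The Python below is an added example for this thread, not ComboFix's own code and not anything Ried posted: it parses the line layout visible in the log above and pulls those three signals out. The regexes follow that layout and are an assumption to re-check against other ComboFix versions; the sample log is an excerpt of the one posted above.

```python
"""Triage a ComboFix log for the signals an analyst checks first.

Added example for this thread; not ComboFix's own code and not anything
posted by Ried. The regexes follow the line layout visible in the posted
log and are an assumption to re-check against other ComboFix versions.
"""
import re

# Excerpt of the ComboFix log posted above (Find3M, Files Created and
# Reg Loading Points lines), used here as sample input.
SAMPLE_LOG = r"""
2009-03-24 03:56 --------- d-----w c:\program files\SUPERAntiSpyware
2009-03-22 11:33 84,992 --sha-w c:\windows\system32\suluyeba.dll
2009-03-21 22:45 79,872 --sha-w c:\windows\system32\todolaze.dll
2009-03-01 15:39 6,580 --sha-w c:\windows\system32\KGyGaAvL.sys
2009-01-24 01:30 410,984 ----a-w c:\windows\system32\deploytk.dll
2009-03-24 11:38 . 2001-08-15 15:20 57,696 --a------ c:\windows\system32\drivers\SYMEVENT.SYS
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe
"""

# One file entry: timestamp [. second timestamp] size attributes path.
# The attribute token is ComboFix's own shorthand (d=directory, s=system,
# h=hidden, a=archive, w=writable), e.g. --sha-w, ----a-w or d-----w.
FILE_LINE = re.compile(
    r"^(?P<t1>\d{4}-\d{2}-\d{2} \d{2}:\d{2})"
    r"(?:\s+\.\s+(?P<t2>\d{4}-\d{2}-\d{2} \d{2}:\d{2}))?"
    r"\s+(?P<size><DIR>|[\d,]+|-+)"
    r"\s+(?P<attrs>[-a-z]+)"
    r"\s+(?P<path>[a-z]:\\.+?)\s*$",
    re.IGNORECASE,
)
# MountPoints2 autorun line as ComboFix prints it.
AUTORUN_LINE = re.compile(
    r"^\\Shell\\AutoRun\\command\s+-\s+(?P<cmd>.+?)\s*$", re.IGNORECASE
)
EXEC_EXT = (".dll", ".sys", ".exe", ".386", ".drv", ".ocx")


def hidden_system_executables(log):
    """Paths under \\system32 with an executable extension that carry both
    the system (s) and hidden (h) attributes. A strong triage signal, not a
    verdict: some licensing files legitimately look the same."""
    hits = []
    for line in log.splitlines():
        m = FILE_LINE.match(line.strip())
        if not m:
            continue
        attrs = m["attrs"].lower()
        path = m["path"]
        low = path.lower()
        if "s" in attrs and "h" in attrs and "\\system32\\" in low \
                and low.endswith(EXEC_EXT):
            hits.append(path)
    return hits


def firewall_disabled(log):
    """True when the standard-profile firewall policy shows EnableFirewall = 0.
    The value is read only inside the matching [..firewallpolicy\\standardprofile] key."""
    in_profile = False
    for line in log.splitlines():
        s = line.strip()
        if s.startswith("["):
            in_profile = "firewallpolicy\\standardprofile]" in s.lower()
        elif in_profile and s.lower().startswith('"enablefirewall"'):
            return s.split("=", 1)[1].strip().startswith("0")
    return False


def mountpoint_autoruns(log):
    """Commands Explorer would run when the recorded volume is opened."""
    cmds = []
    for line in log.splitlines():
        m = AUTORUN_LINE.match(line.strip())
        if m:
            cmds.append(m["cmd"])
    return cmds


if __name__ == "__main__":
    print("hidden+system executables:", hidden_system_executables(SAMPLE_LOG))
    print("firewall disabled:", firewall_disabled(SAMPLE_LOG))
    print("mountpoint autoruns:", mountpoint_autoruns(SAMPLE_LOG))
```

Run against the excerpt, the first check returns suluyeba.dll and todolaze.dll, the two files Ried missed in the earlier script, and also KGyGaAvL.sys, which carries the same attributes but is the Macrovision/SafeCast licensing file that legitimate software installs; Ried correctly left it alone. The output is therefore a list for a human to confirm, not a deletion list, and the same goes for the AutoRun entry, which is worth checking against the volume it belongs to before acting on it.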
Old 03-27-2009, 02:25 AM   #12 (permalink)
Registered User
 
Join Date: Mar 2009
Posts: 26
OS: XP


Re: Several problems

Ok, I have completed your last instructions.

When I fired up my laptop to delete the 2 .dll files you mentioned, Avira AV caught them and I told it to delete them.

I also ran the Kaspersky scan. Here is the log:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Friday, March 27, 2009
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Friday, March 27, 2009 03:31:58
Records in database: 1975013
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\

Scan statistics:
Files scanned: 129884
Threat name: 14
Infected objects: 16
Suspicious objects: 0
Duration of the scan: 02:01:40


File name / Threat name / Threats count
C:\164.tmp Infected: Trojan-Downloader.Win32.PurityScan.eg 1
C:\QooBox\Quarantine\C\Documents and Settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\msas2009.exe.vir Infected: Trojan-Downloader.Win32.FraudLoad.dsq 1
C:\QooBox\Quarantine\C\DOCUME~1\BRADBL~1\LOCALS~1\Temp\mousehook.dll.vir Infected: Trojan-Downloader.Win32.Agent.bneb 1
C:\QooBox\Quarantine\C\DOCUME~1\BRADBL~1\LOCALS~1\Temp\ntdll64.dll.vir Infected: Trojan.Win32.Agent.bwns 1
C:\QooBox\Quarantine\C\WINDOWS\Hpilox.dll.vir Infected: Trojan-Downloader.Win32.Agent.boaj 1
C:\QooBox\Quarantine\C\WINDOWS\system32\1000.exe.vir Infected: Trojan-Downloader.Win32.Tibs.ajc 1
C:\QooBox\Quarantine\C\WINDOWS\system32\ntdll64.exe.vir Infected: Trojan-Dropper.Win32.Agent.akbk 1
C:\QooBox\Quarantine\C\WINDOWS\system32\prunnet.exe.vir Infected: Trojan.Win32.Agent.bwvn 1
C:\QooBox\Quarantine\C\WINDOWS\system32\senekabpfmbqpx.dll.vir Infected: Trojan.Win32.Tdss.vcg 1
C:\QooBox\Quarantine\C\WINDOWS\system32\senekahtiqxbwp.dll.vir Infected: Trojan.Win32.Tdss.sbm 1
C:\QooBox\Quarantine\C\WINDOWS\system32\senekamotqqveu.dll.vir Infected: Trojan.Win32.Tdss.sbq 1
C:\QooBox\Quarantine\C\WINDOWS\system32\userinit.exe.vir Infected: Trojan-Dropper.Win32.Agent.akbk 1
C:\QooBox\Quarantine\C\WINDOWS\temp\ntdll64.dll.vir Infected: Trojan.Win32.Agent.bwns 1
C:\QooBox\Quarantine\[4]-Submit_2009-03-25@20.05.zip Infected: Trojan.Win32.Agent2.gbf 1
C:\QooBox\Quarantine\[4]-Submit_2009-03-25@20.05.zip Infected: Trojan-Downloader.Win32.Agent.bmhl 1
C:\QooBox\Quarantine\[4]-Submit_2009-03-25@20.05.zip Infected: Trojan-Downloader.Win32.Agent.boai 1

The selected area was scanned.

--------------------------------------------------------------------------
--------------------------------------------------------------------------

As for system performance, everything appears to be working the way it should. The only difference that I have noticed is that I am missing a couple of icons in my taskbar tray. I'm missing the icon that monitors the status of my wireless network connection, the icon that monitors my wired connection and my volume control icon. Not sure what we turned off that got rid of them, but they are no longer there. Not a big issue, just a difference. Other than that, everything looks good so far.

Last edited by Pitbull_1973; 03-27-2009 at 02:32 AM.
Old 03-27-2009, 08:59 PM   #13 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,925
OS: WinXP and Vista


Re: Several problems

Hi Pitbull_1973

Delete this file:

C:\164.tmp

===============

Quote:
I'm missing the icon that monitors the status of my wireless network connection, the icon that monitors my wired connection and my volume control icon. Not sure what we turned off that got rid of them, but they are no longer there.
How long have they been missing? If it just happened, it may have something to do with the Online Services webpage in your Desktop.

Is the vilogove.html file still in your Recycle Bin? If so, restore it and see if that brings back those icons.
Old 03-27-2009, 09:34 PM   #14 (permalink)
Registered User
 
Join Date: Mar 2009
Posts: 26
OS: XP


Re: Several problems

164.tmp is deleted.

I did notice several other .tmp files that I don't believe were there before, however. I have 170.tmp, 171.tmp, 177.tmp & 178.tmp files all in the same location as 164.tmp.

And as for the missing icons...
I'm really not sure when they disappeared. I want to say after the first or second round of ComboFix, but I can't be certain about that. My Recycle bin is empty, so I can't restore the vilogove.html file.

I was able to get the icons back temporarily, though. I went to Control Panel -> Sounds and Audio Devices and noticed that "Place volume icon in taskbar" was unchecked. I checked it and my Volume Control, Battery Meter (which I hadn't realized was missing also), Local Area Connection monitor & Wireless Network Connection monitor icons all appeared in the tray as they should. However, when I reboot, they are gone again.
Old 03-28-2009, 11:44 AM   #15 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,925
OS: WinXP and Vista


Re: Several problems

Open Notepad and copy/paste the contents in the quotebox below, into Notepad.

Quote:
regedit /a peek.txt "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32"
start notepad peek.txt
Save this as look.bat. Choose "Save type as - All Files".
It should look like this:

Double click on look.bat & allow it to run. Then post the log which it produces.
Old 03-28-2009, 07:35 PM   #16 (permalink)
Registered User
 
Join Date: Mar 2009
Posts: 26
OS: XP


Re: Several problems

Here is the look.bat log:

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32]
"midimapper"="midimap.dll"
"msacm.imaadpcm"="imaadp32.acm"
"msacm.msadpcm"="msadp32.acm"
"msacm.msg711"="msg711.acm"
"msacm.msgsm610"="msgsm32.acm"
"msacm.trspch"="tssoft32.acm"
"vidc.cvid"="iccvid.dll"
"vidc.I420"="msh263.drv"
"vidc.iv31"="ir32_32.dll"
"vidc.iv32"="ir32_32.dll"
"vidc.iv41"="ir41_32.ax"
"vidc.iyuv"="iyuv_32.dll"
"vidc.mrle"="msrle32.dll"
"vidc.msvc"="msvidc32.dll"
"vidc.uyvy"="msyuv.dll"
"vidc.yuy2"="msyuv.dll"
"vidc.yvu9"="tsbyuv.dll"
"vidc.yvyu"="msyuv.dll"
"wavemapper"="msacm32.drv"
"msacm.msg723"="msg723.acm"
"vidc.M263"="msh263.drv"
"vidc.M261"="msh261.drv"
"msacm.msaudio1"="msaud32.acm"
"msacm.sl_anet"="sl_anet.acm"
"msacm.iac2"="C:\\WINDOWS\\system32\\iac25_32.ax"
"vidc.iv50"="ir50_32.dll"
"msacm.l3acm"="C:\\WINDOWS\\system32\\l3codeca.acm"
"wave"="wdmaud.drv"
"midi"="wdmaud.drv"
"mixer"="wdmaud.drv"
"msacm.voxacm160"="vct3216.acm"
"msacm.scg726"="scg726.acm"
"msacm.alf2cd"="alf2cd.acm"
"msacm.ac3acm"="AC3ACM.acm"
"vidc.dvsd"="mcdvd_32.dll"
"vidc.xvid"="xvidvfw.dll"
"vidc.DIVX"="DivX.dll"
"vidc.mpg4"="mpg4c32.dll"
"vidc.mp42"="mpg4c32.dll"
"vidc.mp43"="mpg4c32.dll"
"aux"="wdmaud.drv"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\Terminal Server]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\Terminal Server\RDP]
"wave"="rdpsnd.dll"
"mixer"="rdpsnd.dll"
"MaxBandwidth"=dword:000056b9
"wavemapper"="msacm32.drv"
"EnableMP3Codec"=dword:00000001
"midimapper"="midimap.dll"
Old 03-28-2009, 09:07 PM   #17 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,925
OS: WinXP and Vista


Re: Several problems

Those seem to be in order. Let's have a look at another key.

Open Notepad and copy/paste the contents in the quote box below, into Notepad.

Quote:
regedit /a peek.txt "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad"
start notepad peek.txt
Save this as systraylook.bat. Choose "Save type as - All Files".
It should look like this:

Double click on the .bat & allow it to run. Then post the log which it produces.
Old 03-29-2009, 08:30 AM   #18 (permalink)
Registered User
 
Join Date: Mar 2009
Posts: 26
OS: XP


Re: Several problems

Here is the systraylook.bat log:

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"UPnPMonitor"="{e57ce738-33e8-4c51-8354-bb4de9d215d1}"
Old 03-29-2009, 12:09 PM   #19 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,925
OS: WinXP and Vista


Re: Several problems

Set your icons to be displayed in the Control Panel as you did before (if they haven't already been checked).

Download the attached Pitbull.zip file to your desktop.

Double click on the zip folder, then double click on the .reg file within. Click yes to allow it to merge into your registry.

Reboot.

Did the icons load in the tray this time after reboot?

Last edited by Ried; 09-19-2009 at 10:33 AM.
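Ried's look.bat and systraylook.bat export two keys that this family of infections abuses for persistence: Drivers32, whose values name codec modules loaded into any process that touches audio or video, and ShellServiceObjectDelayLoad (SSODL), whose CLSIDs Explorer instantiates at logon. The SSODL export posted above contains only UPnPMonitor. On a default XP install that key also carries a SysTray entry, which loads stobject.dll, the component that draws the volume, battery and network icons; its absence matches the symptom of icons that vanish on every reboot, and a .reg merge is the natural way to put it back. The Python below is an added example for this thread, not Ried's .reg file and not any tool's own code: it parses a regedit /a export in the REGEDIT4 format shown above and audits both keys. KNOWN_SSODL is my baseline of the default XP entries and is an assumption to verify against a clean machine of the same build; the sample export is the posted SSODL export plus constructed Drivers32 lines, with one hypothetical hijack entry added to each key so that a hit is visible.

```python
"""Audit SSODL and Drivers32 from a 'regedit /a' export.

Added example for this thread; not Ried's .reg file and not any tool's own
code. KNOWN_SSODL is an assumed baseline of the default Windows XP entries.
"""
import re

SSODL = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad"
DRIVERS32 = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32"

# Assumed default XP SSODL entries (verify against a clean machine).
# SysTray loads stobject.dll, which draws the volume/battery/network icons.
KNOWN_SSODL = {
    "PostBootReminder": "{7849596a-48ea-486e-8937-a2a3009f31a9}",
    "CDBurn": "{fbeb8a05-beee-4442-804e-409d6c4515e9}",
    "WebCheck": "{E6FB5E20-DE35-11CF-9C87-00AA005127ED}",
    "SysTray": "{35CEC8A3-2BE6-11D2-8773-92E220524153}",
    "UPnPMonitor": "{e57ce738-33e8-4c51-8354-bb4de9d215d1}",
}

# Constructed sample: the SSODL export posted in the thread plus Drivers32
# lines. "example_hijack" and "midi9" are hypothetical, added to show hits.
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"UPnPMonitor"="{e57ce738-33e8-4c51-8354-bb4de9d215d1}"
"example_hijack"="{11111111-2222-3333-4444-555555555555}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32]
"wave"="wdmaud.drv"
"msacm.l3acm"="C:\\WINDOWS\\system32\\l3codeca.acm"
"midi9"="C:\\DOCUME~1\\user\\LOCALS~1\\Temp\\example.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\Terminal Server\RDP]
"MaxBandwidth"=dword:000056b9
'''

_SECTION = re.compile(r"^\[(?P<key>[^\]]+)\]$")
_VALUE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"=(?P<data>.*)$')


def _unescape(s):
    """Undo .reg escaping: \\\\ -> \\ and \\" -> "."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text):
    """Return {key: {value_name: data}} for a REGEDIT4 text export.
    Quoted string data is unescaped; dword:/hex: data is kept verbatim."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = _SECTION.match(line)
        if m:
            current = keys.setdefault(m["key"], {})
            continue
        m = _VALUE.match(line)
        if m and current is not None:
            data = m["data"]
            if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
                data = _unescape(data[1:-1])
            current[_unescape(m["name"])] = data
    return keys


def audit_ssodl(keys):
    """Return (unknown, missing): entries whose CLSID is not in the baseline
    (possible hijack: every SSODL object runs inside Explorer at logon) and
    baseline entries absent from the key (lost SysTray = lost tray icons)."""
    present = keys.get(SSODL, {})
    known = {c.lower() for c in KNOWN_SSODL.values()}
    unknown = {n: c for n, c in present.items() if c.lower() not in known}
    have = {c.lower() for c in present.values()}
    missing = [n for n, c in KNOWN_SSODL.items() if c.lower() not in have]
    return unknown, missing


def audit_drivers32(keys):
    """Drivers32 values that point at a full path outside system32. A bare
    file name resolves from system32; a path into a profile or Temp folder
    is the pattern to look at."""
    odd = {}
    for name, data in keys.get(DRIVERS32, {}).items():
        low = data.lower()
        if "\\" in low and "\\system32\\" not in low:
            odd[name] = data
    return odd


if __name__ == "__main__":
    parsed = parse_reg_export(SAMPLE_EXPORT)
    unknown, missing = audit_ssodl(parsed)
    print("unknown SSODL entries:", unknown)
    print("missing default SSODL entries:", missing)
    print("odd Drivers32 entries:", audit_drivers32(parsed))
```

On the posted export this reports SysTray (and the other defaults) as missing and nothing unknown; the hypothetical lines in the sample are what a hijacked key looks like. When restoring a missing entry, merge only the known CLSID for the installed Windows build rather than a .reg file found on the web, since SSODL is exactly the key an attacker wants writable.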
Old 03-29-2009, 07:18 PM   #20 (permalink)
Registered User
 
Join Date: Mar 2009
Posts: 26
OS: XP


Re: Several problems

That took care of it. They are all loading on boot now.
 


Copyright 2001 - 2009, Tech Support Forum