
Virtumonde - Strange Startup Files: bepepono, dayevino, huholapu



melbeach
2008-11-24, 05:44
Yesterday (2008-11-22), I began having problems with Google redirects after conducting searches. Websites would open in new windows that related to my search queries. I tried to run Adaware and that would crash. Norton AV picked up nothing. I noticed the following strange startup options that had been added:

Startup Item: bepepono
Command: Rundll32.exe "C:\WINDOWS\system32\bepepono.dll",s
Location: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Startup Item: dayevino
Command: Rundll32.exe "c:\windows\system32\ dayevino.dll",a
Location: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Startup Item: huholapu
Command: Rundll32.exe "C:\WINDOWS\system32\ huholapu.dll",b
Location: SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Startup Item: dayevino
Command: Rundll32.exe "c:\windows\system32\ dayevino.dll",a
Location: SOFTWARE\Microsoft\Windows\CurrentVersion\Run

So I googled these terms and found absolutely nothing. I found it to be very strange that none of these words turned up a single solitary Google entry (bepepono, dayevino, huholapu). As soon as I would uncheck these items in startup, leave, then come back, they would be automatically rechecked. I tried deleting the actual dll files and it wouldn't let me.

So I found Spybot and that helped immensely! It found the following problems:

MS.WindowsSecurityCenter.FirewallBypass
Virtumonde.prx
Virtumonde

I ran Spybot a few more times, a couple times while not connected to the internet (per recommendation on one of the items). Yet the Google redirecting would still occur.

I then ran the Atribune ATF Cleaner. The Google redirecting stopped occurring. The strange startup items now allow me to uncheck them - all except for one:

Startup Item: dayevino
Command: Rundll32.exe "c:\windows\system32\ dayevino.dll",a
Location: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

This startup item always stays checked. So I am concerned that my computer is still infected. Here is my HJT log. You will notice all of the references to the above-named startup items:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:55:02 PM, on 11/23/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\System32\CTSvcCDA.exe
C:\Program Files\Matrox Graphics Inc\PowerDesk\Services\Matrox.PowerDesk.Services.exe
C:\Program Files\Matrox Graphics Inc\PowerDesk SE\Matrox.Pdesk.ServicesHost.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
C:\WINDOWS\system32\sessmgr.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\Tablet.exe
C:\WINDOWS\System32\tlntsvr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {ae3b64a3-732c-4b09-bc6a-45f4c916ecd2} - C:\WINDOWS\system32\subalavi.dll
O2 - BHO: Browser Helper Object - {AFD4AD01-58C1-47DB-A404-FBE00A6C5486} - C:\Program Files\Common\_helper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O4 - HKLM\..\Run: [zowafeduve] Rundll32.exe "C:\WINDOWS\system32\bepepono.dll",s
O4 - HKUS\S-1-5-19\..\Run: [zowafeduve] Rundll32.exe "C:\WINDOWS\system32\bepepono.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [zowafeduve] Rundll32.exe "C:\WINDOWS\system32\bepepono.dll",s (User 'NETWORK SERVICE')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.baisidirect.com
O15 - Trusted Zone: http://www.surfcam.net
O15 - Trusted Zone: http://www.surfguru.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1192966664312
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1222114178859
O18 - Filter hijack: text/html - {ae65d5e4-bcad-467e-b7ec-1aa065a492fe} - C:\WINDOWS\system32\mst120.dll
O20 - AppInit_DLLs: C:\WINDOWS\system32\pukovubu.dll c:\windows\system32\dayevino.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\dayevino.dll (file missing)
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\dayevino.dll (file missing)
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTSvcCDA.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Matrox Centering Service - Matrox Graphics Inc. - C:\Program Files\Matrox Graphics Inc\PowerDesk\Services\Matrox.PowerDesk.Services.exe
O23 - Service: Matrox.Pdesk.ServicesHost - Matrox Graphics Inc - C:\Program Files\Matrox Graphics Inc\PowerDesk SE\Matrox.Pdesk.ServicesHost.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\System32\Tablet.exe
O24 - Desktop Component 0: (no name) - http://assets.espn.go.com/i/espnradio/07/player/skin_livestream2.gif
O24 - Desktop Component 2: (no name) - http://espnradio.espn.go.com/espnradio/radiovideo?play=live

--
End of file - 7890 bytes

Any help would be very greatly appreciated. I'm almost there!
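As an added example, not part of the original post or any of the tools named in this thread, the following Python script applies the pattern visible in the HijackThis log above: random eight-to-ten-letter names that strictly alternate consonant and vowel (bepepono, dayevino, huholapu, subalavi, pukovubu, and the Run value zowafeduve), a rundll32 Run entry, an unnamed BHO, an O18 text/html filter hijack, a populated AppInit_DLLs value, and SSODL/SharedTaskScheduler entries whose DLL is missing. The consonant/vowel regex is my own heuristic, not a rule from HijackThis, and it has known false positives (setupapi.dll fits it); the sample lines are copied from the log posted above plus two benign lines that should not fire.

```python
"""Triage a HijackThis log for the Virtumonde/Vundo persistence pattern seen in this thread."""
import re
from dataclasses import dataclass

# Heuristic (my own, not from HijackThis): 8-10 lowercase letters strictly
# alternating consonant/vowel, the naming scheme of every DLL in the log above.
# Legitimate names can match too (setupapi), so a hit means "look", not "malware".
CV_NAME = re.compile(r"^(?:[bcdfghjklmnpqrstvwxyz][aeiou]){4,5}$")

HJT_LINE = re.compile(r"^(O\d+|R\d)\s+-\s+(.*)$")
# Drive-letter path ending in <name>.dll; spaces allowed because of "Program Files".
DLL_PATH = re.compile(r"[A-Za-z]:\\[^\",]*?\\([A-Za-z0-9_]+)\.dll", re.IGNORECASE)
RUN_VALUE = re.compile(r"\[([^\]]+)\]")          # the [name] of an O4 Run value


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def cv_pattern_name(name):
    """True if `name` looks machine-generated in the Vundo style."""
    return CV_NAME.match(name.lower()) is not None


def dll_basenames(text):
    """Base names (without .dll) of every DLL path in `text`, in order."""
    return [m.group(1) for m in DLL_PATH.finditer(text)]


def triage_line(line):
    """Return a Finding for one HJT line, or None if nothing stands out."""
    m = HJT_LINE.match(line.strip())
    if not m:
        return None
    section, body = m.groups()
    odd = [n for n in dll_basenames(body) if cv_pattern_name(n)]
    if section == "O2" and "(no name)" in body and odd:
        return Finding(section, f"unnamed BHO backed by random-named DLL {odd[0]}.dll", line)
    if section == "O4":
        value = RUN_VALUE.search(body)
        random_value = bool(value and cv_pattern_name(value.group(1)))
        if ("rundll32" in body.lower() and odd) or random_value:
            vname = value.group(1) if value else "?"
            return Finding(section, f"autostart with machine-generated names: value {vname}, DLLs {odd}", line)
    if section == "O18" and "Filter hijack" in body:
        return Finding(section, "MIME filter hijack: this DLL sees every text/html page the browser loads", line)
    if section == "O20" and body.startswith("AppInit_DLLs:"):
        if body[len("AppInit_DLLs:"):].strip():
            return Finding(section, "AppInit_DLLs populated: listed DLLs load into every user32-linked process", line)
    if section in ("O21", "O22") and ("(file missing)" in body or odd):
        return Finding(section, "shell-loaded object (SSODL/SharedTaskScheduler) pointing at a suspect DLL", line)
    return None


def triage_log(text):
    """All findings for a whole log, in file order."""
    return [f for f in map(triage_line, text.splitlines()) if f is not None]


# Lines copied from the HJT log posted above, plus two benign lines (Adobe BHO,
# Norton service) that must not produce a finding.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {ae3b64a3-732c-4b09-bc6a-45f4c916ecd2} - C:\WINDOWS\system32\subalavi.dll
O4 - HKLM\..\Run: [zowafeduve] Rundll32.exe "C:\WINDOWS\system32\bepepono.dll",s
O18 - Filter hijack: text/html - {ae65d5e4-bcad-467e-b7ec-1aa065a492fe} - C:\WINDOWS\system32\mst120.dll
O20 - AppInit_DLLs: C:\WINDOWS\system32\pukovubu.dll c:\windows\system32\dayevino.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\dayevino.dll (file missing)
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\dayevino.dll (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
"""

if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"{f.section}: {f.reason}\n    {f.line.strip()}")
```

The O18 and O20 checks fire on any entry, not only random-named ones, because a text/html MIME filter and AppInit_DLLs are load points that legitimate software almost never uses; the O21/O22 "(file missing)" condition catches the state in the log above where the DLL was deleted but the registry still references it, which is what keeps the entry reappearing in msconfig.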

pskelley
2008-11-25, 22:51
Welcome to Safer Networking. I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance) http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.

Make sure you read and follow the directions; anything else will slow the process and waste both our time. I suggest you keep this computer offline except when troubleshooting; the junk may download more. If you have any tool I use, delete it and download it new from the link I provide. Read and follow the directions carefully; the tools will not work unless you do.
The junk can be tough to remove, so do not expect fast or easy.

Not quite sure what this is, please be patient while we find out and remove it.

1) Post an uninstall list: Open Hijackthis.
Click the "Open the Misc Tools" section Button.
Click the "Open Uninstall Manager" Button.
Click the "Save list..." Button.
Save it to your desktop. Copy and paste the contents into your reply.
Image: http://img.bleepingcomputer.com/tutorials/hijackthis/uninstall-man.jpg


2) http://siri.geekstogo.com/SmitfraudFix.php <<< download Smitfraudfix from here and follow ONLY these directions.

Search:
Double-click SmitfraudFix.exe
Select 1 and hit Enter to create a report of the infected files. The report can be found at the root of the system drive, usually at C:\rapport.txt

Note: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool". It is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/processutil/processutil.htm

Post the C:\rapport.txt and the uninstall list.

Thanks

melbeach
2008-11-26, 00:17
pskelley, thanks so much for the help! Yeah, this is getting worse. The startup files seem to be random. It's like what I read: the files are random eight-letter names. Every now and then, it adds a new one. It's getting much harder to use the internet now. I haven't changed anything since I posted the first time. But it's going to be hard to not use the internet for troubleshooting.

I ran the HJT list, but Smitfraud didn't do much. It opened to a DOS window, but just sat there blinking. I left it for about 10 mins, but nothing. Searched the hdd for "rapport" and nothing. No new txt files at the C drive. I did get a new folder on my desktop called "SmitfraudFix". It contains 25 executables. Do I need to use one of these?

Here's the HJT Uninstall List:

Ad-Aware
Adobe Flash Player ActiveX
Adobe Photoshop CS
Adobe Reader 8.1.1
APC PowerChute Personal Edition
Audio MP3 Sound Recorder
Canon EOS Kiss REBEL 300D WIA Driver
Canon Utilities File Viewer Utility 1.3
Canon Utilities RemoteCapture 2.7
CC_ccStart
ccCommon
Compaq Monitor Driver (INF) Software 3.00
DAZzle
DeMoirize
DivX
DivX Player
DivX User Guide
Easy CD Creator 5 Basic
eDualHead
Eraser
FLV Player 2.0, build 24
HijackThis 2.0.2
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
HP PrecisionScan Pro 3.0
Intel(R) PRO Network Adapters and Drivers
Internet Explorer Q903235
IrfanView (remove only)
Java 2 Runtime Environment, SE v1.4.2_01
Java(TM) 6 Update 2
LiveReg (Symantec Corporation)
LiveUpdate 3.0 (Symantec Corporation)
Logitech MouseWare 9.78
Macromedia Dreamweaver MX 2004
Macromedia Extension Manager
Macromedia HomeSite+
Matrox Driver
Matrox PowerDesk-SE
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Data Access Components KB870669
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office 2000 Premium
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
ML-1450 Series
ML-1450 Series PS
MonacoOPTIX 2.0
Mozilla Firefox (3.0.3)
MSRedist
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MultipleIEs
Norton AntiVirus
Norton AntiVirus Parent MSI
Norton CleanSweep
Norton SystemWorks 2004
Norton SystemWorks 2004 (Symantec Corporation)
Norton Utilities
Norton WMI Update
NSW_DRM_COLLECTION
Opera 9.62
PDFCreator
QBFC2
QBImport
QuickBooks Pro 2002
QuickTime
RealPlayer
Road Runner Safe Storage
RoadRunner
Safari
Security Update for CAPICOM (KB931906)
Security Update for CAPICOM (KB931906)
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Sound Blaster PCI
Spybot - Search & Destroy
Symantec Script Blocking Installer
SymNet
Update for Windows XP (KB942763)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Wacom Tablet Driver
WD Diagnostics
Windows Genuine Advantage v1.3.0254.0
Windows Internet Explorer 7
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows Media Player 9 Hotfix [See KB885492 for more information]
Windows Messenger 5.0
Windows XP Service Pack 3
WinRAR archiver

pskelley
2008-11-26, 01:06
We need to get Smitfraudfix to run; I need the information it will provide. Read the instructions carefully. Turn off Norton/Symantec for the time you are downloading the program. That is what the disclaimer is for, to let you know your AV program may block a needed file.

Note: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool". It is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/processutil/processutil.htm


1) Remove any Smitfraudfix you have now, right click and delete it.

2) Exit Norton just for the time needed to download the program.

3) Download from here: http://siri.urz.free.fr/Fix/SmitfraudFix.exe

4) "Save this file now" and save it to your Desktop.

5) http://siri.urz.free.fr/Fix/SmitfraudFix.exe <<< look carefully at this information. Look at the screenshot so you will know what you will see when you double-click on the Smitfraudfix.exe.

Search:
Double-click SmitfraudFix.exe
Select 1 and hit Enter to create a report of the infected files. The report can be found at the root of the system drive, usually at C:\rapport.txt

That is as far as you go this time, the program will search for the infection, post the C:\rapport.txt

You can see another members report here, Post number 3 is what the report will look like.
http://forums.spybot.info/showthread.php?t=37078

Thanks

melbeach
2008-11-26, 02:48
Thanks for the help; I'm just not having any luck with this. I already had Norton disabled in the taskbar and in startup. So this time, I disabled all the Norton services I could find, through Computer Management. Shut down. (It wouldn't let me delete the Smitfraud folder until I shut down first.) Turned back on. Deleted the Smitfraud items. Emptied Recycle Bin. Shut down again. Turned back on. Made sure the Norton services I disabled were still disabled and not running. Went back to this page and downloaded the Smitfraud file from this page to desktop. Double-clicked and left it alone. Still just a blinking cursor. Then I went back and did it all again, but ran it while offline. Still just the blinking cursor. I can't think of any other ways to turn off Norton. Do I need to uninstall it? Well, it looks like I'm hitting a wall. There were three malignant dll file references checked in startup. I can't shut them off. Could the malware be preventing the software from running?

pskelley
2008-11-26, 13:14
Thanks for the feedback, and it is very possible malware is blocking Smitfraudfix. It is happening all over and I have never seen these files before.

Uninstall list: I look for malware and security issues and will not know all of your programs, but you should.

Hackers are using out-of-date programs to infect folks more and more.
Here is a small free tool that lets you know when something needs an update, if you are interested:
http://secunia.com/vulnerability_scanning/personal/ While PSI runs in the System Tray for realtime notifications, I personally prefer to turn it off in MSConfig and run it from All Programs when I want to do a check.

Adobe Reader 8.1.1 <<< out of date, see this:
http://news.cnet.com/8301-1009_3-10081618-83.html?tag=nl.e433
http://www.filehippo.com/download_adobe_reader/
(if you want a smaller program, look at this one)
Foxit Reader 2.3 for Windows
http://www.foxitsoftware.com/pdf/rd_intro.php

Java 2 Runtime Environment, SE v1.4.2_01 <<< very old
Java(TM) 6 Update 2
See this information:
http://forums.spybot.info/showpost.php?p=12880&postcount=2
Be aware of this information so you can opt out of anything you do not want.
Microsoft Does MSN Toolbar Distribution Deal With Java:
http://searchengineland.com/microsoft-does-msn-toolbar-distribution-deal-with-java-15413.php
Very old versions can be difficult to uninstall; if you have a problem, this tool will help:
http://www.majorgeeks.com/JavaRa_d5967.html


A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use

Download ComboFix from one of these locations:

Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
Link 3 (http://subs.geekstogo.com/ComboFix.exe)

* IMPORTANT !!! Save ComboFix.exe to your Desktop

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
See this Link (http://www.bleepingcomputer.com/forums/topic114351.html) for programs that need to be disabled and instruction on how to disable them.
Remember to re-enable them when we're done.


Double click on ComboFix.exe & follow the prompts.

As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


http://i24.photobucket.com/albums/c30/ken545/RcAuto1.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://i24.photobucket.com/albums/c30/ken545/whatnext.jpg

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a New Hijackthis log.

*If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.

Tutorial if needed
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Thanks

melbeach
2008-11-26, 17:13
Well, this is getting interesting. This post is real long, but here goes. It seems that Combofix will only run if I'm offline. I tried it a couple times with no luck. It would start to open, showing a bar that suggests it's starting. But then nothing. If I opened Task Manager, no programs were open. The next time, as soon as the combofix.exe downloaded from your site, I disconnected my internet connection real fast. Ran Combofix and that time, it worked. But I didn't continue because I was worried about not having the Windows Recovery Console. So I ran a backup to be safe. Here's some things I noticed:

After trying to run Combofix, its desktop icon moves from last of the icons to its proper spot in alphabetical order.

When I shut down, cmd.execf was still running in Task Manager. So I shut that off manually.

I tried renaming the Combofix file to fool the malware. That didn't work.

I have a new file on my root c: called "Bug.txt". Here are the contents:

PUSHD "C:\32788R22FWJFW\"

IF NOT EXIST C:\WINDOWS\system32\cmd.exe GOTO Not_NT

VER 1>OsVer

"C:\WINDOWS\system32\Find.exe" "5.2." OsVer

---------- OSVER

IF 1 == 0 GOTO Not_NT

"C:\WINDOWS\system32\Find.exe" "5.1.2" OsVer

---------- OSVER
Microsoft Windows XP [Version 5.1.2600]

IF 0 == 0 GOTO NT

=============================================

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\user01\Application Data
CFLDR=32788R22FWJFW
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=COMP01
ComSpec=C:\WINDOWS\system32\cmd.execf
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\user01
KMD=CF20764.exe
LOGONSERVER=\\COMP01
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\32788R22FWJFW;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\Common Files\Adaptec Shared\System
PATHEXT=.CFEXE;.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 2 Stepping 9, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0209
ProgramFiles=C:\Program Files
PROMPT=$
RKEY_=hklm\software\microsoft\windows nt\currentversion\windows
SESSIONNAME=Console
sfxcmd="C:\Documents and Settings\user01\Desktop\ComboFix.exe"
sfxname=C:\Documents and Settings\user01\Desktop\ComboFix.exe
SYSTEM=C:\WINDOWS\system32
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\user01\LOCALS~1\Temp
TMP=C:\DOCUME~1\user01\LOCALS~1\Temp
USERDOMAIN=COMP01
USERNAME=user01
USERPROFILE=C:\Documents and Settings\user01
windir=C:\WINDOWS

=============================================


IF NOT DEFINED sfxname GOTO END

-----------------------------------------------------End (not part of file)


Here are some other observations:

My system tray clock is now in military time and the font is different.

In the past week, Norton has stopped something from downloading a few times. I was on a website the first time it happened: http://www.cflsurf.com/. I've noticed that banner ads are getting really aggressive lately. They have audio, telling you that you've won something. Well, I'm convinced that one of these ads triggered the first incident. Here's the Norton info on it: http://securityresponse.symantec.com/security_response/writeup.jsp?docid=2008-080702-2357-99&tabid=2. At the time, I did some poking around and concluded that it was nothing to worry about, mainly based on this thread where the same thing was happening on a forum website: http://www.tdpri.com/forum/forum-problems-issues/127157-trojan-horse-virus-amp-forum-2.html. It looks like the ad is trying to access Flash and Norton doesn't like it.

Any time I click on a link in IE, another window opens. Here are some of the links that open:

http://gallimp.com/r_cmtp?u=http%3A%2F%2Furl.adtrgt.com%2Fcpv.jsp%3Fp%3D110380%26aid%3D411%26ip%3D65.33.169.238%26url%3Dhttp%253A%252F%252Fforums.spybot.info%252Fshowpost.php%253Fp%253D12880%2526postcount%253D2%26selectedKeyword%3Dshow%26selectedListingId%3D7388306%26default%3Dhttp%253A%252F%252Fgallimp.com%252Fsoft_fail%253Fc%253Dmg_ron2%2526b%253D4.4%2526affid%253D169011%2526cuid%253D5adf81c4b91411ddba2600304890471a%2526rid%253D606207&c=mg_ron2&b=1.584&o=4.4&cuid=7e31339542b7ed42878dd120cd8061c5&suid=5adf81c4b91411ddba2600304890471a&affid=169011&tid=red65z&rid=606207

http://zustaus.com/r_cmtp?u=http%3A%2F%2Furl.adtrgt.com%2Fcpv.jsp%3Fp%3D110380%26aid%3D411%26ip%3D65.33.169.238%26url%3Dhttp%253A%252F%252Fjava.sun.com%252Fjavase%252Fdownloads%252Findex.jsp%26selectedKeyword%3Ddownloads%26selectedListingId%3D7388302%26default%3Dhttp%253A%252F%252Fgallimp.com%252Fsoft_fail%253Fc%253Dmg_ron2%2526b%253D4.4%2526affid%253D169011%2526cuid%253D5adf81c4b91411ddba2600304890471a%2526rid%253D321683&c=mg_ron2&b=1.584&o=4.4&cuid=7e31339542b7ed42878dd120cd8061c5&suid=5adf81c4b91411ddba2600304890471a&affid=169011&tid=red65z&rid=321683

http://cowresti.com/r_cmtp?u=http%3A%2F%2Furl.adtrgt.com%2Fcpv.jsp%3Fp%3D110380%26aid%3D411%26ip%3D65.33.169.238%26url%3Dhttp%253A%252F%252Fforums.spybot.info%252Fshowthread.php%253Ft%253D37113%26selectedKeyword%3Dspybot%26selectedListingId%3D7388304%26default%3Dhttp%253A%252F%252Fgallimp.com%252Fsoft_fail%253Fc%253Dmg_ron2%2526b%253D4.4%2526affid%253D169011%2526cuid%253D5adf81c4b91411ddba2600304890471a%2526rid%253D502859&c=mg_ron2&b=1.584&o=4.4&cuid=7e31339542b7ed42878dd120cd8061c5&suid=5adf81c4b91411ddba2600304890471a&affid=169011&tid=red65z&rid=502859

One link references live scan 2009.

The power in the house flashed off for a split second. I use a UPS unit, so my computer stayed on. Could be coincidence, but the instant that happened, a new IE window opened like above. Normally, I have to click a link for that to happen.

Okay. So I haven't done anything else. I'm wondering how risky it would be to run Combofix without the Windows Recovery Console. Maybe I can start it with the internet disconnected. Then when it gets to the Windows Recovery Console part, I can plug it in and the malware won't be able to interfere at that point? I'll wait to see what you say. Thanks for your patience with this!

pskelley
2008-11-26, 17:20
Yes...you can run combofix without installing Recovery Console. If that does not work, try running it in safe mode. You can even try renaming it in case the malware is blocking it.

http://i266.photobucket.com/albums/ii277/sUBs_/combofix/CF_download_rename.gif
Double click on Combo-Fix.exe & follow the prompts.

melbeach
2008-11-26, 18:52
Wow, this was like pulling teeth. But I finally managed to run ComboFix. I had to turn services off, log off. Try again. I tried so many things, I was about to give up. So I lost track of what exact combination made this work.

Another thing: When ComboFix was trying to make its log, Norton popped up saying I had a virus. This suggests that the malware has control of my Norton. I know I had all signs of Norton off. I even had stopped all Norton related services in Computer Management. (Do I need to always do this?). Well the only option for this virus window was to stop it. It didn't allow me to select Allow. Sneaky. Well I knew this virus was actually Combofix trying to work because it had the same name as the ComboFix exe file that I renamed. So my only option was to enter Task Manager and turn off Norton that way. I did and eventually everything finished.

So here's combofix.txt:

ComboFix 08-11-26.03 - user01 2008-11-26 12:28:02.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1688 [GMT -5:00]
Running from: c:\documents and settings\user01\Desktop\asdfasfa.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Start Menu\Programs\Internet Explorer.lnk
c:\program files\Common\helper.dll
c:\program files\Common\helper.sig
c:\windows\system32\bepepono.dll
c:\windows\system32\bihofiye.dll
c:\windows\system32\butugagu.dll
c:\windows\system32\Cache
c:\windows\system32\ejemavun.ini
c:\windows\system32\ewedefav.ini
c:\windows\system32\hatutiza.dll
c:\windows\system32\huholapu.dll
c:\windows\system32\jayoriji.dll
c:\windows\system32\jijuwajo.dll
c:\windows\system32\lehelojo.dll
c:\windows\system32\nuvameje.dll
c:\windows\system32\ojawujij.ini
c:\windows\system32\osurehiz.ini
c:\windows\system32\pukovubu.dll
c:\windows\system32\subalavi.dll
c:\windows\system32\tudofeju.dll
c:\windows\system32\ugagutub.ini
c:\windows\system32\vafedewe.dll
c:\windows\system32\wayolelu.dll
c:\windows\system32\yofamemo.dll
c:\windows\system32\ziheruso.dll

.
((((((((((((((((((((((((( Files Created from 2008-10-26 to 2008-11-26 )))))))))))))))))))))))))))))))
.

2008-11-26 09:38 . 2008-11-26 12:27 <DIR> d-------- C:\ComboFix
2008-11-26 08:43 . 2008-11-26 08:43 410,976 --a------ c:\windows\system32\deploytk.dll
2008-11-26 08:43 . 2008-11-26 08:43 73,728 --a------ c:\windows\system32\javacpl.cpl
2008-11-23 21:17 . 2008-11-23 21:17 <DIR> d-------- c:\program files\Trend Micro
2008-11-23 15:26 . 2008-11-23 15:26 95 --a------ c:\windows\wininit.ini
2008-11-23 13:54 . 2008-11-23 14:14 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-11-23 13:54 . 2008-11-23 14:19 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-23 11:13 . 2008-11-23 11:13 <DIR> d-------- C:\ccd066084f53d0438d065ff286
2008-11-23 11:03 . 2008-11-23 11:03 <DIR> d-------- C:\725ff6cd28be1104e3bc64
2008-11-23 11:03 . 2008-10-24 06:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
2008-11-23 11:02 . 2008-09-04 12:15 1,106,944 --a------ c:\windows\system32\SET4C.tmp
2008-11-23 11:02 . 2008-09-04 12:15 1,106,944 --------- c:\windows\system32\SET13.tmp
2008-11-23 11:02 . 2008-09-04 12:15 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll
2008-11-23 11:00 . 2008-07-18 22:07 270,880 --a------ c:\windows\system32\mucltui.dll
2008-11-23 11:00 . 2008-07-18 22:07 29,728 --a------ c:\windows\system32\mucltui.dll.mui
2008-11-21 09:06 . 2008-11-22 23:04 54,156 --ah----- c:\windows\QTFont.qfn
2008-11-21 09:06 . 2008-11-21 09:06 1,409 --a------ c:\windows\QTFont.for
2008-11-10 18:14 . 2008-11-26 12:28 <DIR> d-------- c:\program files\Common
2008-11-03 19:30 . 2008-11-03 19:30 <DIR> d-------- c:\program files\MultipleIEs

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-26 13:42 --------- d-----w c:\program files\Java
2008-11-25 20:09 --------- d-----w c:\program files\QBImport
2008-11-23 06:27 --------- d-----w c:\program files\Bradbury
2008-10-31 03:07 --------- d-----w c:\program files\Opera
2008-10-25 00:41 --------- d-----w c:\program files\MSXML 4.0
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-14 18:44 --------- d--h--w c:\program files\InstallShield Installation Information
2008-10-01 19:37 --------- d-----w c:\program files\Safe Storage
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
backup=c:\windows\pss\America Online 9.0 Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AOL Companion.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\AOL Companion.lnk
backup=c:\windows\pss\AOL Companion.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^APC UPS Status.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\APC UPS Status.lnk
backup=c:\windows\pss\APC UPS Status.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Coloreal Visual.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Coloreal Visual.lnk
backup=c:\windows\pss\Coloreal Visual.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^eDualHead Toolbar.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\eDualHead Toolbar.lnk
backup=c:\windows\pss\eDualHead Toolbar.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Instant Update Reminder.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Instant Update Reminder.lnk
backup=c:\windows\pss\Instant Update Reminder.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^MonacoGamma.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\MonacoGamma.lnk
backup=c:\windows\pss\MonacoGamma.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^MonacoReminder.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\MonacoReminder.lnk
backup=c:\windows\pss\MonacoReminder.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks 2002 Delivery Agent.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks 2002 Delivery Agent.lnk
backup=c:\windows\pss\QuickBooks 2002 Delivery Agent.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Road Runner Safe Storage.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Road Runner Safe Storage.lnk
backup=c:\windows\pss\Road Runner Safe Storage.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^TabUserW.exe.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\TabUserW.exe.lnk
backup=c:\windows\pss\TabUserW.exe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^U.S. Robotics Internet Call Notification.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\U.S. Robotics Internet Call Notification.lnk
backup=c:\windows\pss\U.S. Robotics Internet Call Notification.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^user01^Start Menu^Programs^Startup^RoadRunner Setup Wizard.lnk]
path=c:\documents and settings\user01\Start Menu\Programs\Startup\RoadRunner Setup Wizard.lnk
backup=c:\windows\pss\RoadRunner Setup Wizard.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]
--------- 2003-03-26 10:15 684032 c:\program files\Roxio\Easy CD Creator 5\DirectCD\Directcd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
--------- 2006-03-09 11:47 71328 c:\program files\Common Files\Symantec Shared\CCAPP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CreativeMixer]
--------- 1999-11-18 05:01 20480 c:\program files\Creative\Audio\Program\Ctmix32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2008-04-13 19:12 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Matrox MultiDesktop]
--------- 2003-07-10 16:35 417792 c:\windows\system32\PowerDesk8\MultiDesk\pdmmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Matrox PowerDesk 8]
--------- 2003-09-10 11:16 77824 c:\windows\system32\PowerDesk8\PowerDesk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Matrox PowerDesk SE]
--------- 2008-06-11 15:33 2630664 c:\program files\Matrox Graphics Inc\PowerDesk SE\Matrox.PowerDesk SE.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--------- 2007-05-06 13:16 98304 c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
--------- 2007-05-06 13:05 214560 c:\program files\Real\RealPlayer\realplay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-11-26 08:43 136600 c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Symantec NetDriver Monitor]
--------- 2005-04-27 17:42 100056 c:\progra~1\SYMNET~1\SNDMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--------- 2007-05-06 13:05 185896 c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Utility]
--------- 2003-06-30 09:50 19968 c:\windows\LOGI_MWX.EXE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ctfmon.exe"=c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"zowafeduve"=Rundll32.exe "c:\windows\system32\bepepono.dll",s
"CPM27936735"=Rundll32.exe "c:\windows\system32\dayevino.dll",a
"MSConfig"=c:\windows\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Macromedia\\Dreamweaver MX 2004\\Dreamweaver.exe"=
"c:\\Program Files\\Lavasoft\\Ad-Aware\\aawservice.exe"=
"c:\\Program Files\\Common Files\\Symantec Shared\\CCPD-LC\\symlcsvc.exe"=
"c:\\WINDOWS\\system32\\Tablet.exe"=
"c:\\WINDOWS\\system32\\wuauclt.exe"=
"c:\\Program Files\\Matrox Graphics Inc\\PowerDesk SE\\Matrox.Pdesk.ServicesHost.exe"=
"c:\\WINDOWS\\system32\\services.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\jqs.exe"=

[HKLM\~\Services\\Matrox.PowerDesk.Services.exe"=]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1723:TCP"= 1723:TCP:@xpsp2res.dll,-22015
"1701:UDP"= 1701:UDP:@xpsp2res.dll,-22016
"500:UDP"= 500:UDP:@xpsp2res.dll,-22017

R1 Mtxparmx;Mtxparmx;c:\windows\system32\DRIVERS\Mtxparmx.sys [2008-09-22 5504]
R2 Matrox Centering Service;Matrox Centering Service;"c:\program files\Matrox Graphics Inc\PowerDesk\Services\Matrox.PowerDesk.Services.exe" [2008-06-11 586760]
R2 Matrox.Pdesk.ServicesHost;Matrox.Pdesk.ServicesHost;"c:\program files\Matrox Graphics Inc\PowerDesk SE\Matrox.Pdesk.ServicesHost.exe" [2008-06-11 189448]
R3 MTXPAR;MTXPAR;c:\windows\system32\DRIVERS\MTXPARM.sys [2008-09-22 1485568]
S2 P1C1394;Phase One 1394 Camera Driver;c:\windows\system32\Drivers\p1c1394.sys []
S3 Ccevdmrc_cr;Ccevdmrc_cr; []
S3 Gamrddss;Gamrddss; []
S3 Hiemrt;Hiemrt; []
S3 MTXPARH;MTXPARH;c:\windows\system32\DRIVERS\MTXPARHM.sys [2003-11-20 452736]
S3 Netdwssrrw;Netdwssrrw; []
S3 Nmlnkfkahta;Nmlnkfkahta; []
S3 Rassosadcswf;Rassosadcswf; []
S3 Sfl78pospt;Sfl78pospt; []
S3 Winacusb;Winacusb;c:\windows\system32\DRIVERS\winacusb.sys []
S3 X-Rite;X-Rite USB Service;c:\windows\system32\DRIVERS\XrUsb.sys [2004-03-09 14936]
S4 .nmspsr;.nmspsr; []
.
Contents of the 'Scheduled Tasks' folder

2003-12-01 c:\windows\Tasks\Norton AntiVirus - Scan my computer.job
- c:\progra~1\NORTON~1\NORTON~1\Navw32.exe [2003-12-04 18:22]

2003-12-01 c:\windows\Tasks\Symantec Drmc.job
- c:\program files\Common Files\Symantec Shared\SymDrmc.exe [2003-09-10 04:48]
.
- - - - ORPHANS REMOVED - - - -

BHO-{ae3b64a3-732c-4b09-bc6a-45f4c916ecd2} - c:\windows\system32\subalavi.dll
MSConfigStartUp-24a054a9 - c:\windows\system32\nuvameje.dll
MSConfigStartUp-Adobe Reader Speed Launcher - c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe
MSConfigStartUp-CPM27936735 - c:\windows\system32\hatutiza.dll
MSConfigStartUp-zowafeduve - c:\windows\system32\bepepono.dll


.
------- Supplementary Scan -------
.
FireFox -: Profile - c:\documents and settings\user01\Application Data\Mozilla\Firefox\Profiles\8rye090x.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - file:///C:/Documents%20and%20Settings/user01/My%20Documents/Practice/Practice%20-%2015%20-%20SIS/sis-05-xhtml.htm
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-26 12:32:48
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\APC\APC PowerChute Personal Edition\mainserv.exe
c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
c:\program files\Common Files\Symantec Shared\CCSETMGR.EXE
c:\windows\system32\Ctsvccda.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
c:\windows\system32\sessmgr.exe
c:\windows\system32\locator.exe
c:\program files\Norton SystemWorks\Norton Antivirus\SAVSCAN.EXE
c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
c:\windows\system32\Tablet.exe
c:\windows\system32\tlntsvr.exe
c:\program files\Common Files\Symantec Shared\CCEVTMGR.EXE
c:\program files\Common Files\Symantec Shared\Security Center\symwsc.exe
.
**************************************************************************
.
Completion time: 2008-11-26 12:36:23 - machine was rebooted [user01]
ComboFix-quarantined-files.txt 2008-11-26 17:36:20

Pre-Run: 90,437,300,224 bytes free
Post-Run: 90,360,676,352 bytes free

243


And here's the HJT log:

Ad-Aware
Adobe Flash Player ActiveX
Adobe Photoshop CS
APC PowerChute Personal Edition
Audio MP3 Sound Recorder
Canon EOS Kiss REBEL 300D WIA Driver
Canon Utilities File Viewer Utility 1.3
Canon Utilities RemoteCapture 2.7
CC_ccStart
ccCommon
Compaq Monitor Driver (INF) Software 3.00
DAZzle
DeMoirize
DivX
DivX Player
DivX User Guide
Easy CD Creator 5 Basic
eDualHead
Eraser
FLV Player 2.0, build 24
HijackThis 2.0.2
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
HP PrecisionScan Pro 3.0
Intel(R) PRO Network Adapters and Drivers
Internet Explorer Q903235
IrfanView (remove only)
Java(TM) 6 Update 10
LiveReg (Symantec Corporation)
LiveUpdate 3.0 (Symantec Corporation)
Logitech MouseWare 9.78
Macromedia Dreamweaver MX 2004
Macromedia Extension Manager
Macromedia HomeSite+
Matrox Driver
Matrox PowerDesk-SE
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Data Access Components KB870669
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office 2000 Premium
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
ML-1450 Series
ML-1450 Series PS
MonacoOPTIX 2.0
Mozilla Firefox (3.0.3)
MSRedist
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MultipleIEs
Norton AntiVirus
Norton AntiVirus Parent MSI
Norton CleanSweep
Norton SystemWorks 2004
Norton SystemWorks 2004 (Symantec Corporation)
Norton Utilities
Norton WMI Update
NSW_DRM_COLLECTION
Opera 9.62
PDFCreator
QBFC2
QBImport
QuickBooks Pro 2002
QuickTime
RealPlayer
Road Runner Safe Storage
RoadRunner
Safari
Security Update for CAPICOM (KB931906)
Security Update for CAPICOM (KB931906)
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Sound Blaster PCI
Spybot - Search & Destroy
Symantec Script Blocking Installer
SymNet
Update for Windows XP (KB942763)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Wacom Tablet Driver
WD Diagnostics
Windows Genuine Advantage v1.3.0254.0
Windows Internet Explorer 7
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows Media Player 9 Hotfix [See KB885492 for more information]
Windows Messenger 5.0
Windows XP Service Pack 3
WinRAR archiver


I should also mention that Windows Security turned itself back on and there is a yellow shield in my tray that says I have updates. Should I install them? This came up when the computer rebooted at the same time that Norton was trying to kill the ComboFix process.
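As an added example that is not part of this thread (it is neither melbeach's nor pskelley's material), here is a small Python triage script for logs like the ComboFix output posted above. It reads ComboFix or HijackThis text line by line and flags the indicators visible in that log: Rundll32 Run-key entries that load a DLL out of system32, .dll/.ini files under system32 whose names look machine-generated, the Security Center DisableNotify/DisableMonitoring values, and services whose image path is empty. The "looks generated" rule (8 or more lowercase letters strictly alternating consonant and vowel) is an assumption drawn from the names in this log, not a published signature; SAMPLE_LOG is constructed from the thread's entries; the regex and function names are this example's own.

```python
"""Triage Vundo/Virtumonde indicators in ComboFix and HijackThis log text.

Added example, not part of the forum thread: the patterns are modelled on
the entries visible in the posted ComboFix log, and SAMPLE_LOG below is
constructed from those entries rather than taken from a real log file.
"""
import re
from typing import Dict, List

VOWELS = set("aeiou")

# Rundll32 loader as written in ComboFix "Reg Loading Points" and HJT O4 lines:
#   "zowafeduve"=Rundll32.exe "c:\windows\system32\bepepono.dll",s
# (\s* after the last backslash tolerates the stray space some tools print)
RUNDLL_RE = re.compile(
    r'rundll32(?:\.exe)?\s+"?[a-z]:\\windows\\system32\\\s*'
    r'(?P<dll>[a-z0-9_]+)\.dll"?\s*,\s*(?P<export>\w+)', re.IGNORECASE)
# Any .dll/.ini directly under system32 (ComboFix "Other Deletions" list).
SYS32_FILE_RE = re.compile(
    r'[a-z]:\\windows\\system32\\\s*(?P<name>[a-z]+)\.(?P<ext>dll|ini)\b',
    re.IGNORECASE)
# Security Center values that silence the "no antivirus / no updates" alerts.
SECCENTER_RE = re.compile(
    r'"(?P<value>AntiVirusDisableNotify|FirewallDisableNotify|'
    r'UpdatesDisableNotify|DisableMonitoring)"=dword:0*1\s*$', re.IGNORECASE)
# Service entries with an empty image path:
#   ComboFix:  S3 Ccevdmrc_cr;Ccevdmrc_cr; []
#   HJT:       O23 - Service: Ccevdmrc_cr - Unknown owner - (no file)
CF_NOFILE_RE = re.compile(r'^[RS]\d\s+(?P<name>[^;]+);[^;]*;\s*\[\]\s*$')
HJT_NOFILE_RE = re.compile(r'^O23 - Service: (?P<name>.+?) - .+ - \(no file\)\s*$')


def looks_generated(name: str) -> bool:
    """Heuristic (an assumption of this example, not a published rule): every
    Vundo file in the log is 8+ lowercase letters that strictly alternate
    consonant/vowel (bepepono, dayevino, zowafeduve, ejemavun). Real system
    names such as deploytk, ctfmon or msconfig fail the alternation test."""
    if len(name) < 8 or not name.isalpha() or not name.islower():
        return False
    is_vowel = [c in VOWELS for c in name]
    return all(a != b for a, b in zip(is_vowel, is_vowel[1:]))


def triage(log_text: str) -> List[Dict[str, object]]:
    """Walk the log line by line and return one finding per indicator."""
    findings: List[Dict[str, object]] = []
    for lineno, raw in enumerate(log_text.splitlines(), 1):
        line = raw.strip()
        m = RUNDLL_RE.search(line)
        if m and looks_generated(m.group("dll").lower()):
            findings.append({"line": lineno, "kind": "rundll32_loader",
                             "dll": m.group("dll").lower() + ".dll",
                             "export": m.group("export")})
            continue
        m = SYS32_FILE_RE.search(line)
        if m and looks_generated(m.group("name").lower()):
            findings.append({"line": lineno, "kind": "generated_filename",
                             "file": m.group("name").lower() + "." + m.group("ext").lower()})
            continue
        m = SECCENTER_RE.search(line)
        if m:
            findings.append({"line": lineno, "kind": "security_center_tamper",
                             "value": m.group("value")})
            continue
        m = CF_NOFILE_RE.match(line) or HJT_NOFILE_RE.match(line)
        if m:
            findings.append({"line": lineno, "kind": "service_no_file",
                             "name": m.group("name").strip()})
    return findings


def summarize(findings: List[Dict[str, object]]) -> Dict[str, int]:
    """Count findings per kind, for a quick verdict."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[str(f["kind"])] = counts.get(str(f["kind"]), 0) + 1
    return counts


# Constructed sample, modelled on the ComboFix and HJT lines in this thread.
SAMPLE_LOG = r"""
c:\windows\system32\bepepono.dll
c:\windows\system32\ejemavun.ini
c:\windows\system32\deploytk.dll
"zowafeduve"=Rundll32.exe "c:\windows\system32\bepepono.dll",s
"CPM27936735"=Rundll32.exe "c:\windows\system32\dayevino.dll",a
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"DisableMonitoring"=dword:00000001
S3 Ccevdmrc_cr;Ccevdmrc_cr; []
S3 Winacusb;Winacusb;c:\windows\system32\DRIVERS\winacusb.sys []
O4 - HKLM\..\Run: [huholapu] Rundll32.exe "C:\WINDOWS\system32\huholapu.dll",b
O23 - Service: Ccevdmrc_cr - Unknown owner - (no file)
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\System32\Tablet.exe
""".strip("\n")

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
    print(summarize(triage(SAMPLE_LOG)))
```

To use it on a real machine, pass the contents of a saved ComboFix.txt or hijackthis.log to triage(). Two caveats: a DisableMonitoring value by itself is weak evidence, because some antivirus suites set it under their own vendor key for Security Center integration, so it is the combination with AntiVirusDisableNotify and UpdatesDisableNotify plus the rundll32 loaders that makes this log read as an active Vundo infection; and the clean catchme result in the same log does not contradict that, since the persistence shown here is in ordinary Run keys and unhidden files rather than anything a rootkit scan would surface.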

pskelley
2008-11-26, 19:03
Thanks for posting the combofix log, you said:

When ComboFix was trying to make its log, Norton popped up saying I had a virus.
That is the reason the instructions said this:

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
See this Link for programs that need to be disabled and instruction on how to disable them.
Remember to re-enable them when we're done.
Please wait until you are clean before you install those Windows Updates if at all possible.

Please read the directions carefully; I cannot proceed without that HJT log. :sad:

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a New Hijackthis log.

I will be away from the computer for the next several hours.

melbeach
2008-11-26, 19:30
That is the reason the instructions said this:

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
See this Link for programs that need to be disabled and instruction on how to disable them.


pskelley, you didn't read my post. I had Norton off in more ways than one. I think the malware had control of Norton. That's also why I don't trust the MS update it's offering! Read my post again. I think some of these things could be important.



Please read the directions carefully, I can not proceed without that HJT log.


I included the HJT log. Look again. :rolleyes: We're doing good! My speed is back. Emails come in quickly again. I don't see any strange startup files. I'm not convinced though. My systray is still showing military time.

pskelley
2008-11-26, 22:32
That is NOT a HijackThis log, that is the uninstall list, please post a new HJT log.

melbeach
2008-11-27, 01:05
That is NOT a HijackThis log, that is the uninstall list, please post a new HJT log.

Do I feel like a heel! I even added the funny face. Sorry about that. Here's the HJT Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:49:09, on 11/26/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\System32\CTSvcCDA.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Matrox Graphics Inc\PowerDesk\Services\Matrox.PowerDesk.Services.exe
C:\Program Files\Matrox Graphics Inc\PowerDesk SE\Matrox.Pdesk.ServicesHost.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
C:\WINDOWS\system32\sessmgr.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\Tablet.exe
C:\WINDOWS\System32\tlntsvr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.540wfla.com
O15 - Trusted Zone: http://*.540wfla.com
O15 - Trusted Zone: http://www.azcardinals.com
O15 - Trusted Zone: http://www.baisidirect.com
O15 - Trusted Zone: *.espn.go.com
O15 - Trusted Zone: http://sports.espn.go.com
O15 - Trusted Zone: *.go.com
O15 - Trusted Zone: http://*.ktar.com
O15 - Trusted Zone: http://www.mapquest.com
O15 - Trusted Zone: http://*.mapquest.com
O15 - Trusted Zone: http://www.nasdaq.com
O15 - Trusted Zone: http://*.nasdaq.com
O15 - Trusted Zone: http://www.realradio.fm
O15 - Trusted Zone: http://*.stockcharts.com
O15 - Trusted Zone: http://www.surfcam.net
O15 - Trusted Zone: http://www.surfguru.com
O15 - Trusted Zone: http://wwwapps.ups.com
O15 - Trusted Zone: http://*.wmmbam.com
O15 - Trusted Zone: http://www.xtra910.com
O15 - Trusted Zone: http://*.xtra910.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1192966664312
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1222114178859
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Ccevdmrc_cr - Unknown owner - (no file)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTSvcCDA.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Matrox Centering Service - Matrox Graphics Inc. - C:\Program Files\Matrox Graphics Inc\PowerDesk\Services\Matrox.PowerDesk.Services.exe
O23 - Service: Matrox.Pdesk.ServicesHost - Matrox Graphics Inc - C:\Program Files\Matrox Graphics Inc\PowerDesk SE\Matrox.Pdesk.ServicesHost.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\System32\Tablet.exe
O24 - Desktop Component 0: (no name) - http://assets.espn.go.com/i/espnradio/07/player/skin_livestream2.gif
O24 - Desktop Component 2: (no name) - http://espnradio.espn.go.com/espnradio/radiovideo?play=live

--
End of file - 7686 bytes

I don't think anything will be holding me back from running Smitfraud now. So let me know if I should. Thanks for all the help!

pskelley
2008-11-27, 01:24
Thanks for the HJT log. What about all of those O15 - Trusted Zone items? Did you create those for a reason? Unless you have a reason, you can remove them; here is information:
http://www.bleepingcomputer.com/tutorials/tutorial42.html#O15Diag


Let's do some cleaning and have MBAM take a look, proceed like this.

1) Please download ATF Cleaner by Atribune
http://www.atribune.org/public-beta/ATF-Cleaner.exe
Save it to your Desktop. We will use this later.

2) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

(leave this if you set it to about:blank)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

O15 Trusted Zone <<< you may check and remove any of those items you don't know or need.

Close all programs but HJT and all browser windows, then click on "Fix Checked"

3) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

*Cleaning Prefetch may result in a few slow starts until the folder is repopulated:
http://www.windowsnetworking.com/articles_tutorials/Gaining-Speed-Empty-Prefetch-XP.html

4) Download Malwarebytes' Anti-Malware to your Desktop
http://www.besttechie.net/tools/mbam-setup.exe

* Double-click mbam-setup.exe and follow the prompts to install the program.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform FULL SCAN, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
* Please post contents of that file & a new HJT log in your next reply.

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

Tutorial if needed:
http://www.techsupportteam.org/forum/tutorials/2282-malwarebytes-anti-malware-mbam.html

How is the computer running now?

Thanks...Phil:santa:

melbeach
2008-11-27, 03:48
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:07:33, on 11/26/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\System32\CTSvcCDA.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Matrox Graphics Inc\PowerDesk\Services\Matrox.PowerDesk.Services.exe
C:\Program Files\Matrox Graphics Inc\PowerDesk SE\Matrox.Pdesk.ServicesHost.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
C:\WINDOWS\system32\sessmgr.exe
C:\WINDOWS\System32\rsvp.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\Tablet.exe
C:\WINDOWS\System32\tlntsvr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.540wfla.com
O15 - Trusted Zone: http://*.540wfla.com
O15 - Trusted Zone: http://www.azcardinals.com
O15 - Trusted Zone: http://www.baisidirect.com
O15 - Trusted Zone: *.espn.go.com
O15 - Trusted Zone: http://sports.espn.go.com
O15 - Trusted Zone: *.go.com
O15 - Trusted Zone: http://*.ktar.com
O15 - Trusted Zone: http://www.mapquest.com
O15 - Trusted Zone: http://*.mapquest.com
O15 - Trusted Zone: http://www.nasdaq.com
O15 - Trusted Zone: http://*.nasdaq.com
O15 - Trusted Zone: http://www.realradio.fm
O15 - Trusted Zone: http://*.stockcharts.com
O15 - Trusted Zone: http://www.surfcam.net
O15 - Trusted Zone: http://www.surfguru.com
O15 - Trusted Zone: http://wwwapps.ups.com
O15 - Trusted Zone: http://*.wmmbam.com
O15 - Trusted Zone: http://www.xtra910.com
O15 - Trusted Zone: http://*.xtra910.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1192966664312
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1222114178859
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Ccevdmrc_cr - Unknown owner - (no file)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTSvcCDA.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Matrox Centering Service - Matrox Graphics Inc. - C:\Program Files\Matrox Graphics Inc\PowerDesk\Services\Matrox.PowerDesk.Services.exe
O23 - Service: Matrox.Pdesk.ServicesHost - Matrox Graphics Inc - C:\Program Files\Matrox Graphics Inc\PowerDesk SE\Matrox.Pdesk.ServicesHost.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\System32\Tablet.exe
O24 - Desktop Component 0: (no name) - http://assets.espn.go.com/i/espnradio/07/player/skin_livestream2.gif
O24 - Desktop Component 2: (no name) - http://espnradio.espn.go.com/espnradio/radiovideo?play=live

--
End of file - 7733 bytes


Malwarebytes' Anti-Malware 1.30
Database version: 1427
Windows 5.1.2600 Service Pack 3

11/26/2008 8:46:45 PM
mbam-log-2008-11-26 (20-46-45).txt

Scan type: Full Scan (C:\|)
Objects scanned: 138571
Time elapsed: 43 minute(s), 16 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 28

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\main.bho.1 (Trojan.BHO) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\StartMenuLogOff (Hijack.StartMenu) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Qoobox\Quarantine\C\WINDOWS\system32\bepepono.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\butugagu.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\hatutiza.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\huholapu.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\jayoriji.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\lehelojo.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\nuvameje.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\pukovubu.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\subalavi.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\tudofeju.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\vafedewe.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\wayolelu.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\yofamemo.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\ziheruso.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{A6A28C8B-4CA9-44E3-B942-5F32F5DDE444}\RP3\A0000201.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{A6A28C8B-4CA9-44E3-B942-5F32F5DDE444}\RP3\A0000203.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{A6A28C8B-4CA9-44E3-B942-5F32F5DDE444}\RP3\A0000206.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{A6A28C8B-4CA9-44E3-B942-5F32F5DDE444}\RP3\A0000207.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{A6A28C8B-4CA9-44E3-B942-5F32F5DDE444}\RP3\A0000208.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{A6A28C8B-4CA9-44E3-B942-5F32F5DDE444}\RP3\A0000210.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{A6A28C8B-4CA9-44E3-B942-5F32F5DDE444}\RP3\A0000214.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{A6A28C8B-4CA9-44E3-B942-5F32F5DDE444}\RP3\A0000215.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{A6A28C8B-4CA9-44E3-B942-5F32F5DDE444}\RP3\A0000216.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{A6A28C8B-4CA9-44E3-B942-5F32F5DDE444}\RP3\A0000218.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{A6A28C8B-4CA9-44E3-B942-5F32F5DDE444}\RP3\A0000219.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{A6A28C8B-4CA9-44E3-B942-5F32F5DDE444}\RP3\A0000220.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{A6A28C8B-4CA9-44E3-B942-5F32F5DDE444}\RP3\A0000221.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{A6A28C8B-4CA9-44E3-B942-5F32F5DDE444}\RP3\A0000211.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

Nice! I don't see anything foul. I googled a couple of services I didn't recognize. But they look to be legit. I don't know if the Telnet service being open is a problem: C:\WINDOWS\System32\tlntsvr.exe.

The O15's are my Trusted Sites. Since I had this infection, I went back to using the Trusted Sites system. That's what got me in this trouble - not using Trusted Sites in IE. I used to browse the web with scripting and ActiveX off. Sites that I trusted were added to Trusted Sites, where that stuff was turned on. That kept me virus free for six or seven years at least. But when I upgraded from IE6 to IE7, I stopped doing that - probably because IE7 deleted them all and I would have had to start from scratch. Plus, nobody else does it I thought. Well that was my undoing! So I went back to using the Trusted Sites system. But I will probably just switch to Firefox. The only thing that's kept me from doing that is the fact that Firefox doesn't have an option to turn off ActiveX. I hear that it's more secure than IE. But if ActiveX is always running? I don't know. I was going to ask about that. So for now, I want to keep the O15's there.

So the computer is running fast now. I'm really surprised. I thought there would be residual effects. But I'm not seeing it. Everything is responsive.

Do you have any suggestions for how to protect myself going forward? I'm not married to any av software or browser right now. My Norton is expiring in a couple days. So now would be the time to switch. I don't mind paying for something if it can be more proactive about stopping this Virtumonde infection before it starts. I think my problem was probably more about my browser security though. So that leads me back to the Firefox question.

Thanks. You've been a great help! I'll be donating to the cause for sure when we're done. Are we there yet? Or are there more scans to run?

pskelley
2008-11-27, 13:13
Thanks for returning your information and the feedback, looks like this service is no longer used?
O23 - Service: Ccevdmrc_cr - Unknown owner - (no file)
Google does not know it, do you? Delete it if you wish:
Open a command prompt (start run type cmd press enter) type
sc delete "Ccevdmrc_cr"
press enter, type in
sc delete "cmdService"
press enter, type exit and press enter to exit the command prompt

I don't know if the Telnet service being open is a problem
http://www.theeldergeek.com/telnet.htm

If this service is disabled, any services that explicitly depend on it will fail to start.
If you do not use this service, disable it or delete it.

Firefox/Internet Explorer...understand that the reason hackers go after IE is numbers, that's where they make their $$$. I have both but run IE most of the time. Firefox is seeing more and more attacks as more and more folks use it.
http://itmanagement.earthweb.com/secu/article.php/3698606
http://www.google.com/search?hl=en&q=Firefox+vs+IE&btnG=Search

Let's wrap up like this, after you had read the information from experts I post, if you still have question, please post them and I will do my best to give you answers.

Remove combofix from the computer like this:

Click START then RUN
Now type or copy Combofix /u in the runbox and click OK.
Note the space between the X and the U, it needs to be there.

http://i189.photobucket.com/albums/z176/EPL47/CF_Cleanup.png

Clean the System Restore files like this:

Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

Reboot

Turn ON System Restore,
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.

Update MBAM and scan to be sure we missed none of the junk, there is no need to post a clean scan result.

Update Norton Antivirus and scan the system, to be sure it is running right and scanning clean. If you have problems with the program, contact tech support for instructions.
http://www.symantec.com/enterprise/support/index.jsp
If all is well at this point, let me know and I will close the topic.

Some good information for you:
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx

Here is some great information from experts in this field that will help you stay clean and safe online.
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

http://www.malwarecomplaints.info/

Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.

http://users.telenet.be/bluepatchy/miekiemoes/Links.html
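
The things a helper looks for in the HJT log posted above are mechanical enough to script: an O4 Run value whose command is Rundll32.exe loading a DLL out of system32 under a pseudo-random name (every Vundo DLL MBAM quarantined in this thread is eight lowercase letters alternating consonant and vowel, and the run values themselves use either that pattern or "CPM" followed by digits), and an O23 service entry that ends in "(no file)", which is the orphaned-service case pskelley answers with sc delete. The following Python script is an added example and is not part of this thread, HijackThis, ComboFix or MBAM; it runs those checks over a few constructed sample lines modelled on the entries quoted here and also accepts the `"name"=command` form ComboFix uses in its Reg Loading Points section. The name patterns are heuristics taken from this thread's file names, not a signature, so a hit means "look closer", not "infected".

```python
import re
from typing import List, Tuple

# Constructed sample lines, modelled on the HijackThis and ComboFix entries
# quoted in this thread. Not a real log file.
SAMPLE_LINES = [
    r'O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe',
    r'O4 - HKLM\..\Run: [bepepono] Rundll32.exe "C:\WINDOWS\system32\bepepono.dll",s',
    r'"zowafeduve"=Rundll32.exe "c:\windows\system32\bepepono.dll",s',
    r'"CPM27936735"=Rundll32.exe "c:\windows\system32\dayevino.dll",a',
    r'"MSConfig"=c:\windows\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto',
    r'O23 - Service: Ccevdmrc_cr - Unknown owner - (no file)',
    r'O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\System32\Tablet.exe',
]

# HijackThis "O4 - HKLM\..\Run: [name] command" and ComboFix '"name"=command' lines.
HJT_O4 = re.compile(r'^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$')
CF_RUN = re.compile(r'^"(?P<name>[^"]+)"=(?P<cmd>.+)$')
# HijackThis "O23 - Service: display name - owner - path" lines.
HJT_O23 = re.compile(r'^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$')
# rundll32 <dll>,<entry point>, with or without quotes around the DLL path.
RUNDLL = re.compile(r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+?)"?\s*,\s*(?P<entry>\S+)\s*$', re.IGNORECASE)
# Heuristic (an assumption drawn from the names in this thread, not a signature):
# 8-10 lowercase letters in strict consonant/vowel alternation (bepepono, dayevino,
# zowafeduve), or "CPM" followed by a run of digits (CPM27936735).
CV_NAME = re.compile(r'^(?:[bcdfghjklmnpqrstvwxyz][aeiou]){4,5}$')
CPM_NAME = re.compile(r'^CPM\d{6,}$')


def dll_basename(path: str) -> str:
    """Return the lower-cased file name without extension from a Windows path."""
    name = path.replace('/', '\\').rsplit('\\', 1)[-1]
    return name.rsplit('.', 1)[0].lower()


def looks_generated(name: str) -> bool:
    """Does this value or file name match the Vundo-style generated-name heuristic?"""
    return bool(CV_NAME.match(name.lower()) or CPM_NAME.match(name))


def triage_line(line: str) -> List[str]:
    """Return the reasons (possibly none) a single log line deserves a second look."""
    reasons: List[str] = []
    line = line.strip()

    m = HJT_O4.match(line) or CF_RUN.match(line)
    if m:
        name, cmd = m.group('name'), m.group('cmd').strip()
        if looks_generated(name):
            reasons.append(f'run value name "{name}" looks machine-generated')
        r = RUNDLL.match(cmd)
        if r:
            dll, entry = r.group('dll'), r.group('entry')
            if looks_generated(dll_basename(dll)):
                reasons.append(f'rundll32 loads generated-looking DLL {dll_basename(dll)}.dll')
            if len(entry) == 1:
                reasons.append(f'rundll32 entry point is a single letter ("{entry}")')
        return reasons

    s = HJT_O23.match(line)
    if s and s.group('path').strip().lower() == '(no file)':
        reasons.append(f'service "{s.group("name")}" has no binary on disk (orphaned; candidate for sc delete)')
    return reasons


def triage(lines) -> List[Tuple[str, List[str]]]:
    """Run triage_line over a whole log and keep only the lines that were flagged."""
    flagged = []
    for line in lines:
        reasons = triage_line(line)
        if reasons:
            flagged.append((line.strip(), reasons))
    return flagged


if __name__ == '__main__':
    for line, reasons in triage(SAMPLE_LINES):
        print(line)
        for reason in reasons:
            print('   ->', reason)
```

Of the seven sample lines, the script flags four: the two Rundll32 entries from the HJT and ComboFix forms, the CPM-named value, and the orphaned service; ctfmon.exe, MSConfig and the Wacom service pass through. Feed it a whole HJT log (one line per entry) and review the hits by hand before deleting anything; the single-letter entry point is the weakest of the three signals on its own.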

melbeach
2008-11-27, 17:29
What are you doing, it's Thanksgiving! Well, I'll be quick. I ran MBAM and it found nothing. I was about to post on here that everything was okay. I figured running Norton would be trivial, because it picked up nothing before. Well what do you know. It did pick up:

Source: C:\Qoobox\Quarantine\C\Program Files\Common\helper.dll.vir
Description: The file C:\Qoobox\Quarantine\C\Program Files\Common\helper.dll.vir is infected with the Trojan Horse virus.

Norton's linky: http://securityresponse.symantec.com/security_response/writeup.jsp?docid=2004-021914-2822-99

So I quarantied that. Man, now Norton doesn't seem so bad. Funny how different software picks up different things.

Also for what it's worth, deleting cmdService failed. It said it didn't exist. I don't see it on the list either.

Other than that, I'll check out the links you added. If you want to close this, let's go ahead. Trust me, you don't want to wait around for me to come up with questions.

Thanks for all the help. You did great. Enjoy the holiday!

pskelley
2008-11-27, 17:35
Source: C:\Qoobox\Quarantine\C\Program Files\Common\helper.dll.vir
Description: The file C:\Qoobox\Quarantine\C\Program Files\Common\helper.dll.vir is infected with the Trojan Horse virus
Those are the combofix quarantine files, if the directions I posted to remove combofix were followed, that should have been removed? The instructions have to be done in the order I post them. You can take a look here:
C:\Qoobox <<< just to be sure that folder is gone if you wish.

Thanks

melbeach
2008-11-27, 17:53
When I tried to delete Combofix per your instructions, it said "Windows can't find Combofix". I just searched the hdd and it can't find the executable. I must have deleted it off the desktop last night. I don't remember doing that though. But it wasn't there. So I figured it was all gone, must have deleted it off the desktop last night. But I know better than that. Usually, I'll look for the uninstall. I guess not though. The Recycle Bin is empty too. Should I just delete the folders? It's not under Add/Remove. Thanks!

pskelley
2008-11-27, 18:05
sUBs writes the uninstaller into the program to be used via the command function, if that would not work then something had to happen somehow.

c:\documents and settings\user01\Desktop\asdfasfa.exe <<< here is where you installed it, delete that file

c:\ComboFix <<< look here and delete the folder and contents

c:\Qoobox <<< look here and delete folder and contents

Thanks

melbeach
2008-11-27, 18:26
Doh! I forgot, I renamed it. Now that I think about it, each time I deleted Combofix to reinstall, I only deleted the executable on the desktop. I was not doing a real uninstall. That might have been my problem making it run - not to mention the malware biting at it. Okay, just deleted the two folders.

Just one question. I heard Norton is tough to remove. I would like to instead use a free av for now. I heard that Antivir free version is good enough. I just wonder if my system is too "infiltrated" with Norton to use something else. Maybe I should just pay the $40 and keep using it until the day I reformat my hdd? Actually, I did hear good things about the new Norton suite.

Thanks again!

pskelley
2008-11-27, 18:33
I heard that Antivir free version is good enough.
I understand it is a good free program, see this link:
http://users.telenet.be/bluepatchy/miekiemoes/Links.html

I personally use AVG 8 free, if you use it, this tutorial will help:
How to Install Free version AVG 8.0 without LinkScanner feature
http://russelltexas.com/tutorials/avg8install.htm
and this information:
FAQ: http://www.avg.com/faq
AVG Free Forum: http://freeforum.avg.com/

All programs should be uninstalled via Add Remove programs if possible. Having said that, even though I have never used a Symantec product, I know they are hard to remove, dealing with it all of the time. These links will help if the uninstaller does not do it:
http://basconotw.mvps.org/SymRem.htm or
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2005033108162039?Open&src=&docid=2001092114452606&nsf=nav.nsf&view=docid&dtype=&prod=&ver=&osv=&osv_lvl=

Hope that helps

melbeach
2008-11-27, 18:49
Okay, thanks for the info. You've done more than enough here. Happy Thanksgiving!

melbeach
2008-11-27, 21:31
Wow, I thought I was done. Just for kicks, I thought I would go back and run another Spybot scan. What do you know. Virtumonde is back! Plus Right Media - tracking cookie: ad.yieldmanager.com.

I'm not going to trouble you guys with this. I already know what to do now. I'll let you know if I can't get rid of it.

melbeach
2008-11-28, 16:17
I'm not going to trouble you guys with this. I already know what to do now. I'll let you know if I can't get rid of it.

Oops. I hope I didn't lose you. I think I made some important progress. I remembered what I read here about Virtumonde: http://www.articlesbase.com/security-articles/trojan-virtumonde-free-removal-peculiarities-570642.html:


First, it is necessary to unload malware services from system memory.
Second, registry entries and keys related to Trojan virtumonde should be deleted at once.
Third, malicious files should be permanently erased from the system.

All this has to be done in one Windows session, without restarting, or the Trojan will be able to restore itself to previous state.

I think this makes a lot of sense. I think if you leave the internet connected and don't kill everything at once, it will come back. So I decided to start from scratch. I did only the tasks that you had me do before - in the same order. But this time, I wanted to be offline and do it all in one session, without rebooting. Here's what I did:


Uninstalled all av products except for Norton.
Deleted temp stuff and Recycle Bin by using ATF Cleaner.
Removed ATF Cleaner.
Made sure Norton was on highest setting while going back online.
Downloaded and installed new versions of ATF Cleaner, Spybot, HJT, SmitFraud, ComboFix, and MBAM. Updated each with newest definitions while I was online.
Unplugged internet while Norton was still protecting.
Turned off Norton and everything else in Startup.
Reboot.
Run Spybot.
Run HJT.
Run SmitfraudFix.
Run ComboFix.
Run MBAM.
Run Norton.
Run Spybot again.
Run HJT again.
Turned Norton back on with full protect. Set IE to High security.
Reboot.
Reconnect internet.
Reboot.
Went back online here to post.

I have all of these logs if you think I should post them. From what I can see there is nothing unusual, except for the Combofix log. I actually have two of these logs as I did run Combofix once before doing everything above. It was this log that inspired me to do the above. In the "Reg Loading Points" section, there is an entry:

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"zowafeduve"=Rundll32.exe "c:\windows\system32\bepepono.dll",s
"CPM27936735"=Rundll32.exe "c:\windows\system32\dayevino.dll",a
"MSConfig"=c:\windows\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

These dll entries are the same files that appeared in my Startup when I first had the infection. So I don't know if this is a problem. These lines are identical in both Combofix reports I have.

Some things to note:


All along, my systray clock has been on military time. I read that's a symptom of Virtumonde. Well at some point after we thought we had everything fixed, I set the clock back to normal through Regional and Language Options. But at some point again, it had changed back to military. Also, the font looked a different size. I don't know. Should I consider that a sign of still being infected? I just recently changed the clock format through Regional and Language Options, and it seems to be sticking now.

The Virtumonde reference that Spybot caught at first that sent me into this tizzy: "User settings: HKEY_USERS\S-1-5-21-117609710-2000478354-1801674531-1003\Software\Microsoft\fias4013". If you google "fias4013", you may or may not find something interesting.

I always set my Taskbar to "Display Favorites". Well something keeps turning that off. I think it may be one of the av programs though.

Previously I was turning off Norton by using Startup and Services. This time, I opened the software and turned off all forms of scanning there as well. This took care of Norton popping up to interfere with other scans. But after doing this, I noticed a funny item in my Startup. It was only a square, followed by a dot, followed by a cross with a circle on top (forgot what that's called.) Anyway, now it's the same thing - except instead of a square, it's a Chinese character. (You'll see these in my above log(s) actually.)

So. What do you think? Is there anything else I should run? Here's my last Combofix, HJT Log, and Uninstall List:

ComboFix 08-11-27.03 - user01 2008-11-28 3:06:43.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1672 [GMT -5:00]
Running from: c:\documents and settings\user01\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2008-10-28 to 2008-11-28 )))))))))))))))))))))))))))))))
.

2008-11-28 01:49 . 2008-11-28 02:11 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-11-28 01:42 . 2008-11-28 01:42 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-11-28 01:42 . 2008-10-22 16:10 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-11-28 01:42 . 2008-10-22 16:10 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-11-28 01:14 . 2008-11-28 01:14 <DIR> d-------- c:\program files\Windows Installer Clean Up
2008-11-28 01:13 . 2008-11-28 01:13 <DIR> d-------- c:\program files\MSECACHE
2008-11-27 23:45 . 2008-11-28 03:00 214 --a------ c:\windows\system32\tmp.reg
2008-11-26 19:50 . 2008-11-26 19:50 <DIR> d-------- c:\documents and settings\user01\Application Data\Malwarebytes
2008-11-26 19:50 . 2008-11-26 19:50 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-11-26 08:43 . 2008-11-26 08:43 410,976 --a------ c:\windows\system32\deploytk.dll
2008-11-26 08:43 . 2008-11-26 08:43 73,728 --a------ c:\windows\system32\javacpl.cpl
2008-11-23 21:17 . 2008-11-23 21:17 <DIR> d-------- c:\program files\Trend Micro
2008-11-23 15:26 . 2008-11-23 15:26 95 --a------ c:\windows\wininit.ini
2008-11-23 13:54 . 2008-11-28 01:57 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-23 11:13 . 2008-11-23 11:13 <DIR> d-------- C:\ccd066084f53d0438d065ff286
2008-11-23 11:03 . 2008-11-23 11:03 <DIR> d-------- C:\725ff6cd28be1104e3bc64
2008-11-23 11:03 . 2008-10-24 06:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
2008-11-23 11:02 . 2008-09-04 12:15 1,106,944 --a------ c:\windows\system32\SET4C.tmp
2008-11-23 11:02 . 2008-09-04 12:15 1,106,944 --------- c:\windows\system32\SET13.tmp
2008-11-23 11:02 . 2008-09-04 12:15 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll
2008-11-23 11:00 . 2008-07-18 22:07 270,880 --a------ c:\windows\system32\mucltui.dll
2008-11-23 11:00 . 2008-07-18 22:07 29,728 --a------ c:\windows\system32\mucltui.dll.mui
2008-11-21 09:06 . 2008-11-22 23:04 54,156 --ah----- c:\windows\QTFont.qfn
2008-11-21 09:06 . 2008-11-21 09:06 1,409 --a------ c:\windows\QTFont.for
2008-11-10 18:14 . 2008-11-26 12:28 <DIR> d-------- c:\program files\Common
2008-11-03 19:30 . 2008-11-03 19:30 <DIR> d-------- c:\program files\MultipleIEs

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-26 20:28 --------- d-----w c:\program files\QBImport
2008-11-26 13:42 --------- d-----w c:\program files\Java
2008-11-23 06:27 --------- d-----w c:\program files\Bradbury
2008-10-31 03:07 --------- d-----w c:\program files\Opera
2008-10-25 00:41 --------- d-----w c:\program files\MSXML 4.0
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-14 18:44 --------- d--h--w c:\program files\InstallShield Installation Information
2008-10-01 19:37 --------- d-----w c:\program files\Safe Storage
2008-09-30 21:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys
2008-09-10 01:14 1,307,648 ------w c:\windows\system32\SET54.tmp
2008-09-10 01:14 1,307,648 ------w c:\windows\system32\SET17.tmp
2008-09-06 04:30 241,704 ------w c:\windows\system32\SETB.tmp
2008-09-06 04:30 1,480,232 ------w c:\windows\system32\SETA.tmp
2008-09-06 04:30 1,480,232 ------w c:\windows\system32\SET45.tmp
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
backup=c:\windows\pss\America Online 9.0 Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AOL Companion.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\AOL Companion.lnk
backup=c:\windows\pss\AOL Companion.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^APC UPS Status.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\APC UPS Status.lnk
backup=c:\windows\pss\APC UPS Status.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Coloreal Visual.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Coloreal Visual.lnk
backup=c:\windows\pss\Coloreal Visual.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^eDualHead Toolbar.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\eDualHead Toolbar.lnk
backup=c:\windows\pss\eDualHead Toolbar.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Instant Update Reminder.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Instant Update Reminder.lnk
backup=c:\windows\pss\Instant Update Reminder.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^MonacoGamma.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\MonacoGamma.lnk
backup=c:\windows\pss\MonacoGamma.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^MonacoReminder.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\MonacoReminder.lnk
backup=c:\windows\pss\MonacoReminder.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks 2002 Delivery Agent.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks 2002 Delivery Agent.lnk
backup=c:\windows\pss\QuickBooks 2002 Delivery Agent.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Road Runner Safe Storage.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Road Runner Safe Storage.lnk
backup=c:\windows\pss\Road Runner Safe Storage.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^TabUserW.exe.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\TabUserW.exe.lnk
backup=c:\windows\pss\TabUserW.exe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^U.S. Robotics Internet Call Notification.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\U.S. Robotics Internet Call Notification.lnk
backup=c:\windows\pss\U.S. Robotics Internet Call Notification.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^user01^Start Menu^Programs^Startup^RoadRunner Setup Wizard.lnk]
path=c:\documents and settings\user01\Start Menu\Programs\Startup\RoadRunner Setup Wizard.lnk
backup=c:\windows\pss\RoadRunner Setup Wizard.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QD FastAndSafe]
? [?]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]
--------- 2003-03-26 10:15 684032 c:\program files\Roxio\Easy CD Creator 5\DirectCD\Directcd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
--------- 2006-03-09 11:47 71328 c:\program files\Common Files\Symantec Shared\CCAPP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CreativeMixer]
--------- 1999-11-18 05:01 20480 c:\program files\Creative\Audio\Program\Ctmix32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2008-04-13 19:12 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Matrox MultiDesktop]
--------- 2003-07-10 16:35 417792 c:\windows\system32\PowerDesk8\MultiDesk\pdmmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Matrox PowerDesk 8]
--------- 2003-09-10 11:16 77824 c:\windows\system32\PowerDesk8\PowerDesk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Matrox PowerDesk SE]
--------- 2008-06-11 15:33 2630664 c:\program files\Matrox Graphics Inc\PowerDesk SE\Matrox.PowerDesk SE.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--------- 2007-05-06 13:16 98304 c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
--------- 2007-05-06 13:05 214560 c:\program files\Real\RealPlayer\realplay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-11-26 08:43 136600 c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Symantec NetDriver Monitor]
--------- 2005-04-27 17:42 100056 c:\progra~1\SYMNET~1\SNDMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--------- 2007-05-06 13:05 185896 c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Utility]
--------- 2003-06-30 09:50 19968 c:\windows\LOGI_MWX.EXE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ctfmon.exe"=c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"zowafeduve"=Rundll32.exe "c:\windows\system32\bepepono.dll",s
"CPM27936735"=Rundll32.exe "c:\windows\system32\dayevino.dll",a
"MSConfig"=c:\windows\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Macromedia\\Dreamweaver MX 2004\\Dreamweaver.exe"=
"c:\\Program Files\\Lavasoft\\Ad-Aware\\aawservice.exe"=
"c:\\Program Files\\Common Files\\Symantec Shared\\CCPD-LC\\symlcsvc.exe"=
"c:\\WINDOWS\\system32\\Tablet.exe"=
"c:\\WINDOWS\\system32\\wuauclt.exe"=
"c:\\Program Files\\Matrox Graphics Inc\\PowerDesk SE\\Matrox.Pdesk.ServicesHost.exe"=
"c:\\WINDOWS\\system32\\services.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\jqs.exe"=

[HKLM\~\Services\\Matrox.PowerDesk.Services.exe"=]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1723:TCP"= 1723:TCP:@xpsp2res.dll,-22015
"1701:UDP"= 1701:UDP:@xpsp2res.dll,-22016
"500:UDP"= 500:UDP:@xpsp2res.dll,-22017

R1 Mtxparmx;Mtxparmx;c:\windows\system32\DRIVERS\Mtxparmx.sys [2008-09-22 5504]
R2 Matrox Centering Service;Matrox Centering Service;"c:\program files\Matrox Graphics Inc\PowerDesk\Services\Matrox.PowerDesk.Services.exe" [2008-06-11 586760]
R2 Matrox.Pdesk.ServicesHost;Matrox.Pdesk.ServicesHost;"c:\program files\Matrox Graphics Inc\PowerDesk SE\Matrox.Pdesk.ServicesHost.exe" [2008-06-11 189448]
R3 MTXPAR;MTXPAR;c:\windows\system32\DRIVERS\MTXPARM.sys [2008-09-22 1485568]
S2 P1C1394;Phase One 1394 Camera Driver;c:\windows\system32\Drivers\p1c1394.sys []
S3 Gamrddss;Gamrddss; []
S3 Hiemrt;Hiemrt; []
S3 MTXPARH;MTXPARH;c:\windows\system32\DRIVERS\MTXPARHM.sys [2003-11-20 452736]
S3 Netdwssrrw;Netdwssrrw; []
S3 Nmlnkfkahta;Nmlnkfkahta; []
S3 Rassosadcswf;Rassosadcswf; []
S3 Sfl78pospt;Sfl78pospt; []
S3 Winacusb;Winacusb;c:\windows\system32\DRIVERS\winacusb.sys []
S3 X-Rite;X-Rite USB Service;c:\windows\system32\DRIVERS\XrUsb.sys [2004-03-09 14936]
S4 .nmspsr;.nmspsr; []
.
Contents of the 'Scheduled Tasks' folder

2003-12-01 c:\windows\Tasks\Norton AntiVirus - Scan my computer.job
- c:\progra~1\NORTON~1\NORTON~1\Navw32.exe [2003-12-04 18:22]

2003-12-01 c:\windows\Tasks\Symantec Drmc.job
- c:\program files\Common Files\Symantec Shared\SymDrmc.exe [2003-09-10 04:48]
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - c:\documents and settings\user01\Application Data\Mozilla\Firefox\Profiles\8rye090x.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - file:///C:/Documents%20and%20Settings/user01/My%20Documents/Practice/Practice%20-%2015%20-%20SIS/sis-05-xhtml.htm
FF -: plugin - c:\program files\Java\jre6\bin\new_plugin\npdeploytk.dll
FF -: plugin - c:\program files\Java\jre6\bin\new_plugin\npjp2.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\npdeploytk.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-28 03:08:25
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-11-28 3:09:49
ComboFix-quarantined-files.txt 2008-11-28 08:09:17

Pre-Run: 93,186,830,336 bytes free
Post-Run: 93,173,379,072 bytes free

206


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 08:19:51, on 11/28/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\System32\CTSvcCDA.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Matrox Graphics Inc\PowerDesk\Services\Matrox.PowerDesk.Services.exe
C:\Program Files\Matrox Graphics Inc\PowerDesk SE\Matrox.Pdesk.ServicesHost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\Tablet.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\user01\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.540wfla.com
O15 - Trusted Zone: http://*.540wfla.com
O15 - Trusted Zone: http://www.azcardinals.com
O15 - Trusted Zone: http://www.baisidirect.com
O15 - Trusted Zone: *.espn.go.com
O15 - Trusted Zone: http://sports.espn.go.com
O15 - Trusted Zone: *.go.com
O15 - Trusted Zone: http://*.ktar.com
O15 - Trusted Zone: http://www.mapquest.com
O15 - Trusted Zone: http://*.mapquest.com
O15 - Trusted Zone: http://www.nasdaq.com
O15 - Trusted Zone: http://*.nasdaq.com
O15 - Trusted Zone: http://www.realradio.fm
O15 - Trusted Zone: http://*.stockcharts.com
O15 - Trusted Zone: http://www.surfcam.net
O15 - Trusted Zone: http://www.surfguru.com
O15 - Trusted Zone: http://wwwapps.ups.com
O15 - Trusted Zone: http://*.wmmbam.com
O15 - Trusted Zone: http://www.xtra910.com
O15 - Trusted Zone: http://*.xtra910.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1192966664312
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1222114178859
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTSvcCDA.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Matrox Centering Service - Matrox Graphics Inc. - C:\Program Files\Matrox Graphics Inc\PowerDesk\Services\Matrox.PowerDesk.Services.exe
O23 - Service: Matrox.Pdesk.ServicesHost - Matrox Graphics Inc - C:\Program Files\Matrox Graphics Inc\PowerDesk SE\Matrox.Pdesk.ServicesHost.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\System32\Tablet.exe
O24 - Desktop Component 0: (no name) - http://assets.espn.go.com/i/espnradio/07/player/skin_livestream2.gif
O24 - Desktop Component 2: (no name) - http://espnradio.espn.go.com/espnradio/radiovideo?play=live

--
End of file - 7366 bytes


Ad-Aware
Adobe Flash Player ActiveX
Adobe Photoshop CS
APC PowerChute Personal Edition
Audio MP3 Sound Recorder
Canon EOS Kiss REBEL 300D WIA Driver
Canon Utilities File Viewer Utility 1.3
Canon Utilities RemoteCapture 2.7
CC_ccStart
ccCommon
Compaq Monitor Driver (INF) Software 3.00
DAZzle
DeMoirize
DivX
DivX Player
DivX User Guide
Easy CD Creator 5 Basic
eDualHead
Eraser
FLV Player 2.0, build 24
HijackThis 2.0.2
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
HP PrecisionScan Pro 3.0
Intel(R) PRO Network Adapters and Drivers
Internet Explorer Q903235
IrfanView (remove only)
Java(TM) 6 Update 10
LiveReg (Symantec Corporation)
LiveUpdate 3.0 (Symantec Corporation)
Logitech MouseWare 9.78
Macromedia Dreamweaver MX 2004
Macromedia Extension Manager
Macromedia HomeSite+
Malwarebytes' Anti-Malware
Matrox Driver
Matrox PowerDesk-SE
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Data Access Components KB870669
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office 2000 Premium
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
ML-1450 Series
ML-1450 Series PS
MonacoOPTIX 2.0
Mozilla Firefox (3.0.3)
MSRedist
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MultipleIEs
Norton AntiVirus
Norton AntiVirus Parent MSI
Norton CleanSweep
Norton SystemWorks 2004
Norton SystemWorks 2004 (Symantec Corporation)
Norton Utilities
Norton WMI Update
NSW_DRM_COLLECTION
Opera 9.62
PDFCreator
QBFC2
QBImport
QuickBooks Pro 2002
QuickTime
RealPlayer
Road Runner Safe Storage
RoadRunner
Safari
Security Update for CAPICOM (KB931906)
Security Update for CAPICOM (KB931906)
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Sound Blaster PCI
Spybot - Search & Destroy
Symantec Script Blocking Installer
SymNet
Update for Windows XP (KB942763)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Wacom Tablet Driver
WD Diagnostics
Windows Genuine Advantage v1.3.0254.0
Windows Installer Clean Up
Windows Internet Explorer 7
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows Media Player 9 Hotfix [See KB885492 for more information]
Windows Messenger 5.0
Windows XP Service Pack 3
WinRAR archiver

pskelley
2008-11-28, 16:28
I wish you would just post what your problem is instead of a lot of information I have not asked for. How about you tell me exactly what symptoms you are having. If you receive any error messages, post those word for word.

Run this online scan using Internet Explorer:
Kaspersky Online Scanner from http://www.kaspersky.com/virusscanner

Next Click on Launch Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.

* The program will launch and then begin downloading the latest definition files:
* Once the files have been downloaded click on NEXT
* Now click on Scan Settings
* In the scan settings make sure that the following are selected:
* Scan using the following Anti-Virus database:
* Standard
* Scan Options:
* Scan Archives
* Scan Mail Bases
* Click OK
* Now under select a target to scan:
* Select My Computer
* The program will start and scan your system.
* The scan will take a while so be patient and let it run.
* Once the scan is complete it will display if your system has been infected.
* Now click on the Save as Text button:
* Save the file to your desktop.

Then post it here along with a new HJT log and NOTHING else but comments you think will help.

Thanks

melbeach
2008-11-28, 18:07
I wish you would just post what your problem is instead of a lot of information I have not asked for. How about you tell me exactly what symptoms you are having. If you receive any error messages, post those word for word.

Sorry about that, I just thought you would want as much information as possible. When other people are having similar symptoms, there might be a correlation. I thought I was doing us all a favor. I guess my mistake was posting the logs you didn't ask for. If you just ignore the logs and look at everything above them, it's all possibly relevant. But I'll summarize my symptoms:

Post 24: I thought we were all done, but ran another Spybot scan. It came up with a new Virtumonde reference:

Virtumonde:
User settings:
HKEY_USERS\S-1-5-21-117609710-2000478354-1801674531-1003\Software\Microsoft\fias4013

ComboFix scan yielded in the "Reg Loading Points" section:

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"zowafeduve"=Rundll32.exe "c:\windows\system32\bepepono.dll",s
"CPM27936735"=Rundll32.exe "c:\windows\system32\dayevino.dll",a
"MSConfig"=c:\windows\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

These dll entries are the same files that appeared in my Startup when I first had the infection.

Systray clock was stuck on military time. Though I might have regained control of that now.

Well, I can't get the Kaspersky online scanner to work. It says I need Java 1.5 or higher. I have the latest version. Reinstalled anyway. Set IE to loosest java and activex specs possible. I hate doing that. But did anyway. Still tells me I need Java 1.5. Norton is completely off. I noticed that their page gives me a general yellow triangle java error message at the bottom (only if I go straight to the free download page. If I click a link and go back, no error.)

pskelley
2008-11-28, 19:23
If the instructions I posted in Post #16 were followed, you would not have combofix on the computer. If we use it again I will want a new copy because it does not update. If you removed combofix, the clock should have returned to normal. If not, here are directions:
http://www.ehow.com/how_4483170_time-regular-time-windows-xp.html

What I need now, since you cannot seem to run Kaspersky Online Scan, is a fresh HJT log.

Then post it here along with a new HJT log
Thanks

melbeach
2008-11-28, 21:10
If the instructions I posted in Post #16 were followed, you would not have combofix on the computer. If we use it again I will want a new copy because it does not update. If you removed combofix, the clock should have returned to normal.

Actually, I did uninstall Combofix before I ran it again. (I also searched my hdd for combofix just to make sure there were no remnants. Then I emptied the Recycle Bin and cleared with ATF Cleaner.) The Combofix log results that I gave you, the ones that referenced those rogue dll files, came from a fresh install of Combofix.

When I double-clicked HJT on my desktop, I got an error "Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item." So I uninstalled it, then came back and reinstalled from the link on your site. Here's the log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:49:57 PM, on 11/28/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\System32\CTSvcCDA.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Matrox Graphics Inc\PowerDesk\Services\Matrox.PowerDesk.Services.exe
C:\Program Files\Matrox Graphics Inc\PowerDesk SE\Matrox.Pdesk.ServicesHost.exe
C:\WINDOWS\system32\sessmgr.exe
C:\WINDOWS\System32\rsvp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\Tablet.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Documents and Settings\user01\Desktop\HiJackThis.exe
C:\WINDOWS\system32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.540wfla.com
O15 - Trusted Zone: http://*.540wfla.com
O15 - Trusted Zone: http://www.azcardinals.com
O15 - Trusted Zone: http://www.baisidirect.com
O15 - Trusted Zone: *.espn.go.com
O15 - Trusted Zone: http://sports.espn.go.com
O15 - Trusted Zone: *.go.com
O15 - Trusted Zone: http://*.ktar.com
O15 - Trusted Zone: http://www.mapquest.com
O15 - Trusted Zone: http://*.mapquest.com
O15 - Trusted Zone: http://www.nasdaq.com
O15 - Trusted Zone: http://*.nasdaq.com
O15 - Trusted Zone: http://www.realradio.fm
O15 - Trusted Zone: http://*.stockcharts.com
O15 - Trusted Zone: http://www.surfcam.net
O15 - Trusted Zone: http://www.surfguru.com
O15 - Trusted Zone: http://wwwapps.ups.com
O15 - Trusted Zone: http://*.wmmbam.com
O15 - Trusted Zone: http://www.xtra910.com
O15 - Trusted Zone: http://*.xtra910.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1192966664312
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1222114178859
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTSvcCDA.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Matrox Centering Service - Matrox Graphics Inc. - C:\Program Files\Matrox Graphics Inc\PowerDesk\Services\Matrox.PowerDesk.Services.exe
O23 - Service: Matrox.Pdesk.ServicesHost - Matrox Graphics Inc - C:\Program Files\Matrox Graphics Inc\PowerDesk SE\Matrox.Pdesk.ServicesHost.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\System32\Tablet.exe
O24 - Desktop Component 0: (no name) - http://assets.espn.go.com/i/espnradio/07/player/skin_livestream2.gif
O24 - Desktop Component 2: (no name) - http://espnradio.espn.go.com/espnradio/radiovideo?play=live

--
End of file - 7464 bytes

Thanks!

pskelley
2008-11-28, 22:12
Thanks for the HJT log, one step at a time. This HJT log:
Logfile of Trend Micro HijackThis v2.0.2, Scan saved at 2:49:57 PM, on 11/28/2008, with the exception of the O15 Trusted Zone items, which you assure me are valid, appears to be clean.

What I want from you is a description of any malware symptoms that are occurring on the computer. I am interested only in actual physical symptoms, like popups, redirections, etc.

Please do not quote my instructions; it is a waste of space. I know what I said, and you can scroll back if you need to read the instructions.

Thanks

melbeach
2008-11-28, 22:42
Everything is still running fast. No popups or redirects. Only a couple of things I noticed that are probably nothing:

After rebooting, when it's coming back up - the part where the screen says something like "Please select an operating system..." I think you have the choice of selecting operating system options. It's too quick to really see. But anyway, it seems to hold for an extra full second at this screen - where it was quicker before all of this.

This probably doesn't qualify, but the startup item I mentioned earlier is kind of strange. Now I don't see it. But earlier for this particular line item, both the Startup Item and Command were a face - followed by a dot, followed by a question mark. This face was kind of like a smiley icon ;<) I forgot what you call these. But it was more complex, looked kind of like a cat face - obviously man-made. Before that, the cat face was a cross with a circle at the top - kind of like the Blue Oyster Cult cross. Yeah, that's a stretch. But it's all I can come up with!

pskelley
2008-11-28, 23:37
Update your antivirus program and scan the complete system, post the results.

melbeach
2008-11-29, 04:37
Okay, I ran a full Norton scan and that was clean. Thanks.

pskelley
2008-11-29, 13:49
I suggest you ask the other question here...post only at one.
http://www.techsupportforum.com/microsoft-support/windows-xp-support/
http://www.geekstogo.com/forum/Windows-XP-2000-2003-NT-f5.html

I am thinking that is a Windows issue and not a malware issue.

Thanks:santa:

melbeach
2008-11-29, 15:58
Well, I'm not worried about those issues if you're not (from #31). But thanks for the links. All of this has me in computer maintenance mode. I have other issues to handle. So they look like good places to start.

melbeach
2008-11-30, 23:40
pskelley, what do you think? Are we done? Before we wrap this up, can you tell me what these lines mean from the Combofix report from post #25?

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"zowafeduve"=Rundll32.exe "c:\windows\system32\bepepono.dll",s
"CPM27936735"=Rundll32.exe "c:\windows\system32\dayevino.dll",a
"MSConfig"=c:\windows\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

These were under the "Reg Loading Points" section. I don't understand what that means. Is this a current threat? Or just harmless remnants of the past threat?

Thanks a lot for the help! Everything really feels like it's back to normal. I can even get into Windows Update now. I haven't updated yet though. I wanted to make sure we were done first.

pskelley
2008-12-01, 00:06
Those are old registry entries, the executables have been deleted so they cannot harm you. I could probably come up with a CFScript to remove the information from the registry, but I don't see a reason for installing combofix again just to do that.


I believe I have done about all I can do, safe surfing:bigthumb:
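As an added illustration (not part of this thread, and not ComboFix's or the helper's own code), here is a small Python check for the "Reg Loading Points" question asked in the 2008-11-30 post and answered just above: it parses the dumped Run/Run- entries, pulls out the file that Rundll32 or the command line would actually load, and reports whether each entry is parked under a "-" key and whether that file still exists. The reading of a trailing "-" on the key name as a disabled entry is assumed standard XP startup-manager behaviour; the in-memory disk listing and the active `ccApp` Run line are constructed for the demo.

```python
import os
import re
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List

# ComboFix dumps "Reg Loading Points" as INI-style text: a [key] header, then
# one "name"=command line per value. Windows only runs the documented Run keys;
# a key ending in "-" (...\Run-) is where startup managers such as MSConfig
# park disabled entries, so its values are treated as disabled (assumption).
KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<command>.*)$')
# Rundll32.exe "<dll>",<export>  -> the DLL, not rundll32, is the payload.
RUNDLL_RE = re.compile(
    r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+)"?\s*,\s*(?P<export>\S*)', re.I)

@dataclass
class LoadPoint:
    key: str
    name: str
    command: str
    target: str      # file that would actually be loaded (DLL or EXE)
    disabled: bool   # True when the value sits under a "-" (parked) key
    present: bool    # True when `target` still exists on disk

def target_of(command: str) -> str:
    """Return the file a Run-key command would load."""
    cmd = command.strip()
    m = RUNDLL_RE.match(cmd)
    if m:
        return m.group("dll").strip()
    if cmd.startswith('"'):          # quoted path, possibly followed by args
        return cmd[1:].split('"', 1)[0]
    return cmd.split(" ", 1)[0]      # unquoted: first token, drop arguments

def parse_load_points(lines: Iterable[str],
                      exists: Callable[[str], bool] = os.path.exists
                      ) -> List[LoadPoint]:
    """Parse [key] / "name"=command lines; `exists` is injectable for offline checks."""
    points: List[LoadPoint] = []
    key = None
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        km = KEY_RE.match(line)
        if km:
            key = km.group("key")
            continue
        vm = VALUE_RE.match(line)
        if vm and key is not None:
            target = target_of(vm.group("command"))
            points.append(LoadPoint(
                key=key, name=vm.group("name"), command=vm.group("command"),
                target=target, disabled=key.endswith("-"),
                present=exists(target)))
    return points

def triage(points: Iterable[LoadPoint]) -> Dict[str, str]:
    """orphaned = file gone, cannot run; disabled = parked; active = runs at logon."""
    verdicts: Dict[str, str] = {}
    for p in points:
        if not p.present:
            verdicts[p.name] = "orphaned"
        elif p.disabled:
            verdicts[p.name] = "disabled"
        else:
            verdicts[p.name] = "active"
    return verdicts

# Sample dump: the two "run-" keys quoted in this thread, plus one constructed
# active Run key reusing the ccApp path from the same log, for contrast.
SAMPLE_LOG = r'''
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ctfmon.exe"=c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"zowafeduve"=Rundll32.exe "c:\windows\system32\bepepono.dll",s
"CPM27936735"=Rundll32.exe "c:\windows\system32\dayevino.dll",a
"MSConfig"=c:\windows\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"ccApp"="c:\program files\Common Files\Symantec Shared\CCAPP.EXE"
'''

# Constructed stand-in for the disk: the Virtumonde DLLs are gone, the
# legitimate binaries remain (compared case-insensitively, as NTFS does).
FAKE_DISK = {p.lower() for p in (
    r"c:\windows\system32\ctfmon.exe",
    r"c:\windows\PCHealth\HelpCtr\Binaries\MSConfig.exe",
    r"c:\program files\Common Files\Symantec Shared\CCAPP.EXE",
)}

def fake_exists(path: str) -> bool:
    return path.lower() in FAKE_DISK

if __name__ == "__main__":
    for p in parse_load_points(SAMPLE_LOG.splitlines(), fake_exists):
        print(p.name, triage([p])[p.name], p.target)
```

On a live machine, call `parse_load_points(lines)` without the `exists` argument to check the paths against the real file system.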

melbeach
2008-12-01, 02:26
Thanks! You saved me a lot of work. I left a deposit on the way out. See ya!