Can't Remove DeepDive



CTGull
2012-06-17, 15:55
I'll be honest. I've posted this to 2 other forums, the first last Tuesday, got some help that night and haven't heard from them since. I tried the Malwarebytes forum 3 days ago with no response. Since SpyBot is the only program to find DeepDive I found this forum and figured I would give it a try before either returning the laptop to the owner or reformatting and reloading.

I've been trying to clean a laptop for a friend for over a week. I've removed everything except DeepDive. ONLY SpyBot shows it is infected with DeepDive. Malwarebytes and MS Security Essentials show it to be clean. I have run SpyBot at startup, as suggested, a few times and it is unable to remove DeepDive. As a last resort (before reformatting) I may try the manual removal methods in this forum, but I doubt it will work since SpyBot is unable to remove it.

Today the laptop is unable to connect to the wireless network, it only says acquiring network address. I've tried using the Dell utility and Windows to manage the connection, a reboot, and it still will not connect. It would not connect when I got the laptop but that was because I had to add my network to the Dell wireless utility, since then it has worked fine.

All browser Toolbars and Limewire have been removed using Windows Add/Remove programs.

I ran ERUNT.

The DDS log follows, the attach log is zipped and attached, and the spybot log will be at the end of the post.

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by Mom at 9:01:05 on 2012-06-17
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.894.467 [GMT -4:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
FW: McAfee Firewall *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
c:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\System32\spoolsv.exe
svchost.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Java\jre6\bin\jqs.exe
c:\program files\microsoft lifecam\mscams32.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft Security Client\msseces.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=1071023
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=1071023
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\2.0.301.7164\swg.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\dell\bae\BAE.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
TB: {61539ECD-CC67-4437-A03C-9AACCBD14326} - No File
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [%PROVIDERID%] "bin\sprtcmd.exe" /P %PROVIDERID%
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: {d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\mom\start menu\programs\imvu\Run IMVU.lnk
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - {552781AF-37E4-4FEE-920A-CED9E648EADD} - c:\program files\common files\microsoft shared\encarta search bar\ENCSBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
TCP: DhcpNameServer = 192.168.2.1 192.168.2.1
TCP: Interfaces\{4A93408F-F870-4EFB-9DC8-613E53DF98C5} : DhcpNameServer = 192.168.2.1 192.168.2.1
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
.


Top of SPYBOT LOG:

DeepDive: [SBI $92803A56] User settings (Registry key, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{0CB66BA8-5E1F-4963-93D1-E1D6B78FE9A2}

DeepDive: [SBI $92803A56] User settings (Registry key, nothing done)
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{0CB66BA8-5E1F-4963-93D1-E1D6B78FE9A2}
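
Added illustration, not part of the thread or of any tool mentioned in it: a small Python triage script that parses DDS "Pseudo HJT Report" lines like those quoted above (a subset of them is embedded as sample input) and flags what a helper looks at first: toolbar CLSIDs still registered with no file behind them, BHO DLL paths to verify on disk, DPF (ActiveX download) URLs, and any DHCP-assigned resolver outside private address space. The function names and finding labels are my own.

```python
import ipaddress
import re

# Subset of the "Pseudo HJT Report" section of the DDS log posted above
# (copied from the thread; DDS writes http:// as hxxp:// to defang links).
SAMPLE = r"""
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
TCP: DhcpNameServer = 192.168.2.1 192.168.2.1
"""

GUID = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


def parse_hjt(text):
    """Split each 'KIND: ... - target' line into (kind, clsid, target)."""
    entries = []
    for line in text.splitlines():
        if ":" not in line:
            continue
        kind, _, rest = line.partition(":")
        rest = rest.strip()
        match = GUID.search(rest)
        clsid = match.group(0).lower() if match else None
        # Everything after the last " - " is the file, URL or "No File".
        target = rest.rsplit(" - ", 1)[-1].strip()
        entries.append((kind.strip(), clsid, target))
    return entries


def triage(text):
    """Return (finding, detail) pairs a helper would want to look at first."""
    findings = []
    for kind, clsid, target in parse_hjt(text):
        if kind == "TB" and target == "No File":
            # CLSID still registered but its DLL is gone: leftover of a removed toolbar.
            findings.append(("orphaned toolbar registration", clsid))
        elif kind == "BHO":
            findings.append(("BHO DLL to verify on disk", target))
        elif kind == "DPF":
            findings.append(("ActiveX download to check for currency", target.replace("hxxp://", "http://", 1)))
        elif kind == "TCP" and "DhcpNameServer" in target:
            # A resolver outside private address space on a home LAN deserves a second look.
            for server in target.split("=", 1)[1].split():
                if not ipaddress.ip_address(server).is_private:
                    findings.append(("non-private DHCP resolver", server))
    return findings
```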

oldman960
2012-06-17, 19:14
Hi CTGull, welcome to the forum.

To make cleaning this machine easier
Please do not uninstall/install any programs unless asked to
It is more difficult when files/programs are appearing in/disappearing from the logs.
Please do not run any scans other than those requested
Please follow all instructions in the order posted
All logs/reports, etc. must be posted in Notepad. Please ensure that word wrap is unchecked. In notepad click format, uncheck word wrap if it is checked.
Do not attach any logs/reports, etc. unless specifically requested to do so.
If you have problems with or do not understand the instructions, Please ask before continuing.
Please stay with this thread until given the All Clear. An absence of symptoms does not mean a clean machine.


First

Please close any other threads you may have open in regards to this problem. It not only wastes valuable helper time/resources but makes it much more difficult if you are acting upon advice from multiple sources.

Next

I see there aren't any System Restore points on this machine. Please create a new system Restore point. An infected one is better than none at all. System Restore will not reinfect the computer unless it is restored to that point.

Make sure system Restore is enabled
click start
right click My Computer
click properties
click the System Restore tab
make sure "Turn off system Restore on all drives" or "Turn off system Restore" is unchecked


Note: If the box had been checked you can skip this next part as a new restore point will be created when the check mark is removed and the apply button clicked.

* Create a new restore point

You must be logged on to an administrator account
Go to Start - All Programs - Accessories - System Tools - System Restore.
Click Create a restore point, and then click Next.
In the text box labeled Restore Point Description, type a name for this restore point
click create


First we'll see what's going on with the connection.

Please download Farbar Service Scanner (http://www.bleepingcomputer.com/download/farbar-service-scanner/dl/62/) and transfer it to the computer with the issue. (Desktop is a good location)
Check the boxes beside these items
Internet Services
System Restore
Windows Firewall

Press "Scan".
It will create a log (FSS.txt) in the same directory the tool is run.
Please copy and paste the log to your reply.


Please post back with the
FSS log

CTGull
2012-06-17, 19:51
Thank you for your quick response.

The probable reason there are no restore points is I ran the Avira AntiVir Rescue System CD a couple of days ago and it found quite a few trojans in the system restore points. I'm not sure what it did (I think I have a log file though), it may just have deleted all the points.

The guy at TechSpot got back to me minutes after I posted this thread, after a 5 day delay. I thought he had given up. I will continue to work with him and see if he can resolve it. If not I will come back here and start over. He wrote a custom script for ComboFix, which I ran and posted the log back to the thread. I'll wait and see what he finds. I'm sorry to have wasted your time. I should have waited a little longer but I promised I would get this laptop cleaned in a week or less and it's been 9 days now.

oldman960
2012-06-17, 20:44
Hi CTGull,

Thanks for letting me know.

I'll close this topic tomorrow. If you need to come back please start a new topic with fresh logs as the fixes you will be running will change the information in the current log.

CTGull
2012-06-17, 21:19
Will do. Thanks again.

oldman960
2012-06-21, 10:13
Since this issue appears to be resolved ... this Topic has been closed.