jimrward Posted October 30, 2010

Hi,

I'm running Windows XP Media Center Edition and run SAS Pro on startup. My computer has been hijacked and now SAS won't run on startup and won't run if I start it manually. I found an alternate way to run SAS and did a scan which removed a bunch of adware stuff and asked me to reboot my computer. I rebooted but SAS did not run on startup as I would have expected.

Also, my Chrome browser no longer can find anything. My Internet Explorer is able to connect to the network but sometimes when I go to a web site something takes me to another website. I went to do a system restore but this has been shut off in my OS and there is no way to restart it. I also have internet-based games, like COD2, that no longer work. STEAM is a program associated with COD2 that is not running either on startup. It can't see the net. I also tried to run Malwarebytes and it won't run either.

Something is seriously messing with my computer and SAS did not find it. Any suggestions would be greatly appreciated.

Thanks
Best
-jim
siliconman01 Posted October 30, 2010

Please post the scan log from the SAS scan that removed infections. Also do another scan using the SAS Portable. Have your computer booted into SAFE MODE when you do the SAS Portable scan.

https://www.superantispyware.com/portablescanner.html?tag=SAS_PORTABLEFOLDER
jimrward Posted October 31, 2010

> Please post the scan log from the SAS scan that removed infections. Also do another scan using the SAS Portable. Have your computer booted into SAFE MODE when you do the SAS Portable scan.
> https://www.superantispyware.com/portablescanner.html?tag=SAS_PORTABLEFOLDER

OK, Here is the content of the log file:

SUPERAntiSpyware Scan Log
https://www.superantispyware.com

Generated 10/31/2010 at 02:19 AM

Application Version : 4.44.1000

Core Rules Database Version : 5610
Trace Rules Database Version: 3422

Scan type : Complete Scan
Total Scan Time : 04:04:00

Memory items scanned : 226
Memory threats detected : 0
Registry items scanned : 9596
Registry threats detected : 2
File items scanned : 28090
File threats detected : 55

Adware.Tracking Cookie
    C:\Documents and Settings\Owner.YOUR-780C524461\Cookies\owner@content.yieldmanager[2].txt
    C:\Documents and Settings\Owner.YOUR-780C524461\Cookies\owner@advertising[1].txt
    C:\Documents and Settings\Owner.YOUR-780C524461\Cookies\owner@imrworldwide[4].txt
    C:\Documents and Settings\Owner.YOUR-780C524461\Cookies\owner@oasn04.247realmedia[1].txt
    C:\Documents and Settings\Owner.YOUR-780C524461\Cookies\owner@liveperson[3].txt
    C:\Documents and Settings\Owner.YOUR-780C524461\Cookies\owner@adecn[1].txt
    C:\Documents and Settings\Owner.YOUR-780C524461\Cookies\owner@247realmedia[1].txt
    C:\Documents and Settings\Owner.YOUR-780C524461\Cookies\owner@bs.serving-sys[1].txt
    C:\Documents and Settings\Owner.YOUR-780C524461\Cookies\owner@ad.wsod[2].txt
    C:\Documents and Settings\Owner.YOUR-780C524461\Cookies\owner@kontera[1].txt
    C:\Documents and Settings\Owner.YOUR-780C524461\Cookies\owner@ads.undertone[2].txt
    C:\Documents and Settings\Owner.YOUR-780C524461\Cookies\owner@questionmarket[2].txt
    C:\Documents and Settings\Owner.YOUR-780C524461\Cookies\owner@advertise[1].txt
    C:\Documents and Settings\Owner.YOUR-780C524461\Cookies\owner@media6degrees[1].txt
    C:\Documents and Settings\Owner.YOUR-780C524461\Cookies\owner@atdmt[6].txt
    C:\Documents and Settings\Owner.YOUR-780C524461\Cookies\owner@adserving.autotrader[1].txt
    C:\Documents and Settings\Owner.YOUR-780C524461\Cookies\owner@sales.liveperson[1].txt
    C:\Documents and Settings\Owner.YOUR-780C524461\Cookies\owner@stopzilla[2].txt
    C:\Documents and Settings\Owner.YOUR-780C524461\Cookies\owner@tribalfusion[1].txt
    C:\Documents and Settings\Owner.YOUR-780C524461\Cookies\owner@clickbank[1].txt
    C:\Documents and Settings\Owner.YOUR-780C524461\Cookies\owner@2o7[1].txt
    C:\Documents and Settings\Owner.YOUR-780C524461\Cookies\owner@partypoker[1].txt
    C:\Documents and Settings\Owner.YOUR-780C524461\Cookies\owner@zedo[1].txt
    C:\Documents and Settings\Owner.YOUR-780C524461\Cookies\owner@apmebf[1].txt
    C:\Documents and Settings\Owner.YOUR-780C524461\Cookies\owner@dc.tremormedia[2].txt
    C:\Documents and Settings\Owner.YOUR-780C524461\Cookies\owner@fastclick[2].txt
    C:\Documents and Settings\Owner.YOUR-780C524461\Cookies\owner@clickmax.co[1].txt
    C:\Documents and Settings\Owner.YOUR-780C524461\Cookies\owner@adserver.adtechus[1].txt
    C:\Documents and Settings\Owner.YOUR-780C524461\Cookies\owner@interclick[2].txt
    C:\Documents and Settings\Owner.YOUR-780C524461\Cookies\owner@a1.interclick[2].txt
    C:\Documents and Settings\Owner.YOUR-780C524461\Cookies\owner@revsci[4].txt
    C:\Documents and Settings\Owner.YOUR-780C524461\Cookies\owner@collective-media[4].txt
    C:\Documents and Settings\Owner.YOUR-780C524461\Cookies\owner@yieldmanager[1].txt
    C:\Documents and Settings\Owner.YOUR-780C524461\Cookies\owner@pointroll[2].txt
    C:\Documents and Settings\Owner.YOUR-780C524461\Cookies\owner@content.yieldmanager[3].txt
    C:\Documents and Settings\Owner.YOUR-780C524461\Cookies\owner@adbrite[2].txt
    C:\Documents and Settings\Owner.YOUR-780C524461\Cookies\owner@adinterax[2].txt
    C:\Documents and Settings\Owner.YOUR-780C524461\Cookies\owner@ads.pointroll[1].txt
    C:\Documents and Settings\Owner.YOUR-780C524461\Cookies\owner@casalemedia[1].txt
    C:\Documents and Settings\Owner.YOUR-780C524461\Cookies\owner@doubleclick[1].txt
    C:\Documents and Settings\Owner.YOUR-780C524461\Cookies\owner@ad.yieldmanager[2].txt
    C:\Documents and Settings\Owner.YOUR-780C524461\Cookies\owner@invitemedia[1].txt
    C:\Documents and Settings\Owner.YOUR-780C524461\Cookies\owner@atdmt[1].txt
    C:\Documents and Settings\Owner.YOUR-780C524461\Cookies\owner@liveperson[1].txt
    C:\Documents and Settings\Owner.YOUR-780C524461\Cookies\owner@serving-sys[2].txt
    .specificmedia.com [ C:\Documents and Settings\Owner.YOUR-780C524461\Application Data\Mozilla\Firefox\Profiles\shbnf906.default\cookies.sqlite ]
    .adopt.specificclick.net [ C:\Documents and Settings\Owner.YOUR-780C524461\Application Data\Mozilla\Firefox\Profiles\shbnf906.default\cookies.sqlite ]
    .adopt.specificclick.net [ C:\Documents and Settings\Owner.YOUR-780C524461\Application Data\Mozilla\Firefox\Profiles\shbnf906.default\cookies.sqlite ]
    .adopt.specificclick.net [ C:\Documents and Settings\Owner.YOUR-780C524461\Application Data\Mozilla\Firefox\Profiles\shbnf906.default\cookies.sqlite ]
    .adopt.specificclick.net [ C:\Documents and Settings\Owner.YOUR-780C524461\Application Data\Mozilla\Firefox\Profiles\shbnf906.default\cookies.sqlite ]
    .adopt.specificclick.net [ C:\Documents and Settings\Owner.YOUR-780C524461\Application Data\Mozilla\Firefox\Profiles\shbnf906.default\cookies.sqlite ]
    .content.yieldmanager.edgesuite.net [ C:\Documents and Settings\Owner.YOUR-780C524461\Application Data\Mozilla\Firefox\Profiles\shbnf906.default\cookies.sqlite ]
    .content.yieldmanager.com [ C:\Documents and Settings\Owner.YOUR-780C524461\Application Data\Mozilla\Firefox\Profiles\shbnf906.default\cookies.sqlite ]
    .zedo.com [ C:\Documents and Settings\Owner.YOUR-780C524461\Application Data\Mozilla\Firefox\Profiles\shbnf906.default\cookies.sqlite ]
    .dynamic.media.adrevolver.com [ C:\Documents and Settings\Owner.YOUR-780C524461\Application Data\Mozilla\Firefox\Profiles\shbnf906.default\cookies.sqlite ]

Disabled.TaskManager
    HKU\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM#DISABLETASKMGR
    HKU\S-1-5-18\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM#DISABLETASKMGR

After I ran the scan, and let SAS clear up the found problems, it still does not work.

Thanks
-jim
siliconman01 Posted October 31, 2010

Okay,

First, V4.45.1000 is the latest version of SAS. You need to update the program.

Second, your core/trace definitions are significantly outdated. The latest Core is 5787 and Trace is 3599. You need to update these.

Please do the above, rescan, and see if this corrects the problem. If you cannot update, run the portable version which will have the very latest core/trace definitions. Be sure to run the Portable scan while booted in SAFE MODE. Let it clean what it finds.

If you can get SAS to run, go to the Tools section in Preferences and execute the "Enable Task Manager" tool.
jimrward Posted October 31, 2010

> Okay,
> First, V4.45.1000 is the latest version of SAS. You need to update the program.
> Second, your core/trace definitions are significantly outdated. The latest Core is 5787 and Trace is 3599. You need to update these.
> Please do the above, rescan, and see if this corrects the problem. If you cannot update, run the portable version which will have the very latest core/trace definitions. Be sure to run the Portable scan while booted in SAFE MODE. Let it clean what it finds.
> If you can get SAS to run, go to the Tools section in Preferences and execute the "Enable Task Manager" tool.

Siliconman,

Thanks for the help but I did what you asked and it still has not corrected my problem. SAS will still not start up. I had to download the SAS portable again to get the correct version and ran it in safe mode as requested. Here is the scan log:

SUPERAntiSpyware Scan Log
https://www.superantispyware.com

Generated 10/31/2010 at 10:00 AM

Application Version : 4.45.1000

Core Rules Database Version : 5787
Trace Rules Database Version: 3599

Scan type : Complete Scan
Total Scan Time : 00:42:17

Memory items scanned : 276
Memory threats detected : 0
Registry items scanned : 9605
Registry threats detected : 0
File items scanned : 28152
File threats detected : 26

Adware.Tracking Cookie
    C:\Documents and Settings\Owner.YOUR-780C524461\Cookies\owner@apartmentfinder[2].txt
    C:\Documents and Settings\Owner.YOUR-780C524461\Cookies\owner@advertising[2].txt
    C:\Documents and Settings\Owner.YOUR-780C524461\Cookies\owner@admarketplace[1].txt
    C:\Documents and Settings\Owner.YOUR-780C524461\Cookies\owner@www.apartmentfinder[1].txt
    C:\Documents and Settings\Owner.YOUR-780C524461\Cookies\owner@bs.serving-sys[1].txt
    C:\Documents and Settings\Owner.YOUR-780C524461\Cookies\owner@ad.wsod[2].txt
    C:\Documents and Settings\Owner.YOUR-780C524461\Cookies\owner@questionmarket[2].txt
    C:\Documents and Settings\Owner.YOUR-780C524461\Cookies\owner@atdmt[6].txt
    C:\Documents and Settings\Owner.YOUR-780C524461\Cookies\owner@atdmt[1].txt
    C:\Documents and Settings\Owner.YOUR-780C524461\Cookies\owner@pointroll[2].txt
    C:\Documents and Settings\Owner.YOUR-780C524461\Cookies\owner@ads.pointroll[1].txt
    C:\Documents and Settings\Owner.YOUR-780C524461\Cookies\owner@counter.surfcounters[1].txt
    C:\Documents and Settings\Owner.YOUR-780C524461\Cookies\owner@doubleclick[1].txt
    C:\Documents and Settings\Owner.YOUR-780C524461\Cookies\owner@ad.yieldmanager[1].txt
    C:\Documents and Settings\Owner.YOUR-780C524461\Cookies\owner@bridge2.admarketplace[1].txt
    C:\Documents and Settings\Owner.YOUR-780C524461\Cookies\owner@serving-sys[1].txt
    .specificmedia.com [ C:\Documents and Settings\Owner.YOUR-780C524461\Application Data\Mozilla\Firefox\Profiles\shbnf906.default\cookies.sqlite ]
    .adopt.specificclick.net [ C:\Documents and Settings\Owner.YOUR-780C524461\Application Data\Mozilla\Firefox\Profiles\shbnf906.default\cookies.sqlite ]
    .adopt.specificclick.net [ C:\Documents and Settings\Owner.YOUR-780C524461\Application Data\Mozilla\Firefox\Profiles\shbnf906.default\cookies.sqlite ]
    .adopt.specificclick.net [ C:\Documents and Settings\Owner.YOUR-780C524461\Application Data\Mozilla\Firefox\Profiles\shbnf906.default\cookies.sqlite ]
    .adopt.specificclick.net [ C:\Documents and Settings\Owner.YOUR-780C524461\Application Data\Mozilla\Firefox\Profiles\shbnf906.default\cookies.sqlite ]
    .adopt.specificclick.net [ C:\Documents and Settings\Owner.YOUR-780C524461\Application Data\Mozilla\Firefox\Profiles\shbnf906.default\cookies.sqlite ]
    .content.yieldmanager.edgesuite.net [ C:\Documents and Settings\Owner.YOUR-780C524461\Application Data\Mozilla\Firefox\Profiles\shbnf906.default\cookies.sqlite ]
    .content.yieldmanager.com [ C:\Documents and Settings\Owner.YOUR-780C524461\Application Data\Mozilla\Firefox\Profiles\shbnf906.default\cookies.sqlite ]
    .zedo.com [ C:\Documents and Settings\Owner.YOUR-780C524461\Application Data\Mozilla\Firefox\Profiles\shbnf906.default\cookies.sqlite ]
    .dynamic.media.adrevolver.com [ C:\Documents and Settings\Owner.YOUR-780C524461\Application Data\Mozilla\Firefox\Profiles\shbnf906.default\cookies.sqlite ]

Please advise next step.

Thanks
-jim
siliconman01 Posted November 1, 2010

Okay, SAS is only finding cookies which I am certain is not causing your problem.

Please run Combofix as per the instructions in the link below. After Combofix has done its job, please post back here the Combofix log. I am assuming that your Windows is 32-bit. If it is 64-bit, DO NOT run Combofix.

http://www.bleepingcomputer.com/combofix/how-to-use-combofix
jimrward Posted November 1, 2010

OK, Here is the Combofix Log file:

ComboFix 10-10-31.04 - Owner 11/01/2010 12:53:55.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.609 [GMT -7:00]
Running from: c:\documents and settings\Owner.YOUR-780C524461\Desktop\xxx.exe
 * Created a new restore point
 WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Owner.YOUR-780C524461\Local Settings\Application Data\{1F9ECC25-79D2-4231-B549-03E2C990407B}
c:\documents and settings\Owner.YOUR-780C524461\Local Settings\Application Data\{1F9ECC25-79D2-4231-B549-03E2C990407B}\chrome.manifest
c:\documents and settings\Owner.YOUR-780C524461\Local Settings\Application Data\{1F9ECC25-79D2-4231-B549-03E2C990407B}\chrome\content\_cfg.js
c:\documents and settings\Owner.YOUR-780C524461\Local Settings\Application Data\{1F9ECC25-79D2-4231-B549-03E2C990407B}\chrome\content\overlay.xul
c:\documents and settings\Owner.YOUR-780C524461\Local Settings\Application Data\{1F9ECC25-79D2-4231-B549-03E2C990407B}\install.rdf
c:\program files\Internet Explorer\SET132.tmp
c:\program files\Internet Explorer\SET133.tmp
c:\program files\Internet Explorer\SET135.tmp
c:\windows\jestertb.dll
c:\windows\system32\11478.exe
c:\windows\system32\11942.exe
c:\windows\system32\15724.exe
c:\windows\system32\16827.exe
c:\windows\system32\18467.exe
c:\windows\system32\19169.exe
c:\windows\system32\23281.exe
c:\windows\system32\24464.exe
c:\windows\system32\26500.exe
c:\windows\system32\26962.exe
c:\windows\system32\28145.exe
c:\windows\system32\29358.exe
c:\windows\system32\2995.exe
c:\windows\system32\4827.exe
c:\windows\system32\491.exe
c:\windows\system32\5705.exe
c:\windows\system32\6334.exe
c:\windows\system32\9961.exe
c:\windows\Tasks\gkkfnmrj.job
H:\Autorun.inf

Infected copy of c:\windows\system32\drivers\agp440.sys was found and disinfected
Restored copy from - Kitty had a snack
.
((((((((((((((((((((((((( Files Created from 2010-10-01 to 2010-11-01 )))))))))))))))))))))))))))))))
.
2010-10-30 02:13 . 2010-10-30 02:13 -------- d-----w- C:\spoolerlogs
2010-10-30 00:21 . 2010-10-30 00:21 -------- d--h--w- c:\windows\system32\GroupPolicy
2010-10-28 16:02 . 2010-10-28 16:02 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2010-10-28 15:59 . 2010-10-28 15:59 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2010-10-17 20:53 . 2010-10-17 20:54 -------- d-----w- c:\documents and settings\Owner.YOUR-780C524461\Logitech
2010-10-17 20:52 . 2010-10-17 20:52 -------- d-----w- c:\program files\Common Files\Remote Control Software Common
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-10-27 04:34 . 2009-05-11 05:56 233960 ----a-w- c:\windows\system32\PnkBstrB.xtr
2010-10-27 04:34 . 2007-04-05 04:17 233960 ----a-w- c:\windows\system32\PnkBstrB.exe
2010-10-27 03:42 . 2007-04-05 04:17 138520 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2009-01-06 16:03 . 2008-02-22 18:56 27976 ----a-w- c:\program files\mozilla firefox\plugins\atgpcdec.dll
2009-01-06 16:03 . 2008-02-22 18:56 125848 ----a-w- c:\program files\mozilla firefox\plugins\atgpcext.dll
2008-12-02 16:36 . 2008-02-22 18:56 46408 ----a-w- c:\program files\mozilla firefox\plugins\atmccli.dll
2008-02-22 18:56 . 2008-02-22 18:56 98712 ----a-w- c:\program files\mozilla firefox\plugins\ieatgpc.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LDM"="c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe" [2007-12-25 36864]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-10-25 2424560]
"OM_Monitor"="c:\program files\OLYMPUS\OLYMPUS Master\Monitor.exe" [2006-05-17 57344]
"Steam"="c:\program files\Steam\Steam.exe" [2010-09-29 1242448]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2004-02-12 49152]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 241664]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-05-18 7561216]
"RTHDCPL"="RTHDCPL.EXE" [2007-11-06 16855552]
"VolPanel"="c:\program files\Creative\USB Headsets\Volume Panel\VolPanlu.exe" [2008-05-05 221300]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-09-01 1164584]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Power2GoExpress"="NA" [X]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-5-28 241664]
HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2004-5-28 53248]
Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe [2007-12-25 196608]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0SsiEfr.e

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AT&T Self Support Tool.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\AT&T Self Support Tool.lnk
backup=c:\windows\pss\AT&T Self Support Tool.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BigFix.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\BigFix.lnk
backup=c:\windows\pss\BigFix.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner.YOUR-780C524461^Start Menu^Programs^Startup^MagicDisc.lnk]
path=c:\documents and settings\Owner.YOUR-780C524461\Start Menu\Programs\Startup\MagicDisc.lnk
backup=c:\windows\pss\MagicDisc.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
1 [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
2005-05-04 02:43 69632 ----a-w- c:\windows\Alcmtr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
2006-10-09 19:28 139264 ----a-w- c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BJCFD]
2002-09-11 04:26 368706 ----a-w- c:\program files\BroadJump\Client Foundation\CFD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CHotkey]
2004-12-09 00:57 550912 ----a-w- c:\windows\zHotkey.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
2005-08-06 04:56 64512 ----a-w- c:\windows\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-02-16 02:07 141608 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Motive SmartBridge]
2005-08-24 14:51 442455 ----a-w- c:\progra~1\SBCSEL~1\SMARTB~1\MotiveSB.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSKDetectorExe]
2005-08-12 23:16 1121792 ----a-w- c:\program files\McAfee\SpamKiller\MSKDetct.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Nero PhotoShow Media Manager]
2006-05-10 19:52 249856 ----a-w- c:\progra~1\Nero\NERO7~1\NEROPH~2\data\Xtras\mssysmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2006-01-13 00:40 155648 ----a-w- c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2006-05-18 14:56 7561216 ----a-w- c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2006-05-18 14:56 86016 ----a-w- c:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2006-05-18 14:56 1519616 ----a-w- c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OM_Monitor]
2006-05-17 00:50 40960 ----a-w- c:\program files\OLYMPUS\OLYMPUS Master\FirstStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-11-11 07:08 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\readericon]
2005-12-10 01:44 139264 ----a-w- c:\program files\Digital Media Reader\readericon45G.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
2002-09-14 05:42 212992 ----a-w- c:\windows\SMINST\Recguard.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder]
2005-02-26 00:24 966656 ----a-w- c:\windows\creator\Remind_XP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
2007-11-06 18:50 16855552 ----a-w- c:\windows\RTHDCPL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-01-17 16:48 136600 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
2006-03-30 23:45 313472 ----a-r- c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"PrismXL"=2 (0x2)
"NBService"=3 (0x3)
"idsvc"=3 (0x3)
"FlipShare Service"=2 (0x2)
"WMPNetworkSvc"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Activision\\Call of Duty 2\\CoD2MP_s.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\call of duty modern warfare 2\\iw4sp.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\call of duty modern warfare 2\\iw4mp.exe"=
"c:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"=
"c:\\Program Files\\SUPERAntiSpyware\\RUNSAS.EXE"=
"c:\\Program Files\\SUPERAntiSpyware\\SUPERAntiSpyware.exe"=

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 11:25 AM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 11:41 AM 67656]
S2 LinksysUpdater;Linksys Updater;c:\program files\Linksys\Linksys Updater\bin\LinksysUpdater.exe [1/15/2008 10:28 AM 204800]
S3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\system32\drivers\ASPI32.SYS [12/18/2006 9:59 PM 16512]
S3 cm1123264;C-Media CM112 UDAX Sound Interface;c:\windows\system32\drivers\cm112.sys --> c:\windows\system32\drivers\cm112.sys [?]
S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [3/4/2009 8:42 PM 79360]
S3 Creative Media Toolbox 6 Licensing Service;Creative Media Toolbox 6 Licensing Service;c:\program files\Common Files\Creative Labs Shared\Service\MT6Licensing.exe [3/4/2009 8:54 PM 79360]
S3 nosGetPlusHelper;getPlus® Helper 3004;c:\windows\System32\svchost.exe -k nosGetPlusHelper [1/9/2005 4:48 PM 14336]
S3 skfilt;skfilt;c:\windows\system32\drivers\skfilt.sys [3/4/2009 8:45 PM 1670016]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
nosGetPlusHelper REG_MULTI_SZ nosGetPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2010-09-14 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 20:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://yahoo.com/
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
uSearchAssistant = hxxp://www.google.com
Trusted Zone: att.net
Trusted Zone: sbcglobal.net
Trusted Zone: yahoo.com\clientapps
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
FF - ProfilePath - c:\documents and settings\Owner.YOUR-780C524461\Application Data\Mozilla\Firefox\Profiles\shbnf906.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - component: c:\documents and settings\Owner.YOUR-780C524461\Application Data\Mozilla\Firefox\Profiles\shbnf906.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - plugin: c:\documents and settings\Owner.YOUR-780C524461\Application Data\Mozilla\Firefox\Profiles\shbnf906.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
FF - plugin: c:\documents and settings\Owner.YOUR-780C524461\Application Data\Mozilla\Firefox\Profiles\shbnf906.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp07074039.dll
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npatgpc.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

Toolbar-Locked - (no file)
Notify-AtiExtEvent - (no file)
SafeBoot-svcWRSSSDK
MSConfigStartUp-AntiMalware - c:\program files\AntiMalware\antimalware.exe
MSConfigStartUp-ccApp - c:\program files\Common Files\Symantec Shared\ccApp.exe
MSConfigStartUp-Google Desktop Search - c:\program files\Google\Google Desktop Search\GoogleDesktop.exe
MSConfigStartUp-gwmimhfg - c:\documents and settings\Owner.YOUR-780C524461\Local Settings\Application Data\srfgtx\gdgvsysguard.exe
MSConfigStartUp-HostManager - c:\program files\Common Files\AOL\1147409254\EE\AOLHostManager.exe
MSConfigStartUp-ibiimxdg - c:\documents and settings\Owner.YOUR-780C524461\Local Settings\Application Data\heyxtn\rrbasysguard.exe
MSConfigStartUp-kivuzobuye - ruyutave.dll
MSConfigStartUp-lnuubgfd - c:\documents and settings\Owner.YOUR-780C524461\Local Settings\Application Data\whooibjkt\mpnhxcvtssd.exe
MSConfigStartUp-qcihyqoj - c:\documents and settings\Owner.YOUR-780C524461\Local Settings\Application Data\sxwwdi\pmkcsysguard.exe
MSConfigStartUp-qggcqcdn - c:\documents and settings\Owner.YOUR-780C524461\Local Settings\Application Data\kambxo\mpfrsysguard.exe
MSConfigStartUp-rqprlinv - c:\documents and settings\Owner.YOUR-780C524461\Local Settings\Application Data\lewdwy\yjldsysguard.exe
MSConfigStartUp-smss32 - c:\windows\system32\smss32.exe
MSConfigStartUp-SpySweeper - c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe
MSConfigStartUp-uphgemib - c:\documents and settings\Owner.YOUR-780C524461\Local Settings\Application Data\cvvnidxmn\mokwtertssd.exe
MSConfigStartUp-votudehoj - c:\windows\system32\yizimife.dll
MSConfigStartUp-wow64main - c:\docume~1\OWNER~1.YOU\LOCALS~1\Temp\wow64main.exe
MSConfigStartUp-ygua8e7yhuiesfha876yfauy8fe - c:\docume~1\OWNER~1.YOU\LOCALS~1\Temp\jxuxxa.exe
AddRemove-Sierra Uninstall - c:\documents and settings\Owner.YOUR-780C524461\Desktop\USB112-Full\VISTA\Setup.exe
AddRemove-{7585478E9D9B42108671C12F8714CEFE} - c:\program files\DivX\DivXConverterUninstall.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-11-01 13:02
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
@DACL=(02 0000)
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
@DACL=(02 0000)
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
@DACL=(02 0000)
"Installed"="1"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(612)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\documents and settings\Owner.YOUR-780C524461\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
c:\documents and settings\Owner.YOUR-780C524461\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
c:\documents and settings\Owner.YOUR-780C524461\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
.
Completion time: 2010-11-01 13:05:40
ComboFix-quarantined-files.txt 2010-11-01 20:05

Pre-Run: 44,330,409,984 bytes free
Post-Run: 48,283,930,624 bytes free

Not sure yet if this fixed my problem. I will reboot and check again.

Thanks
Best
-jim
siliconman01 Posted November 2, 2010 Okay, Combofix found many things infected and supposedly fixed them. Did it correct your problems?
jimrward Posted November 3, 2010
Quoting siliconman01: Okay, Combofix found many things infected and supposedly fixed them. Did it correct your problems?
YES!!! Thanks so much in helping me correct this. All is good now. This was a nasty problem but pretty clever in stopping any of the AntiSpyware programs from running. Only thing that worked was Internet Explorer, which I guess they needed working so they could redirect me to the various websites they got paid for. Again, appreciate your help on this. Best -jim
Seth Posted November 3, 2010 Lol Siliconman. So much for all those elitist warnings that only "special people" can use CF :) I've suggested its use a few times on this forum, and have used it hundreds of times in my business with no issue.
siliconman01 Posted November 4, 2010
Quoting Seth: Lol Siliconman. So much for all those elitist warnings that only "special people" can use CF :) I've suggested its use a few times on this forum, and have used it hundreds of times in my business with no issue.
We ARE special people!

Jimrward, would you please do the following:

1. Combofix quarantined everything it found to a folder named Qoobox located at C:\. Would you please ZIP this folder and send it to the SAS gurus via the instructions at the link below. Please state in the submittal that this is Qoobox from a Combofix run.
https://forums.superantispyware.com/index.php?/topic/2814-submitting-samples-to-superantispyware/

2. Then delete Combofix from your system.
- Go to Start>Run and type in Combofix /u (space before /u)
This will instruct Combofix to delete itself and all folders (including Qoobox) it created from your computer. Combofix is a tool that needs to be re-downloaded to obtain the latest version if it is needed in the future.

3. Delete the zipped Qoobox folder too.