Hijacked Computer, SAS not fixing problem

[jimrward]

Hi,

I'm running Windows XP Media Center Edition and run SAS Pro on startup.

My computer has been hijacked and now SAS won't run on startup and won't run if I start it manually.

I found an alternate way to run SAS and did a scan which removed a bunch of adware stuff and asked me to reboot my computer.

I rebooted but SAS did not run on startup as I would have expected.

Also, my Chrome browser no longer can find anything. My Internet Explorer is able to connect to the network but sometimes when I go to a web site something takes me to another website. I went to do a system restore but this has been shut off in my OS and there is no way to restart it. I also have internet based games, like COD2 that no longer work. STEAM is a program associated with COD2 that is not running either on startup. It can't see the net. I also tried to run Malwarebytes and it won't run either. Something is seriously messing with my computer and SAS did not find it.

Any suggestions would be greatly appreciated.

Thanks

Best

-jim

[siliconman01]

Please post the scan log from the SAS scan that removed infections.

Also do another scan using the SAS Portable. Have your computer booted into SAFE MODE when you do the SAS Portable scan.

https://www.superantispyware.com/portablescanner.html?tag=SAS_PORTABLEFOLDER

[jimrward]

Please post the scan log from the SAS scan that removed infections.

Also do another scan using the SAS Portable. Have your computer booted into SAFE MODE when you do the SAS Portable scan.

https://www.superantispyware.com/portablescanner.html?tag=SAS_PORTABLEFOLDER'>https://www.superantispyware.com/portablescanner.html?tag=SAS_PORTABLEFOLDER

OK, Here is the content of the log file:

SUPERAntiSpyware Scan Log

https://www.superantispyware.com

Generated 10/31/2010 at 02:19 AM

Application Version : 4.44.1000

Core Rules Database Version : 5610

Trace Rules Database Version: 3422

Scan type : Complete Scan

Total Scan Time : 04:04:00

Memory items scanned : 226

Memory threats detected : 0

Registry items scanned : 9596

Registry threats detected : 2

File items scanned : 28090

File threats detected : 55

Adware.Tracking Cookie

C:\Documents and Settings\Owner.YOUR-780C524461\Cookies\owner@content.yieldmanager[2].txt

C:\Documents and Settings\Owner.YOUR-780C524461\Cookies\owner@advertising[1].txt

C:\Documents and Settings\Owner.YOUR-780C524461\Cookies\owner@imrworldwide[4].txt

C:\Documents and Settings\Owner.YOUR-780C524461\Cookies\owner@oasn04.247realmedia[1].txt

C:\Documents and Settings\Owner.YOUR-780C524461\Cookies\owner@liveperson[3].txt

C:\Documents and Settings\Owner.YOUR-780C524461\Cookies\owner@adecn[1].txt

C:\Documents and Settings\Owner.YOUR-780C524461\Cookies\owner@247realmedia[1].txt

C:\Documents and Settings\Owner.YOUR-780C524461\Cookies\owner@bs.serving-sys[1].txt

C:\Documents and Settings\Owner.YOUR-780C524461\Cookies\owner@ad.wsod[2].txt

C:\Documents and Settings\Owner.YOUR-780C524461\Cookies\owner@kontera[1].txt

C:\Documents and Settings\Owner.YOUR-780C524461\Cookies\owner@ads.undertone[2].txt

C:\Documents and Settings\Owner.YOUR-780C524461\Cookies\owner@questionmarket[2].txt

C:\Documents and Settings\Owner.YOUR-780C524461\Cookies\owner@advertise[1].txt

C:\Documents and Settings\Owner.YOUR-780C524461\Cookies\owner@media6degrees[1].txt

C:\Documents and Settings\Owner.YOUR-780C524461\Cookies\owner@atdmt[6].txt

C:\Documents and Settings\Owner.YOUR-780C524461\Cookies\owner@adserving.autotrader[1].txt

C:\Documents and Settings\Owner.YOUR-780C524461\Cookies\owner@sales.liveperson[1].txt

C:\Documents and Settings\Owner.YOUR-780C524461\Cookies\owner@stopzilla[2].txt

C:\Documents and Settings\Owner.YOUR-780C524461\Cookies\owner@tribalfusion[1].txt

C:\Documents and Settings\Owner.YOUR-780C524461\Cookies\owner@clickbank[1].txt

C:\Documents and Settings\Owner.YOUR-780C524461\Cookies\owner@2o7[1].txt

C:\Documents and Settings\Owner.YOUR-780C524461\Cookies\owner@partypoker[1].txt

C:\Documents and Settings\Owner.YOUR-780C524461\Cookies\owner@zedo[1].txt

C:\Documents and Settings\Owner.YOUR-780C524461\Cookies\owner@apmebf[1].txt

C:\Documents and Settings\Owner.YOUR-780C524461\Cookies\owner@dc.tremormedia[2].txt

C:\Documents and Settings\Owner.YOUR-780C524461\Cookies\owner@fastclick[2].txt

C:\Documents and Settings\Owner.YOUR-780C524461\Cookies\owner@clickmax.co[1].txt

C:\Documents and Settings\Owner.YOUR-780C524461\Cookies\owner@adserver.adtechus[1].txt

C:\Documents and Settings\Owner.YOUR-780C524461\Cookies\owner@interclick[2].txt

C:\Documents and Settings\Owner.YOUR-780C524461\Cookies\owner@a1.interclick[2].txt

C:\Documents and Settings\Owner.YOUR-780C524461\Cookies\owner@revsci[4].txt

C:\Documents and Settings\Owner.YOUR-780C524461\Cookies\owner@collective-media[4].txt

C:\Documents and Settings\Owner.YOUR-780C524461\Cookies\owner@yieldmanager[1].txt

C:\Documents and Settings\Owner.YOUR-780C524461\Cookies\owner@pointroll[2].txt

C:\Documents and Settings\Owner.YOUR-780C524461\Cookies\owner@content.yieldmanager[3].txt

C:\Documents and Settings\Owner.YOUR-780C524461\Cookies\owner@adbrite[2].txt

C:\Documents and Settings\Owner.YOUR-780C524461\Cookies\owner@adinterax[2].txt

C:\Documents and Settings\Owner.YOUR-780C524461\Cookies\owner@ads.pointroll[1].txt

C:\Documents and Settings\Owner.YOUR-780C524461\Cookies\owner@casalemedia[1].txt

C:\Documents and Settings\Owner.YOUR-780C524461\Cookies\owner@doubleclick[1].txt

C:\Documents and Settings\Owner.YOUR-780C524461\Cookies\owner@ad.yieldmanager[2].txt

C:\Documents and Settings\Owner.YOUR-780C524461\Cookies\owner@invitemedia[1].txt

C:\Documents and Settings\Owner.YOUR-780C524461\Cookies\owner@atdmt[1].txt

C:\Documents and Settings\Owner.YOUR-780C524461\Cookies\owner@liveperson[1].txt

C:\Documents and Settings\Owner.YOUR-780C524461\Cookies\owner@serving-sys[2].txt

.specificmedia.com [ C:\Documents and Settings\Owner.YOUR-780C524461\Application Data\Mozilla\Firefox\Profiles\shbnf906.default\cookies.sqlite ]

.adopt.specificclick.net [ C:\Documents and Settings\Owner.YOUR-780C524461\Application Data\Mozilla\Firefox\Profiles\shbnf906.default\cookies.sqlite ]

.adopt.specificclick.net [ C:\Documents and Settings\Owner.YOUR-780C524461\Application Data\Mozilla\Firefox\Profiles\shbnf906.default\cookies.sqlite ]

.adopt.specificclick.net [ C:\Documents and Settings\Owner.YOUR-780C524461\Application Data\Mozilla\Firefox\Profiles\shbnf906.default\cookies.sqlite ]

.adopt.specificclick.net [ C:\Documents and Settings\Owner.YOUR-780C524461\Application Data\Mozilla\Firefox\Profiles\shbnf906.default\cookies.sqlite ]

.adopt.specificclick.net [ C:\Documents and Settings\Owner.YOUR-780C524461\Application Data\Mozilla\Firefox\Profiles\shbnf906.default\cookies.sqlite ]

.content.yieldmanager.edgesuite.net [ C:\Documents and Settings\Owner.YOUR-780C524461\Application Data\Mozilla\Firefox\Profiles\shbnf906.default\cookies.sqlite ]

.content.yieldmanager.com [ C:\Documents and Settings\Owner.YOUR-780C524461\Application Data\Mozilla\Firefox\Profiles\shbnf906.default\cookies.sqlite ]

.zedo.com [ C:\Documents and Settings\Owner.YOUR-780C524461\Application Data\Mozilla\Firefox\Profiles\shbnf906.default\cookies.sqlite ]

.dynamic.media.adrevolver.com [ C:\Documents and Settings\Owner.YOUR-780C524461\Application Data\Mozilla\Firefox\Profiles\shbnf906.default\cookies.sqlite ]

Disabled.TaskManager

HKU\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM#DISABLETASKMGR

HKU\S-1-5-18\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM#DISABLETASKMGR

After I ran the scan, and let SAS clear up the found problems, it still does not work.

THanks

-jim

[siliconman01]

Okay,

First, V4.45.1000 is the latest version of SAS. You need to update the program.

Second, your core/trace definitions are significantly out dated. The latest Core is 5787 and Trace is 3599. You need to update these.

Please do the above, rescan, and see if this corrects the problem.

IF you cannot update, run the portable version which will have the very latest core/trace definitions. Be sure to run the Portable scan while booted in SAFE MODE. Let it clean what it finds.

If you can get SAS to run, go to the Tools section in Preferences and execute the "Enable Task Manager" tool.

[jimrward]

Okay,

First, V4.45.1000 is the latest version of SAS. You need to update the program.

Second, your core/trace definitions are significantly out dated. The latest Core is 5787 and Trace is 3599. You need to update these.

Please do the above, rescan, and see if this corrects the problem.

IF you cannot update, run the portable version which will have the very latest core/trace definitions. Be sure to run the Portable scan while booted in SAFE MODE. Let it clean what it finds.

If you can get SAS to run, go to the Tools section in Preferences and execute the "Enable Task Manager" tool.

Siliconman,

Thanks for the help but I did what you asked and it still has not corrected my problem. SAS will still not startup. I had to download the SAS portable again to get th correct version and ran it in safemode as requested.

Here is the scan log:

SUPERAntiSpyware Scan Log

https://www.superantispyware.com

Generated 10/31/2010 at 10:00 AM

Application Version : 4.45.1000

Core Rules Database Version : 5787

Trace Rules Database Version: 3599

Scan type : Complete Scan

Total Scan Time : 00:42:17

Memory items scanned : 276

Memory threats detected : 0

Registry items scanned : 9605

Registry threats detected : 0

File items scanned : 28152

File threats detected : 26

Adware.Tracking Cookie

C:\Documents and Settings\Owner.YOUR-780C524461\Cookies\owner@apartmentfinder[2].txt

C:\Documents and Settings\Owner.YOUR-780C524461\Cookies\owner@advertising[2].txt

C:\Documents and Settings\Owner.YOUR-780C524461\Cookies\owner@admarketplace[1].txt

C:\Documents and Settings\Owner.YOUR-780C524461\Cookies\owner@www.apartmentfinder[1].txt

C:\Documents and Settings\Owner.YOUR-780C524461\Cookies\owner@bs.serving-sys[1].txt

C:\Documents and Settings\Owner.YOUR-780C524461\Cookies\owner@ad.wsod[2].txt

C:\Documents and Settings\Owner.YOUR-780C524461\Cookies\owner@questionmarket[2].txt

C:\Documents and Settings\Owner.YOUR-780C524461\Cookies\owner@atdmt[6].txt

C:\Documents and Settings\Owner.YOUR-780C524461\Cookies\owner@atdmt[1].txt

C:\Documents and Settings\Owner.YOUR-780C524461\Cookies\owner@pointroll[2].txt

C:\Documents and Settings\Owner.YOUR-780C524461\Cookies\owner@ads.pointroll[1].txt

C:\Documents and Settings\Owner.YOUR-780C524461\Cookies\owner@counter.surfcounters[1].txt

C:\Documents and Settings\Owner.YOUR-780C524461\Cookies\owner@doubleclick[1].txt

C:\Documents and Settings\Owner.YOUR-780C524461\Cookies\owner@ad.yieldmanager[1].txt

C:\Documents and Settings\Owner.YOUR-780C524461\Cookies\owner@bridge2.admarketplace[1].txt

C:\Documents and Settings\Owner.YOUR-780C524461\Cookies\owner@serving-sys[1].txt

.specificmedia.com [ C:\Documents and Settings\Owner.YOUR-780C524461\Application Data\Mozilla\Firefox\Profiles\shbnf906.default\cookies.sqlite ]

.adopt.specificclick.net [ C:\Documents and Settings\Owner.YOUR-780C524461\Application Data\Mozilla\Firefox\Profiles\shbnf906.default\cookies.sqlite ]

.adopt.specificclick.net [ C:\Documents and Settings\Owner.YOUR-780C524461\Application Data\Mozilla\Firefox\Profiles\shbnf906.default\cookies.sqlite ]

.adopt.specificclick.net [ C:\Documents and Settings\Owner.YOUR-780C524461\Application Data\Mozilla\Firefox\Profiles\shbnf906.default\cookies.sqlite ]

.adopt.specificclick.net [ C:\Documents and Settings\Owner.YOUR-780C524461\Application Data\Mozilla\Firefox\Profiles\shbnf906.default\cookies.sqlite ]

.adopt.specificclick.net [ C:\Documents and Settings\Owner.YOUR-780C524461\Application Data\Mozilla\Firefox\Profiles\shbnf906.default\cookies.sqlite ]

.content.yieldmanager.edgesuite.net [ C:\Documents and Settings\Owner.YOUR-780C524461\Application Data\Mozilla\Firefox\Profiles\shbnf906.default\cookies.sqlite ]

.content.yieldmanager.com [ C:\Documents and Settings\Owner.YOUR-780C524461\Application Data\Mozilla\Firefox\Profiles\shbnf906.default\cookies.sqlite ]

.zedo.com [ C:\Documents and Settings\Owner.YOUR-780C524461\Application Data\Mozilla\Firefox\Profiles\shbnf906.default\cookies.sqlite ]

.dynamic.media.adrevolver.com [ C:\Documents and Settings\Owner.YOUR-780C524461\Application Data\Mozilla\Firefox\Profiles\shbnf906.default\cookies.sqlite ]

Please advise next step.

Thanks

-jim

[siliconman01]

Okay, SAS is only finding cookies which I am certain is not causing your problem.

Please run Combofix as per the instructions in the link below. After Combofix has done its job, please post back here the Combofix log. I am assuming that your Windows is 32-bit. If it is 64-bit, DO NOT run Combofix.

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

[jimrward]

OK,

Here is the Combofix Log file:

ComboFix 10-10-31.04 - Owner 11/01/2010 12:53:55.1.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.609 [GMT -7:00]

Running from: c:\documents and settings\Owner.YOUR-780C524461\Desktop\xxx.exe

* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\Owner.YOUR-780C524461\Local Settings\Application Data\{1F9ECC25-79D2-4231-B549-03E2C990407B}

c:\documents and settings\Owner.YOUR-780C524461\Local Settings\Application Data\{1F9ECC25-79D2-4231-B549-03E2C990407B}\chrome.manifest

c:\documents and settings\Owner.YOUR-780C524461\Local Settings\Application Data\{1F9ECC25-79D2-4231-B549-03E2C990407B}\chrome\content\_cfg.js

c:\documents and settings\Owner.YOUR-780C524461\Local Settings\Application Data\{1F9ECC25-79D2-4231-B549-03E2C990407B}\chrome\content\overlay.xul

c:\documents and settings\Owner.YOUR-780C524461\Local Settings\Application Data\{1F9ECC25-79D2-4231-B549-03E2C990407B}\install.rdf

c:\program files\Internet Explorer\SET132.tmp

c:\program files\Internet Explorer\SET133.tmp

c:\program files\Internet Explorer\SET135.tmp

c:\windows\jestertb.dll

c:\windows\system32\11478.exe

c:\windows\system32\11942.exe

c:\windows\system32\15724.exe

c:\windows\system32\16827.exe

c:\windows\system32\18467.exe

c:\windows\system32\19169.exe

c:\windows\system32\23281.exe

c:\windows\system32\24464.exe

c:\windows\system32\26500.exe

c:\windows\system32\26962.exe

c:\windows\system32\28145.exe

c:\windows\system32\29358.exe

c:\windows\system32\2995.exe

c:\windows\system32\4827.exe

c:\windows\system32\491.exe

c:\windows\system32\5705.exe

c:\windows\system32\6334.exe

c:\windows\system32\9961.exe

c:\windows\Tasks\gkkfnmrj.job

H:\Autorun.inf

Infected copy of c:\windows\system32\drivers\agp440.sys was found and disinfected

Restored copy from - Kitty had a snack

.

((((((((((((((((((((((((( Files Created from 2010-10-01 to 2010-11-01 )))))))))))))))))))))))))))))))

.

2010-10-30 02:13 . 2010-10-30 02:13 -------- d-----w- C:\spoolerlogs

2010-10-30 00:21 . 2010-10-30 00:21 -------- d--h--w- c:\windows\system32\GroupPolicy

2010-10-28 16:02 . 2010-10-28 16:02 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE

2010-10-28 15:59 . 2010-10-28 15:59 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache

2010-10-17 20:53 . 2010-10-17 20:54 -------- d-----w- c:\documents and settings\Owner.YOUR-780C524461\Logitech

2010-10-17 20:52 . 2010-10-17 20:52 -------- d-----w- c:\program files\Common Files\Remote Control Software Common

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-10-27 04:34 . 2009-05-11 05:56 233960 ----a-w- c:\windows\system32\PnkBstrB.xtr

2010-10-27 04:34 . 2007-04-05 04:17 233960 ----a-w- c:\windows\system32\PnkBstrB.exe

2010-10-27 03:42 . 2007-04-05 04:17 138520 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys

2009-01-06 16:03 . 2008-02-22 18:56 27976 ----a-w- c:\program files\mozilla firefox\plugins\atgpcdec.dll

2009-01-06 16:03 . 2008-02-22 18:56 125848 ----a-w- c:\program files\mozilla firefox\plugins\atgpcext.dll

2008-12-02 16:36 . 2008-02-22 18:56 46408 ----a-w- c:\program files\mozilla firefox\plugins\atmccli.dll

2008-02-22 18:56 . 2008-02-22 18:56 98712 ----a-w- c:\program files\mozilla firefox\plugins\ieatgpc.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"LDM"="c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe" [2007-12-25 36864]

"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-10-25 2424560]

"OM_Monitor"="c:\program files\OLYMPUS\OLYMPUS Master\Monitor.exe" [2006-05-17 57344]

"Steam"="c:\program files\Steam\Steam.exe" [2010-09-29 1242448]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2004-02-12 49152]

"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 241664]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-05-18 7561216]

"RTHDCPL"="RTHDCPL.EXE" [2007-11-06 16855552]

"VolPanel"="c:\program files\Creative\USB Headsets\Volume Panel\VolPanlu.exe" [2008-05-05 221300]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]

"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-09-01 1164584]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"Power2GoExpress"="NA" [X]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-5-28 241664]

HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2004-5-28 53248]

Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe [2007-12-25 196608]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]

"NoSetActiveDesktop"= 1 (0x1)

"NoActiveDesktopChanges"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]

BootExecute REG_MULTI_SZ autocheck autochk *\0SsiEfr.e

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk

backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AT&T Self Support Tool.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\AT&T Self Support Tool.lnk

backup=c:\windows\pss\AT&T Self Support Tool.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BigFix.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\BigFix.lnk

backup=c:\windows\pss\BigFix.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner.YOUR-780C524461^Start Menu^Programs^Startup^MagicDisc.lnk]

path=c:\documents and settings\Owner.YOUR-780C524461\Start Menu\Programs\Startup\MagicDisc.lnk

backup=c:\windows\pss\MagicDisc.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]

1 [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]

2005-05-04 02:43 69632 ----a-w- c:\windows\Alcmtr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]

2006-10-09 19:28 139264 ----a-w- c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BJCFD]

2002-09-11 04:26 368706 ----a-w- c:\program files\BroadJump\Client Foundation\CFD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CHotkey]

2004-12-09 00:57 550912 ----a-w- c:\windows\zHotkey.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]

2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]

2005-08-06 04:56 64512 ----a-w- c:\windows\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

2010-02-16 02:07 141608 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Motive SmartBridge]

2005-08-24 14:51 442455 ----a-w- c:\progra~1\SBCSEL~1\SMARTB~1\MotiveSB.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSKDetectorExe]

2005-08-12 23:16 1121792 ----a-w- c:\program files\McAfee\SpamKiller\MSKDetct.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Nero PhotoShow Media Manager]

2006-05-10 19:52 249856 ----a-w- c:\progra~1\Nero\NERO7~1\NEROPH~2\data\Xtras\mssysmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]

2006-01-13 00:40 155648 ----a-w- c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]

2006-05-18 14:56 7561216 ----a-w- c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]

2006-05-18 14:56 86016 ----a-w- c:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]

2006-05-18 14:56 1519616 ----a-w- c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OM_Monitor]

2006-05-17 00:50 40960 ----a-w- c:\program files\OLYMPUS\OLYMPUS Master\FirstStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

2009-11-11 07:08 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\readericon]

2005-12-10 01:44 139264 ----a-w- c:\program files\Digital Media Reader\readericon45G.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]

2002-09-14 05:42 212992 ----a-w- c:\windows\SMINST\Recguard.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder]

2005-02-26 00:24 966656 ----a-w- c:\windows\creator\Remind_XP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]

2007-11-06 18:50 16855552 ----a-w- c:\windows\RTHDCPL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

2009-01-17 16:48 136600 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]

2006-03-30 23:45 313472 ----a-r- c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"PrismXL"=2 (0x2)

"NBService"=3 (0x3)

"idsvc"=3 (0x3)

"FlipShare Service"=2 (0x2)

"WMPNetworkSvc"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

"c:\\Program Files\\Activision\\Call of Duty 2\\CoD2MP_s.exe"=

"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\uTorrent\\uTorrent.exe"=

"c:\\WINDOWS\\system32\\PnkBstrA.exe"=

"c:\\WINDOWS\\system32\\PnkBstrB.exe"=

"c:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Steam\\SteamApps\\common\\call of duty modern warfare 2\\iw4sp.exe"=

"c:\\Program Files\\Steam\\SteamApps\\common\\call of duty modern warfare 2\\iw4mp.exe"=

"c:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"=

"c:\\Program Files\\SUPERAntiSpyware\\RUNSAS.EXE"=

"c:\\Program Files\\SUPERAntiSpyware\\SUPERAntiSpyware.exe"=

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 11:25 AM 12872]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 11:41 AM 67656]

S2 LinksysUpdater;Linksys Updater;c:\program files\Linksys\Linksys Updater\bin\LinksysUpdater.exe [1/15/2008 10:28 AM 204800]

S3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\system32\drivers\ASPI32.SYS [12/18/2006 9:59 PM 16512]

S3 cm1123264;C-Media CM112 UDAX Sound Interface;c:\windows\system32\drivers\cm112.sys --> c:\windows\system32\drivers\cm112.sys [?]

S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [3/4/2009 8:42 PM 79360]

S3 Creative Media Toolbox 6 Licensing Service;Creative Media Toolbox 6 Licensing Service;c:\program files\Common Files\Creative Labs Shared\Service\MT6Licensing.exe [3/4/2009 8:54 PM 79360]

S3 nosGetPlusHelper;getPlus® Helper 3004;c:\windows\System32\svchost.exe -k nosGetPlusHelper [1/9/2005 4:48 PM 14336]

S3 skfilt;skfilt;c:\windows\system32\drivers\skfilt.sys [3/4/2009 8:45 PM 1670016]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

nosGetPlusHelper REG_MULTI_SZ nosGetPlusHelper

.

Contents of the 'Scheduled Tasks' folder

2010-09-14 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 20:34]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://yahoo.com/

uInternet Settings,ProxyServer = http=127.0.0.1:5555

uInternet Settings,ProxyOverride = <local>

uSearchAssistant = hxxp://www.google.com

Trusted Zone: att.net

Trusted Zone: sbcglobal.net

Trusted Zone: yahoo.com\clientapps

Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll

DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab

FF - ProfilePath - c:\documents and settings\Owner.YOUR-780C524461\Application Data\Mozilla\Firefox\Profiles\shbnf906.default\

FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=

FF - prefs.js: browser.search.selectedEngine - Google

FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/

FF - component: c:\documents and settings\Owner.YOUR-780C524461\Application Data\Mozilla\Firefox\Profiles\shbnf906.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll

FF - plugin: c:\documents and settings\Owner.YOUR-780C524461\Application Data\Mozilla\Firefox\Profiles\shbnf906.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll

FF - plugin: c:\documents and settings\Owner.YOUR-780C524461\Application Data\Mozilla\Firefox\Profiles\shbnf906.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp07074039.dll

FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npatgpc.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----

FF - user.js: yahoo.homepage.dontask - truec:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);

.

- - - - ORPHANS REMOVED - - - -

Toolbar-Locked - (no file)

Notify-AtiExtEvent - (no file)

SafeBoot-svcWRSSSDK

MSConfigStartUp-AntiMalware - c:\program files\AntiMalware\antimalware.exe

MSConfigStartUp-ccApp - c:\program files\Common Files\Symantec Shared\ccApp.exe

MSConfigStartUp-Google Desktop Search - c:\program files\Google\Google Desktop Search\GoogleDesktop.exe

MSConfigStartUp-gwmimhfg - c:\documents and settings\Owner.YOUR-780C524461\Local Settings\Application Data\srfgtx\gdgvsysguard.exe

MSConfigStartUp-HostManager - c:\program files\Common Files\AOL\1147409254\EE\AOLHostManager.exe

MSConfigStartUp-ibiimxdg - c:\documents and settings\Owner.YOUR-780C524461\Local Settings\Application Data\heyxtn\rrbasysguard.exe

MSConfigStartUp-kivuzobuye - ruyutave.dll

MSConfigStartUp-lnuubgfd - c:\documents and settings\Owner.YOUR-780C524461\Local Settings\Application Data\whooibjkt\mpnhxcvtssd.exe

MSConfigStartUp-qcihyqoj - c:\documents and settings\Owner.YOUR-780C524461\Local Settings\Application Data\sxwwdi\pmkcsysguard.exe

MSConfigStartUp-qggcqcdn - c:\documents and settings\Owner.YOUR-780C524461\Local Settings\Application Data\kambxo\mpfrsysguard.exe

MSConfigStartUp-rqprlinv - c:\documents and settings\Owner.YOUR-780C524461\Local Settings\Application Data\lewdwy\yjldsysguard.exe

MSConfigStartUp-smss32 - c:\windows\system32\smss32.exe

MSConfigStartUp-SpySweeper - c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe

MSConfigStartUp-uphgemib - c:\documents and settings\Owner.YOUR-780C524461\Local Settings\Application Data\cvvnidxmn\mokwtertssd.exe

MSConfigStartUp-votudehoj - c:\windows\system32\yizimife.dll

MSConfigStartUp-wow64main - c:\docume~1\OWNER~1.YOU\LOCALS~1\Temp\wow64main.exe

MSConfigStartUp-ygua8e7yhuiesfha876yfauy8fe - c:\docume~1\OWNER~1.YOU\LOCALS~1\Temp\jxuxxa.exe

AddRemove-Sierra Uninstall - c:\documents and settings\Owner.YOUR-780C524461\Desktop\USB112-Full\VISTA\Setup.exe

AddRemove-{7585478E9D9B42108671C12F8714CEFE} - c:\program files\DivX\DivXConverterUninstall.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-11-01 13:02

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]

@DACL=(02 0000)

"Installed"="1"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]

@DACL=(02 0000)

"Installed"="1"

"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]

@DACL=(02 0000)

"Installed"="1"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(612)

c:\program files\SUPERAntiSpyware\SASWINLO.DLL

c:\windows\system32\WININET.dll

c:\documents and settings\Owner.YOUR-780C524461\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL

c:\documents and settings\Owner.YOUR-780C524461\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll

c:\documents and settings\Owner.YOUR-780C524461\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll

.

Completion time: 2010-11-01 13:05:40

ComboFix-quarantined-files.txt 2010-11-01 20:05

Pre-Run: 44,330,409,984 bytes free

Post-Run: 48,283,930,624 bytes free

Not sure yet if this fixed my problem. I will reboot and check again.

Thanks

Best

-jim

[siliconman01]

Okay, Combofix found many things infected and supposedly fixed them. Did it correct your problems?

[jimrward]

Okay, Combofix found many things infected and supposedly fixed them. Did it correct your problems?

YES!!!

Thanks so much in helping me correct this. All is good now.

This was a nasty problem but pretty clever in stopping any of the AntiSpyware programs from running.

Only thing that worked was internet explorer which I guess they needed working so they could redirect me to the various websites they got paid for.

Again,

Appreciate your help on this.

Best

-jim

[Seth]

Lol Siliconman.

So much for all those elitist warnings that only "special people" can use CF:)

I've suggested its use a few times on this forum, and have used it hundreds of times in my business with no issue.

[siliconman01]

Lol Siliconman.

So much for all those elitist warnings that only "special people" can use CF:)

I've suggested its use a few times on this forum, and have used it hundreds of times in my business with no issue.

We ARE special people!

Jimrward,

Would you please do the following:

1. Combofix quarantined everything it found to a folder named Qoobox located at C:\. Would you please ZIP this folder and send it to the SAS gurus via the instructions at the link below. Please state in the submital that this is Qoobox from a Combofix run.

https://forums.superantispyware.com/index.php?/topic/2814-submitting-samples-to-superantispyware/

2. Then delete Combofix from your system.

- Go to Start>Run and type in Combofix /u (space before /u)

This will instruct Combofix to delete itself and all folders (including Qoobox) it created from your computer. Combofix is a tool that needs to be re-downloaded to obtain the latest version if it is needed in the future.

3. Delete the Zipped Qoobox folder too.