
Malwarebytes will not update / Google redirect [Closed]


  • This topic is locked

#1
epicholic

  • Member
  • 60 posts
I've posted on this forum because I had a problem with the Google Redirect and I got it solved:
http://www.geekstogo...on-t231649.html

However, I think it is slowly but surely coming back.

My browser is unbelievably slow, sometimes Google redirects, and my startup programs do not load.
***Another important thing I have noticed is that Malwarebytes will not update! My internet is working perfectly fine but it says "Update failed. Make sure you are connected to internet..." etc.

Thank you in advance :)
  • 0


#2
handhfan

  • Trusted Helper
  • Expert
  • 13,659 posts
Hello, epicholic, and welcome to GeeksToGo! We have updated our forums, and need you to follow a few new steps before I can help you. Please do the following:

Please follow the steps in this topic, and post back with the following logs if you are still having problems and I will look over the log for you:

  • Malwarebytes' Anti-Malware log
  • OTListIt2.txt and Extras.txt
  • Rooter.txt

  • 0

#3
epicholic

  • Topic Starter
  • Member
  • 60 posts
1) Malwarebytes' Anti-Malware log

Malwarebytes' Anti-Malware 1.36
Database version: 1945
Windows 5.1.2600 Service Pack 2

2009-04-28 04:56:48 PM
mbam-log-2009-04-28 (16-56-48).txt

Scan type: Quick Scan
Objects scanned: 77353
Time elapsed: 6 minute(s), 53 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Name\Local Settings\Temp\wavvsnet.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Name\Local Settings\Temp\rasesnet.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Name\Local Settings\Temp\xpre.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.

2) OTListIt2.txt and Extras.txt
I downloaded it fine but when I did Run Scan it finished with this: "1/1/1900 12 is not a valid date and time" and no logs appeared.

3) Rooter.txt
Was able to download Rooter.exe, but when I double-click it, it does not open anything.

Edited by epicholic, 28 April 2009 - 03:12 PM.

  • 0

#4
handhfan

  • Trusted Helper
  • Expert
  • 13,659 posts
Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum with a new HijackThis log

Download ComboFix from one of these locations:

Link 1
Link 2


* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you don't know how to disable them then just continue on.

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Posted Image



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt log in your next reply.
  • 0

#5
epicholic

  • Topic Starter
  • Member
  • 60 posts
I downloaded SDFix and followed the instructions until I opened RunThis.bat and nothing happened except a small reboot of the OS.

I downloaded ComboFix and I double clicked but nothing happened. :)
  • 0

#6
handhfan

  • Trusted Helper
  • Expert
  • 13,659 posts
Download avz4.zip from here
  • Unzip it to your desktop to a folder named avz4
  • Double click on AVZ.exe to run it.
  • Run an update by clicking the Auto Update button on the Right of the Log window: Posted Image
  • Click Start to begin the update
Note: If you receive an error message, choose a different source, then click Start again
  • After the update, from the "File" menu, choose "Standard Scripts"
  • Put a check next to item 2: Advanced System Investigation
  • Click Execute selected scripts
  • At the next prompt, click the OK button
  • Let the scan run and click "OK" when the completion prompt pops up
  • Now Close out of the Standard Scripts window, and exit AVZ
  • Navigate to the avz4 folder and locate the folder LOG
  • Inside the LOG folder you will find virusinfo_syscheck.htm and virusinfo_syscheck.zip
  • Attach the Compressed file, virusinfo_syscheck.zip, to your next reply, along with a fresh HijackThis log

  • 0

#7
epicholic

  • Topic Starter
  • Member
  • 60 posts
Here you go. No problems with downloading and going through instructions.

Attached Files


Edited by epicholic, 28 April 2009 - 07:09 PM.

  • 0

#8
epicholic

  • Topic Starter
  • Member
  • 60 posts
:) I have seen improvements: my start up programs are coming back up and I can update Malwarebytes.
However, for some reason, my streaming audio such as audio on internet or audio from video is not working at all. I can play music on the Windows Media Player.

I did a Malwarebytes scan after I updated and I will post the log for you.

Malwarebytes' Anti-Malware 1.36
Database version: 2059
Windows 5.1.2600 Service Pack 2

2009-04-29 11:48:55 AM
mbam-log-2009-04-29 (11-48-55).txt

Scan type: Quick Scan
Objects scanned: 85638
Time elapsed: 7 minute(s), 48 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\rn.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Name\Local Settings\Temp\prun.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Name\Local Settings\Temp\incosnet.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
  • 0

#9
handhfan

  • Trusted Helper
  • Expert
  • 13,659 posts
Do SDFix and ComboFix work? If so, please run them and post the logs. If not, I'm not so sure to jump to your computer being clean yet.
  • 0

#10
epicholic

  • Topic Starter
  • Member
  • 60 posts
Oh I already know that it is not completely fixed. :)

SDFix Report.txt


SDFix: Version 1.240
Run by Name on 2009-04-29 at 02:30

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

No Trojan Files Found






Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-29 14:39:51
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32]
"midimapper"="midimap.dll"
"msacm.imaadpcm"="imaadp32.acm"
"msacm.msadpcm"="msadp32.acm"
"msacm.msg711"="msg711.acm"
"msacm.msgsm610"="msgsm32.acm"
"msacm.trspch"="tssoft32.acm"
"vidc.cvid"="iccvid.dll"
"VIDC.I420"="lvcodec2.dll"
"vidc.iv31"="ir32_32.dll"
"vidc.iv32"="ir32_32.dll"
"vidc.iv41"="ir41_32.ax"
"VIDC.IYUV"="iyuv_32.dll"
"vidc.mrle"="msrle32.dll"
"vidc.msvc"="msvidc32.dll"
"VIDC.UYVY"="msyuv.dll"
"VIDC.YUY2"="msyuv.dll"
"VIDC.YVU9"="tsbyuv.dll"
"VIDC.YVYU"="msyuv.dll"
"wavemapper"="msacm32.drv"
"msacm.msg723"="msg723.acm"
"vidc.M263"="msh263.drv"
"vidc.M261"="msh261.drv"
"msacm.msaudio1"="msaud32.acm"
"msacm.sl_anet"="sl_anet.acm"
"msacm.iac2"="C:\WINDOWS\system32\iac25_32.ax"
"vidc.iv50"="ir50_32.dll"
"msacm.l3acm"="C:\WINDOWS\system32\l3codeca.acm"
"vidc.LEAD"="LCODCCMP.DLL"
"vidc.DIVX"="DivX.dll"
"vidc.VP60"="C:\WINDOWS\system32\vp6vfw.dll"
"vidc.VP61"="C:\WINDOWS\system32\vp6vfw.dll"
"msacm.siren"="sirenacm.dll"
"MSVideo"="vfwwdm32.dll"
"MSVideo8"="VfWWDM32.dll"
"wave1"="wdmaud.drv"
"midi1"="wdmaud.drv"
"mixer1"="wdmaud.drv"
"aux1"="wdmaud.drv"
"wave2"="wdmaud.drv"
"midi2"="wdmaud.drv"
"mixer2"="wdmaud.drv"
"aux2"="wdmaud.drv"
"wave3"="wdmaud.drv"
"midi3"="wdmaud.drv"
"mixer3"="wdmaud.drv"
"aux3"="wdmaud.drv"
"wave"="wdmaud.drv"
"midi"="wdmaud.drv"
"mixer"="wdmaud.drv"
"aux"="wdmaud.drv"
"aux4"="C:\WINDOWS\system32\..\ervmmmn.mps"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\Terminal Server]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\Terminal Server\RDP]
"wave"="rdpsnd.dll"
"mixer"="rdpsnd.dll"
"MaxBandwidth"=dword:000056b9
"wavemapper"="msacm32.drv"
"EnableMP3Codec"=dword:00000001
"midimapper"="midimap.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710
"AppInit_DLLs"="wbsys.dll"

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe:*:Enabled:ActiveSync RAPI Manager"
"C:\\Program Files\\AIM6\\aim6.exe"="C:\\Program Files\\AIM6\\aim6.exe:*:Enabled:AIM"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\\Program Files\\BitTorrent\\bittorrent.exe"="C:\\Program Files\\BitTorrent\\bittorrent.exe:*:Enabled:BitTorrent"
"C:\\Program Files\\EA GAMES\\Medal of Honor Allied Assault Spearhead Demo\\moh_spearhead_demo.exe"="C:\\Program Files\\EA GAMES\\Medal of Honor Allied Assault Spearhead Demo\\moh_spearhead_demo.exe:*:Enabled:Medal of Honor Allied Assault™ Spearhead"
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"="C:\\Program Files\\Mozilla Firefox\\firefox.exe:*:Enabled:Firefox"
"C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe:*:Enabled:ActiveSync Application"
"C:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"="C:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe:*:Enabled:Nexon Game Manager"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\Java\\jre6\\bin\\java.exe"="C:\\Program Files\\Java\\jre6\\bin\\java.exe:*:Enabled:Java™ Platform SE binary"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\\Nexon\\Combat Arms\\CombatArms.exe"="C:\\Nexon\\Combat Arms\\CombatArms.exe:*Enabled:CombatArms.exe"
"C:\\Nexon\\Combat Arms\\Engine.exe"="C:\\Nexon\\Combat Arms\\Engine.exe:*Enabled:Engine.exe"

Remaining Files :



Files with Hidden Attributes :

Wed 13 Oct 2004 1,694,208 ..SH. --- "C:\Program Files\Messenger\msmsgs.exe"
Wed 22 Oct 2008 949,072 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\advcheck.dll"
Mon 15 Sep 2008 1,562,960 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDHelper.dll"
Wed 22 Oct 2008 962,896 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\Tools.dll"
Sun 26 Aug 2007 104 ..SHR --- "C:\WINDOWS\system32\D6DF696C83.sys"
Sun 26 Aug 2007 6,580 A.SH. --- "C:\WINDOWS\system32\KGyGaAvL.sys"
Sat 7 Jun 2008 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Mon 25 Dec 2006 9,506 A.SH. --- "C:\Documents and Settings\Name\My Documents\My Music\License Backup\drmv2key.bak"

Finished!
  • 0


#11
epicholic

  • Topic Starter
  • Member
  • 60 posts
I followed the directions for Combofix and it went well until after the restart it did not give me a log.
  • 0

#12
handhfan

  • Trusted Helper
  • Expert
  • 13,659 posts
The log should be saved at C:\ComboFix.txt.
  • 0

#13
epicholic

  • Topic Starter
  • Member
  • 60 posts
I cannot find it. I shall try Combofix again. :)
  • 0

#14
handhfan

  • Trusted Helper
  • Expert
  • 13,659 posts
Odd. Sure, try it one more time. But, if not, we'll move on. :)
  • 0

#15
epicholic

  • Topic Starter
  • Member
  • 60 posts
Okay it worked this time. Here is the log~

ComboFix 09-04-29.01 - Name 2009-04-29 15:33.7 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1014.567 [GMT -4:00]
Running from: c:\documents and settings\Name\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
c:\windows\ervmmmn.mps
c:\windows\TEMP\logishrd\LVPrcInj01.dll

.
((((((((((((((((((((((((( Files Created from 2009-05-28 to 2009-4-29 )))))))))))))))))))))))))))))))
.

2009-04-29 18:25 . 2009-04-29 18:25 -------- d-----w c:\windows\ERUNT
2009-04-29 16:52 . 2009-04-29 16:52 -------- d-sh--w C:\found.000
2009-04-29 00:15 . 2009-04-29 18:44 -------- dc----w C:\SDFix
2009-04-28 21:04 . 2009-04-28 21:04 -------- dc----w C:\Rooter$
2009-04-28 20:47 . 2009-04-06 19:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-28 20:47 . 2009-04-06 19:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-28 20:47 . 2009-04-28 20:48 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-28 20:46 . 2009-04-28 20:46 -------- d-----w c:\program files\ERUNT
2009-04-22 04:34 . 2009-04-22 04:34 -------- d-----w c:\documents and settings\Name\Application Data\vlc
2009-04-16 18:05 . 2009-03-06 14:00 284160 ------w c:\windows\system32\dllcache\pdh.dll
2009-04-16 18:05 . 2005-07-26 04:20 60416 ------w c:\windows\system32\dllcache\colbact.dll
2009-04-16 18:05 . 2009-02-09 10:01 401408 ------w c:\windows\system32\dllcache\rpcss.dll
2009-04-16 18:05 . 2009-02-06 10:22 110592 ------w c:\windows\system32\dllcache\services.exe
2009-04-16 18:05 . 2009-02-09 10:01 473088 ------w c:\windows\system32\dllcache\fastprox.dll
2009-04-16 18:05 . 2009-02-06 09:41 227840 ------w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-16 18:05 . 2009-02-09 10:01 617984 ------w c:\windows\system32\dllcache\advapi32.dll
2009-04-16 18:05 . 2009-02-09 10:01 715264 ------w c:\windows\system32\dllcache\ntdll.dll
2009-04-16 18:02 . 2008-04-21 10:02 215552 ------w c:\windows\system32\dllcache\wordpad.exe
2009-04-08 20:19 . 2009-04-08 20:19 -------- d-----w c:\documents and settings\Name\Application Data\Music Recognition
2009-04-08 20:19 . 2009-04-08 20:19 -------- d-----w c:\program files\Able Editor 1.3

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-26 21:06 . 2007-12-08 02:14 -------- d-----w c:\program files\BitTorrent
2009-04-23 01:52 . 2009-04-06 04:57 0 ----a-w c:\windows\system32\drivers\lvuvc.hs
2009-04-23 01:52 . 2009-02-25 01:00 0 ----a-w c:\windows\system32\drivers\logiflt.iad
2009-04-19 03:36 . 2007-05-13 19:01 86304 -c--a-w c:\documents and settings\Name\Application Data\GDIPFONTCACHEV1.DAT
2009-04-13 01:09 . 2009-03-24 06:32 -------- d-----w c:\program files\SUPERAntiSpyware
2009-03-24 06:32 . 2009-03-24 06:32 -------- d-----w c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-03-24 06:32 . 2009-03-24 06:32 -------- d-----w c:\documents and settings\Name\Application Data\SUPERAntiSpyware.com
2009-03-24 06:32 . 2009-02-25 21:02 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-03-24 06:07 . 2009-03-24 06:07 4170352 ----a-w c:\documents and settings\All Users\SPL1CF9.tmp
2009-03-22 02:57 . 2009-03-22 02:57 -------- d-----w c:\program files\AT&T
2009-03-14 20:02 . 2006-09-12 04:40 86304 -c--a-w c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-03-10 06:22 . 2009-03-10 06:22 -------- d-----w c:\program files\Common Files\Logitech
2009-03-10 05:05 . 2007-12-09 01:10 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-03-09 03:04 . 2006-03-16 04:00 23552 ----a-w c:\windows\system32\wadmaud.drv
2009-03-08 23:34 . 2009-03-08 23:34 -------- d-----w c:\program files\Trend Micro
2009-03-08 22:44 . 2009-03-08 22:44 -------- d-----w c:\program files\AIM6
2009-03-08 22:44 . 2007-05-06 03:49 -------- d-----w c:\program files\Common Files\AOL
2009-03-08 21:21 . 2006-09-12 03:33 -------- d-----w c:\program files\Java
2009-03-08 21:16 . 2009-03-08 21:16 410984 ----a-w c:\windows\system32\deploytk.dll
2009-03-08 17:47 . 2009-01-27 22:07 -------- d-----w c:\program files\Common Files\Apple
2009-03-08 17:24 . 2009-03-08 17:24 107912 ----a-w c:\windows\system32\drivers\avgtdix.sys
2009-03-08 17:24 . 2009-03-08 17:24 10520 ----a-w c:\windows\system32\avgrsstx.dll
2009-03-08 17:24 . 2009-03-08 17:24 325640 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-03-08 17:23 . 2009-03-08 17:23 -------- d-----w c:\program files\AVG
2009-03-08 16:30 . 2009-03-08 04:07 -------- d-----w c:\program files\Pidgin
2009-03-08 16:29 . 2009-03-08 04:45 -------- d-----w c:\program files\AIM
2009-03-08 16:29 . 2006-12-25 16:08 -------- d-----w c:\program files\AOD
2009-03-08 16:29 . 2009-03-08 14:45 -------- d-----w c:\program files\AIM6(2)
2009-03-08 16:29 . 2006-12-26 17:52 -------- d-----w c:\program files\Common Files\Real
2009-03-08 16:29 . 2009-03-08 16:29 -------- d-----w c:\program files\Common Files\xing shared
2009-03-08 16:28 . 2007-06-29 00:11 -------- d-----w c:\program files\Real
2009-03-08 16:28 . 2009-03-08 15:50 -------- d-----w c:\program files\AT&T(2)
2009-03-07 19:10 . 2009-03-07 19:10 -------- d-----w c:\program files\CCleaner
2009-03-07 16:21 . 2009-03-07 16:21 -------- d-----w c:\program files\Unity
2009-03-06 14:00 . 2006-03-16 04:00 284160 ----a-w c:\windows\system32\pdh.dll
2009-02-20 08:14 . 2006-03-16 04:00 668160 ----a-w c:\windows\system32\wininet.dll
2009-02-20 08:14 . 2006-03-16 04:00 81920 ----a-w c:\windows\system32\ieencode.dll
2009-02-09 10:19 . 2006-03-16 04:00 1846272 ----a-w c:\windows\system32\win32k.sys
2009-02-09 10:01 . 2006-03-16 04:00 728576 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 10:01 . 2006-03-16 04:00 617984 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 10:01 . 2006-03-16 04:00 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 10:01 . 2006-03-16 04:00 715264 ----a-w c:\windows\system32\ntdll.dll
2009-02-06 10:32 . 2006-03-16 04:00 2186112 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-06 10:22 . 2006-03-16 04:00 110592 ----a-w c:\windows\system32\services.exe
2009-02-06 09:54 . 2006-03-16 04:00 35328 ----a-w c:\windows\system32\sc.exe
2009-02-06 09:49 . 2006-03-16 04:00 2062976 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-03 20:08 . 2006-03-16 04:00 55808 ----a-w c:\windows\system32\secur32.dll
2007-06-29 00:11 . 2007-06-29 00:12 774144 ----a-w c:\program files\RngInterstitial.dll
2006-05-06 16:42 . 2009-04-22 04:33 7260160 ----a-w c:\program files\mozilla firefox\plugins\libvlc.dll
2007-08-26 22:49 . 2007-08-25 21:52 104 -csh--r c:\windows\system32\D6DF696C83.sys
2007-08-26 22:50 . 2007-08-25 21:52 6580 -csha-w c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2005-08-18 307200]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2006-03-16 15360]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-06-21 1207080]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2008-01-03 486856]
"MsnMsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 5674352]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2008-09-29 21755688]
"Aim6"="c:\program files\AIM6\aim6.exe" [2008-10-21 50472]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-04-13 1830128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-03-23 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-03-23 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-03-23 118784]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-06-17 794713]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-17 49152]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 81920]
"Cpqset"="c:\program files\Hewlett-Packard\Default Settings\cpqset.exe" [2006-06-19 40960]
"RecGuard"="c:\windows\SMINST\RecGuard.exe" [2005-10-11 1187840]
"Reminder"="c:\windows\CREATOR\Remind_XP.exe" [2006-02-09 643072]
"FaxCenterServer"="c:\program files\Dell PC Fax\fm3032.exe" [2006-11-03 312200]
"dlcxmon.exe"="c:\program files\Dell Photo AIO Printer 926\dlcxmon.exe" [2007-01-12 292336]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-04-10 185896]
"CTCheck"="c:\program files\Creative\Creative ZEN\ZEN Media Explorer\CTCheck.exe" [2007-11-06 397312]
"DLCXCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\DLCXtime.dll" [2006-10-16 106496]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-01-06 290088]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2008-08-14 565008]
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2008-08-14 2407184]
"AT&T Communication Manager"="c:\program files\AT&T\Communication Manager\ATTCM.exe" [2008-12-01 33280]
"MsmqIntCert"="mqrt.dll" - c:\windows\system32\mqrt.dll [2007-07-06 177152]
"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" - c:\windows\system32\CHDAudPropShortcut.exe [2006-06-02 61952]

c:\documents and settings\Name\Start Menu\Programs\Startup\
Stardock ObjectDock.lnk - c:\program files\Stardock\ObjectDock\ObjectDock.exe [2007-11-17 3450608]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-24 29696]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 15:05 356352 ----a-w c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
2007-11-28 21:55 229376 ----a-w c:\program files\Stardock\Object Desktop\WindowBlinds\WbSrv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-03-08 17:24 10520 ----a-w c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=wbsys.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Photosmart Premier Fast Start.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Photosmart Premier Fast Start.lnk
backup=c:\windows\pss\HP Photosmart Premier Fast Start.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\EA GAMES\\Medal of Honor Allied Assault Spearhead Demo\\moh_spearhead_demo.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2009-04-13 9968]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2009-02-17 55024]
S2 CSHelper;CopySafe Helper Service;c:\windows\system32\CSHelper.exe [2009-01-16 266240]
S2 dlcx_device;dlcx_device;c:\windows\system32\dlcxcoms.exe [2006-11-03 537480]
S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-02-17 7408]

.
Contents of the 'Scheduled Tasks' folder

2009-01-27 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-FreeRAM XP - c:\program files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe
HKCU-Run-BitTorrent DNA - c:\program files\BitTorrent_DNA\dna.exe
HKCU-Run-Veoh - c:\program files\Veoh Networks\Veoh\VeohClient.exe
HKCU-Run-Calendarscope - c:\program files\Calendarscope\cs.exe
HKLM-Run-Adobe Photo Downloader - c:\program files\Adobe\Photoshop Elements 6.0\apdproxy.exe
HKLM-Run-MemoryCardManager - (no file)


.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = hxxp://register.hp.com/servlet/WebReg.servlets.ProdReg1Servlet?appID=309&PURCH_DT_MONTH=09&PURCH_DT_DAY=11&PURCH_DT_YEAR=2006&product_name=&PROD_SERIAL_ID=&gwCountry=US&language=EN&prodOS=&lf=RED
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000
DPF: {4C833081-D026-4FF8-968F-7EAB660D2FBA} - hxxp://www.sc2.org/misc/tvants.cab
FF - ProfilePath - c:\documents and settings\Name\Application Data\Mozilla\Firefox\Profiles\y0yzvhmd.default\
FF - prefs.js: browser.startup.homepage - www.msn.com
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - plugin: c:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npArtistScope42.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npArtistScopeDRM11.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npvlc.dll
FF - plugin: c:\program files\Real\RealArcade\Plugins\Mozilla\npracplug.dll
FF - plugin: c:\program files\Unity\WebPlayer\loader\npUnity3D32.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-29 15:37
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\Hewlett-Packard\Default Settings\cpqset.exe????????????L?@? ????d??????`?@?????L?@
DLCXCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\DLCXtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2230873245-3016696742-639317436-1005\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*&¨0Ó0Ç0ü0&m*p*3*\OpenWithList]
@Class="Shell"
"a"="audacity.exe"
"MRUList"="a"

[HKEY_USERS\S-1-5-21-2230873245-3016696742-639317436-1005\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*S0c0a0M0f0B*A*B*Y*\OpenWithList]
@Class="Shell"
"a"="wmplayer.exe"
"MRUList"="a"

[HKEY_USERS\S-1-5-21-2230873245-3016696742-639317436-1005\Software\Microsoft\Windows Mobile Disc\S*a*m*s*u*n*g* *B*l*a*c*k*J*a*c*k*"!\CriticalAppInstall\ActiveSync]
"Name"="ActiveSync"
"DisplayName"="Microsoft ActiveSync"
"Param1"="ActiveSync"
"Type"="wellknown"
"Order"=dword:00000001
"State"=dword:0000000b

[HKEY_USERS\S-1-5-21-2230873245-3016696742-639317436-1005\Software\Microsoft\Windows Mobile Disc\S*a*m*s*u*n*g* *B*l*a*c*k*J*a*c*k*"!\CriticalAppInstall\IESettings]
"Name"="IESettings"
"Type"="IESettings"
"Order"=dword:00000004
"State"=dword:00000003

[HKEY_USERS\S-1-5-21-2230873245-3016696742-639317436-1005\Software\Microsoft\Windows Mobile Disc\S*a*m*s*u*n*g* *B*l*a*c*k*J*a*c*k*"!\CriticalAppInstall\MediaFiles]
"Name"="MediaFiles"
"Type"="MediaFiles"
"Order"=dword:00000003
"State"=dword:00000003

[HKEY_USERS\S-1-5-21-2230873245-3016696742-639317436-1005\Software\Microsoft\Windows Mobile Disc\S*a*m*s*u*n*g* *B*l*a*c*k*J*a*c*k*"!\CriticalAppInstall\NPW]
"Name"="NPW"
"Param1"="NPW"
"Type"="wellknown"
"Order"=dword:00000002
"State"=dword:00000007

[HKEY_USERS\S-1-5-21-2230873245-3016696742-639317436-1005\Software\Microsoft\Windows Mobile Disc\S*a*m*s*u*n*g* *B*l*a*c*k*J*a*c*k*"!\CriticalAppInstall\Outlook]
"Name"="Outlook"
"DisplayName"="Microsoft Outlook"
"Param1"="Outlook"
"Type"="wellknown"
"Order"=dword:00000000
"State"=dword:0000000b
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(748)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\documents and settings\Name\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
c:\program files\Stardock\Object Desktop\WindowBlinds\wbsrv.dll

- - - - - - - > 'explorer.exe'(6060)
c:\program files\Stardock\ObjectDock\DockShellHook.dll
c:\program files\Stardock\Object Desktop\WindowBlinds\tray.dll
c:\program files\SUPERAntiSpyware\SASSEH.DLL
c:\windows\system32\browselc.dll
c:\program files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
c:\progra~1\SPYBOT~1\SDHelper.dll
c:\windows\system32\PortableDeviceApi.dll
c:\program files\Microsoft Office\Office10\msohev.dll
c:\program files\Bonjour\mdnsNSP.dll
.
Completion time: 2009-04-29 15:40
ComboFix-quarantined-files.txt 2009-04-29 19:39

Pre-Run: 15,162,171,392 bytes free
Post-Run: 15,156,076,544 bytes free

280