SpyBot installs, won't run



funknjam
2009-03-04, 18:38
A Team SpyBot member recommended I post here in this forum (http://forums.spybot.info/showthread.php?p=294599#post294599).

PROBLEM: Spybot will install but won't run. I get the error message, "This application has been changed since it was created. Since SpyBot S&D does not change itself, we recommend you check your system for malware and viruses immediately."

HISTORY AND FIXES SO FAR: AVG AntiVirus shows the whole system as clean. I've been playing with CWShredder (this all started with me noticing "Waiting for about:blank" in IE7's task bar during page loads), Malwarebytes, CCleaner, SuperAntiSpyware. I have no system restore points before yesterday as they have been purged (I know, I'm an idiot.)

I have searched this forum, read FAQs, and I can't find much here on my problem with SpyBot. I did find two suggestions here in these forums: 1) Run sfc /scannow to check for corrupt system files and 2) Run a diagnostic memory test on system RAM. Both of these have checked out and I still cannot run SpyBot.

I am attempting to use the current version - ver 1.6.2.46, a 15.6 MB download.

I used a previous version of SpyBot prior to this with no problems. I uninstalled it and ever since have not been able to get the new install to work. What is curious is that at the same time I did this, I did the same to Lavasoft's Ad-Aware SE. That always ran no problem but now I can't get their Ad-Aware AE to install.

As directed, here's my HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:26:19 AM, on 3/4/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Hewlett-Packard\LaserJet 33xx\hppdirector.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\system32\hppapml0.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [HP SchedIndexer] C:\Program Files\Hewlett-Packard\LaserJet 33xx\hppschedindexer.exe
O4 - HKLM\..\Run: [HP AutoIndexer] C:\Program Files\Hewlett-Packard\LaserJet 33xx\hppautoindexer.exe
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKCU\..\Run: [RemoteCenter] C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP LaserJet Director.lnk = C:\Program Files\Hewlett-Packard\LaserJet 33xx\hppdirector.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/20061205/qtinstall.info.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15031/CTSUEng.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {51A1CDAB-573D-45A4-B69F-B44791DFF60A} (Pictometry Viewer Control) - http://www.brevardpropertyappraiser.com/picto/include/PictImageCtrl30.cab
O16 - DPF: {594ECDD4-A991-4208-A7B7-00DDAD9BE328} (Photosynth Class) - http://media.labs.live.com/all/ps/_code_/Photosynth.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20040427/qtinstall.info.apple.com/saba/us/win/QuickTimeInstaller.exe
O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://www.unsigned.com/js/img_upload/ImageUploader4.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15034/CTPID.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LexBce Server (LexBceS) - Unknown owner - C:\WINDOWS\system32\LEXBCES.EXE (file missing)

--
End of file - 12240 bytes

Thanks for anything!
D
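As an added example (not code from the original thread or from the HijackThis tool), here is a small Python parser for the HijackThis log format posted above, with defender-side triage rules that flag the entries a helper usually checks first: services whose file is missing or has no vendor attribution, Run entries that use a bare filename, downloaded ActiveX (O16) controls, and Winlogon Notify DLLs. The sample lines are copied from the log above; the triage rules are my own heuristics, not HijackThis's verdicts.

```python
import re
from dataclasses import dataclass, field

# A few lines copied from the HijackThis log posted above (not the full log).
SAMPLE_HJT_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:26:19 AM, on 3/4/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: LexBce Server (LexBceS) - Unknown owner - C:\WINDOWS\system32\LEXBCES.EXE (file missing)
"""

# Every HJT finding line looks like "O23 - Service: ..." or "R1 - HKLM\...".
ENTRY_RE = re.compile(r"^(?P<kind>[RFO]\d{1,2}) - (?P<body>.*)$")
# O4 Run entries: 'HKLM\..\Run: [name] "C:\path\app.exe" /args'
O4_RE = re.compile(r".*?: \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")


@dataclass
class HjtEntry:
    kind: str   # section code, e.g. "O4" or "O23"
    body: str   # text after the "Oxx - " prefix
    raw: str    # the original line, for reporting


@dataclass
class HjtLog:
    header: dict = field(default_factory=dict)
    processes: list = field(default_factory=list)
    entries: list = field(default_factory=list)


def parse_hjt_log(text):
    """Split an HJT log into header fields, running processes and O/R entries."""
    log = HjtLog()
    section = None
    for line in text.splitlines():
        line = line.rstrip()
        if not line:
            continue
        if line.startswith("Running processes:"):
            section = "processes"
            continue
        m = ENTRY_RE.match(line)
        if m:
            section = "entries"
            log.entries.append(HjtEntry(m.group("kind"), m.group("body"), line))
            continue
        if section == "processes":
            log.processes.append(line)
        elif line.startswith("Logfile of "):
            log.header["tool"] = line[len("Logfile of "):]
        elif line.startswith("Platform:"):
            log.header["platform"] = line[len("Platform:"):].strip()
    return log


def o4_target(body):
    """Return (entry name, executable) for a bracketed O4 Run entry, else (None, None)."""
    m = O4_RE.match(body)
    if not m:
        return None, None
    cmd = m.group("cmd").strip()
    if cmd.startswith('"'):                      # quoted path, possibly followed by args
        end = cmd.find('"', 1)
        target = cmd[1:end] if end > 0 else cmd[1:]
    else:                                        # unquoted: first token is the program
        target = cmd.split(" ")[0]
    return m.group("name"), target


def triage(log):
    """Apply review heuristics; returns (kind, reason, raw line) tuples to check by hand."""
    findings = []
    for e in log.entries:
        if e.kind == "O23":
            if "(file missing)" in e.body:
                findings.append((e.kind, "service points at a missing file; orphaned entry, verify and clean up", e.raw))
            elif " - Unknown owner - " in e.body:
                findings.append((e.kind, "service has no vendor attribution; confirm the binary's publisher", e.raw))
        elif e.kind == "O4":
            name, target = o4_target(e.body)
            if target and "\\" not in target:    # bare filename is resolved by PATH search
                findings.append((e.kind, f"Run entry '{name}' uses bare filename {target}; confirm its real location", e.raw))
        elif e.kind == "O16":
            m = re.search(r"https?://([^/\s]+)", e.body)
            host = m.group(1) if m else "?"
            findings.append((e.kind, f"ActiveX control downloaded from {host}; confirm it is expected", e.raw))
        elif e.kind == "O20":
            findings.append((e.kind, "DLL loaded into winlogon as a Notify package; confirm publisher", e.raw))
    return findings


if __name__ == "__main__":
    parsed = parse_hjt_log(SAMPLE_HJT_LOG)
    print(parsed.header, f"{len(parsed.processes)} processes, {len(parsed.entries)} entries")
    for kind, reason, raw in triage(parsed):
        print(f"[{kind}] {reason}\n    {raw}")
```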

shelf life
2009-03-05, 23:30
hi,

I don't see anything I recognize as malware in the log. If you have scanned with your updated AV, Malwarebytes and SAS, then I would assume your machine is clean. We can do an online scan just to get another opinion on possible malware.
Can you update your AV/anti-malware apps OK?
Are you having any signs of malware? (http://www.virusvault.us/signs1.html)

ESET online scanner:

http://www.eset.com/onlinescan/

Uses Internet Explorer only.
Check "YES" to accept the terms.
Click the Start button.
Allow the ActiveX component to install.
Click the Start button; the scanner will update.
Check both "Remove found threats" and "Scan unwanted applications".
Click Scan.
When done, you can find the scan log at: C:\Program Files\EsetOnlineScanner\log.txt
Please copy/paste that log in your next reply.

funknjam
2009-03-06, 14:05
Hi and thanks for the offer of assistance -

Normally I run SpyBot, Ad-Aware and HiJackThis periodically to keep a check on things. But recently I noticed a couple of signs of malware, and here they are in order of appearance:

1) I started to get tabs popping up (not windows) whereas I've never noticed this happening before.

2) When loading a page in IE, it would seem to take a long time and I'd see "waiting for about:blank" in the task bar.

3) Anti-malware software won't start up when you click on the icons.

I had heard about the malware "about:blank" before so I downloaded CWShredder and tried that. Even though it never found anything, the browser always worked much better after running it so I figured I was somehow infected.

Since SpyBot and Ad-Aware hadn't found anything either I tried some other malware removal tools like Malwarebytes and SuperAntiSpyware and CCleaner. After removing a bunch of tracking cookies, and since I had always used SpyBot and Ad-Aware, I uninstalled them and downloaded the newest versions to give them another shot. That's when I realized I couldn't even install Ad-Aware and I could install SpyBot but couldn't get it to run due to that error message.

I ran the scan you requested and the log is below. But since it detected nothing, I'm beginning to wonder if one of the other applications (CCleaner) damaged my registry somehow when "cleaning" the registry.

Thanks for anything. I'd like to be able to continue to run SpyBot if possible.

# version=4
# OnlineScanner.ocx=1.0.0.635
# OnlineScannerDLLA.dll=1, 0, 0, 79
# OnlineScannerDLLW.dll=1, 0, 0, 78
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=3911 (20090305)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.066 (20070917)
# EOSSerial=79a369fb83738842b5c3598bcd47476b
# end=finished
# remove_checked=true
# unwanted_checked=true
# utc_time=2009-03-06 04:31:26
# local_time=2009-03-05 11:31:26 (-0500, Eastern Standard Time)
# country="United States"
# osver=5.1.2600 NT Service Pack 3
# scanned=612937
# found=0
# scan_time=4060

funknjam
2009-03-06, 17:38
Here's some more information that may be helpful in troubleshooting....

I was just browsing in IE and I got a pop-up warning me that my computer was infected and I needed to scan with "Antivirus 360." I closed the warning several times and it kept coming back and then I got redirected to a webpage called fastanimalwarescanner.com which was allegedly scanning my system. I had no choice but to shut down IE.

Hope this helps, because I am clueless.

Thanks,
D

shelf life
2009-03-06, 22:37
hi funknjam,

Thanks for all the info. We will get another download to check for possible malware. It should tell us whether your not being able to launch apps is being caused by malware on your machine. It's called ComboFix. There is a guide to read first. It will explain everything. Read through the guide, download ComboFix to your desktop, and disable any AV etc. as explained in the guide. Double-click the icon and follow the prompts. Post the ComboFix log in your reply.

the guide:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

funknjam
2009-03-08, 05:20
ComboFix log follows! (Not that you'd notice but I removed my full name where it appeared and replaced with "FunknJam".)

Thanks,
D

ComboFix 09-03-06.02 - FunknJam 2009-03-07 21:52:59.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1505 [GMT -5:00]
Running from: c:\documents and settings\FunknJam\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2009-02-08 to 2009-03-08 )))))))))))))))))))))))))))))))
.

2009-03-07 12:07 . 2009-03-07 12:07 <DIR> d-------- c:\documents and settings\FunknJam\Application Data\Ahead
2009-03-07 12:07 . 2004-03-03 21:30 125,184 --a------ c:\windows\system32\drivers\imagesrv.sys
2009-03-07 12:07 . 2004-03-03 21:30 5,504 --a------ c:\windows\system32\drivers\imagedrv.sys
2009-03-07 12:06 . 2009-03-07 12:06 <DIR> d-------- c:\program files\Common Files\Ahead
2009-03-07 12:06 . 2009-03-07 12:06 <DIR> d-------- c:\program files\Ahead
2009-03-07 12:06 . 2001-07-06 14:41 569,344 --a------ c:\windows\system32\imagr5.dll
2009-03-07 12:06 . 2001-07-06 12:44 544,768 --a------ c:\windows\system32\imagx5.dll
2009-03-07 12:06 . 2001-07-06 18:24 283,920 --a------ c:\windows\system32\ImagXpr5.dll
2009-03-07 12:06 . 2001-07-09 11:50 155,648 --a------ c:\windows\system32\NeroCheck.exe
2009-03-07 12:06 . 2000-06-26 11:45 106,496 --a------ c:\windows\system32\TwnLib20.dll
2009-03-07 12:06 . 2001-06-26 08:15 38,912 --a------ c:\windows\system32\picn20.dll
2009-03-05 22:22 . 2009-03-06 01:14 <DIR> d-------- c:\program files\EsetOnlineScanner
2009-03-04 11:22 . 2009-03-04 11:22 <DIR> d-------- c:\documents and settings\FunknJam\Application`Data
2009-03-04 08:08 . 2009-03-05 03:16 <DIR> d--h----- C:\$AVG8.VAULT$
2009-03-04 07:47 . 2009-03-04 07:47 107,912 --a------ c:\windows\system32\drivers\avgtdix.sys
2009-03-04 07:47 . 2009-03-04 07:47 10,520 --a------ c:\windows\system32\avgrsstx.dll
2009-03-04 07:46 . 2009-03-07 06:27 <DIR> d-------- c:\windows\system32\drivers\Avg
2009-03-04 07:46 . 2009-03-04 07:46 <DIR> d-------- c:\program files\AVG
2009-03-04 07:46 . 2009-03-04 14:06 <DIR> d-------- c:\documents and settings\FunknJam\Application Data\AVGTOOLBAR
2009-03-04 07:46 . 2009-03-04 14:02 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8
2009-03-04 07:46 . 2009-03-04 07:46 325,640 --a------ c:\windows\system32\drivers\avgldx86.sys
2009-03-04 07:33 . 2009-03-04 07:33 <DIR> d-------- c:\program files\Trend Micro
2009-03-03 11:02 . 2001-08-17 13:28 794,654 --a--c--- c:\windows\system32\dllcache\usr1801.sys
2009-03-03 11:01 . 2001-08-17 13:28 899,146 --a--c--- c:\windows\system32\dllcache\r2mdkxga.sys
2009-03-03 11:00 . 2001-08-17 14:05 351,616 --a--c--- c:\windows\system32\dllcache\ovcodek2.sys
2009-03-03 10:59 . 2001-08-17 13:28 802,683 --a--c--- c:\windows\system32\dllcache\ltsm.sys
2009-03-03 10:58 . 2001-08-17 14:56 1,733,120 --a--c--- c:\windows\system32\dllcache\g400d.dll
2009-03-03 10:57 . 2001-08-17 12:13 980,034 --a--c--- c:\windows\system32\dllcache\cicap.sys
2009-03-03 10:56 . 2001-08-17 13:28 871,388 --a--c--- c:\windows\system32\dllcache\bcmdm.sys
2009-03-03 10:55 . 2001-08-17 13:28 762,780 --a--c--- c:\windows\system32\dllcache\3cwmcru.sys
2009-03-03 10:54 . 2001-08-17 14:56 66,048 --a--c--- c:\windows\system32\dllcache\s3legacy.dll
2009-03-02 21:03 . 2009-03-02 21:03 <DIR> d-------- c:\program files\CCleaner
2009-03-02 16:50 . 2009-03-02 16:50 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-03-02 16:50 . 2009-03-02 16:50 <DIR> d-------- c:\documents and settings\FunknJam\Application Data\Malwarebytes
2009-03-02 16:50 . 2009-03-02 16:50 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-03-02 16:50 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-02 16:50 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-03-02 16:47 . 2009-03-02 16:47 <DIR> d-------- c:\program files\ERUNT
2009-03-02 16:27 . 2009-01-09 14:19 1,089,593 -----c--- c:\windows\system32\dllcache\ntprint.cat
2009-03-02 13:22 . 2009-03-03 12:55 <DIR> d-------- c:\program files\SUPERAntiSpyware
2009-03-02 13:22 . 2009-03-03 12:55 <DIR> d-------- c:\documents and settings\FunknJam\Application Data\SUPERAntiSpyware.com
2009-03-02 13:22 . 2009-03-02 13:22 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-03-02 13:18 . 2009-03-02 13:18 73,728 --a------ c:\windows\system32\javacpl.cpl
2009-03-02 12:19 . 2009-03-02 12:19 <DIR> d-------- c:\program files\Windows Installer Clean Up
2009-03-02 09:17 . 2009-03-02 09:17 <DIR> d-------- c:\windows\system32\XPSViewer
2009-03-02 09:17 . 2009-03-02 09:17 <DIR> d-------- c:\program files\MSBuild
2009-03-02 09:16 . 2009-03-02 09:25 <DIR> d-------- c:\windows\SxsCaPendDel
2009-03-02 09:16 . 2009-03-02 09:16 <DIR> d-------- c:\program files\Reference Assemblies
2009-03-02 09:16 . 2008-07-06 07:06 1,676,288 --------- c:\windows\system32\xpssvcs.dll
2009-03-02 09:16 . 2008-07-06 07:06 1,676,288 -----c--- c:\windows\system32\dllcache\xpssvcs.dll
2009-03-02 09:16 . 2008-07-06 05:50 597,504 -----c--- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-03-02 09:16 . 2008-07-06 07:06 575,488 --------- c:\windows\system32\xpsshhdr.dll
2009-03-02 09:16 . 2008-07-06 07:06 575,488 -----c--- c:\windows\system32\dllcache\xpsshhdr.dll
2009-03-02 09:16 . 2008-07-06 07:06 117,760 --------- c:\windows\system32\prntvpt.dll
2009-03-02 09:16 . 2008-07-06 07:06 89,088 -----c--- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-02-28 10:34 . 2009-02-28 10:34 <DIR> d-------- c:\windows\Google Toolbar
2009-02-27 09:30 . 2009-02-27 13:58 <DIR> d-------- c:\documents and settings\FunknJam\Application Data\OfficeUpdate12
2009-02-27 09:29 . 2009-02-27 09:29 <DIR> d-------- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2009-02-26 20:31 . 2009-02-27 18:07 <DIR> d---s---- c:\documents and settings\All Users\Application Data\Memeo
2009-02-26 20:30 . 2009-02-28 10:34 <DIR> d-------- c:\program files\Western Digital
2009-02-20 15:34 . 2009-02-20 15:34 <DIR> d-------- c:\documents and settings\FunknJam\Application Data\Thunderbird
2009-02-13 10:38 . 2009-03-02 12:19 <DIR> d-------- c:\program files\MSECache
2009-02-11 09:22 . 2009-02-11 09:23 87 --a------ c:\windows\cdplayer.ini
2009-02-10 13:16 . 2009-02-10 13:16 <DIR> d-------- c:\documents and settings\FunknJam\Application Data\Inkscape
2009-02-10 13:13 . 2009-02-10 13:15 <DIR> d-------- c:\program files\Inkscape

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-07 13:12 --------- d-----w c:\documents and settings\FunknJam\Application Data\Roxio
2009-03-05 20:13 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-03-03 17:55 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-03-02 18:18 410,984 ----a-w c:\windows\system32\deploytk.dll
2009-03-02 18:14 --------- d-----w c:\program files\Common Files\Symantec Shared
2009-03-02 18:09 --------- d-----w c:\program files\Java
2009-03-02 18:03 --------- d-----w c:\documents and settings\FunknJam\Application Data\Lavasoft
2009-03-02 14:32 --------- d-----w c:\documents and settings\FunknJam\Application Data\SmartFTP
2009-03-02 13:14 --------- d-----w c:\program files\Common Files\ESRI
2009-02-28 15:28 --------- d-----w c:\program files\Google
2009-02-27 23:07 --------- d--h--w c:\program files\InstallShield Installation Information
2009-02-23 23:28 --------- d-----w c:\documents and settings\FunknJam\Application Data\OpenOffice.org2
2009-02-23 23:19 79,760 ----a-w c:\documents and settings\FunknJam\Application Data\GDIPFONTCACHEV1.DAT
2009-01-19 19:08 524,288 ----a-w c:\windows\opuc.dll
2008-12-20 23:15 826,368 ----a-w c:\windows\system32\wininet.dll
2008-09-14 16:11 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008091420080915\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-19 68856]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]
"RemoteCenter"="c:\program files\Creative\MediaSource\RemoteControl\RCMan.EXE" [2003-11-21 143360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"type32"="c:\program files\Microsoft IntelliType Pro\type32.exe" [2003-05-15 114688]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-02 148888]
"SBDrvDet"="c:\program files\Creative\SB Drive Det\SBDrvDet.exe" [2002-12-03 45056]
"RoxioEngineUtility"="c:\program files\Common Files\Roxio Shared\System\EngUtil.exe" [2003-01-13 69632]
"RoxioAudioCentral"="c:\program files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe" [2003-01-09 253952]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\point32.exe" [2003-05-15 163840]
"HP SchedIndexer"="c:\program files\Hewlett-Packard\LaserJet 33xx\hppschedindexer.exe" [2002-04-22 94208]
"HP AutoIndexer"="c:\program files\Hewlett-Packard\LaserJet 33xx\hppautoindexer.exe" [2002-04-22 90112]
"CTSysVol"="c:\program files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe" [2003-07-02 57344]
"CTDVDDET"="c:\program files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE" [2003-06-18 45056]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-10-14 623992]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-03-04 1932568]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"CTxfiHlp"="CTXFIHLP.EXE" [2006-08-11 c:\windows\system32\CTXFIHLP.EXE]
"CTHelper"="CTHELPER.EXE" [2003-10-06 c:\windows\system32\CTHELPER.EXE]

c:\documents and settings\FunknJam\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-05-22 113664]
HP LaserJet Director.lnk - c:\program files\Hewlett-Packard\LaserJet 33xx\hppdirector.exe [2007-06-14 204800]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2004-05-16 663552]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 11:05 356352 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-03-04 07:47 10520 c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"WinTools"=c:\progra~1\COMMON~1\WinTools\WToolsA.exe
"DeskAd Service"=c:\program files\DeskAd Service\DeskAdServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\SmartFTP\\SmartFTP.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\program files\BitTorrent\btdownloadgui.exe"= c:\program files\BitTorrent\btdownloadgui.exe:*zEnabled:BitTorrent (SHAD0W's Experimental)
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Empire Interactive\\FlatOut\\FlatOut.exe"=
"c:\\Program Files\\WS_FTP\\WS_FTP95.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\MSI\\i-Speeder\\i-Speeder.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 viasraid;viasraid;c:\windows\system32\drivers\viasraid.sys [2004-05-15 77312]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-03-04 325640]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-03-04 107912]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2009-02-17 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2009-02-17 55024]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-03-04 298264]
S3 ELECTRO;ELECTRO;c:\windows\system32\drivers\electro.sys [2007-05-03 34260]
S3 HwIOctl;HwIOctl;\??\c:\program files\Setup Files\MS-6702 v1.60\HwIOctl.sys --> c:\program files\Setup Files\MS-6702 v1.60\HwIOctl.sys [?]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-02-17 7408]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam.sys --> c:\windows\system32\DRIVERS\wdcsam.sys [?]
S4 Mvdati0ygsa;Mvdati0ygsa; [x]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
AudioSrv\pBrowser

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\ccc-core-static]
msiexec /fums {3CBBEE47-C8F4-316A-92FF-ED7E3DFAE41E} /qb
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/ig?hl=en&ned=us&tab=nw&q=
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar =
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
DPF: {51A1CDAB-573D-45A4-B69F-B44791DFF60A} - hxxp://www.brevardpropertyappraiser.com/picto/include/PictImageCtrl30.cab
DPF: {594ECDD4-A991-4208-A7B7-00DDAD9BE328} - hxxp://media.labs.live.com/all/ps/_code_/Photosynth.cab
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-07 21:56:04
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(820)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-03-07 21:58:05
ComboFix-quarantined-files.txt 2009-03-08 02:57:46

Pre-Run: 195,569,672,192 bytes free
Post-Run: 195,617,361,920 bytes free

213 --- E O F --- 2009-02-25 16:12:40

funknjam
2009-03-08, 16:49
The only thing I've done besides email and web browsing is run ComboFix and this morning the newest symptom has manifested - iTunes won't play any music. I keep getting an error that says "iTunes has detected a problem with your audio configuration." The program will start but won't function. I uninstalled and reinstalled everything apple on my machine. And I reinstalled my audio drivers. Nothing.

Can't wait to see if these are the problems:

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"WinTools"=c:\progra~1\COMMON~1\WinTools\WToolsA.exe
"DeskAd Service"=c:\program files\DeskAd Service\DeskAdServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

shelf life
2009-03-08, 23:09
hi,

thanks for the info, log doesn't look bad at all as far as malware goes. Those items in bold:

"WinTools"=c:\progra~1\COMMON~1\WinTools\WToolsA.exe

You can look in C/Program files/common files and delete the entire:
WinTools folder

this one:
c:\program files\DeskAd Service\DeskAdServ.exe
Look in add/remove programs panel first for anything with the same name and uninstall from there if present. Otherwise you can delete the entire folder from C/program files.

the last entry is how the MS security center monitors your AV, if it's active or not. If you open up the security center on the left under resources you will see "change the Security Center Alerts me"

funknjam
2009-03-09, 23:09
Well, you can't find any malware. I can't figure out why my browser likes to sit around and tell me it's waiting for about:blank and I still can't install SpyBot. :sad:

Oh well. If I can hold out that long, once Windows 7 gets its first service pack I'll buy it and do a low-level format before installing. :crazy:

Or just switch entirely to my MacBook. :ninja:

Thanks,
D

shelf life
2009-03-10, 00:19
for your browser try this;
start>settings>control panel>Internet Options>Advanced Tab> click on "Reset Internet Explorer Settings" see if that does anything

funknjam
2009-03-11, 13:03
Yeah, that worked for my browser. And the only thing I had installed extra (to my knowledge) was the Google toolbar. I've always been told to trust Google but apparently they are affiliated with about:blank?

Anyway, thanks again for taking the time. I still can't install SpyBot though. Everything on my system seems to be working perfectly now with the exception that I can install but not run SpyBot and I can't even install Ad-Aware.

If I am totally infection free and my computer is seemingly perfect right now, why can't I run SpyBot?

D

shelf life
2009-03-11, 23:30
the about:blank you were experiencing wasn't the older malware that went around a few years ago. Sometimes browser add-ons can mess with IE.
If you uninstalled the google toolbar you can re-install it if you want.

Can you download and install any programs? See if you can install Malwarebytes ok:


http://www.malwarebytes.org/mbam.php

* Double-click mbam-setup.exe and follow the prompts to install the program.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.

funknjam
2009-03-17, 18:06
Sorry for the delay.... and thanks for not closing the thread.

Yes - I can install software no problem. I have installed and run Malwarebytes' program. In fact, my computer has been running perfectly all week!

It's SpyBot that is the problem. SpyBot installs no problem but it won't run. Ad-Aware AE won't even install. To my knowledge these are the only programs I'm having problems with and given that they're both anti-malware products I have to assume that the problem is the same.

D

shelf life
2009-03-18, 20:56
hi,

sorry for the delay, haven't been online in a few days. anti malware apps not running when you click on them could be caused by malware but I don't think that's your problem. let's see if you can run it in safe mode by chance.

also maybe you got a corrupt download? You have tried uninstalling spybot, reboot computer then redownload and install?

To reach safe mode you would tap the F8 key during a computer restart, choose the first option from the list: safe mode. Once at the safe mode desktop try launching spybot.