PDA

View Full Version : Malware Problem win32.TDSS.rtk Skynet



dakotasjag
2009-08-15, 04:53
Hi. I seem to have picked up a problem of some sort which seems to be recurring even though I get messages saying it has been removed. Sometimes the tools I have run to clean it do not even find it. I have Spybot and free versions AVG, Malware Bytes Anti Malware, Super Anti Spyware, Zone Alarm and Ad-Aware installed with the latest updates.

Sometimes when I boot I see numerous iterations of dos command type windows popup and then go away.
My IE8 browser also seems to get redirected on many of the links I attempt to bring up.
Also it seems all my restore points prior to today in System Restore are no longer available.
I am not sure if this is all being caused by the same thing.
I do recall seeing a popup yesterday (when I first started having problems) about My computer but I killed the window from Task Manager as I recall

I ran the ERUNT registry backup tool as noted and deactivated the Spybot TeaTimer. The Hijack This log file follows this.

Any help would be greatly appreciated. Thanks!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:22:31 PM, on 8/14/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
E:\PhotoshopElementsFileAgent.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\RETROS~1\RETROS~1.5\retrorun.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sony\VAIO Media Music Server\SSSvr.exe
C:\Program Files\Sony\Photo Server 20\appsrv\PicAppSrv.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\sv_httpd.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\htpatch.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\WINDOWS\System32\WScript.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Brother\ControlCenter2\brctrcen.exe
E:\apdproxy.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
C:\Program Files\Sony\VAIO Action Setup\VAServ.exe
C:\Program Files\Brother\Brmfcmon\BrMfimon.exe
c:\progra~1\Support.com\client\bin\tgcmd.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\HistoryKill\histkill.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = ftp=localhost:8118;http=localhost:8118;https=localhost:8118;socks=localhost:9050
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;127.0.0.1
R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [ZTgServerSwitch] c:\program files\support.com\client\lserver\server.vbs
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [Adobe Photo Downloader] "E:\apdproxy.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\RunOnce: [SpybotDeletingA6662] command.com /c del "C:\WINDOWS\system32\drivers\SKYNETwyvtwcnd.sys_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC5152] cmd.exe /c del "C:\WINDOWS\system32\drivers\SKYNETwyvtwcnd.sys_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA592] command.com /c del "C:\WINDOWS\system32\drivers\SKYNETwyvtwcnd.sys"
O4 - HKLM\..\RunOnce: [SpybotDeletingC5867] cmd.exe /c del "C:\WINDOWS\system32\drivers\SKYNETwyvtwcnd.sys"
O4 - HKLM\..\RunOnce: [SpybotDeletingA6046] command.com /c del "C:\WINDOWS\system32\SKYNETjboponmn.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC2501] cmd.exe /c del "C:\WINDOWS\system32\SKYNETjboponmn.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA3622] command.com /c del "C:\WINDOWS\system32\SKYNETjboponmn.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingC7159] cmd.exe /c del "C:\WINDOWS\system32\SKYNETjboponmn.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingA7655] command.com /c del "C:\WINDOWS\system32\SKYNETyuhnxckk.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC6258] cmd.exe /c del "C:\WINDOWS\system32\SKYNETyuhnxckk.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA2956] command.com /c del "C:\WINDOWS\system32\SKYNETyuhnxckk.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingC8161] cmd.exe /c del "C:\WINDOWS\system32\SKYNETyuhnxckk.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingA2625] command.com /c del "C:\WINDOWS\system32\SKYNETmhxdorgr.dat_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC8577] cmd.exe /c del "C:\WINDOWS\system32\SKYNETmhxdorgr.dat_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA7734] command.com /c del "C:\WINDOWS\system32\SKYNETmhxdorgr.dat"
O4 - HKLM\..\RunOnce: [SpybotDeletingC1183] cmd.exe /c del "C:\WINDOWS\system32\SKYNETmhxdorgr.dat"
O4 - HKLM\..\RunOnce: [SpybotDeletingA166] command.com /c del "C:\WINDOWS\system32\SKYNETvjyrjfyp.dat_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC4762] cmd.exe /c del "C:\WINDOWS\system32\SKYNETvjyrjfyp.dat_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA7302] command.com /c del "C:\WINDOWS\system32\SKYNETvjyrjfyp.dat"
O4 - HKLM\..\RunOnce: [SpybotDeletingC2746] cmd.exe /c del "C:\WINDOWS\system32\SKYNETvjyrjfyp.dat"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\RunOnce: [SpybotDeletingB4508] command.com /c del "C:\WINDOWS\system32\drivers\SKYNETwyvtwcnd.sys_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD8338] cmd.exe /c del "C:\WINDOWS\system32\drivers\SKYNETwyvtwcnd.sys_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingB5273] command.com /c del "C:\WINDOWS\system32\drivers\SKYNETwyvtwcnd.sys"
O4 - HKCU\..\RunOnce: [SpybotDeletingD2995] cmd.exe /c del "C:\WINDOWS\system32\drivers\SKYNETwyvtwcnd.sys"
O4 - HKCU\..\RunOnce: [SpybotDeletingB1876] command.com /c del "C:\WINDOWS\system32\SKYNETjboponmn.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD8991] cmd.exe /c del "C:\WINDOWS\system32\SKYNETjboponmn.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingB6452] command.com /c del "C:\WINDOWS\system32\SKYNETjboponmn.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingD2625] cmd.exe /c del "C:\WINDOWS\system32\SKYNETjboponmn.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingB4101] command.com /c del "C:\WINDOWS\system32\SKYNETyuhnxckk.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD9590] cmd.exe /c del "C:\WINDOWS\system32\SKYNETyuhnxckk.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingB489] command.com /c del "C:\WINDOWS\system32\SKYNETyuhnxckk.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingD1684] cmd.exe /c del "C:\WINDOWS\system32\SKYNETyuhnxckk.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingB9418] command.com /c del "C:\WINDOWS\system32\SKYNETmhxdorgr.dat_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD6939] cmd.exe /c del "C:\WINDOWS\system32\SKYNETmhxdorgr.dat_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingB7533] command.com /c del "C:\WINDOWS\system32\SKYNETmhxdorgr.dat"
O4 - HKCU\..\RunOnce: [SpybotDeletingD5925] cmd.exe /c del "C:\WINDOWS\system32\SKYNETmhxdorgr.dat"
O4 - HKCU\..\RunOnce: [SpybotDeletingB7856] command.com /c del "C:\WINDOWS\system32\SKYNETvjyrjfyp.dat_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD4413] cmd.exe /c del "C:\WINDOWS\system32\SKYNETvjyrjfyp.dat_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingB463] command.com /c del "C:\WINDOWS\system32\SKYNETvjyrjfyp.dat"
O4 - HKCU\..\RunOnce: [SpybotDeletingD589] cmd.exe /c del "C:\WINDOWS\system32\SKYNETvjyrjfyp.dat"
O4 - HKUS\S-1-5-18\..\RunOnce: [SetDefaultMidi] MIDIDEF.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [SetDefaultMidi] MIDIDEF.EXE (User 'Default user')
O4 - Startup: Epson printer Registration.lnk = H:\E_reg\EPSONREG.EXE
O4 - Startup: ERUNT AutoBackup.lnk = D:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Status Monitor.lnk = C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
O4 - Global Startup: VAIO Action Setup (Server).lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://help.bellsouth.net/sdccommon/download/tgctlcm.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase1140.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1132930528652
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1132933956953
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O16 - DPF: {E9A7F56F-C40F-4928-8C6F-7A72F2A25222} (AxRUploadControl Object) - http://www.imagestation.com/common/classes/SonyISUpload.cab?v=1,0,0,34
O17 - HKLM\System\CCS\Services\Tcpip\..\{3DCFE92E-C6CA-4F48-BCC9-A281D2F2291C}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{C91E02B2-0B74-407F-A4FD-F4C5B714A471}: NameServer = 208.67.220.220,208.67.222.222
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: !SASWinLogon - D:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Adobe Active File Monitor V4 (AdobeActiveFileMonitor4.0) - Unknown owner - E:\PhotoshopElementsFileAgent.exe
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Retrospect Launcher (RetroLauncher) - EMC Corporation - C:\PROGRA~1\RETROS~1\RETROS~1.5\retrorun.exe
O23 - Service: Retrospect Helper - EMC Corporation - C:\Program Files\Retrospect\Retrospect 7.5\rthlpsvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: VAIO Media Music Server (Application) (VAIOMediaPlatform-MusicServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Music Server\SSSvr.exe
O23 - Service: VAIO Media Music Server (HTTP) (VAIOMediaPlatform-MusicServer-HTTP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\sv_httpd.exe
O23 - Service: VAIO Media Music Server (UPnP) (VAIOMediaPlatform-MusicServer-UPnP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
O23 - Service: VAIO Media Photo Server (Application) (VAIOMediaPlatform-PhotoServer-AppServer) - Unknown owner - C:\Program Files\Sony\Photo Server 20\appsrv\PicAppSrv.exe
O23 - Service: VAIO Media Photo Server (HTTP) (VAIOMediaPlatform-PhotoServer-HTTP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe
O23 - Service: VAIO Media Photo Server (UPnP) (VAIOMediaPlatform-PhotoServer-UPnP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 15702 bytes

thanks again.

ken545
2009-08-15, 18:00
Hello dakotasjag

Welcome to Safer Networking.

Please read Before You Post (http://forums.spybot.info/showthread.php?t=288)
That said, All advice given by anyone volunteering here, is taken at your own risk.
While best efforts are made to assist in removing infections safely, unexpected stuff can happen.




Be sure to follow the instructions, Combofix will not run unless its renamed.


Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
Link 3 (http://subs.geekstogo.com/ComboFix.exe)

http://i266.photobucket.com/albums/ii277/sUBs_/combofix/CF_download_FF.gif


http://i266.photobucket.com/albums/ii277/sUBs_/combofix/CF_download_rename.gif

* IMPORTANT !!! Save ComboFix.exe to your Desktop


Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
See this Link (http://www.bleepingcomputer.com/forums/topic114351.html) for programs that need to be disabled and instruction on how to disable them.
Remember to re-enable them when we're done.


Double click on ComboFix.exe & follow the prompts.


As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.


Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.



http://i24.photobucket.com/albums/c30/ken545/RcAuto1.gif


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://i24.photobucket.com/albums/c30/ken545/whatnext.jpg

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a New Hijackthis log.

*If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.

dakotasjag
2009-08-16, 04:55
Hi Ken,
Thanks much. I really appreciate your assistance in helping me resolve this situation.

Here's the Combo Fix log ....
ComboFix 09-08-10.06 - Al 08/15/2009 19:58.1.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1024.619 [GMT -4:00]
Running from: c:\documents and settings\Al\Desktop\Combo-Fix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: ZoneAlarm Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\recycler\S-1-5-21-1202660629-1972579041-839522115-1003
c:\recycler\S-1-5-21-1648481601-1982567501-556630225-1003
c:\recycler\S-1-5-21-189430292-247783450-3460961655-1003
c:\recycler\S-1-5-21-226743455-1856479922-3962560683-1003
c:\recycler\S-1-5-21-2770305649-4197832782-483577514-1003
c:\recycler\S-1-5-21-3271188710-1571569475-1073813041-1003
c:\windows\Installer\9dc0f.msi
c:\windows\Installer\e3ec4.msi
c:\windows\Installer\WMEncoder.msi
c:\windows\system32\Data
c:\windows\system32\Data\ctp0161w.dat
c:\windows\system32\drivers\SKYNETwyvtwcnd.sys
c:\windows\system32\SKYNETjboponmn.dll
c:\windows\system32\SKYNETmhxdorgr.dat
c:\windows\system32\SKYNETvjyrjfyp.dat
c:\windows\system32\SKYNETyuhnxckk.dll
c:\windows\winhelp.ini


.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_SKYNETfobrsnoe
-------\Legacy_SKYNETfobrsnoe


((((((((((((((((((((((((( Files Created from 2009-07-15 to 2009-08-15 )))))))))))))))))))))))))))))))
.

2009-08-14 19:02 . 2009-08-14 19:03 -------- dc-h--w- c:\windows\ie8
2009-08-14 18:27 . 2009-08-14 18:27 -------- d-----w- c:\program files\Trend Micro
2009-08-13 23:09 . 2009-08-13 23:13 -------- d-----w- c:\documents and settings\Al\Local Settings\Application Data\Temp
2009-08-13 20:49 . 2009-08-13 20:49 -------- d-----w- c:\program files\Microsoft Windows OneCare Live
2009-08-13 20:40 . 2009-08-13 20:52 -------- d-----w- c:\program files\Windows Live Safety Center
2009-08-13 04:51 . 2009-07-10 13:27 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll
2009-08-13 01:28 . 2009-08-13 01:28 -------- d-----w- c:\documents and settings\Al\Application Data\Malwarebytes
2009-08-13 01:27 . 2009-08-03 17:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-13 01:27 . 2009-08-13 01:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-08-13 01:27 . 2009-08-03 17:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-10 17:33 . 2009-08-10 17:33 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-08-09 01:36 . 2009-08-09 01:38 117760 ----a-w- c:\documents and settings\Visitor\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-08-05 23:07 . 2009-08-05 23:07 -------- d-----w- c:\windows\system32\wbem\Repository
2009-08-05 09:01 . 2009-08-05 09:01 204800 -c----w- c:\windows\system32\dllcache\mswebdvd.dll
2009-08-03 23:19 . 2009-08-03 23:19 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2009-07-28 00:32 . 2009-07-03 14:49 15688 ----a-w- c:\windows\system32\lsdelete.exe
2009-07-27 23:19 . 2009-07-03 14:49 64160 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-07-27 23:19 . 2009-07-27 23:19 -------- dc----w- c:\windows\system32\DRVSTORE
2009-07-27 23:18 . 2009-07-08 17:28 2920112 -c--a-w- c:\documents and settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}\Ad-AwareAE.exe
2009-07-27 23:15 . 2009-07-27 23:18 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}
2009-07-17 19:01 . 2009-07-17 19:01 58880 -c----w- c:\windows\system32\dllcache\atl.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-14 19:40 . 2009-03-24 03:14 117760 ----a-w- c:\documents and settings\Al\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-08-14 01:39 . 2005-11-27 21:45 -------- d-----w- c:\program files\BestPopUpKiller
2009-08-13 23:48 . 2005-11-27 21:37 63352 ----a-w- c:\documents and settings\Visitor\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-13 23:42 . 2006-07-16 07:07 4469464 ----a-w- c:\windows\Internet Logs\tvDebug.Zip
2009-08-13 22:16 . 2005-11-25 17:44 -------- d-----w- c:\documents and settings\Al\Application Data\Sony Corporation
2009-08-13 17:30 . 2005-11-25 16:26 63352 ----a-w- c:\documents and settings\Al\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-13 13:01 . 2006-07-27 19:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Retrospect
2009-08-12 19:47 . 2006-02-12 18:15 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-08-06 22:41 . 2006-07-08 13:47 63352 ----a-w- c:\documents and settings\Zoe\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-05 23:05 . 2008-08-09 17:02 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-08-05 23:05 . 2008-08-09 17:02 -------- d-----w- c:\program files\NOS
2009-08-05 22:48 . 2008-09-22 13:20 -------- d-----w- c:\program files\Google
2009-08-05 14:46 . 2006-07-07 23:42 63352 ----a-w- c:\documents and settings\Abi\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-05 09:01 . 2002-12-05 01:15 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-27 23:18 . 2008-02-05 00:45 -------- d-----w- c:\program files\Lavasoft
2009-07-27 23:12 . 2008-10-15 16:06 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-07-27 16:42 . 2006-04-17 12:49 -------- d-----w- c:\program files\Common Files\Ulead Systems
2009-07-27 16:31 . 2006-04-17 18:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Ulead Systems
2009-07-25 19:01 . 2009-07-25 19:02 1488384 ----a-w- c:\windows\Internet Logs\xDB3.tmp
2009-07-24 14:56 . 2009-03-14 17:17 335752 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-07-18 09:43 . 2009-07-18 10:47 1453568 ----a-w- c:\windows\Internet Logs\xDB2.tmp
2009-07-17 19:01 . 2002-12-05 01:14 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-16 13:17 . 2009-07-16 13:18 1449984 ----a-w- c:\windows\Internet Logs\xDB1.tmp
2009-07-14 03:43 . 2004-08-04 07:56 286208 ------w- c:\windows\system32\wmpdxm.dll
2009-07-03 17:09 . 2005-06-18 04:49 915456 ----a-w- c:\windows\system32\wininet.dll
2009-07-01 22:46 . 2009-07-01 15:37 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2009-07-01 15:37 . 2009-07-01 15:37 -------- d-----w- c:\documents and settings\LocalService\Application Data\AVGTOOLBAR
2009-07-01 15:36 . 2009-03-14 17:17 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-07-01 15:36 . 2009-03-14 17:16 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-06-30 16:39 . 2005-11-25 21:35 57 ----a-w- c:\documents and settings\All Users\Application Data\Brother\BrLog\BrCollectDir\BR_cat.bat
2009-06-30 16:20 . 2005-11-25 19:42 4212 ---ha-w- c:\windows\system32\zllictbl.dat
2009-06-30 15:54 . 2002-12-05 18:44 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-06-25 08:25 . 2005-06-15 17:50 301568 ----a-w- c:\windows\system32\kerberos.dll
2009-06-25 08:25 . 2002-12-05 01:15 54272 ----a-w- c:\windows\system32\wdigest.dll
2009-06-25 08:25 . 2002-12-05 01:15 56832 ----a-w- c:\windows\system32\secur32.dll
2009-06-25 08:25 . 2002-12-05 01:15 147456 ----a-w- c:\windows\system32\schannel.dll
2009-06-25 08:25 . 2002-12-05 01:15 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-06-25 08:25 . 2002-12-05 01:15 730112 ----a-w- c:\windows\system32\lsasrv.dll
2009-06-24 11:18 . 2002-12-05 01:15 92928 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2009-06-17 02:46 . 2008-09-17 14:43 -------- d-----w- c:\program files\Java
2009-06-16 14:36 . 2002-12-05 01:15 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-16 14:36 . 2002-12-05 01:15 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-14 20:07 . 2009-07-01 15:38 1004800 ----a-w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar\IEToolbar.dll
2009-06-12 12:31 . 2002-12-05 01:15 76288 ----a-w- c:\windows\system32\telnet.exe
2009-06-10 14:13 . 2002-12-05 01:14 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-06-10 13:19 . 2002-12-05 02:21 2066432 ----a-w- c:\windows\system32\mstscax.dll
2009-06-10 06:14 . 2002-12-05 01:15 132096 ----a-w- c:\windows\system32\wkssvc.dll
2009-06-03 19:09 . 2005-08-30 04:02 1291264 ----a-w- c:\windows\system32\quartz.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-26 1008896]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-06-26 14:36 1008896 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-26 1008896]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-26 1008896]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="d:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-12-22 1830128]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"SpybotDeletingD8338"="del" [X]
"SpybotDeletingD2995"="del" [X]
"SpybotDeletingD8991"="del" [X]
"SpybotDeletingD2625"="del" [X]
"SpybotDeletingD9590"="del" [X]
"SpybotDeletingD1684"="del" [X]
"SpybotDeletingD6939"="del" [X]
"SpybotDeletingD5925"="del" [X]
"SpybotDeletingD4413"="del" [X]
"SpybotDeletingD589"="del" [X]
"SpybotDeletingB4508"="command.com" - c:\windows\system32\command.com [2002-08-29 50620]
"SpybotDeletingB5273"="command.com" - c:\windows\system32\command.com [2002-08-29 50620]
"SpybotDeletingB1876"="command.com" - c:\windows\system32\command.com [2002-08-29 50620]
"SpybotDeletingB6452"="command.com" - c:\windows\system32\command.com [2002-08-29 50620]
"SpybotDeletingB4101"="command.com" - c:\windows\system32\command.com [2002-08-29 50620]
"SpybotDeletingB489"="command.com" - c:\windows\system32\command.com [2002-08-29 50620]
"SpybotDeletingB9418"="command.com" - c:\windows\system32\command.com [2002-08-29 50620]
"SpybotDeletingB7533"="command.com" - c:\windows\system32\command.com [2002-08-29 50620]
"SpybotDeletingB7856"="command.com" - c:\windows\system32\command.com [2002-08-29 50620]
"SpybotDeletingB463"="command.com" - c:\windows\system32\command.com [2002-08-29 50620]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HTpatch"="c:\windows\htpatch.exe" [2002-10-31 28672]
"ezShieldProtector for Px"="c:\windows\System32\ezSP_Px.exe" [2002-08-20 40960]
"ZTgServerSwitch"="c:\program files\support.com\client\lserver\server.vbs" [2002-07-14 11406]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-03 866584]
"StorageGuard"="c:\program files\VERITAS Software\Update Manager\sgtray.exe" [2002-06-18 155648]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 155648]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-02-23 155648]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2004-04-14 57393]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2002-11-07 4243456]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2004-04-14 40960]
"ControlCenter2.0"="c:\program files\Brother\ControlCenter2\brctrcen.exe" [2004-07-20 851968]
"Adobe Photo Downloader"="E:\apdproxy.exe" [2005-09-09 57344]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-07-01 1948440]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"ZoneAlarm Client"="d:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-02-16 981384]
"CTHelper"="CTHELPER.EXE" - c:\windows\system32\cthelper.exe [2002-11-08 24576]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"SpybotDeletingC1183"="del" [X]
"SpybotDeletingC4762"="del" [X]
"SpybotDeletingC2746"="del" [X]
"GrpConv"="grpconv -o" [X]
"SpybotDeletingA7734"="command.com" - c:\windows\system32\command.com [2002-08-29 50620]
"SpybotDeletingA166"="command.com" - c:\windows\system32\command.com [2002-08-29 50620]
"SpybotDeletingA7302"="command.com" - c:\windows\system32\command.com [2002-08-29 50620]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"SetDefaultMidi"="MIDIDEF.EXE" - c:\windows\mididef.exe [2002-03-01 61440]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - d:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
Status Monitor.lnk - c:\program files\Brother\Brmfcmon\BrMfcWnd.exe [2005-11-25 819200]
VAIO Action Setup (Server).lnk - c:\program files\Sony\VAIO Action Setup\VAServ.exe [2002-12-5 40960]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "d:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 16:05 356352 ----a-w- d:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-07-01 15:36 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\support.com\\client\\bin\\tgcmd.exe"=
"c:\\Program Files\\Outlook Express\\msimn.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [7/27/2009 7:19 PM 64160]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [3/14/2009 1:17 PM 335752]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [3/14/2009 1:17 PM 108552]
R1 SASDIFSV;SASDIFSV;d:\program files\SUPERAntiSpyware\sasdifsv.sys [12/22/2008 12:06 PM 8944]
R1 SASKUTIL;SASKUTIL;d:\program files\SUPERAntiSpyware\SASKUTIL.SYS [12/22/2008 12:05 PM 55024]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [3/14/2009 1:16 PM 907032]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [3/14/2009 1:16 PM 298776]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
R3 USA19W;USA19W;c:\windows\system32\drivers\usa19w2k.sys [11/25/2005 10:46 AM 292920]
R3 USA19w2KP;Keyspan High Speed USB Serial Adapter Port Driver;c:\windows\system32\drivers\usa19w2kp.sys [11/25/2005 10:47 AM 40848]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [7/3/2009 10:49 AM 1029456]
S3 SASENUM;SASENUM;d:\program files\SUPERAntiSpyware\SASENUM.SYS [12/22/2008 12:06 PM 7408]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-08-10 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-07-03 14:49]

2009-08-16 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 23:20]

2005-11-25 c:\windows\Tasks\Registration reminder 2.job
- c:\windows\System32\OOBE\oobebaln.exe [2002-12-05 00:12]

2005-11-25 c:\windows\Tasks\Registration reminder 3.job
- c:\windows\System32\OOBE\oobebaln.exe [2002-12-05 00:12]
.
- - - - ORPHANS REMOVED - - - -

HKLM-RunOnce-<NO NAME> - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyServer = ftp=localhost:8118;http=localhost:8118;https=localhost:8118;socks=localhost:9050
uInternet Settings,ProxyOverride = localhost;127.0.0.1
IE: E&xport to Microsoft Excel - d:\progra~1\MICROS~1\Office10\EXCEL.EXE/3000
Trusted Zone: ncesc.com\www
TCP: {3DCFE92E-C6CA-4F48-BCC9-A281D2F2291C} = 208.67.220.220,208.67.222.222
TCP: {C91E02B2-0B74-407F-A4FD-F4C5B714A471} = 208.67.220.220,208.67.222.222
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
FF - ProfilePath - c:\documents and settings\Al\Application Data\Mozilla\Firefox\Profiles\hp8or3t7.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo! Search
FF - prefs.js: browser.startup.homepage - hxxp://google.com/
FF - prefs.js: keyword.URL - hxxp://us.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_us&p=
FF - component: c:\documents and settings\Al\Application Data\Mozilla\Firefox\Profiles\hp8or3t7.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\WINNT_x86-msvc\components\ipc.dll
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\xpavgtbapi.dll
FF - plugin: c:\program files\Real\RealOne Player\Netscape6\nppl3260.dll
FF - plugin: c:\program files\Real\RealOne Player\Netscape6\nprjplug.dll
FF - plugin: c:\program files\Real\RealOne Player\Netscape6\nprpjplug.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-15 20:06
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HTpatch = c:\windows\htpatch.exe?ows\CurrentVersion\Run???\??????Z????`??Z???Z`??Z???????????????Z???Z???Z???Z$??????Z???????????????Z???????????Z???w????(????3?w???w?????3?w ??w???Z:???????d???r??Z1??Z???Zd??????Z?-?Z????z??w8h?Z\2?Z?1?Zhtinst.INI?Z?u?Z????d???????0G?

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-26074111-3898033577-2276567363-1005\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(572)
d:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
.
Completion time: 2009-08-16 20:09
ComboFix-quarantined-files.txt 2009-08-16 00:08

Pre-Run: 2,547,253,248 bytes free
Post-Run: 2,695,688,192 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

353 --- E O F --- 2009-08-14 19:23

================================================

And here is a new Hijack This log........

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:17:36 PM, on 8/15/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
E:\PhotoshopElementsFileAgent.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\RETROS~1\RETROS~1.5\retrorun.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Sony\VAIO Media Music Server\SSSvr.exe
C:\Program Files\Sony\Photo Server 20\appsrv\PicAppSrv.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\sv_httpd.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\AVG\AVG8\avgui.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = ftp=localhost:8118;http=localhost:8118;https=localhost:8118;socks=localhost:9050
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;127.0.0.1
R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [ZTgServerSwitch] c:\program files\support.com\client\lserver\server.vbs
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [Adobe Photo Downloader] "E:\apdproxy.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\RunOnce: [SpybotDeletingA7734] command.com /c del "C:\WINDOWS\system32\SKYNETmhxdorgr.dat"
O4 - HKLM\..\RunOnce: [SpybotDeletingC1183] cmd.exe /c del "C:\WINDOWS\system32\SKYNETmhxdorgr.dat"
O4 - HKLM\..\RunOnce: [SpybotDeletingA166] command.com /c del "C:\WINDOWS\system32\SKYNETvjyrjfyp.dat_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC4762] cmd.exe /c del "C:\WINDOWS\system32\SKYNETvjyrjfyp.dat_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA7302] command.com /c del "C:\WINDOWS\system32\SKYNETvjyrjfyp.dat"
O4 - HKLM\..\RunOnce: [SpybotDeletingC2746] cmd.exe /c del "C:\WINDOWS\system32\SKYNETvjyrjfyp.dat"
O4 - HKLM\..\RunOnce: [GrpConv] grpconv -o
O4 - HKCU\..\Run: [SUPERAntiSpyware] D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [SetDefaultMidi] MIDIDEF.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [SetDefaultMidi] MIDIDEF.EXE (User 'Default user')
O4 - Startup: Epson printer Registration.lnk = H:\E_reg\EPSONREG.EXE
O4 - Startup: ERUNT AutoBackup.lnk = D:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Status Monitor.lnk = C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
O4 - Global Startup: VAIO Action Setup (Server).lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://help.bellsouth.net/sdccommon/download/tgctlcm.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase1140.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1132930528652
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1132933956953
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O16 - DPF: {E9A7F56F-C40F-4928-8C6F-7A72F2A25222} (AxRUploadControl Object) - http://www.imagestation.com/common/classes/SonyISUpload.cab?v=1,0,0,34
O17 - HKLM\System\CCS\Services\Tcpip\..\{3DCFE92E-C6CA-4F48-BCC9-A281D2F2291C}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{C91E02B2-0B74-407F-A4FD-F4C5B714A471}: NameServer = 208.67.220.220,208.67.222.222
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: !SASWinLogon - D:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Adobe Active File Monitor V4 (AdobeActiveFileMonitor4.0) - Unknown owner - E:\PhotoshopElementsFileAgent.exe
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Retrospect Launcher (RetroLauncher) - EMC Corporation - C:\PROGRA~1\RETROS~1\RETROS~1.5\retrorun.exe
O23 - Service: Retrospect Helper - EMC Corporation - C:\Program Files\Retrospect\Retrospect 7.5\rthlpsvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: VAIO Media Music Server (Application) (VAIOMediaPlatform-MusicServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Music Server\SSSvr.exe
O23 - Service: VAIO Media Music Server (HTTP) (VAIOMediaPlatform-MusicServer-HTTP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\sv_httpd.exe
O23 - Service: VAIO Media Music Server (UPnP) (VAIOMediaPlatform-MusicServer-UPnP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
O23 - Service: VAIO Media Photo Server (Application) (VAIOMediaPlatform-PhotoServer-AppServer) - Unknown owner - C:\Program Files\Sony\Photo Server 20\appsrv\PicAppSrv.exe
O23 - Service: VAIO Media Photo Server (HTTP) (VAIOMediaPlatform-PhotoServer-HTTP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe
O23 - Service: VAIO Media Photo Server (UPnP) (VAIOMediaPlatform-PhotoServer-UPnP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 11470 bytes


I reactivated the my Firewall, AVG and such..... I think I created the new Hijack This log after doing so. Now that I think about it I believe I still need to restore my Windows Defender settings.

With your help its looking like this problem may be solved. My System Restore seems to be working again and I did not notice my IE8 being redirected for the last few URL's I tried. Also did not see the black cmd window type screens flash by when I rebooted the second time after running Combo Fix. Hopefully after verifying the logs you will be able to say or let me know what else I need to do to be rid of this.
Sure wish I knew how I picked it up so that activity will not be repeated.
Thanks again

ken545
2009-08-16, 05:46
Hi,

Do this first...Important

Disable the TeaTimer, leave it disabled, do not turn it back on until we're done or it will prevent fixes from taking

Run Spybot-S&D in Advanced Mode.
If it is not already set to do this Go to the Mode menu select "Advanced Mode"
On the left hand side, Click on Tools
Then click on the Resident Icon in the List
Uncheck "Resident TeaTimer" and OK any prompts.
Restart your computer.<--You need to do this for it to take effect

Please do not proceed until the TeaTimer is disabled


Open HijackThis > Do a System Scan Only, close your browser and all open windows including this one, the only program or window you should have open is HijackThis, check the following entries and click on Fix Checked.

These may be gone

O4 - HKLM\..\RunOnce: [SpybotDeletingA7734] command.com /c del "C:\WINDOWS\system32\SKYNETmhxdorgr.dat"
O4 - HKLM\..\RunOnce: [SpybotDeletingC1183] cmd.exe /c del "C:\WINDOWS\system32\SKYNETmhxdorgr.dat"
O4 - HKLM\..\RunOnce: [SpybotDeletingA166] command.com /c del "C:\WINDOWS\system32\SKYNETvjyrjfyp.dat_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC4762] cmd.exe /c del "C:\WINDOWS\system32\SKYNETvjyrjfyp.dat_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA7302] command.com /c del "C:\WINDOWS\system32\SKYNETvjyrjfyp.dat"
O4 - HKLM\..\RunOnce: [SpybotDeletingC2746] cmd.exe /c del "C:\WINDOWS\system32\SKYNETvjyrjfyp.dat"




Please download ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1) by Atribune to your desktop.

Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.Your system may start up slower after running ATF Cleaner, this is expected but will be back to normal after the first or second boot up
Please note: If you use online banking or are registered online with any other organizations, ensure you have memorized password and other personal information as removing cookies will temporarily disable the auto-login facility.


You have SuperAntiSpyware installed, open it , check for updates and run the scan removing all it finds.

Then post the SAS log and a new HJT log please

dakotasjag
2009-08-17, 03:01
Good Evening Ken,

I deactivated the Spybot Teatimer and ran Hijack This.

None of the 6 entries containing SKYNET were present on the panel where you check the boxes prior to hitting the "fix" button.

Here is the latest Hijack This log.....
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:21:25 PM, on 8/16/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
E:\PhotoshopElementsFileAgent.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\RETROS~1\RETROS~1.5\retrorun.exe
C:\WINDOWS\htpatch.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\WINDOWS\System32\WScript.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Brother\ControlCenter2\brctrcen.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
E:\apdproxy.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Sony\VAIO Action Setup\VAServ.exe
C:\Program Files\Sony\Photo Server 20\appsrv\PicAppSrv.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
c:\progra~1\Support.com\client\bin\tgcmd.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = ftp=localhost:8118;http=localhost:8118;https=localhost:8118;socks=localhost:9050
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;127.0.0.1
R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [ZTgServerSwitch] c:\program files\support.com\client\lserver\server.vbs
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [Adobe Photo Downloader] "E:\apdproxy.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [SetDefaultMidi] MIDIDEF.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [SetDefaultMidi] MIDIDEF.EXE (User 'Default user')
O4 - Startup: Epson printer Registration.lnk = H:\E_reg\EPSONREG.EXE
O4 - Startup: ERUNT AutoBackup.lnk = D:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Status Monitor.lnk = C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
O4 - Global Startup: VAIO Action Setup (Server).lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://help.bellsouth.net/sdccommon/download/tgctlcm.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase1140.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1132930528652
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1132933956953
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O16 - DPF: {E9A7F56F-C40F-4928-8C6F-7A72F2A25222} (AxRUploadControl Object) - http://www.imagestation.com/common/classes/SonyISUpload.cab?v=1,0,0,34
O17 - HKLM\System\CCS\Services\Tcpip\..\{3DCFE92E-C6CA-4F48-BCC9-A281D2F2291C}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{C91E02B2-0B74-407F-A4FD-F4C5B714A471}: NameServer = 208.67.220.220,208.67.222.222
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: !SASWinLogon - D:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Adobe Active File Monitor V4 (AdobeActiveFileMonitor4.0) - Unknown owner - E:\PhotoshopElementsFileAgent.exe
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Retrospect Launcher (RetroLauncher) - EMC Corporation - C:\PROGRA~1\RETROS~1\RETROS~1.5\retrorun.exe
O23 - Service: Retrospect Helper - EMC Corporation - C:\Program Files\Retrospect\Retrospect 7.5\rthlpsvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: VAIO Media Music Server (Application) (VAIOMediaPlatform-MusicServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Music Server\SSSvr.exe
O23 - Service: VAIO Media Music Server (HTTP) (VAIOMediaPlatform-MusicServer-HTTP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\sv_httpd.exe
O23 - Service: VAIO Media Music Server (UPnP) (VAIOMediaPlatform-MusicServer-UPnP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
O23 - Service: VAIO Media Photo Server (Application) (VAIOMediaPlatform-PhotoServer-AppServer) - Unknown owner - C:\Program Files\Sony\Photo Server 20\appsrv\PicAppSrv.exe
O23 - Service: VAIO Media Photo Server (HTTP) (VAIOMediaPlatform-PhotoServer-HTTP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe
O23 - Service: VAIO Media Photo Server (UPnP) (VAIOMediaPlatform-PhotoServer-UPnP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 11097 bytes



I ran the ATF Cleaner as you indicated then SAS. Here is the SAS log.....

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 08/16/2009 at 07:07 PM

Application Version : 4.24.1004

Core Rules Database Version : 4058
Trace Rules Database Version: 1998

Scan type : Complete Scan
Total Scan Time : 01:38:58

Memory items scanned : 399
Memory threats detected : 0
Registry items scanned : 5214
Registry threats detected : 0
File items scanned : 101783
File threats detected : 0

Hopefully all is back to normal ........(appears to be )
Thanks!!!!!!!

ken545
2009-08-17, 04:29
Hi,

Remove this with HJT, its just clutter
R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

Rest of your log is looking good :bigthumb:

Lets run this free online virus scanner to check for leftovers

Please run this free online virus scanner from ESET (http://www.eset.eu/online-scanner)

Note: You will need to use Internet explorer for this scan
Tick the box next to YES, I accept the Terms of Use.
Click Start
When asked, allow the activex control to install
Click Start
Make sure that the option Remove found threats is ticked, and the option Scan unwanted applications is checked
Click Scan
Wait for the scan to finish
Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
Copy and paste that log as a reply to this topic

dakotasjag
2009-08-18, 06:40
Hi Ken,
I reran Hijack This and was successful with eliminating the No File entry as you indicated.

I am not having much luck with eset. I tried unsuccessfullu about a dozen times.

When I click the link in the post I get a msg that the site cannot be found.

When I go to a goole page and search on ESET Virus Scanner I get to the proper URL, hit the start button, then the EULA screen comes up which I accept.

When it trys to run a new page comes up with a light blue background but it is empty and below in the lower left it says "Done but with errors on the page"

I never get a prompt relating to allowing Active X to install or run. So I then went into my browser and enabled some Active x stuff but still no success.
I have since reset those Active X items that I enabled since I got messages indicating I would be at risk with those settings.

Im not sure sure what to try at this point to get ESEt runnng.

Thanks.

ken545
2009-08-18, 11:16
Hi,

Lets try this other one.

Please do a scan with Kaspersky Online Scanner (http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html) or from Here. (http://www.kaspersky.com/virusscanner)

Click on the Accept button and install any components it needs.
The program will install and then begin downloading the latest definition files.
After the files have been downloaded on the left side of the page in the Scan section select My Computer.
This will start the program and scan your system.
The scan will take a while, so be patient and let it run. (At times it may appear to stall)
Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.

Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.


Once the scan is complete, click on View scan report To obtain the report:
Click on: Save Report As
Next, in the Save as prompt, Save in area, select: Desktop
In the File name area, use KScan, or something similar In Save as type, click the drop arrow and select: Text file [*.txt]
Then, click: Save
Please post the Kaspersky Online Scanner Report in your reply.



http://i275.photobucket.com/albums/jj285/Bleeping/KAS/KAS9.gif

dakotasjag
2009-08-18, 19:18
Hi Ken,
I am not having much luck with running Kaspersky either. The 2 links in your post bring me to scanners that appear to be in Russian.
So I brought up a Google page and searched for it. I get the English version (Running it from IE8) and then the program checks my configuration. When that completes it tells me I need at least Java version 1.5 installed. I have Java version 6 installed and I believe it is update 15. I tried it 3 times and got the same message. So then I tried to reinstall Java which was successful and I confirmed it in Add/Remove programs. Tried Kaspersky several more times and it still does not recognize that a version of Java greater than 1.5 is installed.
I then tried Kaspersky from a Mozilla browser and got a bit further. It made it to the update screen, took quite awhile as the updates were loaded and then failed with an error msg indicating the "Antivirus bases have been updated after key expiration. License check failed.
I closed it and tried again and once again it started downloading the updates but eventually came back with a non descriptive msg saying Update failed restart the program and try again.
Oh I should mention that I did disable my AVG program based on the warning messages I saw on one of the Kaspersky pages about other AV programs causing problems with the scanner.
Any suggestions!

ken545
2009-08-18, 19:35
Have you tried this site
http://www.kaspersky.com/virusscanner

dakotasjag
2009-08-19, 23:32
Hi Ken,
Sort of looks familiar but I am not sure. As I recall when I came to a page that looked like that and I hit the scanner button it brought me to a Russian language version..... so perhaps this is one I have not tried.

At any rate I just tried it now (twice) and when the download starts to run I get....

Launch of the Java application is interrupted! Please establish an uninterrupted Internet connection for work with this program.

ken545
2009-08-20, 03:47
Try this link

http://www.kaspersky.com/virusscanner

dakotasjag
2009-08-20, 17:49
Good morning Ken,

Yes, I tried that link the other day...... and again this morning (2x).

For some reason I still get messages about Java that stop it from completing the download.

Nothing else is having problems with Java so I am not sure what is going on.
Im hoping it is not related so some infection hosing me.


thanks

ken545
2009-08-20, 19:27
Lets update your Java

Go to your Control Panel and click on the Java Icon ( looks like a little coffee cup ) click on About and you should have Version 6 Update 15, if not proceed with the instructions.

Download the latest version Here (http://java.sun.com/javase/downloads/index.jsp) save it, do not install it yet.

Java SE Runtime Environment (JRE)JRE 6 Update 15 <--The wording is confusing but this is what you need


Go to your Add Remove Programs in the Control Panel and uninstall any previous versions of Java
Reboot your computer
Install the latest version

You can verify the installation Here (http://www.java.com/en/download/help/testvm.xml)


Then try ESET again,

dakotasjag
2009-08-21, 21:47
Hi Ken,
I already have Java 16 update 15 installed. I just verified it (Build 1.6.0_15-b03).

I brought up eset and once again got a blank light blue window and no prompting to run Active X .....but this time I saw a real small white box with a red x on the page (Something I am running somewhere must of been blocking it.... I see those little red x's in a white box lots of times especially in my e-mails...... and usually I get prompted as to whether or not I want to accept it or not) I clicked the little box it and the eset license panel came up after a little bit.

After accepting, the download and scan commenced and finished in about 1.5 hrs.

No problems found fortunately....... here is the log ----

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=6
# IEXPLORE.EXE=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6048
# api_version=3.0.2
# EOSSerial=13ab03d99667b34bbb5f9d51ae7e37cb
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2009-08-21 06:18:56
# local_time=2009-08-21 02:18:56 (-0500, Eastern Daylight Time)
# country="United States"
# lang=9
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=1026 21 83 97 4496657343750
# compatibility_mode=5889 61 66 100 882823808906250
# scanned=103910
# found=0
# cleaned=0
# scan_time=5782

Thanks

ken545
2009-08-21, 22:11
Great, looks like your good to go :bigthumb:

How are things running now ?

dakotasjag
2009-08-22, 02:09
Hi Ken,

Im hoping Im back to normal. My IE browser no longer gets hijacked and my System Restore is working again. Those were the problems that first surfaced when I was hit by the Skynet malware. So Im good along those lines.

My hard drive seems to be chattering quite a bit and my Mozilla browser seems to be taking a long time to come up.... also it is missing a few icons I put on the Navigation Tool bar (such as the icons for Bookmarks, New Tab, and New Window) before I started having problems. Those are just minor issues hopefully with just Mozilla and not malware related.

Im also assuming some of the chatter on the drive is some of the programs running in the background that were added to resolve this malware issue. I did notice that one of those programs is in my Startup folder -- ERUNT Auto Backup.

Is there anything that I installed that I should now uninstall?

I still dont know what I did to trigger this problem but hopefully I wont do it again anytime soon.

I really appreciate all your help on this.

Thanks.

ken545
2009-08-22, 02:35
Hi,

Firefox, not you, I have noticed that it takes a time to load the first time you start your system .

I am going to link you to some windows support sites to check your hard drive as we just do malware removal on this forum.

Windows Tech Support Forums

Windows Support (http://forums.whatthetech.com/Microsoft_Windows_f119.html) <-- Our sister site
PcPitStop (http://pcpitstop.com/) <-- You can take your system in for a checkup here.
Bleeping Computer (http://www.bleepingcomputer.com/forums/forum56.html) <--Excellent Forum
Windows Helpnet (http://www.windowsbbs.com/) <-- Excellent Forum
Hardwareguys (http://forums.hardwareguys.com/) <-- Another good one




It's Not Always Malware

Slow Computer (http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html)
Microsoft (http://www.microsoft.com/windows/IE/community/columns/IEtopten.mspx)

Speedup Windows
TechBuilder (http://www.techbuilder.org/recipes/59201471)

Windows Tips
Techruler (http://www.techruler.com/tips.html#1)
Kellys Korner (http://www.kellys-korner-xp.com/xp_abc.htm)



ATF Cleaner <-- Yours to keep, run it now and then to clean out the clutter.

Combofix <---Is not a general cleaning tool, just run it with supervision or you can bork your system


Click START then RUN
Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.


http://i189.photobucket.com/albums/z176/EPL47/CF_Cleanup.png


When shown the disclaimer, Select "2"

The above procedure will:

Delete the following:
ComboFix and its associated files and folders.
VundoFix backups, if present
The C:\Deckard folder, if present
The C:_OtMoveIt folder, if present
Reset the clock settings.
Hide file extensions, if required.
Hide System/Hidden files, if required.
Reset System Restore.



How did I get infected in the first place ?
Read these links and find out how to prevent getting infected again.
Tutorial for System Restore (http://www.bleepingcomputer.com/tutorials/tutorial56.html) <-- Do this first to prevent yourself from being reinfected.
WhattheTech (http://forums.whatthetech.com/So_how_did_I_get_infected_in_the_first_place_t57817.html)
Grinler BleepingComputer (http://www.bleepingcomputer.com/forums/topic2520.html)
GeeksTo Go (http://www.geekstogo.com/forum/index.php?autocom=custom&page=How_did_I)
Dslreports (http://www.dslreports.com/faq/10002)





Keep in mind if you install some of these programs. Only ONE Anti Virus and only ONE Firewall is recommended, more is overkill and can cause you problems. You can install all the Spyware programs I have listed without any problems. If you install Spyware Blaster and Spyware Guard, they will conflict with the TeaTimer in Spybot , you can still install Spybot Search and Destroy but do not enable the TeaTimer .


Here are some free programs to install, all free and highly regarded by the fine people in the Malware Removal Community

Spybot Search and Destroy 1.6 (http://www.safer-networking.org/en/download/)
Check for Updates/ Immunize and run a Full System Scan on a regular basis. If you install Spyware Blaster ( Recommended ) then do not enable the TeaTimer in Spybot Search and Destroy.

Spyware Blaster (http://www.javacoolsoftware.com/spywareblaster.html) It will prevent most spyware from ever being installed. No scan to run, just update about once a week and enable all protection.

Spyware Guard (http://www.javacoolsoftware.com/spywareguard.html) It offers realtime protection from spyware installation attempts, again, no scan to run, just install it and let it do its thing.

IE-Spyad (http://www.pcworld.com/downloads/file/fid,23332-order,1-page,1-c,antispywaretools/description.html)
IE-Spyad places over 6000 web sites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (cookies etc) from the sites listed, although you will still be able to connect to the sites.

Firefox 3 (http://www.mozilla.org/products/firefox/) It has more features and is a lot more secure than IE. It is a very easy and painless download and install, it will no way interfere with IE, you can use them both.



Safe Surfn
Ken

ken545
2009-08-26, 01:58
Since this issue appears to be resolved ... this Topic has been closed. Glad I could help.