Can't run Spybot, redirects Spybot webpage. Email, Skype, Messenger don't work

You just needed to run Gooredfix once.

Backup Your Registry with ERUNT:
  • Download erunt.zip to your Desktop from here:
    http://aumha.org/downloads/erunt.zip
  • Right-click erunt.zip, select Extract All... and follow the prompts to extract ERUNT to a new folder on your Desktop
  • Inside the new folder, double-click ERUNT.exe to start the program
  • OK all the prompts to back up your registry to the default location.
Note: to restore your registry, go to the backup folder and start ERDNT.exe

Run OTL.exe
  • Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL

    Code:
    :OTL
    PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
    DRV - (catchme) -- C:\DOCUME~1\Bo\LOCALS~1\Temp\catchme.sys File not found
    
    :ADS
    @Alternate Data Stream - 217 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:F35A93AD
    
    :Services
    
    :Reg
    
    :Files
    
    
    :Commands
    [purity]
    [emptytemp]
    [RESETHOSTS]
    [start explorer]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done
  • Then post the results of the log and a new OTL log (don't check the boxes beside LOP Check or Purity this time)

  • Please download GMER from one of the following locations, and save it to your desktop:
    • Main Mirror
      This version will download a randomly named file (Recommended)
    • Zip Mirror
      This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Extract the contents of the zipped file to your desktop (applicable only to the Zip mirror).
  • Double-click the GMER icon on your desktop.
  • If it gives you a warning about rootkit activity and asks if you want to run a scan, click on NO.
  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop, and post it in your reply.
**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.
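The OTL script above ends with [RESETHOSTS], which throws the HOSTS file away and writes a default one. A hijacked HOSTS file is one common mechanism behind the symptom in the thread title (a security vendor's site "redirecting" or never loading), so it is worth looking at the file before it is reset. The checker below is an added example for this thread, not OTL's code or anything posted by the participants. It parses hosts syntax and flags three things: security-vendor hostnames present at all (a benign ad-blocklist maps ad domains to 127.0.0.1 or 0.0.0.0, not vendor sites), any hostname mapped to a non-loopback address (a redirect), and localhost mapped away from loopback. The vendor domain list and the embedded sample file are constructed assumptions; pass the path to a copy of %SystemRoot%\System32\drivers\etc\hosts to check a real file.

```python
"""Flag hosts-file hijacks that blackhole security-vendor sites or redirect
hostnames to an attacker-chosen address.

Added example for this thread; not OTL's code. Runs offline on an embedded,
constructed sample, or on a file given as the first argument.
"""
import ipaddress
import sys
from typing import List, NamedTuple

# Vendor domains a hijacked hosts file commonly targets. Assumption: this list
# is illustrative (Spybot's and Malwarebytes' sites among them), not complete.
SECURITY_VENDOR_DOMAINS = (
    "safer-networking.org",   # Spybot - Search & Destroy
    "malwarebytes.org",
    "superantispyware.com",
    "symantec.com",
    "microsoft.com",
)

# Constructed sample resembling a Windows hosts file with a few hijacked entries.
# 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges, not real hosts.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.

127.0.0.1       localhost
127.0.0.1       ads.example-adserver.test     # blocklist-style entry: benign
0.0.0.0         tracker.example.test
203.0.113.5     www.safer-networking.org forums.safer-networking.org
203.0.113.5     www.malwarebytes.org
127.0.0.1       download.microsoft.com        # vendor site blackholed
198.51.100.7    www.example-bank.test         # redirect to an attacker-chosen host
"""


class Entry(NamedTuple):
    lineno: int
    ip: str
    names: List[str]


class Finding(NamedTuple):
    lineno: int
    ip: str
    name: str
    reason: str


def parse_hosts(text: str) -> List[Entry]:
    """Parse hosts syntax: '<ip> <name> [<name> ...]'; '#' starts a comment."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue  # malformed line; the resolver ignores it as well
        entries.append(Entry(lineno, fields[0], [n.lower() for n in fields[1:]]))
    return entries


def _is_blackhole(ip_text: str) -> bool:
    """Loopback (127/8, ::1) and unspecified (0.0.0.0) are the only targets a
    benign blocklist uses; anything else actually sends traffic somewhere."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_unspecified


def _is_vendor(name: str) -> bool:
    return any(name == d or name.endswith("." + d) for d in SECURITY_VENDOR_DOMAINS)


def find_hijacks(entries: List[Entry]) -> List[Finding]:
    """Return one Finding per suspicious (address, hostname) pair."""
    findings = []
    for e in entries:
        blackhole = _is_blackhole(e.ip)
        for name in e.names:
            if name in ("localhost", "localhost.localdomain"):
                if not blackhole:
                    findings.append(Finding(e.lineno, e.ip, name,
                                            "localhost points away from loopback"))
                continue
            if _is_vendor(name):
                reason = ("security-vendor site blackholed" if blackhole
                          else "security-vendor site redirected")
                findings.append(Finding(e.lineno, e.ip, name, reason))
            elif not blackhole:
                findings.append(Finding(e.lineno, e.ip, name,
                                        "non-loopback target: possible redirect"))
    return findings


def main(argv: List[str]) -> int:
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_HOSTS
    findings = find_hijacks(parse_hosts(text))
    for f in findings:
        print(f"line {f.lineno}: {f.ip} {f.name}: {f.reason}")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run with no arguments to see the five findings in the constructed sample; with a path, the exit status is 1 when anything is flagged. Entries that map to 127.0.0.1 or 0.0.0.0 and do not name a vendor are deliberately left alone, since that is exactly what a legitimate blocklist (or Spybot's own immunization) writes.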
 
log 1

All processes killed
========== OTL ==========
No active process named explorer.exe was found!
Service catchme stopped successfully!
Service catchme deleted successfully!
File C:\DOCUME~1\Bo\LOCALS~1\Temp\catchme.sys File not found not found.
Error: Unable to interpret <:ADS> in the current context!
Error: Unable to interpret <@Alternate Data Stream - 217 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:F35A93AD> in the current context!
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
========== FILES ==========
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: All Users

User: Bo
->Temp folder emptied: 20472231 bytes
->Temporary Internet Files folder emptied: 80484353 bytes
->Java cache emptied: 2229344 bytes
->FireFox cache emptied: 106565247 bytes
->Flash cache emptied: 69276 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 38550 bytes

User: LogMeInRemoteUser
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 1464386 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 202.00 mb

C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

OTL by OldTimer - Version 3.2.17.3 log created on 11202010_170632

Files\Folders moved on Reboot...
File\Folder C:\WINDOWS\temp\Perflib_Perfdata_183c.dat not found!

Registry entries deleted on Reboot...


log 2

GMER 1.0.15.15530 - http://www.gmer.net
Rootkit scan 2010-11-21 03:26:40
Windows 5.1.2600 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-4 WDC_WD1600JB-00GVA0 rev.08.02D08
Running: 5wkdbz8x.exe; Driver: C:\DOCUME~1\Bo\LOCALS~1\Temp\kglcykod.sys


---- System - GMER 1.0.15 ----

SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xA7B86620]

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)

Device \FileSystem\Fastfat \Fat A5AE2C8A

AttachedDevice \FileSystem\Fastfat \Fat SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)

Device \FileSystem\Cdfs \Cdfs DLAIFS_M.SYS (Drive Letter Access Component/Sonic Solutions)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Print\Printers\HP Officejet Pro 8500 A909n Series@ChangeID 276375

---- EOF - GMER 1.0.15 ----
 
Did you run GMER unchecking and checking the boxes that it shows in the picture? You can click on that picture to enlarge it and see. If not, try running it again; I don't believe that's the whole log.

Are you still getting redirected?
 
Yes... I carefully followed your instructions... but did you mean to say "CHECK" the "show all" instead of "uncheck"???

In the right panel, you will see several boxes that have been checked. Uncheck the following ...

* IAT/EAT
* Drives/Partition other than Systemdrive (typically C:\)
* Show All (don't miss this one)

And yes... shoot me... it's still here... ahhhhhhhhhhhhhhhhhhhhh

I might have to make a second donation when this is all over... my computer has turned into a full-time job for you ;)
Thanks again
 
OK,

Explain to me exactly what's going on: are there popups, and what are they? Are you being redirected, and to where?
 
When the Firefox browser is open, every so often another window opens and goes to an advertisement.

Sometimes they are in a completely new browser window or just a new tab... they go to various spammy advert places successfully... and much of the time also, a small window pops up in the bottom right-hand corner that says
"message ad by clicksor"

Once in a while I see the following link that Firefox is stopping when it's trying to load: http://www.epoclick.com/?ad=1290375102
 
One more thing... it just opened up an Explorer window out of the blue. Explorer was not even open... and it's trying to find results.google-analytics.com

Then it popped up an ad.
 
OK, let's go back to square one.

You have Malwarebytes installed; open it, check for updates, run the quick scan removing what it finds, and post the log.


Drag your copy of ComboFix to the trash and download a fresh copy, as it's updated on a regular basis; run the program and post the log, please.

Download ComboFix from one of these locations:

Link 1
Link 2


* IMPORTANT!!! Save ComboFix.exe to your Desktop
 
As I had mentioned earlier in the process, Malwarebytes will not update on my machine; it errors.

I ran it and it found nothing... here is the log:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4052

Windows 5.1.2600 Service Pack 2
Internet Explorer 8.0.6001.18702

11/22/10 10:05:58 PM
mbam-log-2010-11-22 (22-05-58).txt

Scan type: Quick scan
Objects scanned: 145521
Time elapsed: 9 minute(s), 30 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
 
ComboFix 10-11-22.04 - Bo 11/22/10 22:35:52.4.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2038.1372 [GMT -5:00]
Running from: c:\documents and settings\Bo\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2010-10-23 to 2010-11-23 )))))))))))))))))))))))))))))))
.

2010-11-12 00:16 . 2010-11-12 00:16 -------- d-----w- C:\_OTL
2010-11-11 16:42 . 2010-11-23 01:28 -------- d-----w- c:\program files\Fighters
2010-11-11 16:42 . 2010-11-11 16:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Fighters
2010-11-11 16:42 . 2010-11-11 16:43 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{1BBDB15E-BE9E-4EEA-8849-CB176F3F62A4}
2010-11-11 16:39 . 2010-11-11 16:42 -------- d-----w- c:\documents and settings\Bo\Application Data\Fighters
2010-11-11 16:39 . 2010-11-11 16:39 -------- d-----w- c:\documents and settings\Bo\Local Settings\Application Data\PackageAware
2010-11-07 05:00 . 2010-11-07 05:00 -------- d-----w- c:\documents and settings\Bo\Application Data\SUPERAntiSpyware.com
2010-11-07 05:00 . 2010-11-07 05:00 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-11-07 05:00 . 2010-11-07 05:01 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-11-06 16:09 . 2010-11-06 16:09 -------- d-----w- c:\documents and settings\Bo\Application Data\Malwarebytes
2010-11-06 16:09 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-11-06 16:09 . 2010-11-06 16:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-11-06 16:09 . 2010-11-06 16:09 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-11-06 16:09 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-10-28 00:00 . 2010-10-28 00:01 -------- d-----w- c:\program files\ERUNT
2010-10-27 19:40 . 2010-10-27 19:40 -------- d-----w- c:\documents and settings\All Users\Application Data\RegCure
2010-10-27 19:40 . 2010-10-27 19:57 -------- d-----w- c:\program files\RegCure
2010-10-27 19:36 . 2010-10-27 19:36 -------- d-----w- c:\documents and settings\Administrator

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-11-15 16:07 . 2010-05-24 05:40 156672 ----a-w- c:\windows\system32\rmc_fixasf.exe
2010-11-15 16:07 . 2010-05-24 05:40 237568 ----a-w- c:\windows\system32\rmc_rtspdl.dll
2010-09-29 07:12 . 2007-06-04 19:47 83360 ----a-w- c:\windows\system32\LMIRfsClientNP.dll
2010-09-29 07:12 . 2007-05-09 01:18 53632 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\LMIproc.dll
2010-09-29 07:12 . 2007-05-09 01:18 29568 ----a-w- c:\windows\system32\LMIport.dll
2010-09-29 07:12 . 2007-05-09 01:18 87424 ----a-w- c:\windows\system32\LMIinit.dll
2010-09-09 19:48 . 2007-03-16 19:17 89680 ----a-w- c:\documents and settings\Bo\MSSSerif120.fon
2006-07-31 14:36 . 2006-07-31 14:36 352256 ----a-w- c:\program files\Common Files\ParseEngineTest.dll
2006-07-29 17:04 . 2006-07-29 17:04 610304 ----a-w- c:\program files\Common Files\ezUpdaterVb6.dll
2006-04-27 15:09 . 2006-04-27 15:09 53248 ----a-w- c:\program files\Common Files\cjDebug.dll
2006-04-27 15:09 . 2006-04-27 15:09 32768 ----a-w- c:\program files\Common Files\cjErrHandler.dll
2006-03-29 18:32 . 2006-03-29 18:32 118784 ----a-w- c:\program files\Common Files\CJTimePicker.ocx
2005-12-24 18:08 . 2005-12-24 18:08 258048 ----a-w- c:\program files\Common Files\eDropShadow.ocx
2006-05-02 23:00 163328 --sh--r- c:\windows\system32\flvDX.dll
2007-02-20 23:00 31232 --sh--r- c:\windows\system32\msfDX.dll
2008-03-15 23:00 216064 --sh--r- c:\windows\system32\nbDX.dll
.

((((((((((((((((((((((((((((( SnapShot@2010-11-18_05.50.21 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-11-21 01:24 . 2010-11-21 01:24 16384 c:\windows\temp\Perflib_Perfdata_7b8.dat
+ 2010-11-21 01:24 . 2010-11-21 01:24 16384 c:\windows\temp\Perflib_Perfdata_130.dat
+ 2010-03-13 18:03 . 2010-11-22 04:57 4876 c:\windows\system32\d3d9caps.dat
+ 2010-11-21 01:29 . 2010-11-21 01:29 376832 c:\windows\ERDNT\AutoBackup\11-20-10\Users\00000002\UsrClass.dat
+ 2010-11-21 01:29 . 2005-10-20 16:02 163328 c:\windows\ERDNT\AutoBackup\11-20-10\ERDNT.EXE
+ 2010-11-18 06:00 . 2010-11-18 06:00 376832 c:\windows\ERDNT\AutoBackup\11-18-10\Users\00000002\UsrClass.dat
+ 2010-11-18 06:00 . 2005-10-20 16:02 163328 c:\windows\ERDNT\AutoBackup\11-18-10\ERDNT.EXE
+ 2010-11-20 22:06 . 2010-11-20 22:06 376832 c:\windows\ERDNT\11-20-10\Users\00000002\UsrClass.dat
+ 2010-11-20 22:06 . 2005-10-20 16:02 163328 c:\windows\ERDNT\11-20-10\ERDNT.EXE
+ 2010-11-19 21:27 . 2010-11-19 21:27 376832 c:\windows\ERDNT\11-19-10\Users\00000002\UsrClass.dat
+ 2010-11-19 21:27 . 2005-10-20 16:02 163328 c:\windows\ERDNT\11-19-10\ERDNT.EXE
+ 2010-11-21 01:29 . 2010-11-21 01:29 18501632 c:\windows\ERDNT\AutoBackup\11-20-10\Users\00000001\NTUSER.DAT
+ 2010-11-18 06:00 . 2010-11-18 06:00 18501632 c:\windows\ERDNT\AutoBackup\11-18-10\Users\00000001\NTUSER.DAT
+ 2010-11-20 22:06 . 2010-11-20 22:06 18501632 c:\windows\ERDNT\11-20-10\Users\00000001\NTUSER.DAT
+ 2010-11-19 21:27 . 2010-11-19 21:27 18501632 c:\windows\ERDNT\11-19-10\Users\00000001\NTUSER.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Blue]
@="{E300CD91-100F-4E67-9AF3-1384A6124015}"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Partial]
@="{E300CD91-100F-4E67-9AF3-1384A6124015}"
[HKEY_CLASSES_ROOT\CLSID\{E300CD91-100F-4E67-9AF3-1384A6124015}]
2010-06-28 21:33 668816 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Green]
@="{95A27763-F62A-4114-9072-E81D87DE3B68}"
[HKEY_CLASSES_ROOT\CLSID\{95A27763-F62A-4114-9072-E81D87DE3B68}]
2010-06-28 21:33 668816 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Blue]
@="{E300CD91-100F-4E67-9AF3-1384A6124015}"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Partial]
@="{E300CD91-100F-4E67-9AF3-1384A6124015}"
[HKEY_CLASSES_ROOT\CLSID\{E300CD91-100F-4E67-9AF3-1384A6124015}]
2010-06-28 21:33 668816 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Red]
@="{01CCCC8C-1D50-4b13-B96D-4B922DD3128B}"
[HKEY_CLASSES_ROOT\CLSID\{01CCCC8C-1D50-4b13-B96D-4B922DD3128B}]
2010-06-28 21:33 668816 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Yellow]
@="{5E529433-B50E-4bef-A63B-16A6B71B071A}"
[HKEY_CLASSES_ROOT\CLSID\{5E529433-B50E-4bef-A63B-16A6B71B071A}]
2010-06-28 21:33 668816 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"Messenger (Yahoo!)"="c:\progra~1\Yahoo!\Messenger\YahooMessenger.exe" [2010-06-01 5252408]
"Evernote"="c:\program files\Evernote\Evernote3.5\evernote.exe" [2010-08-03 4093376]
"Aim6"="c:\program files\AIM6\aim6.exe" [2009-05-19 49968]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-10-25 2424560]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-10-03 198160]
"Samsung PanelMgr"="c:\windows\Samsung\PanelMgr\ssmmgr.exe" [2006-08-09 507904]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2007-04-17 63048]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-10-15 94208]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-10-15 114688]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-10-15 77824]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"Carbonite Backup"="c:\program files\Carbonite\Carbonite Backup\CarboniteUI.exe" [2010-06-28 900240]
"vptray"="c:\program files\NavNT\vptray.exe" [2000-12-22 53248]
"sfagent"="c:\program files\Fighters\sfagent.exe" [2010-10-21 760968]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]

c:\documents and settings\Bo\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk.disabled [2007-3-14 1040]
Adobe Gamma.lnk.disabled [2007-4-12 1042]
America Online 9.0 Tray Icon.lnk.disabled [2006-4-29 831]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2008-10-16 214360]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-1-21 65588]
Microsoft Office.lnk.disabled [2008-2-10 1779]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2010-5-18 1154848]
QuickBooks Update Agent.lnk.disabled [2008-5-29 2163]
TotalMedia Backup Monitor.lnk - c:\program files\ArcSoft\TotalMedia Backup & Record\uBBMonitor.exe [2010-2-18 278528]
USBKVM Switcher.lnk - c:\program files\Trendnet\USBKVM Switcher\USBKVM.exe [2010-2-24 589824]
Windows Search.lnk.disabled [2009-6-7 1841]
Yahoo! Autosync.lnk.disabled [2008-5-12 850]
ymetray.lnk.disabled [2008-2-8 972]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"= "r:\eudora files\EuShlExt.dll" [2006-08-17 86016]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2010-09-29 07:12 87424 ----a-w- c:\windows\system32\LMIinit.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" /startup
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" /background
"ctfmon.exe"=c:\windows\system32\ctfmon.exe
"BitTorrent DNA"="c:\program files\DNA\btdna.exe"
"Search Protection"=c:\program files\Yahoo!\Search Protection\SearchProtection.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"DMXLauncher"=c:\program files\Dell\Media Experience\DMXLauncher.exe
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" /P dellsupportcenter
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe"
"MSKDetectorExe"=c:\program files\McAfee\SpamKiller\MSKDetct.exe /uninstall
"SigmatelSysTrayApp"=stsystra.exe
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe"
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
"Samsung PanelMgr"=c:\windows\Samsung\PanelMgr\ssmmgr.exe /autorun
"PWRISOVM.EXE"=c:\program files\PowerISO\PWRISOVM.EXE
"KernelFaultCheck"=%systemroot%\system32\dumprep 0 -k
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe"
"<NO NAME>"=
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
"Ask and Record FLV Service"="c:\program files\Replay Media Catcher\FLVSrvc.exe" /run
"DNS7reminder"="d:\dragon\Ereg\Ereg.exe" -r "c:\documents and settings\All Users\Application Data\Nuance\NaturallySpeaking10\Ereg.ini
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe"
"HP Software Update"=c:\program files\HP\HP Software Update\HPWuSchd2.exe
"Intuit SyncManager"=c:\program files\Common Files\Intuit\Sync\IntuitSyncManager.exe startup
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" -start
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\ICWin313\\j2re1.4.2_04\\bin\\java.exe"=
"c:\\Program Files\\Macromedia\\Dreamweaver MX 2004\\Dreamweaver.exe"=
"c:\\Program Files\\FileZilla\\FileZilla.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Adobe\\Adobe Contribute CS3\\Contribute.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2008\\QBDBMgrN.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Adobe\\Adobe Dreamweaver CS4\\Dreamweaver.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfcCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxs08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqfxt08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgh.exe"=
"c:\\Program Files\\HP\\HP Software Update\\hpwucli.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Smart Web Printing\\SmartWebPrintExe.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\{624E7452-BA43-4f55-B9D5-FC75EEA0808B}\\setup\\hpznui01.exe"=
"d:\\dragon\\Program\\datacollector.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2010\\QBDBMgrN.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Rhapsody\\rhapsody.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4
"4457:TCP"= 4457:TCP:Application Sharing
"4458:TCP"= 4458:TCP:Application Sharing

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [02/17/10 1:25 PM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [05/10/10 1:41 PM 67656]
R2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\LogMeIn\x86\LMIGuardianSvc.exe [09/29/10 12:05 PM 374152]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [06/04/07 2:47 PM 12856]
R2 SPAMfighter Update Service;SPAMfighter Update Service;c:\program files\Fighters\sfus.exe [10/21/10 7:44 AM 189064]
R2 Suite Service;Suite Service;c:\program files\Fighters\FighterSuiteService.exe [10/21/10 7:44 AM 1130120]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [05/02/07 1:49 PM 24652]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - KGLCYKOD
*Deregistered* - kglcykod
*Deregistered* - MBAMSwissArmy

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2010-11-22 c:\windows\Tasks\ABF OB backup.job
- c:\program files\ABF software\ABF Outlook Backup\abfOutlookBackup.exe [2007-07-17 16:34]

2010-11-20 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2010-11-18 c:\windows\Tasks\NatSpeak Periodic Acoustic Optimization.job
- d:\dragon\Program\schedmgr.exe [2009-02-13 08:21]

2010-11-18 c:\windows\Tasks\NatSpeak Periodic Data Collection.job
- d:\dragon\Program\datacollector.exe [2009-02-13 08:21]

2010-11-22 c:\windows\Tasks\NatSpeak Periodic Language Model Optimization.job
- d:\dragon\Program\schedmgr.exe [2009-02-13 08:21]

2010-11-22 c:\windows\Tasks\RegCure Program Check.job
- c:\program files\RegCure\RegCure.exe [2010-05-19 23:20]

2010-11-21 c:\windows\Tasks\RegCure.job
- c:\program files\RegCure\RegCure.exe [2010-05-19 23:20]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://yahoo.com/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
IE: Add to &Evernote - c:\program files\Evernote\Evernote3.5\enbar.dll/2000
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
IE: {{E0B8C461-F8FB-49b4-8373-FE32E92528A6} - {BC0E0A5D-AB5A-4fa4-A5FA-280E1D58EEEE} - c:\program files\Evernote\Evernote3.5\enbar.dll
Handler: intu-help-qb3 - {c5e479ea-0a65-4b05-8c6c-2fc8cc682eb4} - c:\program files\Intuit\QuickBooks 2010\HelpAsyncPluggableProtocol.dll
DPF: vzTCPConfig - hxxp://www2.verizon.net/help/fios_settings/include/vzTCPConfig.CAB
DPF: {164B406B-0FD6-4E7F-BA7E-64D227D4CA37} - hxxp://www.digitalwebbooks.com/reader/dbplugin.cab
FF - ProfilePath - c:\documents and settings\Bo\Application Data\Mozilla\Firefox\Profiles\d18038a5.default\
FF - prefs.js: browser.search.defaulturl -
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - component: c:\documents and settings\Bo\Application Data\Mozilla\Firefox\Profiles\d18038a5.default\extensions\{E0B8C461-F8FB-49b4-8373-FE32E9252800}\platform\WINNT_x86-msvc\components\enbar.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-11-22 22:43
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(776)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\windows\system32\LMIinit.dll
c:\windows\system32\LMIRfsClientNP.dll
c:\windows\system32\NavLogon.dll

- - - - - - - > 'explorer.exe'(3416)
c:\windows\system32\WININET.dll
c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\windows\system32\LMIRfsClientNP.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\hnetcfg.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-11-22 22:47:07
ComboFix-quarantined-files.txt 2010-11-23 03:47
ComboFix2.txt 2010-11-18 05:53

Pre-Run: 27,710,009,344 bytes free
Post-Run: 27,704,770,560 bytes free

- - End Of File - - ABD53D3010FF9C663670E167A357DBB5
 
Hi,

You're using a file sharing program; this is most likely how you got infected. The bad guys know this and are using programs like this to infect computers: you're downloading that file from an unknown source, and most contain some sort of malware.

You need to uninstall this via Add/Remove Programs in the Control Panel:
c:\\Program Files\\DNA\\btdna.exe"=


Let's see if we can update your Malwarebytes.


1. Uninstall Malwarebytes' Anti-Malware using Add/Remove programs in the control panel.
2. Restart your computer (very important).
3. Download and run this utility. Mbam clean
http://www.malwarebytes.org/mbam-clean.exe
4. It will ask to restart your computer (please allow it to).
5. After the computer restarts, install the latest version from here. http://www.malwarebytes.org/mbam-download.php
Note: You will need to reactivate the program using the license you were sent.
Note: If using Free version, ignore the part about putting in your license key and activating.
Launch the program and set the Protection and Registration.
Then go to the UPDATE tab if not done during installation and check for updates.
Restart the computer again and verify that MBAM is in the task tray and run a Quick Scan and post that log.
 
Wow, I just can't win here.
Malwarebytes was the free version, and even after following your instructions to the letter and trying it with my virus checker removed, it still got me the dreaded error. It won't update. I'm running the full scan now in case it helps... but not sure if it's going to help since it didn't update.
 
There is a patch, I believe, that can be installed to fix Malwarebytes. Why don't you post directly in their forum, where the people that own and maintain this great tool can help you get it up and running. When they do, open the program, check for updates, run the quick scan and post the log please.
http://forums.malwarebytes.org/index.php?showforum=41


Please run this free online virus scanner from ESET
  • Note: You will need to use Internet explorer for this scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the option Remove found threats is ticked, and the option Scan unwanted applications is checked
  • Click Scan
  • Wait for the scan to finish
  • Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic
 
I have had no luck getting Malwarebytes to work. From what I've read, it's possible that the virus is not letting it work.

Also, wondering now if it could be in my router, as I had told you. All the computers on my network are affected... so that would make sense, although they do share hard drives, so it could happen that way as well.

Any thoughts on what to do if it's in the router? I have a Verizon FiOS setup with their typical router/wireless/modem box.

Here is the info from ESET:

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=efb7e1e527211e408aa3edeb97a81266
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2010-11-29 11:56:48
# local_time=2010-11-29 06:56:48 (-0500, Eastern Standard Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 2
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=768 16777215 100 0 0 0 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=263567
# found=7
# cleaned=7
# scan_time=6065
C:\Documents and Settings\All Users\Application Data\AOL Downloads\SUD4131\setup.exe probably a variant of Win32/Agent.HZHBURL trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\Bo\Desktop\downloads, hacks and programs\slow-pcfighter_Web.exe a variant of Win32/SlowPCfighter application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\Bo\My Documents\Downloads\slow-pcfighter_Web.exe probably a variant of Win32/SlowPCfighter application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP20\A0008809.exe probably a variant of Win32/Agent.HZHBURL trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP20\A0008810.exe a variant of Win32/SlowPCfighter application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
D:\tbackup\home\clip\uploads\clips\Studio_8\artisanplayer.exe Win32/Adware.NdotNet application (deleted - quarantined) 00000000000000000000000000000000 C
D:\tbackup\home\clip\uploads\clips\Studio_8\artisanplayer1.exe Win32/Adware.NdotNet application (deleted - quarantined) 00000000000000000000000000000000 C
 
What I would do is disconnect your other computers from your network. Not sure about the FiOS setup as it's new, but you may want to call them and ask how to reset the router. On most routers there is a tiny hole that you can put a paper clip in and it will reset it; then you're going to have to reinstall it.

We can also clear your DNS Cache

Copy and paste these lines into Notepad.

Code:
    @Echo on
    rem Rebuild a default HOSTS file (drops any redirect entries malware added)
    pushd \windows\system32\drivers\etc
    attrib -h -s -r hosts
    echo 127.0.0.1 localhost>HOSTS
    attrib +r +h +s hosts
    popd
    rem Renew the lease, flush the resolver cache and reset the network stack
    ipconfig /release
    ipconfig /renew
    ipconfig /flushdns
    netsh winsock reset all
    netsh int ip reset all
    rem Reboot, then remove this batch file
    shutdown -r -t 1
    del %0


Save as flush.bat to your desktop. Double-click to run.
*** Note: Win Vista and Win 7 users need to right-click and choose "Run as Administrator". The computer will reboot itself.




Download the HostsXpert 4.3 - Hosts File Manager.
  • Unzip HostsXpert 4.2.0.0 - Hosts File Manager to a convenient folder such as C:\HostsXpert
  • Click HostsXpert.exe to Run HostsXpert - Hosts File Manager from its new home
  • Click "Make Hosts Writable?" in the upper left corner.
  • Click Restore Microsoft's Hosts file and then click OK.
  • Click the X to exit the program.
  • Note: If you were using a custom Hosts file you will need to replace any of those entries yourself.
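A HOSTS file that maps security-vendor sites to loopback (so updates fail) or to a stranger's address (so the vendor page is replaced by a bogus one) is the kind of tampering the flush script and HostsXpert steps above undo. The checker below is an added example, not part of the original thread or any of the tools it mentions; the watched-domain list and the sample HOSTS text are constructed for illustration.

```python
"""Flag HOSTS entries that block or redirect security-vendor sites.

Added example, not from the thread. The sample file and the watched
domain list are constructed; 192.0.2.10 is a documentation address.
"""
import ipaddress

# Hypothetical watch list: sites the thread's cleanup tools depend on.
WATCHED_SUFFIXES = ("spybot.info", "malwarebytes.org", "eset.com",
                    "microsoft.com")

# Constructed sample: a default header line plus two tampered entries.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.malwarebytes.org        # update server blocked
192.0.2.10      www.spybot.info forums.spybot.info   # redirect to bogus page
127.0.0.1       ads.example.net             # ordinary ad-block entry
"""


def parse_hosts(text):
    """Return (ip, hostname) pairs; blank lines, comments and junk are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # not a valid address; the resolver ignores it too
        for name in parts[1:]:
            entries.append((ip, name.lower()))
    return entries


def classify(text):
    """Return (ip, name, kind) for each watched domain found in the file.

    kind is 'blocked' when the domain points at loopback/unspecified
    (updates silently fail) and 'redirected' when it points anywhere else.
    """
    hits = []
    for ip, name in parse_hosts(text):
        if any(name == s or name.endswith("." + s) for s in WATCHED_SUFFIXES):
            kind = "blocked" if (ip.is_loopback or ip.is_unspecified) else "redirected"
            hits.append((str(ip), name, kind))
    return hits
```

Run it against a copy of C:\Windows\System32\drivers\etc\hosts; a clean default file yields no hits, and anything reported is a candidate for the restore steps above.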



If malware was preventing Malwarebytes from running, when you clicked on it it would do nothing.


It's been a while; post a new OTL log.
 
I think I've solved it

It seems to have been in the router
I reset it and it seems to be gone.

crossing fingers....

if so, thank you so much for all your help... you guys are amazing here... helping all of us for absolutely no money whatsoever...

I made a donation to you folks a week or so ago, to show my appreciation, please also accept my glowing accolades as well.

a heartfelt thank you for your precious time.

regards
 
That's great :bigthumb:

Thanks for the donation, every donation big or small just goes for research and to help keep the forum up and running :)

I will keep this thread open for you for a few days; post back if things reoccur.

Open OTL and click on Cleanup and it will remove most of the tools we used to clean your system along with their backups.





Safe Surfn
Ken
 
Since this issue appears to be resolved ... this Topic has been closed. Glad I could help.
 