Desot, Rootkit, Porntube...HELPPPPP

Unfortunately, your log shows a dangerous trojan is residing on your computer which has a backdoor functionality. It is possible that a remote attacker has already breached your computer. If you do any banking or other financial transactions on the computer, or if it contains any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would
be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, your computer is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the Operating System.

Visit the following sites for more information on internet theft and when to reformat!
How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

Should you decide not to follow that advice, we will of course do our best to clean the computer of any infections that we can see but, as I already stated, we can in no way guarantee it to be trustworthy.

If you have any questions before making a final decision, please feel free to ask.

Please let me know if you would like to continue with trying to clean your computer.

Instead, if you decide to format and reinstall, please disconnect your computer from the Internet immediately.

Guides for format and reinstall: http://www.geekpolice.net/tutorials-guides-f13/how-to-reformat-and-reinstall-your-operating-system-t15119.htm#95115

http://www.helpmyos.com/tutorials-software-alternatives-to-proprietary-f19/how-to-reformat-and-reinstall-your-operating-system-the-easy-way-t1307.htm#3143

Is it safe to use; but just not performing banking transactions on here? I JUST viewed my bank account information about 2 minutes ago.
Did you say that if I changed my passwords on another computer then this computer would be safe to use?

I would like to continue to clean this system

Please download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please reboot to Safe Mode (tap the F8 key just before Windows starts to load and select the Safe Mode option from the menu).

• Open the extracted SDFix folder and double click RunThis.bat to start the script.
  
• Type Y to begin the cleanup process.
  
• It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  
• Press any Key and it will restart the PC.
  
• When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  
• Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
  (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  
• Finally paste the contents of the Report.txt back on the forum with a new HijackThis log
  

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:53:31 PM, on 10/14/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\dlbucoms.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Documents and Settings\user\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Java\jre6\bin\jucheck.exe
C:\Documents and Settings\user\Desktop\HijackThis1.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O3 - Toolbar: MSN Toolbar - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - C:\Program Files\MSN\Toolbar\3.0.0988.2\msneshellx.dll
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [DLBUCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLBUtime.dll,_RunDLLEntry@16
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\user\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\11d9db9c-3f06-4cd2-938f-dc7c338b093b.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-21-790525478-688789844-1343024091-1004\..\Run: [Google Update] "C:\Documents and Settings\user\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c (User '?')
O4 - HKUS\S-1-5-21-790525478-688789844-1343024091-1004\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\11d9db9c-3f06-4cd2-938f-dc7c338b093b.exe (User '?')
O4 - HKUS\S-1-5-21-790525478-688789844-1343024091-1004\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://ciscosales.webex.com/client/T26LSP49EP12/webex/ieatgpc.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: McAfee Application Installer Cleanup (0092171255552200) (0092171255552200mcinstcleanup) - Unknown owner - C:\WINDOWS\TEMP\009217~1.EXE (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: dlbu_device - - C:\WINDOWS\system32\dlbucoms.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: WDefend - Unknown owner - C:\WINDOWS\svohost.exe (file missing)

--
End of file - 4574 bytes

Sorry here is the SDFIX log...

SDFix: Version 1.240
Run by user on Wed 10/14/2009 at 09:08 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\188065~1 - Deleted
C:\DOCUME~1\USER\COOKIES\ZOZERY~1.SYS - Deleted





Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-14 21:13:54
Windows 5.1.2600 Service Pack 3 NTFS

scanning hȋdden processes ...

scanning hȋdden services & system hive ...

scanning hȋdden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"
@=""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"
@=""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"
@=""

scanning hȋdden files ...

scan completed successfully
hȋdden processes: 0
hȋdden services: 0
hȋdden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\WINDOWS\\system32\\dlbucoms.exe"="C:\\WINDOWS\\system32\\dlbucoms.exe:*:Enabled:Photo AIO Printer 942 Server"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with hȋdden Attributes :

Sat 29 Aug 2009 20,688 A.SHR --- "C:\Program Files\McAfee\MQC\MRU.bak"
Sat 29 Aug 2009 265 A.SHR --- "C:\Program Files\McAfee\MQC\qcconf.bak"
Mon 10 Nov 2008 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Mon 14 Sep 2009 88,576 ...H. --- "C:\Documents and Settings\user\Desktop\CRIM\~WRL0440.tmp"
Tue 30 Jun 2009 59,392 ...H. --- "C:\Documents and Settings\user\Desktop\Onyx\~WRL2578.tmp"
Fri 2 May 2008 3,493,888 A..H. --- "C:\Documents and Settings\user\Application Data\U3\temp\Launchpad Removal.exe"
Thu 3 Sep 2009 170,496 ...H. --- "C:\Documents and Settings\user\Desktop\Onyx\ONYX BP\~WRL0153.tmp"
Thu 3 Sep 2009 172,544 ...H. --- "C:\Documents and Settings\user\Desktop\Onyx\ONYX BP\~WRL0326.tmp"
Thu 3 Sep 2009 172,032 ...H. --- "C:\Documents and Settings\user\Desktop\Onyx\ONYX BP\~WRL1665.tmp"
Thu 3 Sep 2009 172,544 ...H. --- "C:\Documents and Settings\user\Desktop\Onyx\ONYX BP\~WRL2031.tmp"
Thu 3 Sep 2009 172,544 ...H. --- "C:\Documents and Settings\user\Desktop\Onyx\ONYX BP\~WRL2257.tmp"
Thu 3 Sep 2009 172,032 ...H. --- "C:\Documents and Settings\user\Desktop\Onyx\ONYX BP\~WRL2344.tmp"
Thu 3 Sep 2009 170,496 ...H. --- "C:\Documents and Settings\user\Desktop\Onyx\ONYX BP\~WRL2669.tmp"
Thu 3 Sep 2009 180,736 ...H. --- "C:\Documents and Settings\user\Desktop\Onyx\ONYX BP\~WRL3064.tmp"
Thu 3 Sep 2009 171,520 ...H. --- "C:\Documents and Settings\user\Desktop\Onyx\ONYX BP\~WRL3122.tmp"
Thu 3 Sep 2009 171,520 ...H. --- "C:\Documents and Settings\user\Desktop\Onyx\ONYX BP\~WRL3392.tmp"
Thu 3 Sep 2009 171,008 ...H. --- "C:\Documents and Settings\user\Desktop\Onyx\ONYX BP\~WRL3905.tmp"
Thu 3 Sep 2009 172,544 ...H. --- "C:\Documents and Settings\user\Desktop\Onyx\ONYX BP\~WRL3915.tmp"
Thu 3 Sep 2009 170,496 ...H. --- "C:\Documents and Settings\user\Desktop\Onyx\ONYX BP\~WRL3925.tmp"
Thu 3 Sep 2009 172,544 ...H. --- "C:\Documents and Settings\user\Desktop\Onyx\ONYX BP\~WRL3938.tmp"

Finished!

Please re-run ComboFix as noted above and post a log.

ComboFix 09-10-15.04 - user 10/15/2009 21:36.5.1 - NTFSx86
Running from: c:\documents and settings\user\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Install.txt
c:\windows\system32\Install.txt

.
((((((((((((((((((((((((( Files Created from 2009-09-16 to 2009-10-16 )))))))))))))))))))))))))))))))
.

2009-10-15 02:07 . 2009-10-15 02:07 578560 -c--a-w- c:\windows\system32\dllcache\user32.dll
2009-10-15 02:05 . 2009-10-15 02:05 -------- d-----w- c:\windows\ERUNT
2009-10-15 02:01 . 2009-10-15 02:17 -------- d-----w- C:\SDFix
2009-10-14 22:50 . 2009-10-14 22:50 -------- d-----w- c:\documents and settings\user\Application Data\Malwarebytes
2009-10-14 22:50 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-14 22:50 . 2009-10-14 22:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-10-14 22:50 . 2009-09-10 19:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-14 22:50 . 2009-10-14 22:50 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-14 07:25 . 2009-10-14 07:25 -------- d-----w- c:\windows\srchasst

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-14 20:29 . 2009-08-25 18:03 -------- d-----w- c:\program files\McAfee
2009-10-14 08:54 . 2009-08-24 06:25 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-10-14 08:21 . 2008-10-01 20:21 -------- d-----w- c:\program files\dl_Cats
2009-10-11 06:05 . 2009-08-24 18:55 664 ----a-w- c:\documents and settings\user\Local Settings\Application Data\d3d9caps.dat
2009-09-05 04:24 . 2009-09-05 04:24 -------- d-----w- c:\documents and settings\All Users\Application Data\PopCap
2009-09-03 07:47 . 2009-09-03 07:47 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-08-27 01:48 . 2009-08-27 01:48 68256 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-26 21:46 . 2009-08-27 03:34 3185678 ----a-w- C:\ComboFix.exe
2009-08-25 20:38 . 2009-08-25 17:32 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-08-25 18:07 . 2009-08-25 18:04 -------- d-----w- c:\program files\Common Files\McAfee
2009-08-25 18:05 . 2009-08-25 18:03 -------- d-----w- c:\program files\McAfee.com
2009-08-25 04:55 . 2009-08-25 04:55 -------- d-----w- c:\documents and settings\user\Application Data\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
2009-08-24 20:59 . 2009-08-24 20:59 -------- d-----w- c:\program files\Trend Micro
2009-08-24 13:38 . 2009-08-24 13:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-08-24 13:24 . 2009-08-24 18:06 812344 ----a-w- C:\HJTInstall.exe
2009-08-24 13:10 . 2009-08-24 13:11 389120 ----a-w- c:\windows\system32\CF17216.exe
2009-08-24 06:25 . 2009-08-24 06:25 -------- d-----w- c:\documents and settings\user\Application Data\SUPERAntiSpyware.com
2009-08-24 05:59 . 2009-08-24 05:59 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-08-23 00:03 . 2008-07-17 16:01 -------- d--h--w- c:\program files\InstallShield Installation Information
.

((((((((((((((((((((((((((((( SnapShot@2009-10-14_09.59.57 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-10-14 15:47 . 2009-10-14 15:43 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-07-17 15:43 . 2009-10-14 15:43 98304 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-07-17 15:43 . 2009-10-14 07:31 98304 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-10-14 15:47 . 2009-10-14 15:43 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-10-15 02:05 . 2009-10-15 02:05 233472 c:\windows\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat
+ 2009-10-15 02:05 . 2008-08-07 20:27 163328 c:\windows\ERUNT\SDFIX_First_Run\ERDNT.EXE
+ 2009-10-15 02:05 . 2009-10-15 02:05 233472 c:\windows\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2009-10-15 02:05 . 2008-08-07 20:27 163328 c:\windows\ERUNT\SDFIX\ERDNT.EXE
+ 2009-10-15 02:05 . 2009-10-15 02:05 3850240 c:\windows\ERUNT\SDFIX_First_Run\Users\00000001\NTUSER.DAT
+ 2009-10-15 02:05 . 2009-10-15 02:05 3850240 c:\windows\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\user\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-02-09 133104]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\11d9db9c-3f06-4cd2-938f-dc7c338b093b.exe" [2009-08-05 1830128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-11-11 344064]
"NeroCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-20 77824]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-02-16 148888]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"DLBUCATS"="c:\windows\system32\spool\DRIVERS\W32X86\3\DLBUtime.dll" [2007-02-12 73728]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 17:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\dlbucoms.exe"=

R2 0092171255552200mcinstcleanup;McAfee Application Installer Cleanup (0092171255552200);c:\windows\TEMP\009217~1.EXE [x]
R2 WDefend;WDefend;c:\windows\svohost.exe [x]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-08-05 7408]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2009-08-05 9968]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2009-08-05 74480]
S3 OZSCR;O2Micro SmartCardBus Smartcard Reader;c:\windows\system32\DRIVERS\ozscr.sys [2008-01-17 92550]


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
BtwSrv
.
Contents of the 'Scheduled Tasks' folder

2009-09-24 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-790525478-688789844-1343024091-1004Core.job
- c:\documents and settings\user\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-02-09 20:21]

2009-10-13 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-790525478-688789844-1343024091-1004UA.job
- c:\documents and settings\user\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-02-09 20:21]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://www.google.com
uInternet Connection Wizard,ShellNext = iexplore
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-15 21:45
Windows 5.1.2600 Service Pack 3 NTFS

scanning hȋdden processes ...

scanning hȋdden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DLBUCATS = rundll32 c:\windows\system32\spool\DRIVERS\W32X86\3\DLBUtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hȋdden files ...

scan completed successfully
hȋdden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
@DACL=(02 0000)
"Installed"="1"
@=""

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
@DACL=(02 0000)
"Installed"="1"
"NoChange"="1"
@=""

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
@DACL=(02 0000)
"Installed"="1"
@=""
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(696)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-10-16 21:49
ComboFix-quarantined-files.txt 2009-10-16 02:48
ComboFix2.txt 2009-10-14 22:27
ComboFix3.txt 2009-10-14 15:38
ComboFix4.txt 2009-10-14 10:23

Pre-Run: 10,428,555,264 bytes free
Post-Run: 10,465,759,232 bytes free

146 --- E O F --- 2009-04-16 01:50

Run the Malicious Software Removal tool

The Microsoft Malware Protection Center has updated the Malicious Software Removal tool (MSRT). This is a stand-alone binary that is useful in the removal of prevalent malicious software, and it can help remove malware.

Note The MSRT does not prevent reinfection because it is not a real-time antivirus program.

You can download the MSRT from here: http://www.microsoft.com/downloads/details.aspx?FamilyId=AD724AE0-E72D-4F54-9AB3-75B8EB148356&displaylang=en

Then, please run the tool.

NEXT

Please re-open Malwarebytes, click the Update tab, and click Check for Updates. Then, click the Scanner tab, select Perform Quick Scan, and press Scan. Remove selected, and post the log in your next reply.

Malwarebytes' Anti-Malware 1.41
Database version: 2971
Windows 5.1.2600 Service Pack 3

10/16/2009 9:33:56 AM
mbam-log-2009-10-16 (09-33-56).txt

Scan type: Quick Scan
Objects scanned: 98812
Time elapsed: 7 minute(s), 39 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

One more scan for malware to make sure...

Please run Trend Micro Housecall online scan.

• Click Scan now.
  
• Read and put a Check next to Yes I accept the terms of use.
  
• Click the Launching HouseCall>> button.
  
• If confirmed that HouseCall can run on your system, under Using Java-based HouseCall kernel click the Starting HouseCall>> button.
  
• You may receive a Security Warning about the TrendMicro Java applet, click YES.
  
• Under Scan complete computer for malware, grayware, and vulnerabilities click the Next>> button.
  
• Please be patient while it installs, updates, and scans your system.
  
• Once the scan is complete, it will take you to the summary page.
  
• Under Cleanup options, choose clean all detected infections automatically.
  
• Click the Clean now>> button.
  
• If anything was found you may be prompted to run the scan again, you can just close the browser window.

It found 2 Trojans. 1 was ignored and the other was fȋxed.
What should I do now?

Sorry clicked Beta; I am performing the correct scan now!

Post when ready.

I am getting an error; it says that it is happening transferring from the internet...also it says that Java 1.4 or higher is not installed but it is.

ok. No big deal..

Please re-open Malwarebytes, click the Update tab, and click Check for Updates. Then, click the Scanner tab, select Perform Quick Scan, and press Scan. Remove selected, and post the log in your next reply.

Malwarebytes' Anti-Malware 1.41
Database version: 2991
Windows 5.1.2600 Service Pack 3

10/19/2009 8:21:16 PM
mbam-log-2009-10-19 (20-21-16).txt

Scan type: Quick Scan
Objects scanned: 122772
Time elapsed: 17 minute(s), 7 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Active Security (Rogue.ActiveSecurity) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Please download CKScanner by askey127 from here

Save it to your desktop.

• Doubleclick CKScanner.exe and click Search For Files.
  
• After a very short time, when the cursor hourglass disappears, click Save List To File.
  
• A message box will verify that the file is saved.
  
• Double-click the CKFiles.txt icon on your desktop and copy/paste the contents in your next reply.
  

NEXT

Download Security Check by screen317 from SpywareInfoforum.org or Changelog.fr.

• Save it to your Desktop.
• Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
• A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Please post the Security Check and CKScanner logs in your next reply.

CKScanner - Additional Security Risks - These are not necessarily bad
scanner sequence 3.MN.11
----- EOF -----


Results of screen317's Security Check version 0.99.0
Windows XP Service Pack 3
``````````````````````````````
Antivirus/Firewall Check:
Windows Firewall Disabled!
``````````````````````````````
Anti-malware/Other Utilities Check:
SUPERAntiSpyware Free Edition
HijackThis 2.0.2
Java(TM) 6 Update 16
Adobe Flash Player 10
Adobe Reader 9
``````````````````````````````
Process Check:
objlist.exe by Laurent
``````````````````````````````
DNS Vulnerability Check:
GREAT! (Not vulnerable to DNS cache poisoning)

`````````End of Log```````````

Hopefully this will be the last scan.

Please re-open Malwarebytes, click the Update tab, and click Check for Updates. Then, click the Scanner tab, select Perform Full Scan, and press Scan. Remove selected, and post the log in your next reply.

Malwarebytes' Anti-Malware 1.41
Database version: 2996
Windows 5.1.2600 Service Pack 3

10/20/2009 2:18:23 AM
mbam-log-2009-10-20 (02-18-23).txt

Scan type: Full Scan (C:\|)
Objects scanned: 139729
Time elapsed: 53 minute(s), 55 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WDefend (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Please re-run ComboFix and post a new log.

ComboFix 09-10-20.03 - user 10/21/2009 12:29.7.1 - NTFSx86
Running from: c:\documents and settings\user\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2009-09-21 to 2009-10-21 )))))))))))))))))))))))))))))))
.

2009-10-18 07:25 . 2009-10-18 07:25 -------- d-----w- C:\0838201a89dcf32945
2009-10-18 07:24 . 2009-10-18 07:47 -------- d-----w- C:\07f8d7f905cfd708ef591972759c48cd
2009-10-18 07:21 . 2009-10-18 07:21 -------- d-sh--w- c:\documents and settings\user\IECompatCache
2009-10-18 07:21 . 2009-10-18 07:21 -------- d-sh--w- c:\documents and settings\user\PrivacIE
2009-10-18 07:18 . 2009-10-18 07:18 -------- d-sh--w- c:\documents and settings\user\IETldCache
2009-10-18 07:10 . 2009-08-29 08:08 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2009-10-18 07:10 . 2009-08-29 08:08 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2009-10-18 07:10 . 2009-10-19 05:00 -------- d-----w- c:\windows\ie8updates
2009-10-18 07:10 . 2009-08-07 08:48 100352 -c----w- c:\windows\system32\dllcache\iecompat.dll
2009-10-18 07:02 . 2009-10-18 07:09 -------- dc-h--w- c:\windows\ie8
2009-10-18 06:30 . 2009-06-21 21:44 153088 -c----w- c:\windows\system32\dllcache\triedit.dll
2009-10-18 06:24 . 2009-07-10 13:27 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll
2009-10-18 03:40 . 2009-10-17 23:46 102664 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2009-10-17 23:46 . 2009-10-19 04:41 -------- d-----w- c:\documents and settings\user\.housecall6.6
2009-10-15 02:07 . 2009-10-15 02:07 578560 -c--a-w- c:\windows\system32\dllcache\user32.dll
2009-10-15 02:05 . 2009-10-15 02:05 -------- d-----w- c:\windows\ERUNT
2009-10-15 02:01 . 2009-10-15 02:17 -------- d-----w- C:\SDFix
2009-10-14 22:50 . 2009-10-14 22:50 -------- d-----w- c:\documents and settings\user\Application Data\Malwarebytes
2009-10-14 22:50 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-14 22:50 . 2009-10-14 22:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-10-14 22:50 . 2009-09-10 19:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-14 22:50 . 2009-10-14 22:50 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-14 07:25 . 2009-10-14 07:25 -------- d-----w- c:\windows\srchasst

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-18 02:16 . 2009-02-16 15:01 -------- d-----w- c:\program files\Java
2009-10-14 20:29 . 2009-08-25 18:03 -------- d-----w- c:\program files\McAfee
2009-10-14 08:54 . 2009-08-24 06:25 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-10-14 08:21 . 2008-10-01 20:21 -------- d-----w- c:\program files\dl_Cats
2009-10-11 06:05 . 2009-08-24 18:55 664 ----a-w- c:\documents and settings\user\Local Settings\Application Data\d3d9caps.dat
2009-09-11 14:18 . 2004-08-04 10:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-05 04:24 . 2009-09-05 04:24 -------- d-----w- c:\documents and settings\All Users\Application Data\PopCap
2009-09-04 21:03 . 2004-08-04 10:00 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-09-03 07:47 . 2009-09-03 07:47 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-08-29 08:08 . 2006-03-04 03:33 916480 ------w- c:\windows\system32\wininet.dll
2009-08-27 01:48 . 2009-08-27 01:48 68256 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-26 21:46 . 2009-08-27 03:34 3185678 ----a-w- C:\ComboFix.exe
2009-08-26 08:00 . 2004-08-04 10:00 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-25 20:38 . 2009-08-25 17:32 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-08-25 18:07 . 2009-08-25 18:04 -------- d-----w- c:\program files\Common Files\McAfee
2009-08-25 18:05 . 2009-08-25 18:03 -------- d-----w- c:\program files\McAfee.com
2009-08-25 04:55 . 2009-08-25 04:55 -------- d-----w- c:\documents and settings\user\Application Data\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
2009-08-24 20:59 . 2009-08-24 20:59 -------- d-----w- c:\program files\Trend Micro
2009-08-24 13:38 . 2009-08-24 13:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-08-24 13:24 . 2009-08-24 18:06 812344 ----a-w- C:\HJTInstall.exe
2009-08-24 13:10 . 2009-08-24 13:11 389120 ----a-w- c:\windows\system32\CF17216.exe
2009-08-24 06:25 . 2009-08-24 06:25 -------- d-----w- c:\documents and settings\user\Application Data\SUPERAntiSpyware.com
2009-08-24 05:59 . 2009-08-24 05:59 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-08-23 00:03 . 2008-07-17 16:01 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-08-05 09:01 . 2004-08-04 10:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-05 01:44 . 2005-03-30 01:23 2189184 ------w- c:\windows\system32\ntoskrnl.exe
2009-08-04 14:20 . 2005-03-30 01:01 2066048 ------w- c:\windows\system32\ntkrnlpa.exe
2009-07-31 20:23 . 2009-02-16 15:01 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-07-29 04:37 . 2004-08-04 10:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-07-29 04:37 . 2004-08-04 10:00 119808 ----a-w- c:\windows\system32\t2embed.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\user\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-02-09 133104]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\11d9db9c-3f06-4cd2-938f-dc7c338b093b.exe" [2009-08-05 1830128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-11-11 344064]
"NeroCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-20 77824]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"DLBUCATS"="c:\windows\system32\spool\DRIVERS\W32X86\3\DLBUtime.dll" [2007-02-12 73728]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-31 149280]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 17:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\dlbucoms.exe"=

R2 0092171255552200mcinstcleanup;McAfee Application Installer Cleanup (0092171255552200);c:\windows\TEMP\009217~1.EXE [x]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-08-05 7408]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2009-08-05 9968]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2009-08-05 74480]
S3 OZSCR;O2Micro SmartCardBus Smartcard Reader;c:\windows\system32\DRIVERS\ozscr.sys [2008-01-17 92550]


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
BtwSrv
.
Contents of the 'Scheduled Tasks' folder

2009-09-24 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-790525478-688789844-1343024091-1004Core.job
- c:\documents and settings\user\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-02-09 20:21]

2009-10-13 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-790525478-688789844-1343024091-1004UA.job
- c:\documents and settings\user\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-02-09 20:21]

2009-10-18 c:\windows\Tasks\User_Feed_Synchronization-{089CE16D-8AB0-4B2A-A55B-2690FC67855D}.job
- c:\windows\system32\msfeedssync.exe [2007-08-14 09:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = iexplore
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\user\Start Menu\Programs\IMVU\Run IMVU.lnk
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-21 12:37
Windows 5.1.2600 Service Pack 3 NTFS

scanning hȋdden processes ...

scanning hȋdden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DLBUCATS = rundll32 c:\windows\system32\spool\DRIVERS\W32X86\3\DLBUtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hȋdden files ...

scan completed successfully
hȋdden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
@DACL=(02 0000)
"Installed"="1"
@=""

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
@DACL=(02 0000)
"Installed"="1"
"NoChange"="1"
@=""

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
@DACL=(02 0000)
"Installed"="1"
@=""
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(696)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(2028)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-10-21 12:41
ComboFix-quarantined-files.txt 2009-10-21 17:41
ComboFix2.txt 2009-10-20 18:23
ComboFix3.txt 2009-10-16 02:49
ComboFix4.txt 2009-10-14 22:27
ComboFix5.txt 2009-10-21 17:26

Pre-Run: 9,579,098,112 bytes free
Post-Run: 9,565,155,328 bytes free

- - End Of File - - 33F99F809658DFC868438A06A47899B4

Re-running ComboFix to remove infections:

1. Close any open browsers.
   
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
   
3. Open notepad and copy/paste the text in the quotebox below into it:
   

   
   Registry::
   [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost]
   "BtwSrv"=-
   
   Netsvc::
   BtwSrv
   

4. Save this as CFScript.txt, in the same location as ComboFix.exe
   
   
   
   
5. Referring to the picture above, drag CFScript into ComboFix.exe
   
6. When finished, it shall produce a log for you at C:\ComboFix.txt
   
7. Please post the contents of the log in your next reply.

ComboFix 09-10-20.03 - user 10/21/2009 18:09.8.1 - NTFSx86
Running from: c:\documents and settings\user\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\user\Desktop\CFScript..txt
.

((((((((((((((((((((((((( Files Created from 2009-09-21 to 2009-10-21 )))))))))))))))))))))))))))))))
.

2009-10-18 07:25 . 2009-10-18 07:25 -------- d-----w- C:\0838201a89dcf32945
2009-10-18 07:24 . 2009-10-18 07:47 -------- d-----w- C:\07f8d7f905cfd708ef591972759c48cd
2009-10-18 07:21 . 2009-10-18 07:21 -------- d-sh--w- c:\documents and settings\user\IECompatCache
2009-10-18 07:21 . 2009-10-18 07:21 -------- d-sh--w- c:\documents and settings\user\PrivacIE
2009-10-18 07:18 . 2009-10-18 07:18 -------- d-sh--w- c:\documents and settings\user\IETldCache
2009-10-18 07:10 . 2009-08-29 08:08 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2009-10-18 07:10 . 2009-08-29 08:08 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2009-10-18 07:10 . 2009-10-19 05:00 -------- d-----w- c:\windows\ie8updates
2009-10-18 07:10 . 2009-08-07 08:48 100352 -c----w- c:\windows\system32\dllcache\iecompat.dll
2009-10-18 07:02 . 2009-10-18 07:09 -------- dc-h--w- c:\windows\ie8
2009-10-18 06:30 . 2009-06-21 21:44 153088 -c----w- c:\windows\system32\dllcache\triedit.dll
2009-10-18 06:24 . 2009-07-10 13:27 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll
2009-10-18 03:40 . 2009-10-17 23:46 102664 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2009-10-17 23:46 . 2009-10-19 04:41 -------- d-----w- c:\documents and settings\user\.housecall6.6
2009-10-15 02:07 . 2009-10-15 02:07 578560 -c--a-w- c:\windows\system32\dllcache\user32.dll
2009-10-15 02:05 . 2009-10-15 02:05 -------- d-----w- c:\windows\ERUNT
2009-10-15 02:01 . 2009-10-15 02:17 -------- d-----w- C:\SDFix
2009-10-14 22:50 . 2009-10-14 22:50 -------- d-----w- c:\documents and settings\user\Application Data\Malwarebytes
2009-10-14 22:50 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-14 22:50 . 2009-10-14 22:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-10-14 22:50 . 2009-09-10 19:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-14 22:50 . 2009-10-14 22:50 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-14 07:25 . 2009-10-14 07:25 -------- d-----w- c:\windows\srchasst

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-18 02:16 . 2009-02-16 15:01 -------- d-----w- c:\program files\Java
2009-10-14 20:29 . 2009-08-25 18:03 -------- d-----w- c:\program files\McAfee
2009-10-14 08:54 . 2009-08-24 06:25 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-10-14 08:21 . 2008-10-01 20:21 -------- d-----w- c:\program files\dl_Cats
2009-10-11 06:05 . 2009-08-24 18:55 664 ----a-w- c:\documents and settings\user\Local Settings\Application Data\d3d9caps.dat
2009-09-11 14:18 . 2004-08-04 10:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-05 04:24 . 2009-09-05 04:24 -------- d-----w- c:\documents and settings\All Users\Application Data\PopCap
2009-09-04 21:03 . 2004-08-04 10:00 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-09-03 07:47 . 2009-09-03 07:47 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-08-29 08:08 . 2006-03-04 03:33 916480 ------w- c:\windows\system32\wininet.dll
2009-08-27 01:48 . 2009-08-27 01:48 68256 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-26 21:46 . 2009-08-27 03:34 3185678 ----a-w- C:\ComboFix.exe
2009-08-26 08:00 . 2004-08-04 10:00 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-25 20:38 . 2009-08-25 17:32 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-08-25 18:07 . 2009-08-25 18:04 -------- d-----w- c:\program files\Common Files\McAfee
2009-08-25 18:05 . 2009-08-25 18:03 -------- d-----w- c:\program files\McAfee.com
2009-08-25 04:55 . 2009-08-25 04:55 -------- d-----w- c:\documents and settings\user\Application Data\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
2009-08-24 20:59 . 2009-08-24 20:59 -------- d-----w- c:\program files\Trend Micro
2009-08-24 13:38 . 2009-08-24 13:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-08-24 13:24 . 2009-08-24 18:06 812344 ----a-w- C:\HJTInstall.exe
2009-08-24 13:10 . 2009-08-24 13:11 389120 ----a-w- c:\windows\system32\CF17216.exe
2009-08-24 06:25 . 2009-08-24 06:25 -------- d-----w- c:\documents and settings\user\Application Data\SUPERAntiSpyware.com
2009-08-24 05:59 . 2009-08-24 05:59 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-08-23 00:03 . 2008-07-17 16:01 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-08-05 09:01 . 2004-08-04 10:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-05 01:44 . 2005-03-30 01:23 2189184 ------w- c:\windows\system32\ntoskrnl.exe
2009-08-04 14:20 . 2005-03-30 01:01 2066048 ------w- c:\windows\system32\ntkrnlpa.exe
2009-07-31 20:23 . 2009-02-16 15:01 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-07-29 04:37 . 2004-08-04 10:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-07-29 04:37 . 2004-08-04 10:00 119808 ----a-w- c:\windows\system32\t2embed.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\user\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-02-09 133104]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\11d9db9c-3f06-4cd2-938f-dc7c338b093b.exe" [2009-08-05 1830128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-11-11 344064]
"NeroCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-20 77824]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"DLBUCATS"="c:\windows\system32\spool\DRIVERS\W32X86\3\DLBUtime.dll" [2007-02-12 73728]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-31 149280]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 17:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\dlbucoms.exe"=

R2 0092171255552200mcinstcleanup;McAfee Application Installer Cleanup (0092171255552200);c:\windows\TEMP\009217~1.EXE [x]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-08-05 7408]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2009-08-05 9968]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2009-08-05 74480]
S3 OZSCR;O2Micro SmartCardBus Smartcard Reader;c:\windows\system32\DRIVERS\ozscr.sys [2008-01-17 92550]

.
Contents of the 'Scheduled Tasks' folder

2009-09-24 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-790525478-688789844-1343024091-1004Core.job
- c:\documents and settings\user\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-02-09 20:21]

2009-10-13 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-790525478-688789844-1343024091-1004UA.job
- c:\documents and settings\user\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-02-09 20:21]

2009-10-18 c:\windows\Tasks\User_Feed_Synchronization-{089CE16D-8AB0-4B2A-A55B-2690FC67855D}.job
- c:\windows\system32\msfeedssync.exe [2007-08-14 09:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = iexplore
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\user\Start Menu\Programs\IMVU\Run IMVU.lnk
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-21 18:16
Windows 5.1.2600 Service Pack 3 NTFS

scanning hȋdden processes ...

scanning hȋdden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DLBUCATS = rundll32 c:\windows\system32\spool\DRIVERS\W32X86\3\DLBUtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hȋdden files ...

scan completed successfully
hȋdden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
@DACL=(02 0000)
"Installed"="1"
@=""

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
@DACL=(02 0000)
"Installed"="1"
"NoChange"="1"
@=""

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
@DACL=(02 0000)
"Installed"="1"
@=""
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(696)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(3140)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-10-21 18:22
ComboFix-quarantined-files.txt 2009-10-21 23:21
ComboFix2.txt 2009-10-21 17:41
ComboFix3.txt 2009-10-20 18:23
ComboFix4.txt 2009-10-16 02:49
ComboFix5.txt 2009-10-21 23:06

Pre-Run: 9,590,427,648 bytes free
Post-Run: 9,557,635,072 bytes free

- - End Of File - - 9D4DFEA755E0B1369E62BEE540F99B4C

Please read the following information that I have provided, which will help you prevent malicious software in the future. Please keep in mind, malware is a continuous danger on the Internet. It is highly important to stay safe while browsing, to prevent re-infection.

Software recommendations

Antivirus/Antispyware

• Microsoft Security Essentials: this is Microsoft's free antivirus/antispyware program. It equips you with protection against viruses, spyware, trojans, rootkits, and worms. It is also light on the computer's performance. Note: when installing this, you have both an antivirus and antispyware. Make sure you also get a firewall.
  
• AVG Free: this is one of the most powerful, and easiest to use security software. The free version equips you with protection against viruses, spyware, trojans, rootkits, worms, and rogue software. Note: when installing this, you have both an antivirus and antispyware. Make sure you also get a firewall.

Firewall

• Tallemu Online Armor: the free version is just as good as the premium. I have linked you to the free version.
  
• Comodo Firewall: the free version is just as good as the premium. I have linked you to the free version. The optional security suite enhances the firewall by 40% increase. If you would like to install the suite that includes antivirus, then remove your old antivirus first.
  
• PC Tools Firewall Plus: free and excellent firewall.

Note: Please keep ALL of these programs up-to-date and run them whenever you suspect a problem to prevent malware problems.

Resident Protection help
A number of programs have resident protection and it is a good idea to run the resident protection of one of each type of program to maintain protection. However, it is important to run only one resident program of each type since they can conflict and become less effective. That means only one antivirus, firewall, and scanning anti-spyware program at a time. Passive protectors such as SpywareBlaster can be run with any of them.

Rogue programs help
There are a lot of rogue programs out there that want to scare you into giving them your money and some malware actually claims to be security programs. If you get a popup for a security program that you did not install yourself, do NOT click on it and ask for help immediately. It is very important to run an antivirus and firewall, but you can't always rely on reviews and ads for information. Ask in a security forum that you trust if you are not sure. If you are unsure and looking for anti-spyware programs, you can find out if it is a rogue here:
http://www.spywarewarrior.com/rogue_anti-spyware.htm

Securing your computer

• Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.
  
• hpHosts file replaces your current HOSTS file with one containing well known ad sites and other bad sites. This prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer's loopback address, meaning it will be difficult to infect your computer in the future.
  

Please consider using an alternate browser
Mozilla's Firefox browser is a very good alternative. In addition to being generally more secure than Internet Explorer, it has a very good built-in popup blocker and add-ons, like NoScript, can make it even more secure. Opera is another good option.

If you are interested:

• Firefox may be downloaded from here: http://www.getfirefox.com
  
• Opera is available here: http://www.opera.com/download/
  

Thank you for choosing GeekPolice. Please see this page if you would like to leave feedback or contribute to our site. Do you have any more questions?

Is it safe for me to install Microsoft 07 now? It says that I don't have Microsoft on here; from the start menu shows that Microsoft is empty.
Also I can download McAfee free from Comcast, should I do that as well?

Would that be Microsoft Office 2007? Or Microsoft Security Essentials (MSE)?

If you would like to use McAfee, rather, go ahead. I recommend AVG or MSE!

That would be Microsoft Office 2007 and I will download AVG now!

I downloaded AVG and TallEMU Online Armor. I was a bit confused as to what I was to do once I opened the HPhost file.

I can't say it enough how much I appreciate your help. Because of your kindness I have been able to stay in school, and send out resumes. I NOW have a job, and I promise that I am going to make a sizable contribution to your site once I receive a paycheck.
I am most grateful to you and those that serve with you! Your assistance and patience will never be forgotten or unappreciated!

THANK YOU!!! I will await your instructions pertaining to Window 07 and should I add the free McAfee from Comcast atop the AVG, Tallemu, that I downloaded.

Microsoft Security Center is saying that I have a firewall and automatic updates on, but is not detecting an antivirus. I download the free AVG. Did I do something wrong?

Click on the Security Center, and click Recommendations under Antivirus. Then click You have an Antivirus you will monitor yourself.