
Author Topic: Search Links Redirecting Me to Wrong Pages  (Read 12077 times)


HollowNobody

Search Links Redirecting Me to Wrong Pages
« on: October 14, 2009, 09:21:33 PM »
I know that there currently is another thread on this, but as most forums do not condone hijacking other people's threads I decided it was best to make my own.

Whenever I do a search on Google (or any other website for that matter) the link I click on leads me to the incorrect page. Most of the pages that I am redirected to are advertisements, but some of them have been harmful pages that AVG has blocked me from viewing.

I should probably mention that for some reason I can't get into Safe Mode, but that is for another thread, another time. Unless it's somehow related...

Anyway, I followed the directions on the first post, and here are the results.


Step 1: Add or Remove Programs

Nothing fishy looking in here.

Step 2: House Cleaning
Ran CCleaner.

Step 3: SUPERAntiSpyware

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 10/14/2009 at 10:56 PM

Application Version : 4.29.1002

Core Rules Database Version : 4162
Trace Rules Database Version: 2086

Scan type       : Complete Scan
Total Scan Time : 01:10:24

Memory items scanned      : 433
Memory threats detected   : 0
Registry items scanned    : 4737
Registry threats detected : 0
File items scanned        : 115778
File threats detected     : 0


Step 4: Malwarebytes Anti-Malware (MBAM)

Malwarebytes' Anti-Malware 1.41
Database version: 2949
Windows 5.1.2600 Service Pack 3

10/14/2009 10:05:58 pm
mbam-log-2009-10-14 (22-05-58).txt

Scan type: Quick Scan
Objects scanned: 91871
Time elapsed: 12 minute(s), 11 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Step 5: Update Your Java (JRE)
Updated Java and ran JavaRa.

Step 6: HijackThis

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:10:20 pm, on 10/14/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16876)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVG\AVG9\Identity Protection\Agent\Bin\AVGIDSAgent.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Maxtor\Sync\SyncServices.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\AVG\AVG9\avgam.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\AVG\AVG9\avgemc.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
E:\Program Files\RocketDock\RocketDock.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\AVG\AVG9\Identity Protection\agent\bin\avgidsmonitor.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\SUPERAntiSpyware\caa73f0e-a377-4e7b-8a12-7099d1f02c89.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [RocketDock] "E:\Program Files\RocketDock\RocketDock.exe"
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/Dcode/ActiveX/MSDcode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.7.109.cab
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.1.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) - http://support.gateway.com/support/serialharvest/gwCID.CAB
O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} (Measurement Services Client v.3.12) - http://service.futuremark.com/virtualmark/tc/MSC3.cab
O16 - DPF: {E5ABEB00-B357-4884-9949-77B2C71A7EE3} (BoardCtl Class) - http://www.intel.com/design/motherbd/boardid/BoardID.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AVG E-mail Scanner (avg9emc) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgemc.exe
O23 - Service: AVG WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: AVG9IDSAgent (AVGIDSAgent) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\Identity Protection\Agent\Bin\AVGIDSAgent.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Maxtor Service (Maxtor Sync Service) - Seagate Technology LLC - C:\Program Files\Maxtor\Sync\SyncServices.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 5852 bytes


So, how do I rid myself of this annoyance?
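An added example, not from the thread and not HijackThis's own code: a small Python parser for the O2/O4/O16/O23 line formats in the log above, flagging the entries a reviewer checks first. The six sample lines are copied from the log; the HjtEntry class, the flag names and the "relative-path" rule are this example's own conventions. In this log it flags the O2 BHO registered with "(no name)" and "(no file)" (a leftover registration with nothing behind it) and the O4 "nwiz.exe /install" entry, which names a bare file that Windows resolves through the search path (the ComboFix report later in the thread resolves it to c:\windows\system32\nwiz.exe).

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: six lines copied from the HijackThis log posted above.
SAMPLE_HJT_LOG = r"""
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKCU\..\Run: [RocketDock] "E:\Program Files\RocketDock\RocketDock.exe"
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.7.109.cab
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""


@dataclass
class HjtEntry:
    """One parsed log line (class and flag names are this example's own)."""
    section: str                      # O2, O4, O16, O23, ...
    name: str                         # BHO / Run value / service name; CLSID for O16
    target: str                       # DLL path, command line, download URL or binary
    flags: List[str] = field(default_factory=list)


ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")
O4_RE = re.compile(r"^(?P<hive>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O16_RE = re.compile(r"^DPF: (?P<clsid>\{[^}]+\})(?: \((?P<desc>[^)]*)\))? - (?P<url>\S+)$")


def _has_drive_path(cmd: str) -> bool:
    """True when the launched binary is spelled out with a drive letter."""
    return re.match(r'^"?[A-Za-z]:\\', cmd.strip()) is not None


def parse_hjt_line(line: str) -> Optional[HjtEntry]:
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None                   # headers, process list, blank lines
    section, body = m.groups()
    if section == "O2" and body.startswith("BHO: "):
        name, _clsid, path = body[len("BHO: "):].split(" - ", 2)
        entry = HjtEntry(section, name, path)
    elif section == "O4" and (m4 := O4_RE.match(body)):
        entry = HjtEntry(section, m4["name"], m4["cmd"])
        if not _has_drive_path(m4["cmd"]):
            # Bare file name: Windows resolves it through the search path,
            # so confirm which file actually runs before trusting the entry.
            entry.flags.append("relative-path")
    elif section == "O16" and (m16 := O16_RE.match(body)):
        entry = HjtEntry(section, m16["desc"] or m16["clsid"], m16["url"])
    elif section == "O23" and body.startswith("Service: "):
        name, _vendor, path = body[len("Service: "):].split(" - ", 2)
        entry = HjtEntry(section, name, path)
    else:
        entry = HjtEntry(section, "", body)   # section we do not parse further
    if entry.name == "(no name)":
        entry.flags.insert(0, "unnamed")
    if "(no file)" in entry.target:
        entry.flags.append("orphan-entry")    # registration whose file is gone
    return entry


def parse_hjt_log(text: str) -> List[HjtEntry]:
    entries = []
    for line in text.splitlines():
        entry = parse_hjt_line(line)
        if entry is not None:
            entries.append(entry)
    return entries


def suspicious(entries: List[HjtEntry]) -> List[HjtEntry]:
    """Entries a reviewer looks at first; everything else is left alone."""
    return [e for e in entries if e.flags]


if __name__ == "__main__":
    for e in suspicious(parse_hjt_log(SAMPLE_HJT_LOG)):
        print(f"{e.section:<4} {e.name!r:<14} {e.target!r:<24} {e.flags}")
```

A flag here is a reason to look, not a verdict: the unnamed/no-file BHO is inert on its own, and a bare file name in a Run value is common for vendor tools, which is why the ComboFix log that follows in the thread resolves each one to its actual path.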

geek hoodlum



Re: Search Links Redirecting Me to Wrong Pages
« Reply #1 on: October 14, 2009, 09:49:05 PM »
Hi HollowNobody, can you please go to the following sites:
http://www.kaspersky.com/
http://www.eset.com/
http://www.avira.com/

Just a try. Check if you can access the above websites.

geek hoodlum



Re: Search Links Redirecting Me to Wrong Pages
« Reply #2 on: October 14, 2009, 09:58:20 PM »

HollowNobody

Re: Search Links Redirecting Me to Wrong Pages
« Reply #3 on: October 15, 2009, 03:14:49 PM »
Thanks for the reply.
Yes, I am able to access the websites listed.

harry 48



Re: Search Links Redirecting Me to Wrong Pages
« Reply #4 on: October 15, 2009, 03:25:39 PM »
Quote
Thanks for the reply.
Yes, I am able to access the websites listed.

Please do not touch your HJT log report and wait for an EXPERT to help you; getting bad help could harm your PC.

HollowNobody

Re: Search Links Redirecting Me to Wrong Pages
« Reply #5 on: October 15, 2009, 03:50:06 PM »
Quote
Please do not touch your HJT log report and wait for an EXPERT to help you; getting bad help could harm your PC.

Alright...

evilfantasy

  • Malware Removal Specialist
  • Moderator


Re: Search Links Redirecting Me to Wrong Pages
« Reply #6 on: October 15, 2009, 06:09:01 PM »
Quote
C:\Program Files\SUPERAntiSpyware\caa73f0e-a377-4e7b-8a12-7099d1f02c89.exe

Did you rename SUPERAntiSpyware with that name?

HollowNobody

Re: Search Links Redirecting Me to Wrong Pages
« Reply #7 on: October 15, 2009, 06:21:34 PM »
Quote
Did you rename SUPERAntiSpyware with that name?

No, I didn't rename anything during installation nor afterward.

evilfantasy

  • Malware Removal Specialist
  • Moderator


Re: Search Links Redirecting Me to Wrong Pages
« Reply #8 on: October 15, 2009, 06:26:56 PM »
Please go to VirSCAN.org FREE on-line scan service
(If more than one file needs to be scanned they must be done separately and logs posted for each one)

1. Copy and paste the following file path into the Suspicious files to scan box on the top of the page.
Code:
C:\Program Files\SUPERAntiSpyware\caa73f0e-a377-4e7b-8a12-7099d1f02c89.exe

2. At the upload site, click once inside the window next to Browse.
3. Press Ctrl+V on the keyboard (both at the same time) to paste the file path into the window.
4. Click on the Upload button.
This will perform a scan across multiple different virus scanning engines.
Your file will possibly be entered into a queue which normally takes less than a minute to clear.
Important: Wait for all of the scanning engines to complete.
5. Once the Scan is completed scroll down and click on the Copy to Clipboard button. This will copy the link of the report into the Clipboard.
6. Paste the contents of the Clipboard in your next reply.

HollowNobody

Re: Search Links Redirecting Me to Wrong Pages
« Reply #9 on: October 15, 2009, 06:36:17 PM »
VirSCAN.org Scanned Report :
Scanned time   : 2009/10/15 20:24:33 (EDT)
Scanner results: 3% Scanner(1/37) found malware!
File Name      : caa73f0e-a377-4e7b-8a12-7099d1f02c89.exe
File Size      : 1998576 byte
File Type      : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5            : a295508c034f5d7ece57898be5532ff3
SHA1           : 87ce867daef0dcee47194e68e31bd71f67f08d3b
Online report  : http://virscan.org/report/d87878bef16192b0c0e52a84664578ca.html

Scanner        Engine Ver      Sig Ver           Sig Date    Time   Scan result
a-squared      4.5.0.8         20091016043114    2009-10-16  4.14   -
AhnLab V3      2009.10.16.01   2009.10.16        2009-10-16  0.91   -
AntiVir        8.2.1.35        7.1.6.114         2009-10-15  0.23   -
Antiy          2.0.18          20091015.3008068  2009-10-15  0.12   -
Arcavir        2009            200910151548      2009-10-15  0.11   -
Authentium     5.1.1           200910151521      2009-10-15  9.40   -
AVAST!         4.7.4           091014-0          2009-10-14  0.09   -
AVG            8.5.288         270.14.20/2439    2009-10-16  0.39   -
BitDefender    7.81008.4353114 7.28351           2009-10-16  3.76   -
CA (VET)       9.0.0.143       35.1.7069         2009-10-16  2.64   -
ClamAV         0.95.2          9901              2009-10-15  0.27   -
Comodo         3.12            2614              2009-10-15  0.76   -
CP Secure      1.3.0.5         2009.10.16        2009-10-16  0.50   -
Dr.Web         4.44.0.9170     2009.10.15        2009-10-15  5.97   -
F-Prot         4.4.4.56        20091015          2009-10-15  9.04   -
F-Secure       7.02.73807      2009.10.16.01     2009-10-16  6.85   -
Fortinet       2.81-3.120      10.949            2009-10-15  0.44   -
GData          19.8419/19.512  20091016          2009-10-16  6.19   -
ViRobot        20091015        2009.10.15        2009-10-15  0.42   -
Ikarus         T3.1.01.72      2009.10.15.74138  2009-10-15  4.13   -
JiangMin       11.0.800        2009.10.15        2009-10-15  4.67   -
Kaspersky      5.5.10          2009.10.15        2009-10-15  0.10   -
KingSoft       2009.2.5.15     2009.10.15.19     2009-10-15  0.65   -
McAfee         5.3.00          5772              2009-10-15  3.38   -
Microsoft      1.5101          2009.10.16        2009-10-16  6.02   -
Norman         6.03.02         6.03.00           2009-10-15  4.01   -
Panda          9.05.01         2009.10.15        2009-10-15  1.86   -
Trend Micro    8.700-1004      6.546.02          2009-10-15  0.03   -
Quick Heal     10.00           2009.10.15        2009-10-15  1.70   -
Rising         20.0            21.51.34.00       2009-10-15  1.12   -
Sophos         3.00.1          4.46              2009-10-16  2.56   -
Sunbelt        5452            5452              2009-10-15  1.80   -
Symantec       1.3.0.24        20091015.003      2009-10-15  0.09   -
nProtect       20091014.02     5818832           2009-10-14  7.16   -
The Hacker     6.5.0.2         v00043            2009-10-15  0.72   -
VBA32          3.12.10.11      20091015.0850     2009-10-15  2.10   Win32 Shadow Service Install (suspicious)
VirusBuster    4.5.11.10       10.112.69/2007672 2009-10-15  2.99   -
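An added example, not part of the thread and not VirSCAN's own code: a Python parser for the report format above. It pulls the MD5/SHA1 lines, normalizes and validates the hashes (the SHA1 as posted has a stray space inside it, so the parser strips whitespace and checks length and hex before accepting a value), parses the engine table, and reports how many engines flagged the file and whether the only hits are heuristic "suspicious" verdicts, which is the situation here (VBA32 alone, 1 of 37). The sample embeds the hash lines and ten of the 37 rows; the Report and EngineResult classes, the verdict categories and the function names are mine.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the hash lines and ten of the 37 engine rows from the
# VirSCAN report above, keeping the stray space inside the SHA1 as posted.
SAMPLE_REPORT = """\
File Name      : caa73f0e-a377-4e7b-8a12-7099d1f02c89.exe
File Size      : 1998576 byte
MD5            : a295508c034f5d7ece57898be5532ff3
SHA1           : 87ce867daef0dcee47194e68e31bd71f67f08d3 b

Scanner        Engine Ver      Sig Ver           Sig Date    Time   Scan result
a-squared      4.5.0.8         20091016043114    2009-10-16  4.14   -
AhnLab V3      2009.10.16.01   2009.10.16        2009-10-16  0.91   -
CA (VET)       9.0.0.143       35.1.7069         2009-10-16  2.64   -
Kaspersky      5.5.10          2009.10.15        2009-10-15  0.10   -
McAfee         5.3.00          5772              2009-10-15  3.38   -
Microsoft      1.5101          2009.10.16        2009-10-16  6.02   -
Sophos         3.00.1          4.46              2009-10-16  2.56   -
Symantec       1.3.0.24        20091015.003      2009-10-15  0.09   -
VBA32          3.12.10.11      20091015.0850     2009-10-15  2.10   Win32 Shadow Service Install (suspicious)
VirusBuster    4.5.11.10       10.112.69/2007672 2009-10-15  2.99   -
"""

HASH_RE = re.compile(r"^(MD5|SHA1)\s*:\s*(.*)$")
# Scanner names may contain single spaces ("AhnLab V3", "CA (VET)"), so the
# name column ends at the first run of two or more spaces.
ROW_RE = re.compile(
    r"^(?P<scanner>\S.*?)\s{2,}(?P<engine>\S+)\s+(?P<sig>\S+)\s+"
    r"(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<secs>\d+\.\d+)\s+(?P<result>\S.*)$")
HASH_LEN = {"MD5": 32, "SHA1": 40}


@dataclass
class EngineResult:
    scanner: str
    sig_date: str
    result: str                       # "-" is VirSCAN's "nothing found"

    @property
    def verdict(self) -> str:
        if self.result == "-":
            return "clean"
        if re.search(r"suspicious|heur|generic", self.result, re.I):
            return "heuristic"        # name-less verdict, weak on its own
        return "detected"


@dataclass
class Report:
    md5: Optional[str]
    sha1: Optional[str]
    engines: List[EngineResult]
    problems: List[str]               # parse-time oddities worth reporting


def normalize_hash(kind: str, raw: str) -> Optional[str]:
    """Strip whitespace and validate length and hex digits; None if invalid."""
    value = re.sub(r"\s+", "", raw).lower()
    if len(value) != HASH_LEN[kind] or not re.fullmatch(r"[0-9a-f]+", value):
        return None
    return value


def parse_report(text: str) -> Report:
    report = Report(None, None, [], [])
    for line in text.splitlines():
        line = line.rstrip()
        if (m := HASH_RE.match(line)):
            kind, raw = m.group(1), m.group(2).strip()
            if re.search(r"\s", raw):
                report.problems.append(f"{kind} value contained whitespace; normalized")
            value = normalize_hash(kind, raw)
            if value is None:
                report.problems.append(f"{kind} value is not a valid hash: {raw!r}")
            setattr(report, kind.lower(), value)
        elif (m := ROW_RE.match(line)):
            report.engines.append(EngineResult(m["scanner"], m["date"], m["result"]))
    return report


def summarize(report: Report) -> dict:
    flagged = [e for e in report.engines if e.verdict != "clean"]
    return {
        "engines": len(report.engines),
        "flagged": len(flagged),
        "pct": round(100 * len(flagged) / max(1, len(report.engines))),
        "flagged_by": [e.scanner for e in flagged],
        "heuristic_only": bool(flagged) and all(e.verdict == "heuristic" for e in flagged),
    }


if __name__ == "__main__":
    r = parse_report(SAMPLE_REPORT)
    print("MD5 ", r.md5)
    print("SHA1", r.sha1, r.problems)
    print(summarize(r))
```

The "heuristic_only" field is the useful output: one engine reporting a generic "suspicious" tag while the rest are clean is the pattern the moderator goes on to resolve by inspecting the directory itself rather than by deleting the file on the strength of that single hit.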

evilfantasy

  • Malware Removal Specialist
  • Moderator


Re: Search Links Redirecting Me to Wrong Pages
« Reply #10 on: October 15, 2009, 06:42:47 PM »
Download ComboFix© by sUBs from one of the below links. Be sure to save it to the Desktop.

Link #1
Link #2

**Note:  It is important that it is saved directly to your Desktop

DO NOT run it yet!

Note: the below instructions were created specifically for this user. If you are not this user, DO NOT follow these directions as they could damage the workings of your system

Delete these files/folders, as follows:

1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
It must be Notepad, not Wordpad.
2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C

Code:
KillAll::

DirLook::
C:\Program Files\SUPERAntiSpyware


3. Go to the Notepad window and click Edit > Paste
4. Then click File > Save
5. Name the file CFScript.txt - Save the file to your Desktop
6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!



ComboFix will begin to execute, just follow the prompts.
After reboot (in case it asks to reboot), it will produce a log for you.
Post that log (Combofix.txt) in your next reply.

Note: Do not mouse-click ComboFix's window while it is running. That may cause your system to freeze.

HollowNobody

Re: Search Links Redirecting Me to Wrong Pages
« Reply #11 on: October 15, 2009, 07:03:03 PM »
After I drag the .txt file to it and click Run, two windows of AVG Identity Protection pop up saying that they've found malware. After quarantining both of them nothing happens: no reboot, no dialog boxes, nothing.

Is that just AVG blocking ComboFix or is that what ComboFix does?

evilfantasy

  • Malware Removal Specialist
  • Moderator


Re: Search Links Redirecting Me to Wrong Pages
« Reply #12 on: October 15, 2009, 07:05:26 PM »
Quote
After quarantining both of them nothing happens: no reboot, no dialog boxes, nothing.

You need to allow ComboFix to run, not quarantine it.

ComboFix is a repair/diagnostics tool. It works in the same way malware would which is why AVG is seeing it as suspicious. You can right click AVG in your task bar and disable it while using ComboFix.

HollowNobody

Re: Search Links Redirecting Me to Wrong Pages
« Reply #13 on: October 15, 2009, 07:56:57 PM »
ComboFix 09-10-15.03 - Owner 10/15/2009 21:40.1.2 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.3070.2592 [GMT -4:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
AV: AVG Internet Security *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Downloaded Program Files\ODCTOOLS
c:\windows\Installer\2b9648.msi
c:\windows\Installer\48fd2.msp
c:\windows\system32\tmp.reg
E:\Autorun.inf
E:\install.exe

Infected copy of c:\windows\system32\drivers\atapi.sys was found and disinfected
Restored copy from - Kitty ate it :^)
.
(((((((((((((((((((((((((   Files Created from 2009-09-16 to 2009-10-16  )))))))))))))))))))))))))))))))
.

2009-10-13 00:51 . 2009-09-10 18:54   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-13 00:51 . 2009-10-13 00:52   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
2009-10-13 00:51 . 2009-09-10 18:53   19160   ----a-w-   c:\windows\system32\drivers\mbam.sys
2009-10-12 23:29 . 2009-10-12 23:29   --------   d-----w-   c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-10-12 23:29 . 2009-10-15 03:10   --------   d-----w-   c:\program files\SUPERAntiSpyware
2009-10-12 23:29 . 2009-10-12 23:29   --------   d-----w-   c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com
2009-10-12 23:28 . 2009-10-12 23:28   --------   d-----w-   c:\program files\Common Files\Wise Installation Wizard
2009-10-12 23:25 . 2009-10-12 23:25   --------   d-----w-   c:\program files\Trend Micro
2009-10-12 22:36 . 2009-10-12 22:36   --------   d-----w-   C:\$AVG
2009-10-12 22:35 . 2009-10-12 22:35   25608   ----a-w-   c:\windows\system32\drivers\AVGIDSxx.sys
2009-10-12 22:35 . 2009-10-12 22:35   12464   ----a-w-   c:\windows\system32\avgrsstx.dll
2009-10-12 22:35 . 2009-10-12 22:35   356616   ----a-w-   c:\windows\system32\drivers\avgtdix.sys
2009-10-12 22:35 . 2009-10-12 22:35   161672   ----a-w-   c:\windows\system32\drivers\avgrkx86.sys
2009-10-12 22:35 . 2009-10-12 22:35   333192   ----a-w-   c:\windows\system32\drivers\avgldx86.sys
2009-10-12 22:35 . 2009-10-12 22:35   28424   ----a-w-   c:\windows\system32\drivers\avgmfx86.sys
2009-10-12 22:35 . 2009-10-15 21:16   --------   d-----w-   c:\windows\system32\drivers\Avg
2009-10-12 22:35 . 2009-10-12 22:35   --------   d-----w-   c:\program files\AVG
2009-10-12 22:35 . 2009-10-12 22:35   --------   d-----w-   c:\documents and settings\All Users\Application Data\avg9
2009-10-11 22:21 . 2009-10-11 22:21   --------   d-----w-   c:\windows\system32\wbem\Repository
2009-10-11 21:38 . 2009-10-11 22:18   --------   d-----w-   c:\documents and settings\All Users\Application Data\Avg8(2)
2009-10-11 19:51 . 2009-10-11 22:18   --------   dc----w-   c:\documents and settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}
2009-10-11 19:51 . 2009-10-11 22:18   --------   d-----w-   c:\documents and settings\All Users\Application Data\Lavasoft
2009-10-09 22:52 . 2009-10-09 22:52   --------   d-----w-   c:\documents and settings\Owner\Application Data\Malwarebytes
2009-10-09 22:52 . 2009-10-09 22:52   --------   d-----w-   c:\documents and settings\All Users\Application Data\Malwarebytes
2009-10-03 00:11 . 2009-10-03 00:11   3293184   ----a-w-   c:\windows\system32\config\systemprofile\NTUSER(2).DAT
2009-09-19 22:07 . 2009-09-19 22:07   --------   d-----w-   c:\documents and settings\Owner\Local Settings\Application Data\gctmp
2009-09-19 22:07 . 2009-09-19 22:07   --------   d-----w-   c:\documents and settings\Owner\Local Settings\Application Data\Xenocode

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-15 03:04 . 2008-11-27 22:10   --------   d-----w-   c:\program files\Java
2009-10-11 22:20 . 2008-11-26 20:04   --------   d-----w-   c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-09-19 20:27 . 2008-11-28 21:28   107888   ----a-w-   c:\windows\system32\CmdLineExt.dll
2009-08-07 23:51 . 2009-08-07 23:51   15308424   ----a-w-   c:\windows\system32\xlive.dll
2009-08-07 23:51 . 2009-08-07 23:51   13642888   ----a-w-   c:\windows\system32\xlivefnt.dll
2009-08-06 23:24 . 2008-11-26 18:19   327896   ----a-w-   c:\windows\system32\wucltui.dll
2009-08-06 23:24 . 2008-11-26 18:19   209632   ----a-w-   c:\windows\system32\wuweb.dll
2009-08-06 23:24 . 2008-11-26 18:19   35552   ----a-w-   c:\windows\system32\wups.dll
2009-08-06 23:24 . 2008-11-26 18:19   35552   ----a-w-   c:\windows\system32\wups(2)(2).dll
2009-08-06 23:24 . 2008-10-16 19:09   44768   ----a-w-   c:\windows\system32\wups2.dll
2009-08-06 23:24 . 2008-10-16 19:09   44768   ----a-w-   c:\windows\system32\wups2(2)(2).dll
2009-08-06 23:24 . 2008-11-26 18:19   53472   ----a-w-   c:\windows\system32\wuauclt.exe
2009-08-06 23:24 . 2004-08-04 10:00   96480   ----a-w-   c:\windows\system32\cdm.dll
2009-08-06 23:23 . 2008-11-26 18:19   575704   ----a-w-   c:\windows\system32\wuapi.dll
2009-08-06 23:23 . 2008-11-26 18:19   1929952   ----a-w-   c:\windows\system32\wuaueng.dll
2009-08-05 09:01 . 2004-08-04 10:00   204800   ----a-w-   c:\windows\system32\mswebdvd.dll
2009-08-03 17:52 . 2009-07-10 16:00   43520   ----a-w-   c:\windows\system32\CmdLineExt03.dll
2009-07-31 19:23 . 2008-11-28 19:46   411368   ----a-w-   c:\windows\system32\deploytk.dll
2009-07-19 21:26 . 2008-11-26 20:21   22656   ----a-w-   c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2008-06-30 18:44 . 2008-12-04 21:09   324976   ----a-w-   c:\program files\mozilla firefox\components\coFFPlgn.dll
.

((((((((((((((((((((((((((((((((((((((((((((   Look   )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of c:\program files\SUPERAntiSpyware ----

2009-10-15 03:10 . 2009-10-15 01:44   2000112   ----a-w-   c:\program files\SUPERAntiSpyware\e0fc707a-1079-4851-b23d-75b94b5e9cec.exe
2009-10-15 01:44 . 2009-10-15 01:44   29863   ----a-w-   c:\program files\SUPERAntiSpyware\Language\ARABIC.LNG
2009-10-15 01:44 . 2009-10-15 01:44   35576   ----a-w-   c:\program files\SUPERAntiSpyware\Language\BULGARIAN (BG).LNG
2009-10-15 01:44 . 2009-09-15 15:42   1998576   ----a-w-   c:\program files\SUPERAntiSpyware\caa73f0e-a377-4e7b-8a12-7099d1f02c89.exe
2009-09-15 15:42 . 2009-09-15 15:42   7408   ----a-r-   c:\program files\SUPERAntiSpyware\SASENUM.SYS
2009-09-15 15:42 . 2009-09-15 15:42   9968   ----a-w-   c:\program files\SUPERAntiSpyware\sasdifsv.sys
2009-09-15 15:42 . 2009-09-15 15:42   74480   ----a-w-   c:\program files\SUPERAntiSpyware\SASKUTIL.SYS
2009-09-15 15:42 . 2009-10-15 01:44   2000112   ----a-w-   c:\program files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
2009-09-15 15:42 . 2009-09-15 15:42   158960   ----a-w-   c:\program files\SUPERAntiSpyware\SSUpdate.exe
2009-09-15 14:47 . 2009-09-15 14:47   20608955   ----a-w-   c:\program files\SUPERAntiSpyware\PROCESSLIST.DB
2009-09-15 14:46 . 2009-09-15 14:46   1226937   ----a-w-   c:\program files\SUPERAntiSpyware\PROCESSLISTRELATED.DB
2009-09-03 19:21 . 2009-09-03 19:21   548352   ----a-w-   c:\program files\SUPERAntiSpyware\SASWINLO.dll
2009-09-02 02:56 . 2009-10-15 01:44   37812   ----a-w-   c:\program files\SUPERAntiSpyware\Language\DUTCH (NL).LNG
2009-08-05 17:03 . 2009-08-05 17:03   35985   ----a-w-   c:\program files\SUPERAntiSpyware\Language\Swedish (SE).lng
2009-08-05 16:26 . 2009-08-05 16:26   32627   ----a-w-   c:\program files\SUPERAntiSpyware\Language\Hungarian (HU).lng
2009-08-05 16:24 . 2009-08-05 16:24   34855   ----a-w-   c:\program files\SUPERAntiSpyware\Language\Estonian (EST).lng
2009-01-15 15:44 . 2009-01-15 15:44   34251   ----a-w-   c:\program files\SUPERAntiSpyware\Language\DANISH (DK).LNG
2009-01-15 15:43 . 2009-01-15 15:43   36425   ----a-w-   c:\program files\SUPERAntiSpyware\Language\Norwegian (NO).lng
2009-01-15 15:31 . 2009-01-15 15:31   36581   ----a-w-   c:\program files\SUPERAntiSpyware\Language\Polish (PL).lng
2009-01-15 15:28 . 2009-01-15 15:28   40572   ----a-w-   c:\program files\SUPERAntiSpyware\Language\Macedonian (MK).lng
2008-11-04 22:37 . 2008-11-04 22:37   39269   ----a-w-   c:\program files\SUPERAntiSpyware\Language\Portuguese (BR).lng
2008-11-03 17:49 . 2008-11-03 17:49   47912   ----a-w-   c:\program files\SUPERAntiSpyware\RUNSAS.EXE
2008-11-03 17:30 . 2008-11-03 17:30   40888   ----a-w-   c:\program files\SUPERAntiSpyware\Language\German (DE).lng
2008-11-03 17:28 . 2008-11-03 17:28   41152   ----a-w-   c:\program files\SUPERAntiSpyware\Language\Italian (IT).lng
2008-11-03 15:37 . 2008-11-03 15:37   40562   ----a-w-   c:\program files\SUPERAntiSpyware\Language\Spanish (ES).lng
2008-11-03 15:36 . 2008-11-03 15:36   42687   ----a-w-   c:\program files\SUPERAntiSpyware\Language\French (FR).lng
2008-10-06 18:20 . 2008-10-06 18:20   35739   ----a-w-   c:\program files\SUPERAntiSpyware\Language\English (US).lng
2008-07-28 15:10 . 2008-07-28 15:10   411136   ----a-w-   c:\program files\SUPERAntiSpyware\SASREPAIRS.STG
2008-05-13 14:13 . 2008-05-13 14:13   77824   ----a-w-   c:\program files\SUPERAntiSpyware\SASSEH.DLL
2008-03-12 15:29 . 2008-03-12 15:29   24576   ----a-r-   c:\program files\SUPERAntiSpyware\SASINST.EXE
2007-11-27 17:12 . 2007-11-27 17:12   1088725   ----a-w-   c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.chm
2007-10-02 18:08 . 2007-10-02 18:08   122168   ----a-r-   c:\program files\SUPERAntiSpyware\BootSafe.exe
2007-02-27 16:39 . 2007-02-27 16:39   61440   ----a-w-   c:\program files\SUPERAntiSpyware\SASCTXMN.DLL
2006-09-19 19:55 . 2006-09-19 19:55   360448   ----a-r-   c:\program files\SUPERAntiSpyware\deupx.dll
2004-06-03 13:24 . 2004-06-03 13:24   69632   ----a-w-   c:\program files\SUPERAntiSpyware\Plugins\sab_incr.dll
2004-05-20 17:28 . 2004-05-20 17:28   2048   ----a-w-   c:\program files\SUPERAntiSpyware\detect.wav
2004-05-07 19:31 . 2004-05-07 19:31   348160   ----a-w-   c:\program files\SUPERAntiSpyware\msvcr71.dll
2004-05-07 19:31 . 2004-05-07 19:31   40960   ----a-w-   c:\program files\SUPERAntiSpyware\Plugins\sab_mapi.dll
2004-05-07 19:31 . 2004-05-07 19:31   61440   ----a-w-   c:\program files\SUPERAntiSpyware\Plugins\sab_wab.dll


(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RocketDock"="e:\program files\RocketDock\RocketDock.exe" [2007-09-02 495616]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-06-25 13529088]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-06-25 86016]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-31 149280]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" - c:\windows\system32\HdAShCut.exe [2005-01-07 61952]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2008-06-25 1630208]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\SOUNDMAN.EXE [2005-09-21 86016]
"AlcWzrd"="ALCWZRD.EXE" - c:\windows\ALCWZRD.EXE [2005-09-21 2807808]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 19:21   548352   ----a-w-   c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-10-12 22:35   12464   ----a-w-   c:\windows\system32\avgrsstx.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^OpenOffice.org 3.0.lnk]
path=c:\documents and settings\Owner\Start Menu\Programs\Startup\OpenOffice.org 3.0.lnk
backup=c:\windows\pss\OpenOffice.org 3.0.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"e:\\Program Files\\Bethesda Softworks\\Fallout 3\\Fallout3.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"e:\\Program Files\\Firefly Studios\\CivCity Rome\\CivCity Rome.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgam.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgdiagex.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=

R0 AVGIDSErHrxpx;AVG9IDSErHr;c:\windows\system32\drivers\AVGIDSxx.sys [10/12/2009 6:35 pm 25608]
R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [10/12/2009 6:35 pm 161672]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [10/12/2009 6:35 pm 333192]
R1 AvgTdiX;AVG Network Redirector;c:\windows\system32\drivers\avgtdix.sys [10/12/2009 6:35 pm 356616]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [9/15/2009 11:42 am 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [9/15/2009 11:42 am 74480]
R2 avg9emc;AVG E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [10/12/2009 6:35 pm 906520]
R2 avg9wd;AVG WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [10/12/2009 6:35 pm 285392]
R2 AVGIDSAgent;AVG9IDSAgent;c:\program files\AVG\AVG9\Identity Protection\Agent\Bin\AVGIDSAgent.exe [10/12/2009 6:35 pm 5830152]
R3 AVGIDSDriverxpx;AVG9IDSDriver;c:\program files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSDriver.sys [10/12/2009 6:35 pm 122376]
R3 AVGIDSFilterxpx;AVG9IDSFilter;c:\program files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSFilter.sys [10/12/2009 6:35 pm 30216]
R3 AVGIDSShimxpx;AVG9IDSShim;c:\program files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSShim.sys [10/12/2009 6:35 pm 25736]
S3 pfsvgae;pfsvgae;\??\c:\docume~1\Owner\LOCALS~1\Temp\pfsvgae.sys --> c:\docume~1\Owner\LOCALS~1\Temp\pfsvgae.sys [?]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [9/15/2009 11:42 am 7408]
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
DPF: {E5ABEB00-B357-4884-9949-77B2C71A7EE3} - hxxp://www.intel.com/design/motherbd/boardid/BoardID.cab
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\ohark9ju.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
FF - plugin: e:\program files\Adobe\Reader 8.0\Reader\browser\nppdf32.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-15 21:48
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-117609710-1592454029-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{84EF2146-A462-2D01-9B75-8E8D6E60D380}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"janggkjbgabndcfdaeli"=hex:6a,61,6d,6c,66,6a,63,66,6f,69,62,70,68,61,66,6b,67,
   61,65,66,00,f2
"iadgmocoiacmmhbmgp"=hex:6a,61,6d,6c,66,6a,63,66,6f,69,62,70,68,61,66,6b,67,61,
   65,66,00,02
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(764)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(3980)
c:\windows\system32\WININET.dll
e:\program files\RocketDock\RocketDock.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Maxtor\Sync\SyncServices.exe
c:\program files\AVG\AVG9\avgam.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\windows\system32\nvsvc32.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2009-10-16 21:52 - machine was rebooted
ComboFix-quarantined-files.txt  2009-10-16 01:52

Pre-Run: 69,737,598,976 bytes free
Post-Run: 69,972,209,664 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect /numproc=2

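As an added check, not part of the posted log or the helper's instructions: a small parser for the service/driver lines ComboFix prints in the log above (`<start> <name>;<display name>;<image path> [<date> <time> <size>]`), which flags any driver whose image path sits under a Temp directory or that carries a `[?]` stamp instead of a date and size (the two traits the `pfsvgae` entry shows). The sample lines are constructed from the log above; the flagging rules are this example's own heuristics, not ComboFix's.

```python
import re

# Constructed sample: four service lines in the layout ComboFix prints in the log above.
SAMPLE_LINES = r"""
R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [10/12/2009 6:35 pm 161672]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [9/15/2009 11:42 am 9968]
S3 pfsvgae;pfsvgae;\??\c:\docume~1\Owner\LOCALS~1\Temp\pfsvgae.sys --> c:\docume~1\Owner\LOCALS~1\Temp\pfsvgae.sys [?]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [9/15/2009 11:42 am 7408]
"""

# One service line: start type, service name, display name, image path, bracketed stamp.
SERVICE_RE = re.compile(
    r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.+?)\s+\[(?P<stamp>[^\]]*)\]\s*$"
)


def parse_service_line(line):
    """Return a dict for one ComboFix service line, or None if the line is not one."""
    m = SERVICE_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    path = entry["path"]
    # ComboFix prints "<registry ImagePath> --> <resolved path>" when they differ; keep the resolved form.
    if " --> " in path:
        path = path.split(" --> ", 1)[1]
    # Drop the NT object-manager prefix some ImagePath values carry.
    if path.startswith("\\??\\"):
        path = path[4:]
    entry["path"] = path
    return entry


def suspicious_services(log_text):
    """Flag services whose driver lives in a Temp folder or has no on-disk date/size stamp."""
    flagged = []
    for line in log_text.splitlines():
        entry = parse_service_line(line)
        if entry is None:
            continue
        reasons = []
        if "\\temp\\" in entry["path"].lower():
            reasons.append("driver image path under a Temp directory")
        if entry["stamp"] == "?":
            reasons.append("no date/size stamp ([?]): file was not found on disk")
        if reasons:
            flagged.append((entry["name"], reasons))
    return flagged
```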

evilfantasy

  • Malware Removal Specialist
  • Moderator

Re: Search Links Redirecting Me to Wrong Pages
« Reply #14 on: October 15, 2009, 09:05:34 PM »
Download OTM by OldTimer to your desktop.

Note: If you are running on Vista, right-click on OTM.exe and choose Run As Administrator.

* Save it to your Desktop.
* Double-click OTM.exe to run it.
* Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy)

Code:
:Processes
explorer.exe

:services
pfsvgae

:reg
[-HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

[-HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

:files
c:\docume~1\Owner\LOCALS~1\Temp\pfsvgae.sys

:Commands
[purity]
[emptytemp]
[start explorer]
[Reboot]

* Return to OTM, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
* Click the red Moveit! button.
* Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.

* Close OTM

Note: If a file or folder cannot be moved immediately you may be asked to reboot your computer in order to finish the move process. If asked to reboot, choose Yes. If not, reboot anyway.

----------