Search Engine Redirect caused by virus, plz help me!
Y2CJ3600 (Joined: Jan 01, 2009; Posts: 23)
PostPosted: Thu Jan 01, 2009 9:55 am    Post subject: Search Engine Redirect caused by virus, plz help me!

Hi, not sure if I am doing this forum thing right. I am new to forums and not sure how to start them, but I've been having a problem with my net for days. When I use Yahoo or Google in either Firefox or IE I keep getting redirected to all these strange sites. I have downloaded several antivirus programs and none of them have helped. I believe I have a Vundo, or some type of CWS or winlogon bug. I did notice this file wdmaud. I found it in my C:\WINDOWS\system32. I was just going to delete it but read online somewhere that it is bad to delete it. Not sure if that site was trustworthy; then I found this forum. So can someone please try to help me? Computer viruses aren't fun and I've been up for the past 4 nights trying to get rid of this thing. Also this file keeps coming up and won't go away when I hit "Fix it" in my HijackThis: O18 - Filter hijack: text/html - {07851C6A-1C43-41d9-8319-BC89154A8C00} - (no file)
Here are the rest of my logs:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:14:30 AM, on 1/1/2009
Platform: Windows XP SP2
MSIE: Internet Explorer v6.00 SP2
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl Class - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [ftutil2] rundll32.exe ftutil2.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp .exe" /run
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O18 - Filter hijack: text/html - {07851C6A-1C43-41d9-8319-BC89154A8C00} - (no file)
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 3541 bytes
greyknight17 (Joined: Feb 03, 2003; Posts: 5674; Location: Brooklyn, NY)
PostPosted: Thu Jan 01, 2009 6:58 pm    Post subject:

Happy New Year and welcome to Lockergnome.

You may delete the wdmaud.sys file from the system32 folder if found. There is another file called wdmaud.drv in that system32 folder. That's the file you should not delete.

Please print the below instructions or copy them to Notepad. Make sure to work through the fixes in the order mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

Run a scan in HijackThis. Check each of the following if they still exist and hit 'Fix Checked' after you have checked the last one:

O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O18 - Filter hijack: text/html - {07851C6A-1C43-41d9-8319-BC89154A8C00} - (no file)


1. Download ComboFix at http://download.bleepingcomputer.com/sUBs/ComboFix.exe and save it to your Desktop before you run it.
2. Double-click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply.

Note:
Do not click on combofix's window while it's running. That may cause it to stall.
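An added example, not code from this thread or from HijackThis: a small Python triage script that parses lines in the HijackThis log format posted above and flags the two kinds of entries greyknight17 asks to fix, the orphaned O18 text/html MIME filter and O4 Run entries whose target cannot be verified (a bare file name with no directory, or a path mangled with a space before the extension, which is the shape ComboFix later reported as an orphan for HPBootOp). The regexes, the `Finding` class and the sample lines are assumptions constructed for this example.

```python
"""Triage of HijackThis-format log lines (hypothetical helper, not HijackThis's own code)."""
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample: lines copied from the HijackThis log posted earlier in this thread.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [ftutil2] rundll32.exe ftutil2.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp .exe" /run
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O18 - Filter hijack: text/html - {07851C6A-1C43-41d9-8319-BC89154A8C00} - (no file)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
"""

# Every HijackThis finding line is "<section> - <body>"; these regexes are assumptions
# that fit the lines in this thread, not a specification of the tool's format.
SECTION_RE = re.compile(r"^(?P<section>O\d+) - (?P<body>.*)$")
RUN_RE = re.compile(
    r"^(?P<hive>HKLM|HKCU|HKUS\\[^\\]+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] "
    r"(?P<cmd>.*?)(?: \(User '[^']*'\))?$"
)
FILTER_RE = re.compile(
    r"^Filter hijack: (?P<mime>\S+) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$"
)


@dataclass
class Finding:
    section: str  # HijackThis section code, e.g. "O4" or "O18"
    name: str     # Run value name, or the MIME type for a filter
    code: str     # short machine-readable reason
    detail: str   # human-readable explanation for the reviewer


def parse_log(text: str) -> List[Tuple[str, str]]:
    """Return (section, body) pairs for every finding line; header lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = SECTION_RE.match(line.strip())
        if m:
            entries.append((m["section"], m["body"]))
    return entries


def run_target(cmd: str) -> str:
    """Return the file a Run command actually loads: the quoted or first token,
    or the DLL argument when that token is rundll32.exe (the DLL is what matters)."""
    if cmd.startswith('"'):
        end = cmd.index('"', 1)
        exe, rest = cmd[1:end], cmd[end + 1:].strip()
    else:
        exe, _, rest = cmd.partition(" ")
    if exe.lower().rsplit("\\", 1)[-1] == "rundll32.exe":
        return rest.split(",", 1)[0].strip().strip('"')
    return exe


def triage(entries: List[Tuple[str, str]]) -> List[Finding]:
    """Flag entries a reviewer would ask the poster to fix or verify."""
    findings: List[Finding] = []
    for section, body in entries:
        if section == "O18":
            m = FILTER_RE.match(body)
            if not m:
                continue
            if m["path"].strip() == "(no file)":
                findings.append(Finding(section, m["mime"], "orphaned-filter",
                    f"MIME filter {m['clsid']} on {m['mime']} points at a missing DLL; "
                    "fixing it only removes the dangling registration"))
            else:
                findings.append(Finding(section, m["mime"], "active-filter",
                    f"MIME filter on {m['mime']} loads {m['path']}; filters on text/html "
                    "are rarely legitimate, identify the DLL before keeping it"))
        elif section == "O4":
            m = RUN_RE.match(body)
            if not m:
                continue
            target = run_target(m["cmd"])
            if re.search(r"\s\.\w+$", target):
                findings.append(Finding(section, m["name"], "mangled-path",
                    f"{target!r} has a space before its extension, so no such file "
                    "exists and the entry is an orphan"))
            elif "\\" not in target:
                findings.append(Finding(section, m["name"], "bare-target",
                    f"{target!r} carries no directory and is resolved through the search "
                    "path; confirm which file actually runs"))
    return findings


if __name__ == "__main__":
    for f in triage(parse_log(SAMPLE_LOG)):
        print(f"{f.section} [{f.name}] {f.code}: {f.detail}")
```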
Y2CJ3600 (Joined: Jan 01, 2009; Posts: 23)
PostPosted: Fri Jan 02, 2009 1:16 am    Post subject: redirect search link/malware/vundo

Happy New Year to you too, greyknight17. Man, I've been working on getting rid of this virus thing for so long I forgot about the new year. Before I run ComboFix, should I disconnect from the internet first?
Y2CJ3600 (Joined: Jan 01, 2009; Posts: 23)
PostPosted: Fri Jan 02, 2009 1:59 am    Post subject: redirect search link/malware/vundo pt2

I ran ComboFix. Here are the logs. I think it worked, because so far I haven't had a problem doing a search. THANK YOU SOOOOO MUCH, YOU'RE THE COOLEST, SMARTEST PERSON I KNOW. Everyone else kept telling me to do this and that and it didn't work. So should I now delete ComboFix off my computer so it doesn't take up memory space?

ComboFix 08-12-31.01 - CJ 2009-01-02 1:02:18.1 - NTFSx86 NETWORK
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.447.257 [GMT -6:00]
Running from: c:\documents and settings\CJ\Desktop\ComboFix.exe
FW: Norton AntiVirus *enabled*
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\afopbnxi.ini
c:\windows\system32\bcvwoeny.ini
c:\windows\system32\bmhpoavn.ini
c:\windows\system32\btewihtm.ini
c:\windows\system32\cfgksywe.ini
c:\windows\system32\ckfdgwin.ini
c:\windows\system32\cofedgtp.ini
c:\windows\system32\cposaarf.ini
c:\windows\system32\dfhnpnro.ini
c:\windows\system32\dghtxvpf.ini
c:\windows\system32\donlyphp.ini
c:\windows\system32\doxjoltj.ini
c:\windows\system32\eaponboa.ini
c:\windows\system32\fuwkyjsp.ini
c:\windows\system32\fyivfajq.ini
c:\windows\system32\gaynwxfy.ini
c:\windows\system32\geamkrla.ini
c:\windows\system32\gtvkhfom.ini
c:\windows\system32\hiqoagps.ini
c:\windows\system32\hkebhxfh.ini
c:\windows\system32\iagebryl.ini
c:\windows\system32\ifteusjm.ini
c:\windows\system32\ivuymfxb.ini
c:\windows\system32\jcwkyjch.ini
c:\windows\system32\jomhpqhe.ini
c:\windows\system32\jtnxbnal.ini
c:\windows\system32\jxgydakc.ini
c:\windows\system32\krqbyoeb.ini
c:\windows\system32\ktsroldu.ini
c:\windows\system32\kyjujbho.ini
c:\windows\system32\lciqjbxp.ini
c:\windows\system32\ldhyrkiq.ini
c:\windows\system32\lfoyqpax.ini
c:\windows\system32\ncnetcyy.ini
c:\windows\system32\nddhoajh.ini
c:\windows\system32\nficqhyv.ini
c:\windows\system32\ohghuwej.ini
c:\windows\system32\orwfwtyi.ini
c:\windows\system32\prlcqguc.ini
c:\windows\system32\qbqydaph.ini
c:\windows\system32\qclvwriy.ini
c:\windows\system32\qianhmtd.ini
c:\windows\system32\qnqdxllf.ini
c:\windows\system32\qpcikxcx.ini
c:\windows\system32\qyiqhpib.ini
c:\windows\system32\rfhnykuj.ini
c:\windows\system32\rkwmvxpy.ini
c:\windows\system32\rtexindb.ini
c:\windows\system32\rudnwwcy.ini
c:\windows\system32\rwnvbipd.ini
c:\windows\system32\spxmildf.ini
c:\windows\system32\swfilnlm.ini
c:\windows\system32\tjqulcjn.ini
c:\windows\system32\tnadtqmj.ini
c:\windows\system32\ukooyomp.ini
c:\windows\system32\upnwoouk.ini
c:\windows\system32\ushjjhjo.ini
c:\windows\system32\utnlrpvm.ini
c:\windows\system32\vhvxnyoy.ini
c:\windows\system32\wabkcydn.ini
c:\windows\system32\wcyhdhck.ini
c:\windows\system32\whmhuxqc.ini
c:\windows\system32\whsnvynn.ini
c:\windows\system32\xeveknap.ini
c:\windows\system32\xkcqvmbt.ini
c:\windows\system32\xsgwilvp.ini
c:\windows\system32\xyhgrndh.ini
c:\windows\system32\yekxetbo.ini
c:\windows\system32\ygdtvtbd.ini
D:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_DOMAINSERVICE
-------\Legacy_TDSSSERV


((((((((((((((((((((((((( Files Created from 2008-12-02 to 2009-01-02 )))))))))))))))))))))))))))))))
.

2009-01-02 00:52 . 2009-01-02 00:52 <DIR> d-------- c:\documents and settings\All Users\Application Data\Avg7
2009-01-02 00:52 . 2009-01-02 00:52 262,144 --a------ c:\documents and settings\CJCB2~12.YOU
2009-01-02 00:51 . 2009-01-02 00:51 262,144 --a------ c:\documents and settings\CJCB2~11.YOU
2009-01-01 07:54 . 2009-01-01 07:57 <DIR> d-------- C:\hjt
2009-01-01 01:38 . 2009-01-01 01:40 8,192 --a------ c:\documents and settings\CJCB2~10.YOU
2008-12-31 03:33 . 2008-12-31 03:33 <DIR> d-------- c:\documents and settings\CJ\Application Data\AD ON Multimedia
2008-12-31 02:33 . 2008-12-31 02:33 <DIR> d-------- c:\program files\Lavasoft
2008-12-31 01:59 . 2008-12-31 01:59 262,144 --a------ c:\documents and settings\CJCB23~9.YOU
2008-12-31 01:56 . 2008-12-31 01:59 8,192 --a------ c:\documents and settings\CJCB23~8.YOU
2008-12-31 01:50 . 2008-12-31 01:55 262,144 --a------ c:\documents and settings\CJCB23~7.YOU
2008-12-30 03:01 . 2008-12-30 03:01 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2008-12-30 03:00 . 2008-12-31 12:35 <DIR> d-------- c:\program files\SUPERAntiSpyware
2008-12-30 03:00 . 2008-12-31 12:35 <DIR> d-------- c:\documents and settings\CJ\Application Data\SUPERAntiSpyware.com
2008-12-29 01:06 . 2008-12-29 01:06 <DIR> d-------- c:\program files\Trend Micro
2008-12-28 22:41 . 2008-12-30 03:07 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2008-12-28 22:21 . 2008-12-29 20:00 <DIR> d-------- c:\windows\system32\CatRoot_bak
2008-12-28 11:44 . 2008-12-31 02:00 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8
2008-12-28 11:44 . 2008-12-28 11:46 8,192 --a------ c:\documents and settings\CJCB23~6.YOU
2008-12-28 11:41 . 2008-12-28 11:41 262,144 --a------ c:\documents and settings\CJCB23~5.YOU
2008-12-28 11:40 . 2008-12-28 11:40 262,144 --a------ c:\documents and settings\CJCB23~4.YOU
2008-12-28 11:38 . 2008-12-28 11:38 262,144 --a------ c:\documents and settings\CJCB23~3.YOU
2008-12-28 08:02 . 2008-12-28 08:02 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Malwarebytes
2008-12-28 07:14 . 2008-12-31 12:22 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2008-12-26 14:56 . 2001-08-17 13:48 12,160 --a------ c:\windows\system32\drivers\mouhid.sys
2008-12-26 14:56 . 2001-08-17 13:48 12,160 --a------ c:\windows\system32\dllcache\mouhid.sys
2008-12-26 14:56 . 2008-04-13 12:45 10,368 --a------ c:\windows\system32\drivers\hidusb.sys
2008-12-26 14:56 . 2008-04-13 12:45 10,368 --a------ c:\windows\system32\dllcache\hidusb.sys
2008-12-23 00:23 . 2005-01-08 01:07 138,752 --a------ c:\windows\system32\drivers\hdaudbus.sys
2008-12-23 00:23 . 2004-08-09 22:00 67,584 --a------ c:\windows\system32\drivers\sdbus.sys
2008-12-23 00:23 . 2004-08-10 05:00 37,376 --a------ c:\windows\system32\drivers\amdk7.sys
2008-12-23 00:23 . 2004-08-10 05:00 15,488 --a------ c:\windows\system32\drivers\mssmbios.sys
2008-12-23 00:23 . 2004-08-10 05:00 12,416 --a------ c:\windows\system32\drivers\tunmp.sys
2008-12-23 00:23 . 2004-08-09 22:00 11,136 --a------ c:\windows\system32\drivers\sffdisk.sys
2008-12-23 00:23 . 2004-08-09 22:00 10,240 --a------ c:\windows\system32\drivers\sffp_sd.sys
2008-12-23 00:21 . 2004-08-09 22:00 4,190,352 --a------ c:\windows\system32\dllcache\luna.mst
2008-12-23 00:20 . 2007-10-25 21:34 8,460,288 --a------ c:\windows\system32\dllcache\shell32.dll
2008-12-23 00:19 . 2008-09-15 05:57 1,846,016 --a------ c:\windows\system32\win32k.sys
2008-12-23 00:18 . 2008-08-14 04:00 2,180,352 --a------ c:\windows\system32\ntoskrnl.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-02 06:56 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-12-31 18:23 --------- d-----w c:\program files\Common Files\Symantec Shared
2008-12-31 08:53 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2008-12-31 03:24 --------- d-----w c:\documents and settings\All Users\Application Data\yahoo!
2008-12-31 03:21 --------- d-----w c:\documents and settings\All Users\Application Data\AOL
2008-12-30 23:59 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2008-12-30 10:28 --------- d-----w c:\program files\Yahoo!
2008-12-30 08:25 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-30 02:48 --------- d-----w c:\program files\Common Files\Real
2008-12-28 13:38 --------- d-----w c:\program files\SpywareBlaster
2008-12-04 01:52 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-04 01:52 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2008-11-30 01:07 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-11-29 23:51 --------- d-----w c:\documents and settings\Compaq_Administrator\Application Data\Malwarebytes
2008-11-28 16:59 --------- d-----w c:\program files\Java
2008-11-10 17:03 --------- d-----w c:\documents and settings\All Users\Application Data\NOS
2008-11-10 03:28 --------- d-----w c:\program files\Common Files\Adobe AIR
2008-11-02 20:42 25,740,144 ----a-w c:\program files\wmp11-windowsxp-x86-enu.exe
2008-11-02 12:04 --------- d-----w c:\documents and settings\Compaq_Administrator\Application Data\AT&T
2008-11-02 03:03 --------- d-----w c:\program files\Common Files\Motive
2008-11-02 03:03 --------- d-----w c:\documents and settings\CJ\Application Data\AT&T
2008-11-02 03:03 --------- d-----w c:\documents and settings\All Users\Application Data\AT&T
2008-11-02 02:53 --------- d-----w c:\program files\ATT
2008-11-02 02:51 --------- d-----w c:\documents and settings\All Users\Application Data\Motive
2008-08-21 03:18 82 ----a-w c:\documents and settings\All Users\Application Data\SUMQU0C1-FE20-APII-YE7M-BEDSDWMY5R6A.dat
2008-06-24 14:32 2,516 --sha-w c:\documents and settings\All Users\Application Data\KGyGaAvL.sys
2008-06-24 12:57 88 --sh--r c:\documents and settings\All Users\Application Data\1ECFDB038D.sys
2007-12-30 08:47 963 ----a-w c:\program files\Spybot - Search & Destroy (for blind users).lnk
2007-12-30 08:39 7,467,056 ----a-w c:\program files\spybotsd15.exe
2006-12-15 23:38 0 ----a-w c:\documents and settings\Compaq_Administrator\Application Data\wklnhst.dat
2006-12-15 17:16 809 ----a-w c:\program files\Shortcut to SpybotSD.lnk
2006-12-15 05:21 5,900,416 ----a-w c:\program files\Firefox Setup 2.0.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 4670704]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-12-22 1830128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-24 136600]
"ftutil2"="ftutil2.dll" [2004-06-07 c:\windows\system32\ftutil2.dll]
"AlwaysReady Power Message APP"="ARPWRMSG.EXE" [2005-08-03 c:\windows\arpwrmsg.exe]
"RTHDCPL"="RTHDCPL.EXE" [2007-10-25 c:\windows\RTHDCPL.EXE]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2008-04-17 9117696]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-12-15 282624]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 11:05 356352 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.mjpg"= mcmjpg32.dll
"msacm.ac3filter"= ac3filter.acm
"aux2"= wdmaud.sys

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0lsdelete

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Compaq Connections\\5577497\\Program\\Compaq Connections.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"=
"c:\\Program Files\\Common Files\\AOL\\1165782479\\EE\\AOLServiceHost.exe"=
"c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"c:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\AOLSP Scheduler.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=

S1 SASDIFSV;SASDIFSV;\??\c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2008-12-22 8944]
S1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2008-12-22 55024]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys [2008-09-04 38496]
S3 SASENUM;SASENUM;\??\c:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-12-22 7408]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0d43c0c6-d38e-11dd-867e-00192125b11b}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL http://www.mgae.com/keylauncher/?code=3654406585264683

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{25ef7ba7-7c1f-11db-8a36-806d6172696f}]
\Shell\AutoRun\command - D:\setupSNK.exe
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-HPBootOp - c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp .exe
HKLM-Run-QuickTime Task - c:\program files\QuickTime\qttask .exe
HKLM-Run-YSearchProtection - c:\program files\Yahoo!\Search Protection\SearchProtection.exe
HKLM-Run-avast! - c:\progra~1\ALWILS~1\Avast4\ashDisp.exe
HKLM-Run-ISW.exe - c:\program files\AT&T\Internet Security Wizard\ISW.exe
HKLM-Run-Symantec PIF AlertEng - c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifSvc.exe
HKLM-Run-PCDrProfiler - (no file)
Notify-avgrsstarter - (no file)


.
------- Supplementary Scan -------
.
FF - ProfilePath - c:\documents and settings\CJ\Application Data\Mozilla\Firefox\Profiles\tnvts9u1.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - plugin: c:\program files\Yahoo!\Shared\npYState.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-02 01:06:50
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\h*NULL*a*NULL*u*NULL*s*NULL*a*NULL*u*NULL*f*NULL*g*NULL*a*NULL*b*NULL*e*NULL*n*NULL*â*NULL*¬  r*NULL*e*NULL*f*NULL*e*NULL*r*NULL*a*NULL*t*NULL*e*NULL*.*NULL*d*NULL*e*NULL*]
@Owner=S-1-5-21-541197926-1096324747-2482870781-1012
"*"=dword:00000004

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\h*NULL*a*NULL*u*NULL*s*NULL*a*NULL*u*NULL*f*NULL*g*NULL*a*NULL*b*NULL*e*NULL*n*NULL* r*NULL*e*NULL*f*NULL*e*NULL*r*NULL*a*NULL*t*NULL*e*NULL*.*NULL*d*NULL*e*NULL*]
@Owner=Administrator
"*"=dword:00000004

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\h*NULL*a*NULL*u*NULL*s*NULL*a*NULL*u*NULL*f*NULL*g*NULL*a*NULL*b*NULL*e*NULL*n*NULL*â*NULL*¬  r*NULL*e*NULL*f*NULL*e*NULL*r*NULL*a*NULL*t*NULL*e*NULL*.*NULL*d*NULL*e*NULL*]
@Security="Inherited"
"*"=dword:00000004

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\h*NULL*a*NULL*u*NULL*s*NULL*a*NULL*u*NULL*f*NULL*g*NULL*a*NULL*b*NULL*e*NULL*n*NULL* r*NULL*e*NULL*f*NULL*e*NULL*r*NULL*a*NULL*t*NULL*e*NULL*.*NULL*d*NULL*e*NULL*]
@Security="Inherited"
"*"=dword:00000004

[HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\h*NULL*a*NULL*u*NULL*s*NULL*a*NULL*u*NULL*f*NULL*g*NULL*a*NULL*b*NULL*e*NULL*n*NULL* r*NULL*e*NULL*f*NULL*e*NULL*r*NULL*a*NULL*t*NULL*e*NULL*.*NULL*d*NULL*e*NULL*]
@Security=(SE_DACL_PRESENT SE_SELF_RELATIVE (@Owner @Group @DACL)
@Owner=Administrator
@Allowed: (Full) (S-1-5-19)
@Allowed: (Full) (S-1-5-19)
@Allowed: (Full) (LocalSystem)
@Allowed: (Full) (LocalSystem)
@Allowed: (Full) (Administrators)
@Allowed: (Full) (Administrators)
@Allowed: (Read) (S-1-5-12)
@Allowed: (Read) (S-1-5-12)
"*"=dword:00000004

[HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\h*NULL*a*NULL*u*NULL*s*NULL*a*NULL*u*NULL*f*NULL*g*NULL*a*NULL*b*NULL*e*NULL*n*NULL* r*NULL*e*NULL*f*NULL*e*NULL*r*NULL*a*NULL*t*NULL*e*NULL*.*NULL*d*NULL*e*NULL*]
@Security=(SE_DACL_PRESENT SE_SELF_RELATIVE (@Owner @Group @DACL)
@Owner=Administrator
@Allowed: (Full) (S-1-5-20)
@Allowed: (Full) (S-1-5-20)
@Allowed: (Full) (LocalSystem)
@Allowed: (Full) (LocalSystem)
@Allowed: (Full) (Administrators)
@Allowed: (Full) (Administrators)
@Allowed: (Read) (S-1-5-12)
@Allowed: (Read) (S-1-5-12)
"*"=dword:00000004

[HKEY_USERS\S-1-5-21-541197926-1096324747-2482870781-1012\Software\Microsoft\SystemCertificates\AddressBook*NULL*]
@Security=(SE_DACL_PRESENT SE_SELF_RELATIVE (@Owner @Group @DACL)
@Owner=S-1-5-21-541197926-1096324747-2482870781-1012
@Allowed: (Full) (S-1-5-21-541197926-1096324747-2482870781-1012)
@Allowed: (Full) (S-1-5-21-541197926-1096324747-2482870781-1012)
@Allowed: (Full) (LocalSystem)
@Allowed: (Full) (LocalSystem)
@Allowed: (Full) (Administrators)
@Allowed: (Full) (Administrators)
@Allowed: (Read) (S-1-5-12)
@Allowed: (Read) (S-1-5-12)

[HKEY_USERS\S-1-5-21-541197926-1096324747-2482870781-1012\Software\Microsoft\SystemCertificates\AddressBook*NULL*\Certificates]
@Security="Inherited"

[HKEY_USERS\S-1-5-21-541197926-1096324747-2482870781-1012\Software\Microsoft\SystemCertificates\AddressBook*NULL*\CRLs]
@Security="Inherited"

[HKEY_USERS\S-1-5-21-541197926-1096324747-2482870781-1012\Software\Microsoft\SystemCertificates\AddressBook*NULL*\CTLs]
@Security="Inherited"

[HKEY_USERS\S-1-5-21-541197926-1096324747-2482870781-1012\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\h*NULL*a*NULL*u*NULL*s*NULL*a*NULL*u*NULL*f*NULL*g*NULL*a*NULL*b*NULL*e*NULL*n*NULL*â*NULL*¬  r*NULL*e*NULL*f*NULL*e*NULL*r*NULL*a*NULL*t*NULL*e*NULL*.*NULL*d*NULL*e*NULL*]
@Security=(SE_DACL_PRESENT SE_SELF_RELATIVE (@Owner @Group @DACL)
@Owner=S-1-5-21-541197926-1096324747-2482870781-1012
@Allowed: (Full) (S-1-5-21-541197926-1096324747-2482870781-1012)
@Allowed: (Full) (S-1-5-21-541197926-1096324747-2482870781-1012)
@Allowed: (Full) (LocalSystem)
@Allowed: (Full) (LocalSystem)
@Allowed: (Full) (Administrators)
@Allowed: (Full) (Administrators)
@Allowed: (Read) (S-1-5-12)
@Allowed: (Read) (S-1-5-12)
"*"=dword:00000004

[HKEY_USERS\S-1-5-21-541197926-1096324747-2482870781-1012\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\h*NULL*a*NULL*u*NULL*s*NULL*a*NULL*u*NULL*f*NULL*g*NULL*a*NULL*b*NULL*e*NULL*n*NULL* r*NULL*e*NULL*f*NULL*e*NULL*r*NULL*a*NULL*t*NULL*e*NULL*.*NULL*d*NULL*e*NULL*]
@Security=(SE_DACL_PRESENT SE_SELF_RELATIVE (@Owner @Group @DACL)
@Owner=S-1-5-21-541197926-1096324747-2482870781-1012
@Allowed: (Full) (S-1-5-21-541197926-1096324747-2482870781-1012)
@Allowed: (Full) (S-1-5-21-541197926-1096324747-2482870781-1012)
@Allowed: (Full) (LocalSystem)
@Allowed: (Full) (LocalSystem)
@Allowed: (Full) (Administrators)
@Allowed: (Full) (Administrators)
@Allowed: (Read) (S-1-5-12)
@Allowed: (Read) (S-1-5-12)
"*"=dword:00000004

[HKEY_USERS\S-1-5-21-541197926-1096324747-2482870781-1012\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\h*NULL*a*NULL*u*NULL*s*NULL*a*NULL*u*NULL*f*NULL*g*NULL*a*NULL*b*NULL*e*NULL*n*NULL*â*NULL*¬  r*NULL*e*NULL*f*NULL*e*NULL*r*NULL*a*NULL*t*NULL*e*NULL*.*NULL*d*NULL*e*NULL*]
@Security="Inherited"
"*"=dword:00000004

[HKEY_USERS\S-1-5-21-541197926-1096324747-2482870781-1012\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\h*NULL*a*NULL*u*NULL*s*NULL*a*NULL*u*NULL*f*NULL*g*NULL*a*NULL*b*NULL*e*NULL*n*NULL* r*NULL*e*NULL*f*NULL*e*NULL*r*NULL*a*NULL*t*NULL*e*NULL*.*NULL*d*NULL*e*NULL*]
@Security="Inherited"
"*"=dword:00000004

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\h*NULL*a*NULL*u*NULL*s*NULL*a*NULL*u*NULL*f*NULL*g*NULL*a*NULL*b*NULL*e*NULL*n*NULL*â*NULL*¬  r*NULL*e*NULL*f*NULL*e*NULL*r*NULL*a*NULL*t*NULL*e*NULL*.*NULL*d*NULL*e*NULL*]
@Owner=S-1-5-21-541197926-1096324747-2482870781-1012
"*"=dword:00000004

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\h*NULL*a*NULL*u*NULL*s*NULL*a*NULL*u*NULL*f*NULL*g*NULL*a*NULL*b*NULL*e*NULL*n*NULL* r*NULL*e*NULL*f*NULL*e*NULL*r*NULL*a*NULL*t*NULL*e*NULL*.*NULL*d*NULL*e*NULL*]
@Owner=Administrator
"*"=dword:00000004

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\h*NULL*a*NULL*u*NULL*s*NULL*a*NULL*u*NULL*f*NULL*g*NULL*a*NULL*b*NULL*e*NULL*n*NULL*â*NULL*¬  r*NULL*e*NULL*f*NULL*e*NULL*r*NULL*a*NULL*t*NULL*e*NULL*.*NULL*d*NULL*e*NULL*]
@Security="Inherited"
"*"=dword:00000004

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\h*NULL*a*NULL*u*NULL*s*NULL*a*NULL*u*NULL*f*NULL*g*NULL*a*NULL*b*NULL*e*NULL*n*NULL* r*NULL*e*NULL*f*NULL*e*NULL*r*NULL*a*NULL*t*NULL*e*NULL*.*NULL*d*NULL*e*NULL*]
@Security="Inherited"
"*"=dword:00000004
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(460)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
.
**************************************************************************
.
Completion time: 2009-01-02 1:11:09 - machine was rebooted [CJ]
ComboFix-quarantined-files.txt 2009-01-02 07:11:06

Pre-Run: 57,415,581,696 bytes free
Post-Run: 57,327,235,072 bytes free

367 --- E O F --- 2009-01-01 12:58:21
Y2CJ3600 (Joined: Jan 01, 2009; Posts: 23)
PostPosted: Fri Jan 02, 2009 9:15 am    Post subject: malware

Hi, after ComboFix fixed my computer, I restarted it and noticed I don't have sound anymore on the computer. I went to Device Manager and there is a yellow ! where it says winmm wdm audio.
greyknight17 (Joined: Feb 03, 2003; Posts: 5674; Location: Brooklyn, NY)
PostPosted: Sat Jan 03, 2009 3:25 pm    Post subject:

Did you delete the wdmaud.sys file in the system32 folder? You might have deleted wdmaud.drv by mistake, which is a legitimate file.

You can restore that wdmaud.drv file if it's still in your Recycle Bin; otherwise, you will need to reinstall the audio drivers. That should fix the problem. If you know what audio card you have, or motherboard (if it's built in), you can get the drivers from the manufacturer's website.

Good job. Your log is clean.

To help prevent future spyware infections, read the Anti-Spyware Tutorial and use the tools provided.

Are there any problems now? If none, go to Start->Run, copy/paste in combofix /u and hit OK to remove it. You should be set to go.
Y2CJ3600 (Joined: Jan 01, 2009; Posts: 23)
PostPosted: Sat Jan 03, 2009 10:11 pm    Post subject: malware and sound fixed

Hey, I did delete that one file you said, but I deleted a few more that had its name. I thought I might have deleted the sound as well. But I went to my drivers and just uninstalled the one driver, rebooted and got my sound back. Thanks again for helping me.
alfheim (Joined: Jan 04, 2009; Posts: 4)
PostPosted: Sun Jan 04, 2009 7:51 pm    Post subject:

GreyKnight: A word of thanks for your tutorial. I was experiencing the same problems Y2CJ3600 was having and followed your instructions. They worked like a charm. Thank you very very much for your dedication to those of us who are helpless!
greyknight17 (Joined: Feb 03, 2003; Posts: 5674; Location: Brooklyn, NY)
PostPosted: Sun Jan 04, 2009 10:00 pm    Post subject:

No problem, I'm glad that this resolved the issues for both of you.

alfheim, welcome to Lockergnome. I usually recommend opening up a new topic and posting your log here for review as well, just in case something else slipped through the cracks and is hiding in your computer.

Topic locked since issue is resolved.