Super stubborn google redirect virus

April 15, 2010 at 21:39:38
Specs: Windows Vista
Hi, thank you so much for helping us. I am semi-familiar with viruses... and have been pretty careful myself in terms of protecting my computer, regularly using Ad-Aware, Spybot, and AVG. But I still got this virus for the past 3 days. I have followed recommendations on these forums (thank god I can still access them). I have flushed my DNS, used ComboFix, online scanning, Spyware Doctor, SpyHunter, Hitman Pro... but still failed to clear it.

Now I think my volmgrx.sys is infected because Hitman Pro says so. And running ComboFix will crash the computer because it causes a blue screen with a memory dump...

Please help this poor soul. My exam is in 2 weeks, and I can't Google search for my school work.



#1
April 15, 2010 at 23:09:13
Here is my log file from ComboFix under safe mode. Thanks.

ComboFix 10-04-15.02 - wifey 04/15/2010 22:50:47.4.2 - x86 NETWORK
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3062.2631 [GMT -7:00]
Running from: c:\users\wifey\Desktop\ComboFix.exe
SP: Lavasoft Ad-Watch Live! *disabled* (Updated) {67844DAE-4F77-4D69-9457-98E8CFFDAA22}
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((( Files Created from 2010-03-16 to 2010-04-16 )))))))))))))))))))))))))))))))
.

2010-04-16 05:58 . 2010-04-16 05:58 -------- d-----w- c:\users\wifey\AppData\Local\temp
2010-04-16 05:58 . 2010-04-16 05:58 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-04-16 05:58 . 2010-04-16 05:58 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-04-16 05:58 . 2010-04-16 05:58 -------- d-----w- c:\users\Administrator\AppData\Local\temp
2010-04-16 05:48 . 2010-04-16 05:48 -------- d-----w- C:\32788R22FWJFW
2010-04-16 04:41 . 2010-04-16 04:41 52224 ----a-w- c:\users\wifey\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-04-16 04:41 . 2010-04-16 04:41 117760 ----a-w- c:\users\wifey\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-04-16 04:40 . 2010-04-16 04:40 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2010-04-16 04:34 . 2010-04-16 04:34 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-04-16 04:34 . 2010-04-16 04:34 -------- d-----w- c:\users\wifey\AppData\Roaming\SUPERAntiSpyware.com
2010-04-16 00:16 . 2010-04-16 00:19 -------- d-----w- c:\program files\Common Files\PC Tools
2010-04-16 00:16 . 2010-04-16 00:16 -------- d-----w- c:\users\wifey\AppData\Roaming\PC Tools
2010-04-16 00:04 . 2010-04-16 05:17 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-04-16 00:04 . 2010-04-16 05:17 -------- d-----w- c:\programdata\Hitman Pro
2010-04-16 00:04 . 2010-04-16 00:04 -------- d-----w- c:\program files\Hitman Pro 3.5
2010-04-13 03:39 . 2010-04-13 03:39 -------- d-----w- c:\users\wifey\AppData\Roaming\Malwarebytes
2010-04-13 03:39 . 2010-03-30 07:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-13 03:38 . 2010-04-13 03:38 -------- d-----w- c:\programdata\Malwarebytes
2010-04-13 03:38 . 2010-04-13 03:39 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-13 03:38 . 2010-03-30 07:45 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-13 02:16 . 2010-04-13 02:16 -------- d-----w- c:\users\wifey\AppData\Roaming\AFF092EC7ED4D632DE9F2CB24D2A366F
2010-04-08 05:17 . 2010-04-11 22:22 -------- d-----w- c:\windows\system32\Adobe
2010-04-07 18:48 . 2004-05-18 18:16 39936 ----a-w- c:\windows\system32\huffyuv.dll
2010-04-07 18:48 . 2004-01-25 16:18 217088 ----a-w- c:\windows\system32\yv12vfw.dll
2010-04-07 18:48 . 1997-04-07 17:19 391680 ----a-w- c:\windows\system32\I263_32.drv
2010-04-07 18:48 . 2009-07-29 06:35 2378752 ----a-w- c:\windows\system32\x264vfw.dll
2010-04-07 18:48 . 2004-12-10 08:03 438272 ----a-w- c:\windows\system32\vp6vfw.dll
2010-04-07 18:48 . 2009-05-29 21:37 205824 ----a-w- c:\windows\system32\xvidvfw.dll
2010-04-07 18:48 . 2009-05-29 21:31 881664 ----a-w- c:\windows\system32\xvidcore.dll
2010-04-07 18:48 . 2009-07-14 00:15 90112 ----a-w- c:\windows\system32\dpl100.dll
2010-04-07 18:48 . 2009-07-14 00:15 685056 ----a-w- c:\windows\system32\divx.dll
2010-04-07 18:48 . 2008-11-06 16:37 3596288 ----a-w- c:\windows\system32\qt-dx331.dll
2010-04-07 18:47 . 2010-03-14 18:00 85504 ----a-w- c:\windows\system32\ff_vfw.dll
2010-04-07 18:47 . 2010-04-07 18:49 -------- d-----w- c:\program files\K-Lite Codec Pack
2010-03-28 01:57 . 2010-04-09 04:43 -------- d-----w- C:\CL Video
2010-03-24 21:22 . 2010-03-24 21:22 -------- d-----w- c:\users\wifey\AppData\Roaming\dvdcss
2010-03-24 08:04 . 2010-03-24 18:17 952768 ----a-w- c:\programdata\Adobe\Reader\8.2\ARM\25371\AdobeARM.exe
2010-03-24 08:04 . 2010-03-24 18:17 70584 ----a-w- c:\programdata\Adobe\Reader\8.2\ARM\25371\AdobeExtractFiles.dll
2010-03-24 08:04 . 2010-03-24 18:17 326056 ----a-w- c:\programdata\Adobe\Reader\8.2\ARM\25371\ReaderUpdater.exe
2010-03-24 08:04 . 2010-03-24 18:17 326056 ----a-w- c:\programdata\Adobe\Reader\8.2\ARM\25371\AcrobatUpdater.exe
2010-03-22 21:56 . 2010-03-22 21:56 -------- d-----w- c:\program files\Dora The Explorer

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-16 05:43 . 2010-04-16 00:16 -------- d-----w- c:\program files\Spyware Doctor
2010-04-16 04:34 . 2010-04-16 00:35 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-04-16 03:02 . 2009-06-17 02:34 -------- d-----w- c:\program files\Elementary Phonics
2010-04-16 01:05 . 2010-04-16 00:16 -------- d-----w- c:\programdata\PC Tools
2010-04-16 00:36 . 2010-04-16 00:36 -------- d-----w- c:\program files\Enigma Software Group
2010-04-15 21:56 . 2008-09-05 20:38 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-04-15 21:54 . 2008-09-06 08:11 -------- d-----w- c:\program files\Lavasoft
2010-04-15 21:47 . 2008-09-06 08:11 -------- d-----w- c:\programdata\Lavasoft
2010-04-15 18:55 . 2008-12-05 20:38 -------- d-----w- c:\users\wifey\AppData\Roaming\Azureus
2010-04-14 04:13 . 2008-12-05 20:37 -------- d-----w- c:\program files\Vuze
2010-04-04 23:47 . 2009-06-14 03:13 -------- d-----w- c:\users\wifey\AppData\Roaming\CopyToDvd
2010-04-04 23:47 . 2009-03-30 02:55 -------- d-----w- c:\users\wifey\AppData\Roaming\Vso
2010-03-24 22:24 . 2010-02-24 06:23 -------- d-----w- c:\users\wifey\AppData\Roaming\vlc
2010-03-11 17:12 . 2008-04-29 12:34 -------- d-----w- c:\programdata\Microsoft Help
2010-02-24 17:16 . 2009-10-03 19:57 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-20 23:06 . 2010-03-11 08:35 24064 ----a-w- c:\windows\system32\nshhttp.dll
2010-02-20 23:05 . 2010-03-11 08:35 30720 ----a-w- c:\windows\system32\httpapi.dll
2010-02-20 20:53 . 2010-03-11 08:35 411648 ----a-w- c:\windows\system32\drivers\http.sys
2010-02-17 07:24 . 2008-03-31 18:07 -------- d-----w- c:\program files\Common Files\Adobe
2010-02-16 05:05 . 2009-06-17 05:51 -------- d-----w- c:\program files\Middle School Vocabulary
2010-02-10 17:13 . 2009-11-29 09:01 165376 ----a-w- c:\windows\system32\unrar.dll
2010-02-07 07:23 . 2008-09-02 06:01 80696 ----a-w- c:\users\wifey\AppData\Local\GDIPFONTCACHEV1.DAT
2010-02-07 04:58 . 2009-05-03 23:01 8673792 ----a-w- c:\programdata\atscie.msi
2010-02-05 16:25 . 2010-04-16 00:16 70408 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2010-02-05 16:18 . 2010-04-16 00:16 100136 ----a-w- c:\windows\system32\drivers\pctwfpfilter.sys
2010-02-05 16:17 . 2010-04-16 00:16 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2010-02-02 17:13 . 2010-04-16 01:05 59664 --s---w- c:\windows\system32\drivers\TfSysMon.sys
2010-02-02 17:13 . 2010-04-16 01:05 51984 --s---w- c:\windows\system32\drivers\TfFsMon.sys
2010-02-02 17:13 . 2010-04-16 01:05 33552 --s---w- c:\windows\system32\drivers\TfNetMon.sys
2010-01-23 19:00 . 2010-01-23 19:00 10686001 ----a-w- c:\users\wifey\AppData\Roaming\Azureus\plugins\azump\mplayer.exe
2010-01-23 09:26 . 2010-03-05 19:38 2048 ----a-w- c:\windows\system32\tzres.dll
.

((((((((((((((((((((((((((((( SnapShot@2010-04-15_04.06.24 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-04-16 00:16 . 2010-04-16 00:16 54272 c:\windows\winsxs\x86_microsoft.vc90.openmp_1fc8b3b9a1e18e3b_9.0.21022.8_none_ecdf8c290e547f39\vcomp90.dll
+ 2008-01-21 01:58 . 2010-04-16 05:35 63522 c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2006-11-02 13:05 . 2010-04-16 05:35 79908 c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2008-09-02 06:02 . 2010-04-16 05:35 15906 c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3845372723-740370850-32063010-1000_UserData.bin
+ 2010-04-16 00:16 . 2009-10-06 23:31 87784 c:\windows\System32\drivers\PCTAppEvent.sys
+ 2008-09-02 05:58 . 2010-04-16 05:45 49152 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2008-09-02 05:58 . 2010-04-15 03:42 49152 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2010-04-13 04:51 . 2010-04-16 04:49 32768 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\UserData\index.dat
- 2010-04-13 04:51 . 2010-04-15 04:08 32768 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\UserData\index.dat
+ 2010-04-15 10:04 . 2010-04-15 10:04 50545 c:\windows\System32\config\systemprofile\AppData\Roaming\Adobe\Acrobat\8.0\UserCache.bin
+ 2010-04-15 08:07 . 2010-04-15 15:48 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012010041520100416\index.dat
- 2010-04-14 18:43 . 2010-04-14 21:20 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012010041420100415\index.dat
+ 2010-04-14 18:43 . 2010-04-15 06:03 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012010041420100415\index.dat
- 2008-09-02 05:58 . 2010-04-15 03:42 49152 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2008-09-02 05:58 . 2010-04-16 05:45 49152 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-11-28 06:02 . 2010-04-16 05:34 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-11-28 06:02 . 2010-04-15 02:23 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-11-28 06:02 . 2010-04-15 02:23 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-11-28 06:02 . 2010-04-16 05:34 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-11-28 06:02 . 2010-04-16 05:34 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-11-28 06:02 . 2010-04-15 02:23 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2008-11-13 05:56 . 2010-04-15 02:22 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2008-11-13 05:56 . 2010-04-16 05:33 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2008-11-13 05:56 . 2010-04-16 05:33 32768 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2008-11-13 05:56 . 2010-04-15 02:22 32768 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2008-11-13 05:56 . 2010-04-16 05:33 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2008-11-13 05:56 . 2010-04-15 02:22 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2010-04-16 04:34 . 2010-04-16 04:34 65024 c:\windows\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe
+ 2010-04-16 04:34 . 2010-04-16 04:34 18944 c:\windows\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe
+ 2010-04-16 03:01 . 2010-04-16 03:01 27494 c:\windows\61D3AAE1D5214CD7939B37813DE8F955.TMP\WiseCustomCall.dll
+ 2010-04-16 05:45 . 2010-04-16 05:45 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2010-04-15 02:21 . 2010-04-15 02:21 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2010-04-16 05:45 . 2010-04-16 05:45 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2010-04-15 02:21 . 2010-04-15 02:21 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2010-04-16 04:34 . 2010-04-16 04:34 5120 c:\windows\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF16.exe
+ 2008-03-31 19:57 . 2010-04-15 05:14 301692 c:\windows\System32\WDI\SuspendPerformanceDiagnostics_SystemData_S3.bin
- 2006-11-02 10:33 . 2010-04-15 03:48 623744 c:\windows\System32\perfh009.dat
+ 2006-11-02 10:33 . 2010-04-16 05:39 623744 c:\windows\System32\perfh009.dat
- 2006-11-02 10:33 . 2010-04-15 03:48 108712 c:\windows\System32\perfc009.dat
+ 2006-11-02 10:33 . 2010-04-16 05:39 108712 c:\windows\System32\perfc009.dat
+ 2010-04-16 00:16 . 2009-09-23 23:10 207280 c:\windows\System32\drivers\PCTCore.sys
+ 2010-04-16 00:16 . 2010-04-16 00:16 228352 c:\windows\Installer\6e55a4.msi
+ 2010-04-16 03:01 . 2010-04-16 03:01 130193 c:\windows\61D3AAE1D5214CD7939B37813DE8F955.TMP\WiseCustomCalla4.dll
+ 2010-04-16 03:01 . 2010-04-16 03:01 130755 c:\windows\61D3AAE1D5214CD7939B37813DE8F955.TMP\WiseCustomCalla3.dll
+ 2010-04-16 03:01 . 2010-04-16 03:01 130112 c:\windows\61D3AAE1D5214CD7939B37813DE8F955.TMP\WiseCustomCalla2.dll
+ 2010-04-16 00:35 . 2010-04-16 00:35 131991 c:\windows\61D3AAE1D5214CD7939B37813DE8F955.TMP\WiseCustomCalla11.exe
+ 2010-04-16 03:01 . 2010-04-16 03:01 131991 c:\windows\61D3AAE1D5214CD7939B37813DE8F955.TMP\WiseCustomCalla11.dll
+ 2010-04-16 03:01 . 2010-04-16 03:01 131039 c:\windows\61D3AAE1D5214CD7939B37813DE8F955.TMP\WiseCustomCalla.exe
+ 2006-11-02 10:22 . 2010-04-16 02:54 6553600 c:\windows\System32\SMI\Store\Machine\schema.dat
- 2006-11-02 10:22 . 2010-03-12 09:02 6553600 c:\windows\System32\SMI\Store\Machine\schema.dat
+ 2008-09-02 05:58 . 2010-04-16 05:45 1114112 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2010-04-16 04:34 . 2010-04-16 04:34 1583616 c:\windows\Installer\2b6654.msi
+ 2009-05-04 10:00 . 2010-04-16 00:16 244561557 c:\windows\winsxs\ManifestCache\6.0.6002.18005_001c11ba_blobs.bin
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\AOLOverlayIcon]
@="{AB0C8BE3-041C-47d6-8195-E089D32B38DD}"
[HKEY_CLASSES_ROOT\CLSID\{AB0C8BE3-041C-47d6-8195-E089D32B38DD}]
2008-02-03 00:27 303104 ------w- c:\ddi\OverIcon.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-03-21 213936]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-04-01 2010864]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="RtHDVCpl.exe" [2008-01-23 4718592]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2008-02-23 122880]
"nmctxth"="c:\program files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2008-12-13 642856]
"nmapp"="c:\program files\Pure Networks\Network Magic\nmapp.exe" [2010-02-07 467240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"GrpConv"="grpconv -o" [X]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\VESWinlogon]
2007-08-15 03:05 98304 ------w- c:\windows\System32\VESWinlogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^AOLDDI.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\AOLDDI.lnk
backup=c:\windows\pss\AOLDDI.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=c:\windows\pss\QuickBooks Update Agent.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^Users^wifey^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\users\wifey\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnk.Startup
backupExtension=.Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-03-24 18:17 952768 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-04-02 18:05 40368 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AnyDVD]
2005-06-04 14:57 456192 ----a-w- c:\program files\SlySoft\AnyDVD\AnyDVD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
2009-05-21 05:01 177472 ----a-w- c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray.exe]
2008-01-21 02:25 125952 ----a-w- c:\windows\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2008-02-05 00:08 154136 ------w- c:\windows\System32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2008-02-05 00:09 141848 ------w- c:\windows\System32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISBMgr.exe]
2007-11-21 19:38 311296 ----a-w- c:\program files\Sony\ISB Utility\ISBMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM]
2006-03-21 00:34 213936 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-07-13 22:03 292128 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 17:50 155648 ----a-w- c:\windows\System32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
2008-02-05 00:08 137752 ------w- c:\windows\System32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-05-27 00:18 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VAIO Help and Support Demo]
2007-08-28 00:54 290816 ----a-w- c:\program files\Sony\VAIO Help and Support Demo\LaunchVHSD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VWLASU]
2008-02-19 18:25 24576 ----a-w- c:\program files\Sony\VAIO Wireless Wizard\AutoLaunchWLASU.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
2008-01-21 02:23 1008184 ----a-w- c:\program files\Windows Defender\MSASCui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
2008-01-21 02:25 202240 ----a-w- c:\program files\Windows Media Player\wmpnscfg.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"SpybotSD TeaTimer"=c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):19,aa,ed,64,24,40,ca,01

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-3845372723-740370850-32063010-1000]
"EnableNotifications"=dword:00000001
"EnableNotificationsRef"=dword:00000002

R0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [2010-02-02 51984]
R0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [2010-02-02 59664]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2010-02-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2010-02-17 66632]
R3 pctplsg;pctplsg;c:\windows\System32\drivers\pctplsg.sys [2010-02-05 70408]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2010-02-17 12872]
R3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2009-12-09 365280]
R3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [2010-02-02 33552]
R3 ThreatFire;ThreatFire;c:\program files\Spyware Doctor\TFEngine\TFService.exe service [x]
R3 ti21sony;ti21sony;c:\windows\system32\drivers\ti21sony.sys [2007-06-06 812544]
S0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-09-23 207280]
S1 CloneCD;CloneCD I/O Driver; [x]
S1 pctgntdi;pctgntdi;c:\windows\System32\drivers\pctgntdi.sys [2010-02-05 233136]
S3 SFEP;Sony Firmware Extension Parser;c:\windows\system32\DRIVERS\SFEP.sys [2007-12-17 9344]


--- Other Services/Drivers In Memory ---

*NewlyCreated* - ECACHE

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.cnn.com/
uInternet Settings,ProxyOverride = *.local
IE: &Download All with FlashGet - c:\program files\FlashGet\jc_all.htm
IE: &Download with FlashGet - c:\program files\FlashGet\jc_link.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
LSP: c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll
FF - ProfilePath - c:\users\wifey\AppData\Roaming\Mozilla\Firefox\Profiles\kt8masj4.default\
FF - prefs.js: browser.startup.homepage - hxxps://www.google.com/accounts/ServiceLogin?service=mail&passive=true&rm=false&continue=http%3A%2F%2Fmail.google.com%2Fmail%2F%3Fui%3Dhtml%26zy%3Dl&bsv=zpwhtygjntrz&scc=1<mpl=default<mplcache=2
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - ORPHANS REMOVED - - - -

HKLM-RunOnce-<NO NAME> - (no file)

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-15 22:58
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys PCTCore.sys acpi.sys hal.dll >>UNKNOWN [0x8555CAC8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0x8a7abd24
\Driver\ACPI -> acpi.sys @ 0x828c8d68
\Driver\atapi -> ataport.SYS @ 0x82ad4a2c
\Driver\iaStor -> iaStor.sys @ 0x82a13c1a
IoDeviceObjectType ->\Device\Harddisk0\DR0 ->user & kernel MBR OK

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3845372723-740370850-32063010-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\. 1 2 2 @ N+Y»YP[
Nè•›OºN©sPN\OpenWithList]
@Class="Shell"

[HKEY_USERS\S-1-5-21-3845372723-740370850-32063010-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*1*7*8*@*ëmqNŒN÷SR—q\U0d0M0]
@Class="Shell"
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-3845372723-740370850-32063010-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*1*7*8*@*ëmqNŒN÷SR—q\U0d0M0\OpenWithList]
@Class="Shell"

[HKEY_USERS\S-1-5-21-3845372723-740370850-32063010-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*1*7*8*@*R‘•Na0j00\OpenWithList]
@Class="Shell"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(1580)
c:\ddi\overicon.dll
c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll
c:\program files\Pure Networks\Network Magic\nmrsrc.dll
.
Completion time: 2010-04-15 23:01:19
ComboFix-quarantined-files.txt 2010-04-16 06:01
ComboFix2.txt 2010-04-15 22:12
ComboFix3.txt 2010-04-15 04:12

Pre-Run: 68,335,673,344 bytes free
Post-Run: 68,232,130,560 bytes free

- - End Of File - - 71B266B14547F8C1F04401047E5FCC6D



#2
April 15, 2010 at 23:36:50
Somehow ComboFix does not crash now in normal mode. Here is the file. Thanks.

ComboFix 10-04-15.02 - wifey 04/15/2010 23:16:32.5.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3062.2087 [GMT -7:00]
Running from: c:\users\wifey\Desktop\ComboFix.exe
SP: Lavasoft Ad-Watch Live! *disabled* (Updated) {67844DAE-4F77-4D69-9457-98E8CFFDAA22}
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((( Files Created from 2010-03-16 to 2010-04-16 )))))))))))))))))))))))))))))))
.

2010-04-16 06:26 . 2010-04-16 06:26 -------- d-----w- c:\users\wifey\AppData\Local\temp
2010-04-16 06:26 . 2010-04-16 06:26 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-04-16 06:26 . 2010-04-16 06:26 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-04-16 06:26 . 2010-04-16 06:26 -------- d-----w- c:\users\Administrator\AppData\Local\temp
2010-04-16 04:41 . 2010-04-16 04:41 52224 ----a-w- c:\users\wifey\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-04-16 04:41 . 2010-04-16 04:41 117760 ----a-w- c:\users\wifey\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-04-16 04:40 . 2010-04-16 04:40 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2010-04-16 04:34 . 2010-04-16 04:34 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-04-16 04:34 . 2010-04-16 04:34 -------- d-----w- c:\users\wifey\AppData\Roaming\SUPERAntiSpyware.com
2010-04-16 00:16 . 2010-04-16 00:19 -------- d-----w- c:\program files\Common Files\PC Tools
2010-04-16 00:16 . 2010-04-16 00:16 -------- d-----w- c:\users\wifey\AppData\Roaming\PC Tools
2010-04-16 00:04 . 2010-04-16 06:04 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-04-16 00:04 . 2010-04-16 05:17 -------- d-----w- c:\programdata\Hitman Pro
2010-04-16 00:04 . 2010-04-16 00:04 -------- d-----w- c:\program files\Hitman Pro 3.5
2010-04-13 03:39 . 2010-04-13 03:39 -------- d-----w- c:\users\wifey\AppData\Roaming\Malwarebytes
2010-04-13 03:39 . 2010-03-30 07:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-13 03:38 . 2010-04-13 03:38 -------- d-----w- c:\programdata\Malwarebytes
2010-04-13 03:38 . 2010-04-13 03:39 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-13 03:38 . 2010-03-30 07:45 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-13 02:16 . 2010-04-13 02:16 -------- d-----w- c:\users\wifey\AppData\Roaming\AFF092EC7ED4D632DE9F2CB24D2A366F
2010-04-08 05:17 . 2010-04-11 22:22 -------- d-----w- c:\windows\system32\Adobe
2010-04-07 18:48 . 2004-05-18 18:16 39936 ----a-w- c:\windows\system32\huffyuv.dll
2010-04-07 18:48 . 2004-01-25 16:18 217088 ----a-w- c:\windows\system32\yv12vfw.dll
2010-04-07 18:48 . 1997-04-07 17:19 391680 ----a-w- c:\windows\system32\I263_32.drv
2010-04-07 18:48 . 2009-07-29 06:35 2378752 ----a-w- c:\windows\system32\x264vfw.dll
2010-04-07 18:48 . 2004-12-10 08:03 438272 ----a-w- c:\windows\system32\vp6vfw.dll
2010-04-07 18:48 . 2009-05-29 21:37 205824 ----a-w- c:\windows\system32\xvidvfw.dll
2010-04-07 18:48 . 2009-05-29 21:31 881664 ----a-w- c:\windows\system32\xvidcore.dll
2010-04-07 18:48 . 2009-07-14 00:15 90112 ----a-w- c:\windows\system32\dpl100.dll
2010-04-07 18:48 . 2009-07-14 00:15 685056 ----a-w- c:\windows\system32\divx.dll
2010-04-07 18:48 . 2008-11-06 16:37 3596288 ----a-w- c:\windows\system32\qt-dx331.dll
2010-04-07 18:47 . 2010-03-14 18:00 85504 ----a-w- c:\windows\system32\ff_vfw.dll
2010-04-07 18:47 . 2010-04-07 18:49 -------- d-----w- c:\program files\K-Lite Codec Pack
2010-03-28 01:57 . 2010-04-09 04:43 -------- d-----w- C:\CL Video
2010-03-24 21:22 . 2010-03-24 21:22 -------- d-----w- c:\users\wifey\AppData\Roaming\dvdcss
2010-03-24 08:04 . 2010-03-24 18:17 952768 ----a-w- c:\programdata\Adobe\Reader\8.2\ARM\25371\AdobeARM.exe
2010-03-24 08:04 . 2010-03-24 18:17 70584 ----a-w- c:\programdata\Adobe\Reader\8.2\ARM\25371\AdobeExtractFiles.dll
2010-03-24 08:04 . 2010-03-24 18:17 326056 ----a-w- c:\programdata\Adobe\Reader\8.2\ARM\25371\ReaderUpdater.exe
2010-03-24 08:04 . 2010-03-24 18:17 326056 ----a-w- c:\programdata\Adobe\Reader\8.2\ARM\25371\AcrobatUpdater.exe
2010-03-22 21:56 . 2010-03-22 21:56 -------- d-----w- c:\program files\Dora The Explorer

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-16 05:43 . 2010-04-16 00:16 -------- d-----w- c:\program files\Spyware Doctor
2010-04-16 04:34 . 2010-04-16 00:35 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-04-16 03:02 . 2009-06-17 02:34 -------- d-----w- c:\program files\Elementary Phonics
2010-04-16 01:05 . 2010-04-16 00:16 -------- d-----w- c:\programdata\PC Tools
2010-04-16 00:36 . 2010-04-16 00:36 -------- d-----w- c:\program files\Enigma Software Group
2010-04-15 21:56 . 2008-09-05 20:38 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-04-15 21:54 . 2008-09-06 08:11 -------- d-----w- c:\program files\Lavasoft
2010-04-15 21:47 . 2008-09-06 08:11 -------- d-----w- c:\programdata\Lavasoft
2010-04-15 18:55 . 2008-12-05 20:38 -------- d-----w- c:\users\wifey\AppData\Roaming\Azureus
2010-04-14 04:13 . 2008-12-05 20:37 -------- d-----w- c:\program files\Vuze
2010-04-04 23:47 . 2009-06-14 03:13 -------- d-----w- c:\users\wifey\AppData\Roaming\CopyToDvd
2010-04-04 23:47 . 2009-03-30 02:55 -------- d-----w- c:\users\wifey\AppData\Roaming\Vso
2010-03-24 22:24 . 2010-02-24 06:23 -------- d-----w- c:\users\wifey\AppData\Roaming\vlc
2010-03-11 17:12 . 2008-04-29 12:34 -------- d-----w- c:\programdata\Microsoft Help
2010-02-24 17:16 . 2009-10-03 19:57 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-20 23:06 . 2010-03-11 08:35 24064 ----a-w- c:\windows\system32\nshhttp.dll
2010-02-20 23:05 . 2010-03-11 08:35 30720 ----a-w- c:\windows\system32\httpapi.dll
2010-02-20 20:53 . 2010-03-11 08:35 411648 ----a-w- c:\windows\system32\drivers\http.sys
2010-02-17 07:24 . 2008-03-31 18:07 -------- d-----w- c:\program files\Common Files\Adobe
2010-02-16 05:05 . 2009-06-17 05:51 -------- d-----w- c:\program files\Middle School Vocabulary
2010-02-10 17:13 . 2009-11-29 09:01 165376 ----a-w- c:\windows\system32\unrar.dll
2010-02-07 07:23 . 2008-09-02 06:01 80696 ----a-w- c:\users\wifey\AppData\Local\GDIPFONTCACHEV1.DAT
2010-02-07 04:58 . 2009-05-03 23:01 8673792 ----a-w- c:\programdata\atscie.msi
2010-02-05 16:25 . 2010-04-16 00:16 70408 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2010-02-05 16:18 . 2010-04-16 00:16 100136 ----a-w- c:\windows\system32\drivers\pctwfpfilter.sys
2010-02-05 16:17 . 2010-04-16 00:16 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2010-02-02 17:13 . 2010-04-16 01:05 59664 --s---w- c:\windows\system32\drivers\TfSysMon.sys
2010-02-02 17:13 . 2010-04-16 01:05 51984 --s---w- c:\windows\system32\drivers\TfFsMon.sys
2010-02-02 17:13 . 2010-04-16 01:05 33552 --s---w- c:\windows\system32\drivers\TfNetMon.sys
2010-01-23 19:00 . 2010-01-23 19:00 10686001 ----a-w- c:\users\wifey\AppData\Roaming\Azureus\plugins\azump\mplayer.exe
2010-01-23 09:26 . 2010-03-05 19:38 2048 ----a-w- c:\windows\system32\tzres.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\AOLOverlayIcon]
@="{AB0C8BE3-041C-47d6-8195-E089D32B38DD}"
[HKEY_CLASSES_ROOT\CLSID\{AB0C8BE3-041C-47d6-8195-E089D32B38DD}]
2008-02-03 00:27 303104 ------w- c:\ddi\OverIcon.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-03-21 213936]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-04-01 2010864]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="RtHDVCpl.exe" [2008-01-23 4718592]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2008-02-23 122880]
"nmctxth"="c:\program files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2008-12-13 642856]
"nmapp"="c:\program files\Pure Networks\Network Magic\nmapp.exe" [2010-02-07 467240]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\VESWinlogon]
2007-08-15 03:05 98304 ------w- c:\windows\System32\VESWinlogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^AOLDDI.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\AOLDDI.lnk
backup=c:\windows\pss\AOLDDI.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=c:\windows\pss\QuickBooks Update Agent.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^Users^wifey^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\users\wifey\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnk.Startup
backupExtension=.Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-03-24 18:17 952768 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-04-02 18:05 40368 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AnyDVD]
2005-06-04 14:57 456192 ----a-w- c:\program files\SlySoft\AnyDVD\AnyDVD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
2009-05-21 05:01 177472 ----a-w- c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray.exe]
2008-01-21 02:25 125952 ----a-w- c:\windows\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2008-02-05 00:08 154136 ------w- c:\windows\System32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2008-02-05 00:09 141848 ------w- c:\windows\System32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISBMgr.exe]
2007-11-21 19:38 311296 ----a-w- c:\program files\Sony\ISB Utility\ISBMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM]
2006-03-21 00:34 213936 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-07-13 22:03 292128 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 17:50 155648 ----a-w- c:\windows\System32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
2008-02-05 00:08 137752 ------w- c:\windows\System32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-05-27 00:18 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VAIO Help and Support Demo]
2007-08-28 00:54 290816 ----a-w- c:\program files\Sony\VAIO Help and Support Demo\LaunchVHSD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VWLASU]
2008-02-19 18:25 24576 ----a-w- c:\program files\Sony\VAIO Wireless Wizard\AutoLaunchWLASU.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
2008-01-21 02:23 1008184 ----a-w- c:\program files\Windows Defender\MSASCui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
2008-01-21 02:25 202240 ----a-w- c:\program files\Windows Media Player\wmpnscfg.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"SpybotSD TeaTimer"=c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):19,aa,ed,64,24,40,ca,01

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-3845372723-740370850-32063010-1000]
"EnableNotifications"=dword:00000001
"EnableNotificationsRef"=dword:00000002

R3 pctplsg;pctplsg;c:\windows\System32\drivers\pctplsg.sys [2010-02-05 70408]
R3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2009-12-09 365280]
R3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [2010-02-02 33552]
R3 ThreatFire;ThreatFire;c:\program files\Spyware Doctor\TFEngine\TFService.exe service [x]
S0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-09-23 207280]
S0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [2010-02-02 51984]
S0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [2010-02-02 59664]
S1 CloneCD;CloneCD I/O Driver; [x]
S1 pctgntdi;pctgntdi;c:\windows\System32\drivers\pctgntdi.sys [2010-02-05 233136]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2010-02-17 12872]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2010-02-17 66632]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2010-02-17 12872]
S3 SFEP;Sony Firmware Extension Parser;c:\windows\system32\DRIVERS\SFEP.sys [2007-12-17 9344]
S3 ti21sony;ti21sony;c:\windows\system32\drivers\ti21sony.sys [2007-06-06 812544]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder

2010-04-16 c:\windows\Tasks\Hitman Pro 3.5 Boot Task.job
- c:\program files\Hitman Pro 3.5\HitmanPro35.exe [2010-04-16 00:04]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.cnn.com/
uInternet Settings,ProxyOverride = *.local
IE: &Download All with FlashGet - c:\program files\FlashGet\jc_all.htm
IE: &Download with FlashGet - c:\program files\FlashGet\jc_link.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
LSP: c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll
FF - ProfilePath - c:\users\wifey\AppData\Roaming\Mozilla\Firefox\Profiles\kt8masj4.default\
FF - prefs.js: browser.startup.homepage - hxxps://www.google.com/accounts/ServiceLogin?service=mail&passive=true&rm=false&continue=http%3A%2F%2Fmail.google.com%2Fmail%2F%3Fui%3Dhtml%26zy%3Dl&bsv=zpwhtygjntrz&scc=1&ltmpl=default&ltmplcache=2
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-15 23:26
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys PCTCore.sys acpi.sys hal.dll >>UNKNOWN [0x85557AC8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0x8a7abd24
\Driver\ACPI -> acpi.sys @ 0x828cfd68
\Driver\atapi -> ataport.SYS @ 0x82ad9a2c
\Driver\iaStor -> iaStor.sys @ 0x82a18c1a
IoDeviceObjectType ->\Device\Harddisk0\DR0 ->user & kernel MBR OK

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3845372723-740370850-32063010-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\. 1 2 2 @ N+Y»YP[
Nè•›OºN©sPN\OpenWithList]
@Class="Shell"

[HKEY_USERS\S-1-5-21-3845372723-740370850-32063010-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*1*7*8*@*ëmqNŒN÷SR—q\U0d0M0]
@Class="Shell"
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-3845372723-740370850-32063010-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*1*7*8*@*ëmqNŒN÷SR—q\U0d0M0\OpenWithList]
@Class="Shell"

[HKEY_USERS\S-1-5-21-3845372723-740370850-32063010-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*1*7*8*@*R‘•Na0j00\OpenWithList]
@Class="Shell"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(2812)
c:\ddi\overicon.dll
c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll
c:\program files\Pure Networks\Network Magic\nmrsrc.dll
.
Completion time: 2010-04-15 23:30:47
ComboFix-quarantined-files.txt 2010-04-16 06:30
ComboFix2.txt 2010-04-16 06:01
ComboFix3.txt 2010-04-15 22:12
ComboFix4.txt 2010-04-15 04:12

Pre-Run: 65,135,931,392 bytes free
Post-Run: 65,091,391,488 bytes free

- - End Of File - - D7D8B779F48CC58AC1F9390B013B4971
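A small triage script for logs in the format posted in this thread, added here as an example; it is not code from the thread, from ComboFix or from Gmer. It pulls out the items a responder checks first in a ComboFix log: the `EnableLUA` policy value, autorun values without a fully qualified path, R*/S* service and driver lines marked `[x]` (image file not found), any Winsock LSP line, and an `>>UNKNOWN [...]<<` entry in Gmer's "called modules" chain. The `SAMPLE_LOG` embedded in it is a constructed excerpt that mirrors a few of the lines above, not the full log, and the regexes (`SERVICE_RE`, `RUN_VALUE_RE`, `LUA_RE`, `UNKNOWN_RE`) are my reading of the log format, not a ComboFix specification. The output is a list of findings to review; none of them is proof of infection on its own.

```python
"""Triage helper for ComboFix logs in the format posted above.

Added example; not code from the thread, from ComboFix or from Gmer. It scans
a log for the indicators a responder looks at first and returns them as
Finding records for review. Nothing here is proof of infection on its own.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    severity: str   # "high", "medium" or "info"
    category: str   # "policy", "autorun", "service", "lsp" or "rootkit"
    detail: str


# Service/driver lines in the "Reg Loading Points" section, e.g.
#   S0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-09-23 207280]
#   S1 CloneCD;CloneCD I/O Driver; [x]          <- "[x]": image file not found
SERVICE_RE = re.compile(r"^([RS]\d) ([^;]+);([^;]*);(.*?) \[([^\]]*)\][ \t]*$", re.M)
RUN_VALUE_RE = re.compile(r'^"([^"]+)"="([^"]*)"')
LSP_RE = re.compile(r"^LSP: (.+)$", re.M)
LUA_RE = re.compile(r'^"EnableLUA"=\s*0\b', re.M)
# Gmer's MBR check prints the drivers in the disk I/O call chain; an entry it
# cannot attribute to a loaded module is printed as >>UNKNOWN [address]<<.
UNKNOWN_RE = re.compile(r"called modules:.*?>>UNKNOWN \[(0x[0-9A-Fa-f]+)\]<<")


def parse_services(text):
    """(start_type, name, image_path, image_missing) for every R*/S* line."""
    return [(m.group(1), m.group(2), m.group(4).strip(), m.group(5).strip() == "x")
            for m in SERVICE_RE.finditer(text)]


def parse_autoruns(text):
    """(key, value_name, command) for values under any ...\\CurrentVersion\\Run key."""
    out, key = [], None
    for line in text.splitlines():
        if line.startswith("["):                      # new registry key header
            key = line.strip("[]") if line.lower().rstrip("]").endswith("\\run") else None
        elif key and line.startswith('"'):
            m = RUN_VALUE_RE.match(line)
            if m:
                out.append((key, m.group(1), m.group(2)))
    return out


def triage(text):
    """Return the list of Findings for one ComboFix log, in section order."""
    findings = []
    if LUA_RE.search(text):
        findings.append(Finding("medium", "policy", "EnableLUA=0: User Account Control is disabled"))
    for key, name, cmd in parse_autoruns(text):
        if not re.match(r"[a-z]:\\", cmd, re.I):      # bare file name: resolved by PATH search order
            findings.append(Finding("info", "autorun", f"{name} in {key} has no fully qualified path: {cmd!r}"))
    for start, name, path, missing in parse_services(text):
        if missing:
            findings.append(Finding("medium", "service", f"{start} {name}: image file not found ({path or 'no path'})"))
    for m in LSP_RE.finditer(text):
        findings.append(Finding("info", "lsp", f"Winsock LSP installed: {m.group(1).strip()}"))
    m = UNKNOWN_RE.search(text)
    if m:
        findings.append(Finding("high", "rootkit", f"Gmer: unattributed module at {m.group(1)} in the disk I/O call chain"))
    return findings


# Constructed sample that mirrors a few lines from the log above (not the full log).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="RtHDVCpl.exe" [2008-01-23 4718592]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2008-02-23 122880]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)

R3 ThreatFire;ThreatFire;c:\program files\Spyware Doctor\TFEngine\TFService.exe service [x]
S0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-09-23 207280]
S1 CloneCD;CloneCD I/O Driver; [x]

LSP: c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll

called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys PCTCore.sys acpi.sys hal.dll >>UNKNOWN [0x85557AC8]<<
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:>6}] {f.category:<8} {f.detail}")
```

Run it against a saved ComboFix.txt by replacing `SAMPLE_LOG` with the file contents. Only the `>>UNKNOWN` entry of the Gmer section is flagged; the named `\Driver\... -> ...` dispatch lines are left for manual comparison against a known-clean machine of the same build, since their addresses alone say nothing.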

