Vundo! Been fighting it for 4 days!

April 14, 2009 at 16:09:02
Specs: Windows XP
My computer has been infected with the Vundo trojan for the past few days. It's really annoying me... Google doesn't work, numerous pop-ups, and my system is running quite slow.

I've been using Malwarebytes and PC Tools Spyware Doctor, both in free versions. I've run scans so many times already and the programs always find infections and "clean" them out.

But despite this, my computer is still infected! In fact, even when I run a scan right after finishing one, the program still comes up with, like, 14 infections.

I also used CCleaner to check the registry for errors and it always finds at least one issue, which it describes as ActiveX/COM Issue. It always involves some .dll with odd names like puteskepi or varayihe. These strange .dll files also show up in the startup menu listing in CCleaner. Despite deleting them from the list using CCleaner, they still restore themselves on reboot.

Since nothing was working, I downloaded HijackThis. I would post the logfile, but apparently I am supposed to wait for a professional to ask for it...

Please help~! The semester is nearly over at my uni and I have papers to write~




#1
April 14, 2009 at 16:52:16
Please post your HijackThis log.


#2
April 14, 2009 at 17:21:07
Your infections may be in System Restore. I would suggest turning it off and scanning in Safe Mode; that should rectify your problem.
Also, here is a free Vundo remover; it will save you lots of time:
http://www.symantec.com/security_re...

Some HELP in posting on Computing.net plus free progs and instructions Cheers



#3
April 14, 2009 at 17:51:25
If you purge system restore at this phase of the removal of the trojan you will not have a back-up of your system if a problem comes up. Purging system restore should be done after the baddies are removed and some other scans have been done to verify that they have been eradicated.


#4
April 14, 2009 at 18:23:04
The reason I mentioned turning off System Restore is because the problems recur after a reboot, and from my experience that is usually a good sign of where the infection(s) are located.



#5
April 15, 2009 at 17:30:00
Thanks for the responses. Here is the logfile, after running Malwarebytes and CCleaner (again), SUPERAntiSpyware, and Avast. Basically, I followed the eight-step plan from Techspot (and yes, I disabled whatever programs were running in real time to avoid conflicts).
______

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:23:46 PM, on 4/15/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\PROGRA~1\PHAROS~1\Core\CTskMstr.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\Drivers\WTSRV.EXE
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\HPQ\Shared\HPQTOA~1.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\WTClient.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\WISPTIS.EXE
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Hp\Digital Imaging\bin\hpqtra08.exe
C:\Documents and Settings\Winter\Desktop\Start\yzdock83\YzDock.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Mozilla Firefox\firefox.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?T...
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~4\Office12\GRA8E1~1.DLL
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe
O4 - HKLM\..\Run: [Reminder] C:\Windows\CREATOR\Remind_XP.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [WTClient] WTClient.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [DXDllRegExe] dxdllreg.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [65c4b349] rundll32.exe "C:\WINDOWS\system32\jejuvusu.dll",b
O4 - HKLM\..\Run: [CPM66f780d5] Rundll32.exe "c:\windows\system32\gahehuje.dll",a
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [putesakapi] Rundll32.exe "C:\WINDOWS\system32\winuzigo.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [putesakapi] Rundll32.exe "C:\WINDOWS\system32\winuzigo.dll",s (User 'NETWORK SERVICE')
O4 - .DEFAULT User Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe (User 'Default user')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Startup: Shortcut to YzDock.lnk = C:\Documents and Settings\Winter\Desktop\Start\yzdock83\YzDock.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hp\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: VPN Client.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\system32\shdocvw.dll
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q306&bd=presario&pf=laptop
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52...
O16 - DPF: {07E9CB47-7D1B-430A-B17C-A6B7459FCC5D} (SystemInfo Control) - http://global.lunia.com/lib/activex...
O16 - DPF: {0835BC90-6ABC-4F52-A103-4FC3A61F2C33} (A18X Control) - http://www.albatross18.com/season2/...
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - http://ipgweb.cce.hp.com/rdqnbk/dow...
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/re...
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/Div...
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/g...
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://zone.msn.com/bingame/chnz/de...
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramewo...
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/g...
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30155.www3.hp.com/ediags/hp...
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~4\Office12\GR99D3~1.DLL
O20 - AppInit_DLLs: c:\windows\system32\gahehuje.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: Sony SPTI Service for DVE (ICDSPTSV) - Sony Corporation - C:\WINDOWS\system32\IcdSptSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Pharos Systems ComTaskMaster - Pharos Systems International - C:\PROGRA~1\PHAROS~1\Core\CTskMstr.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: WinTab Service (WinTabService) - Tablet Driver - C:\WINDOWS\System32\Drivers\WTSRV.EXE

--
End of file - 11560 bytes



#6
April 15, 2009 at 18:52:21
Please download ComboFix to the desktop from one of the following links:

Link1

Link 2

Link 3

Rename the setup file, combofix.exe, before you download it. To do that, once the "enter name of file to save to" box appears as the download begins, rename combofix.exe to toolb.exe in the filename box, then click Save.

Combofix is a powerful tool so follow the instructions exactly or you could damage your computer.

Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with Combofix and remove some of its embedded files which may cause "unpredictable results".
Click on This Link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

In your case to run Combofix do the following:
1. Go offline, turn off your Avast antivirus, Spyware Doctor and any other antispyware that you may have. This must happen or Combofix will not remove Vundo.
2. Run Combofix by double-clicking the toolb.exe icon on your desktop and save its log.
3. Restart the computer to get the antivirus running again but leave the antispyware programs off until we get the computer cleaned.
4. Post the Combofix log.


Remember to re-enable the protection again afterwards before connecting to the Internet.



#7
April 15, 2009 at 19:21:43
Thanks for the response~!

Here's the log from Combofix:

ComboFix 09-04-15.08 - Winter 04/15/2009 22:12.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.758.372 [GMT -4:00]
Running from: c:\documents and settings\winter\Desktop\dl\toolb.exe
AV: avast! antivirus 4.8.1296 [VPS 090415-0] *On-access scanning disabled* (Updated)
FW: Norton Internet Worm Protection *disabled*
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\_000003_.tmp.dll
c:\windows\system32\_000005_.tmp.dll
c:\windows\system32\_000006_.tmp.dll
c:\windows\system32\_000008_.tmp.dll
c:\windows\system32\_000009_.tmp.dll
c:\windows\system32\_000025_.tmp.dll
c:\windows\system32\edijupal.ini
c:\windows\system32\usuvujej.ini
D:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2009-03-16 to 2009-04-16 )))))))))))))))))))))))))))))))
.

2009-04-15 22:51 . 2009-04-15 22:51 -------- d-----w c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-04-15 22:49 . 2009-04-15 22:49 -------- d-----w c:\program files\SUPERAntiSpyware
2009-04-15 22:49 . 2009-04-15 22:49 -------- d-----w c:\documents and settings\Winter\Application Data\SUPERAntiSpyware.com
2009-04-15 22:48 . 2009-04-15 22:48 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-04-14 22:18 . 2009-04-14 22:18 -------- d-----w c:\program files\Trend Micro
2009-04-14 14:31 . 2009-04-14 14:31 -------- d-sh--w c:\documents and settings\NetworkService\History
2009-04-14 14:31 . 2009-04-14 14:31 -------- d-sh--w c:\documents and settings\NetworkService\Temporary Internet Files
2009-04-11 23:07 . 2009-04-11 23:24 66952 ----a-w c:\windows\system32\drivers\iksysflt.sys
2009-04-11 23:07 . 2009-04-11 23:23 81288 ----a-w c:\windows\system32\drivers\iksyssec.sys
2009-04-11 23:07 . 2009-04-11 23:23 40840 ----a-w c:\windows\system32\drivers\ikfilesec.sys
2009-04-11 23:07 . 2008-06-02 19:19 29576 ----a-w c:\windows\system32\drivers\kcom.sys
2009-04-11 23:06 . 2009-04-15 10:48 -------- d-----w c:\program files\Spyware Doctor
2009-04-10 00:18 . 2009-04-10 00:18 -------- d-----w c:\windows\Internet Logs
2009-04-10 00:18 . 2008-03-29 21:36 106768 ----a-w c:\windows\system32\dneinobj.dll
2009-04-10 00:18 . 2008-03-29 21:36 125328 ----a-w c:\windows\system32\drivers\dne2000.sys
2009-04-10 00:17 . 2009-04-10 00:17 -------- d-----w c:\program files\Common Files\Deterministic Networks
2009-04-10 00:17 . 2009-04-10 00:17 -------- d-----w c:\program files\Cisco Systems
2009-04-10 00:17 . 2009-04-10 00:18 1594 ----a-w c:\windows\VPNInstall.MIF
2009-04-08 22:52 . 2009-04-08 22:52 -------- d-----w c:\documents and settings\Winter\Local Settings\Application Data\vdownloader
2009-04-08 22:51 . 2009-04-08 22:51 -------- d-----w c:\program files\VDOWNLOADER

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-16 02:00 . 2007-04-05 22:37 -------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-04-16 00:22 . 2006-05-09 10:35 -------- d-----w c:\program files\Java
2009-04-16 00:08 . 2006-05-09 12:59 313 ----a-w C:\hpqp.ini
2009-04-16 00:08 . 2006-05-09 12:59 39 ----a-w C:\XP_TV.ini
2009-04-15 12:14 . 2008-09-07 21:55 -------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2009-04-14 08:18 . 2009-01-14 08:18 65024 --sha-w c:\windows\system32\zikewapo.exe
2009-04-14 08:18 . 2009-01-14 08:18 65024 --sha-w c:\windows\system32\zikewapo.exe
2009-04-14 01:04 . 2009-04-14 01:04 674 ----a-w C:\odee.txt
2009-04-13 11:38 . 2006-11-04 20:23 -------- d-----w c:\program files\CCleaner
2009-04-13 08:18 . 2009-01-13 08:17 63488 --sha-w c:\windows\system32\kewuziga.exe
2009-04-13 08:18 . 2009-01-13 08:17 63488 --sha-w c:\windows\system32\kewuziga.exe
2009-04-13 03:40 . 2009-04-13 03:40 318 ----a-w c:\program files\dvjqmiz.txt
2009-04-12 23:54 . 2009-04-12 23:54 1038 ----a-w c:\program files\mtitncp.txt
2009-04-12 20:17 . 2009-01-12 20:17 64000 --sha-w c:\windows\system32\suzeyiji.exe
2009-04-12 20:17 . 2009-01-12 20:17 64000 --sha-w c:\windows\system32\suzeyiji.exe
2009-04-12 16:19 . 2009-04-12 16:19 1302 ----a-w C:\ganwbqmh.txt
2009-04-12 15:28 . 2008-09-08 03:02 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-12 08:17 . 2009-01-12 08:17 62976 --sha-w c:\windows\system32\pupamawe.exe
2009-04-12 08:17 . 2009-01-12 08:17 62976 --sha-w c:\windows\system32\pupamawe.exe
2009-04-11 20:17 . 2009-01-11 20:17 62976 --sha-w c:\windows\system32\tuzakamu.exe
2009-04-11 20:17 . 2009-01-11 20:17 62976 --sha-w c:\windows\system32\tuzakamu.exe
2009-04-11 08:16 . 2009-01-11 08:16 64512 --sha-w c:\windows\system32\luwevubi.exe
2009-04-11 08:16 . 2009-01-11 08:16 64512 --sha-w c:\windows\system32\luwevubi.exe
2009-04-06 19:32 . 2008-09-08 03:02 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 19:32 . 2008-09-08 03:02 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-03-27 07:45 . 2006-09-04 03:04 166936 ----a-w c:\documents and settings\Winter\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-03-15 18:28 . 2009-01-18 20:15 -------- d-----w c:\program files\Opera
2009-03-09 09:19 . 2008-11-28 05:59 410984 ----a-w c:\windows\system32\deploytk.dll
2009-02-21 04:37 . 2009-01-17 19:07 -------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-02-15 07:00 . 2008-02-03 17:59 -------- d-----w c:\program files\Acro Software
2009-02-15 06:55 . 2008-10-27 04:06 -------- d-----w c:\program files\FlashGet
2009-02-15 06:55 . 2008-08-31 18:44 -------- d-----w c:\program files\Mozilla Sunbird
2009-02-15 06:50 . 2009-01-08 03:32 -------- d-----w c:\program files\Cave Story Deluxe
2009-02-15 06:45 . 2006-05-09 10:35 -------- d--h--w c:\program files\InstallShield Installation Information
2009-02-15 06:33 . 2009-01-04 07:38 -------- d-----w c:\program files\Unity
2009-01-17 19:18 . 2009-01-17 19:18 10752 ----a-w c:\windows\system32\PSS62FB5.DLL
2007-06-05 21:06 . 2007-02-03 05:27 1116 ----a-w c:\documents and settings\Winter\Application Data\wklnhst.dat
2006-09-28 21:19 . 2006-09-10 13:41 28672 ----a-w c:\documents and settings\Winter\atwbxdet.dll
2006-09-04 03:06 . 2006-09-04 03:04 137 ----a-w c:\documents and settings\Winter\Local Settings\Application Data\fusioncache.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"AdobeUpdater"="c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2007-03-01 2321600]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-03-23 1830128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2006-02-15 454656]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-04 761948]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2006-04-12 102400]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 81920]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-03-07 131072]
"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2006-02-22 40960]
"RecGuard"="c:\windows\SMINST\RecGuard.exe" [2005-10-11 1187840]
"Reminder"="c:\windows\CREATOR\Remind_XP.exe" [2006-02-09 643072]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-11-03 282624]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-01-13 131072]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-01-13 163840]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-01-13 135168]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd.exe" [2003-08-04 49152]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-11-26 81000]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 241664]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" - c:\windows\system32\CHDAudPropShortcut.exe [2006-04-18 61952]
"WTClient"="WTClient.exe" - c:\windows\system32\WTClient.exe [2007-04-11 40960]

c:\documents and settings\Winter\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 98632]
Shortcut to YzDock.lnk - c:\documents and settings\Winter\Desktop\Start\yzdock83\YzDock.exe [2003-6-3 386560]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\Hp\Digital Imaging\bin\hpqtra08.exe [2003-9-16 237568]
VPN Client.lnk - c:\windows\Installer\{A7091E1D-36A4-47F1-A739-173CC341414F}\Icon3E5562ED7.ico [2009-4-9 6144]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 16:05 356352 ----a-w c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"= c:\windows\system32\gahehuje.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.iv41"= ir41_32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2006-10-27 05:47 31016 ----a-w c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\mshta.exe"=
"c:\\Program Files\\Pharos\\bin\\PSNotify.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R0 ajcv;ajcv; [x]
R0 bzlubri;bzlubri; [x]
R0 cevuoc;cevuoc; [x]
R0 crts;crts; [x]
R0 eggfbh;eggfbh; [x]
R0 hfib;hfib; [x]
R0 skiqlfsj;skiqlfsj; [x]
R3 ICDUSB2;Sony IC Recorder (P);c:\windows\system32\Drivers\ICDUSB2.sys [2002-11-29 39048]
R3 PLUsbbc2;USB 2.0 Networking/Data Transfer Cable;c:\windows\system32\Drivers\usbbc2.sys [2003-05-07 8960]
R3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2008-06-13 356920]
R3 XDva158;XDva158; [x]
S1 aswSP;avast! Self Protection; [x]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2009-03-23 9968]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2009-03-23 72944]
S2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2008-11-26 20560]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-03-23 7408]


--- Other Services/Drivers In Memory ---

*NewlyCreated* - JAVAQUICKSTARTERSERVICE
*Deregistered* - mchInjDrv
.
Contents of the 'Scheduled Tasks' folder

2009-04-16 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-09-07 05:42]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-65c4b349 - c:\windows\system32\jejuvusu.dll
HKLM-Run-CPM66f780d5 - c:\windows\system32\gahehuje.dll
HKLM-Run-DXDllRegExe - dxdllreg.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q306&bd=presario&pf=laptop
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
Trusted Zone: aol.com\aimexpress
Trusted Zone: aol.com\my.screenname
Trusted Zone: aol.com\www
DPF: {07E9CB47-7D1B-430A-B17C-A6B7459FCC5D} - hxxp://global.lunia.com/lib/activex/SystemInfo_1_0_0_47.cab
FF - ProfilePath - c:\documents and settings\Winter\Application Data\Mozilla\Firefox\Profiles\inhf4ijv.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - www.google.com
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrab&query=
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npGoogleGadgetPluginFirefoxWin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-15 22:15
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe?????? ???@???????????????@? ???xc??????(?@???????@

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\mchInjDrv]
"ImagePath"="\??\c:\windows\TEMP\mc21.tmp"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1232)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
Completion time: 2009-04-16 22:17
ComboFix-quarantined-files.txt 2009-04-16 02:16

Pre-Run: 17,204,645,888 bytes free
Post-Run: 17,227,096,064 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

227 --- E O F --- 2008-12-19 08:00


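As an added example (not from the thread, and not code from the HijackThis or ComboFix authors), here is a small Python triage script that applies the indicators visible in the two logs posted above: O4 Run entries where rundll32 loads a DLL with a generated-looking name from system32, Run entries under the LOCAL SERVICE / NETWORK SERVICE hives, an AppInit_DLLs value, and ComboFix Find3M entries for system+hidden (`--sha-w`) executables in system32. The alternating consonant/vowel name heuristic and the sample log lines are constructed for this example.

```python
import ntpath
import re

# Constructed sample lines, modelled on the HijackThis log quoted above.
HJT_SAMPLE = r"""
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [65c4b349] rundll32.exe "C:\WINDOWS\system32\jejuvusu.dll",b
O4 - HKLM\..\Run: [CPM66f780d5] Rundll32.exe "c:\windows\system32\gahehuje.dll",a
O4 - HKUS\S-1-5-19\..\Run: [putesakapi] Rundll32.exe "C:\WINDOWS\system32\winuzigo.dll",s (User 'LOCAL SERVICE')
O20 - AppInit_DLLs: c:\windows\system32\gahehuje.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
"""

# Constructed sample lines, modelled on the ComboFix Find3M report quoted above
# (ComboFix printed each hidden executable twice, so the parser de-duplicates).
CF_SAMPLE = r"""
2009-04-14 08:18 . 2009-01-14 08:18 65024 --sha-w c:\windows\system32\zikewapo.exe
2009-04-14 08:18 . 2009-01-14 08:18 65024 --sha-w c:\windows\system32\zikewapo.exe
2009-04-13 08:18 . 2009-01-13 08:17 63488 --sha-w c:\windows\system32\kewuziga.exe
2009-04-06 19:32 . 2008-09-08 03:02 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-13 11:38 . 2006-11-04 20:23 -------- d-----w c:\program files\CCleaner
2009-03-09 09:19 . 2008-11-28 05:59 410984 ----a-w c:\windows\system32\deploytk.dll
"""

O4_LINE = re.compile(r"^O4 - (?P<hive>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O20_APPINIT = re.compile(r"^O20 - AppInit_DLLs: (?P<dll>.+)$")
RUNDLL = re.compile(r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+\.dll)"?', re.IGNORECASE)
# Run value names like 65c4b349 / CPM66f780d5 as seen in the thread's log.
HEX_NAME = re.compile(r"(?:CPM)?[0-9a-f]{8}")
# ComboFix file line: mtime . ctime size attrs path  (size is '--------' for dirs).
CF_LINE = re.compile(
    r"^(?P<mtime>\S+ \S+) \. (?P<ctime>\S+ \S+) (?P<size>\S+) (?P<attrs>[-a-z]{7}) (?P<path>.+)$"
)
SERVICE_HIVES = ("HKUS\\S-1-5-19", "HKUS\\S-1-5-20")  # LOCAL SERVICE, NETWORK SERVICE
VOWELS = set("aeiou")


def stem(path):
    """'c:\\windows\\system32\\jejuvusu.dll' -> 'jejuvusu' (ntpath works on POSIX too)."""
    return ntpath.splitext(ntpath.basename(path.strip().strip('"')))[0]


def looks_generated(name):
    """Heuristic assumed for this example: the Vundo files in the thread's logs are
    eight lowercase letters strictly alternating consonant/vowel (jejuvusu,
    gahehuje, zikewapo...). Legitimate names rarely fit (igfxpers, winlogon), but
    treat a hit as a lead for VirusTotal, not a verdict."""
    if len(name) != 8 or not name.isascii() or not name.isalpha() or not name.islower():
        return False
    is_vowel = [c in VOWELS for c in name]
    return all(is_vowel[i] != is_vowel[i + 1] for i in range(7))


def in_system32(path):
    return "\\system32\\" in path.lower()


def triage_hjt(text):
    """Return one finding (line, path, reasons) per suspicious O4/O20 line."""
    findings = []
    for line in text.splitlines():
        m = O4_LINE.match(line)
        if m:
            hive, name, cmd = m.group("hive", "name", "cmd")
            reasons = []
            r = RUNDLL.match(cmd)
            dll = r.group("dll") if r else None
            if dll and in_system32(dll) and looks_generated(stem(dll)):
                reasons.append("rundll32 loads a generated-name DLL from system32")
            if hive.upper().startswith(SERVICE_HIVES):
                reasons.append("Run value under a service-account hive (S-1-5-19/20)")
            if HEX_NAME.fullmatch(name):
                reasons.append("hex-style Run value name")
            if reasons:
                findings.append({"line": line, "path": dll or cmd, "reasons": reasons})
            continue
        m = O20_APPINIT.match(line)
        if m:
            dll = m.group("dll").strip()
            reasons = ["AppInit_DLLs set: DLL injected into every process that loads user32"]
            if looks_generated(stem(dll)):
                reasons.append("generated-name DLL")
            findings.append({"line": line, "path": dll, "reasons": reasons})
    return findings


def triage_combofix(text):
    """Distinct system+hidden executables in system32 with generated-looking names."""
    hits = set()
    for line in text.splitlines():
        m = CF_LINE.match(line)
        if not m:
            continue
        attrs, path = m.group("attrs", "path")
        if "s" in attrs and "h" in attrs and in_system32(path) and looks_generated(stem(path)):
            hits.add(path)
    return sorted(hits)


if __name__ == "__main__":
    for f in triage_hjt(HJT_SAMPLE):
        print("HJT:", f["path"], "->", "; ".join(f["reasons"]))
    for p in triage_combofix(CF_SAMPLE):
        print("ComboFix:", p)
```

Paste a full log into the sample strings to run it over real output; every hit is a candidate to check on VirusTotal, as the helper in the thread asks for, not an automatic delete list.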

#8
April 15, 2009 at 20:18:10
Open Notepad and copy/paste everything between the X's into it and make sure the first word (such as KILLALL, File, Folder, Registry etc.) is at the very top of the page.
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
KILLALL::
File::
c:\windows\system32\dneinobj.dll
C:\hpqp.ini
c:\windows\system32\zikewapo.exe
c:\windows\system32\kewuziga.exe
c:\program files\dvjqmiz.txt
c:\program files\mtitncp.txt
c:\windows\system32\suzeyiji.exe
C:\ganwbqmh.txt
c:\windows\system32\pupamawe.exe
c:\windows\system32\tuzakamu.exe
c:\windows\system32\luwevubi.exe
c:\windows\system32\gahehuje.dll

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=-
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\mchInjDrv]
"ImagePath"=-

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Go to File on the top bar and choose "Save As", change the "Save As Type" to All Files, name it CFScript.txt, then save it to your desktop.
Then drag/drop CFScript.txt onto ComboFix.exe (the red symbol on your desktop). If ComboFix does not auto-start, click "Run".

Please post the log that is produced.

Post a new Combofix log following the previous directions.

Please go to VirusTotal and upload the following files one at a time for analysis:

C:\odee.txt

c:\windows\system32\PSS62FB5.DLL

Use the Browse button at the site to find the file; once you find it, double-click it and it should appear in the empty space to the left of the Browse button, then click "Send file".

Post the results in your reply along with a new Hijack This log.

I will read your response tomorrow.



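Added example (not part of the thread, and not ComboFix's own code): a dry-run parser for the CFScript format used in post #8. It reads the `KILLALL::` / `File::` / `Registry::` directives, lists what the script would delete, and records an error when a directive is indented, which is the mistake the post warns about. The `Registry::` lines are interpreted with regedit's `.reg` syntax (`"name"=-` deletes a value), which is what the script on the page uses; treating ComboFix's directives this way is my reading of the format, not something the thread documents. The `Plan`/`parse_cfscript`/`summarize` names are mine.

```python
import re
from dataclasses import dataclass, field

# Constructed input: the CFScript body from post #8 (the text between the rows of X's).
CFSCRIPT = r"""KILLALL::
File::
c:\windows\system32\dneinobj.dll
C:\hpqp.ini
c:\windows\system32\zikewapo.exe
c:\windows\system32\kewuziga.exe
c:\program files\dvjqmiz.txt
c:\program files\mtitncp.txt
c:\windows\system32\suzeyiji.exe
C:\ganwbqmh.txt
c:\windows\system32\pupamawe.exe
c:\windows\system32\tuzakamu.exe
c:\windows\system32\luwevubi.exe
c:\windows\system32\gahehuje.dll

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=-
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\mchInjDrv]
"ImagePath"=-
"""


@dataclass
class Plan:
    """What a script would do, collected without touching the machine."""
    killall: bool = False
    files: list = field(default_factory=list)        # paths under File:: / Folder::
    reg_deletes: list = field(default_factory=list)  # (key, value name) for "name"=-
    reg_sets: list = field(default_factory=list)     # (key, value name, data) otherwise
    errors: list = field(default_factory=list)


DIRECTIVE = re.compile(r"^([A-Za-z]+)::$")
REG_KEY = re.compile(r"^\[(.+)\]$")
REG_VALUE = re.compile(r'^"([^"]+)"=(.*)$')
KNOWN = {"KILLALL", "FILE", "FOLDER", "REGISTRY"}


def parse_cfscript(text):
    plan = Plan()
    section = None   # directive currently in effect
    key = None       # registry key currently in effect inside Registry::
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if raw[0].isspace():
            # The post insists the directive words sit at the very start of the line;
            # indented lines are reported instead of silently accepted.
            plan.errors.append(f"line {lineno}: leading whitespace")
        m = DIRECTIVE.match(line)
        if m:
            section = m.group(1).upper()
            key = None
            if section == "KILLALL":
                plan.killall = True
            elif section not in KNOWN:
                plan.errors.append(f"line {lineno}: unknown directive {line}")
            continue
        if section in ("FILE", "FOLDER"):
            plan.files.append(line)
        elif section == "REGISTRY":
            k = REG_KEY.match(line)
            v = REG_VALUE.match(line)
            if k:
                key = k.group(1)
            elif v and key:
                name, data = v.groups()
                if data == "-":          # regedit syntax: "name"=- removes the value
                    plan.reg_deletes.append((key, name))
                else:
                    plan.reg_sets.append((key, name, data))
            else:
                plan.errors.append(f"line {lineno}: unexpected registry line: {line}")
        else:
            plan.errors.append(f"line {lineno}: text before any directive: {line}")
    return plan


def summarize(plan):
    """Human-readable action list, one entry per planned change."""
    out = []
    if plan.killall:
        out.append("KILLALL:: directive present")
    out.extend(f"delete file: {p}" for p in plan.files)
    out.extend(f"delete value {n!r} under {k}" for k, n in plan.reg_deletes)
    out.extend(f"set value {n!r} under {k} to {d}" for k, n, d in plan.reg_sets)
    out.extend(f"ERROR {e}" for e in plan.errors)
    return out


if __name__ == "__main__":
    for entry in summarize(parse_cfscript(CFSCRIPT)):
        print(entry)
```

Reading the plan before running a script is worth the minute it takes: the two registry deletions here clear `AppInit_DLLs`, a value whose DLLs are loaded into every process that links user32.dll, and the `ImagePath` of a driver entry, so a typo in either key would hit something other than the infection.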
#9
April 16, 2009 at 13:32:33
Thank you~

Here is the ComboFix Log:

ComboFix 09-04-16.02 - Winter 04/16/2009 7:31.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.758.365 [GMT -4:00]
Running from: c:\documents and settings\Winter\Desktop\dl\toolb.exe
Command switches used :: c:\documents and settings\Winter\Desktop\dl\CFScript.txt
AV: avast! antivirus 4.8.1296 [VPS 090415-0] *On-access scanning disabled* (Updated)
FW: Norton Internet Worm Protection *disabled*
* Created a new restore point

FILE ::
C:\ganwbqmh.txt
C:\hpqp.ini
c:\program files\dvjqmiz.txt
c:\program files\mtitncp.txt
c:\windows\system32\dneinobj.dll
c:\windows\system32\gahehuje.dll
c:\windows\system32\kewuziga.exe
c:\windows\system32\luwevubi.exe
c:\windows\system32\pupamawe.exe
c:\windows\system32\suzeyiji.exe
c:\windows\system32\tuzakamu.exe
c:\windows\system32\zikewapo.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\ganwbqmh.txt
C:\hpqp.ini
c:\program files\dvjqmiz.txt
c:\program files\mtitncp.txt
c:\windows\system32\dneinobj.dll
c:\windows\system32\kewuziga.exe
c:\windows\system32\luwevubi.exe
c:\windows\system32\pupamawe.exe
c:\windows\system32\suzeyiji.exe
c:\windows\system32\tuzakamu.exe
c:\windows\system32\zikewapo.exe

.
((((((((((((((((((((((((( Files Created from 2009-03-16 to 2009-04-16 )))))))))))))))))))))))))))))))
.

2009-04-16 02:30 . 2009-04-16 07:01 1374 ----a-w c:\windows\imsins.BAK
2009-04-15 22:51 . 2009-04-15 22:51 -------- d-----w c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-04-15 22:49 . 2009-04-15 22:49 -------- d-----w c:\program files\SUPERAntiSpyware
2009-04-15 22:49 . 2009-04-15 22:49 -------- d-----w c:\documents and settings\Winter\Application Data\SUPERAntiSpyware.com
2009-04-15 22:48 . 2009-04-15 22:48 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-04-14 22:18 . 2009-04-14 22:18 -------- d-----w c:\program files\Trend Micro
2009-04-14 14:31 . 2009-04-14 14:31 -------- d-sh--w c:\documents and settings\NetworkService\History
2009-04-14 14:31 . 2009-04-14 14:31 -------- d-sh--w c:\documents and settings\NetworkService\Temporary Internet Files
2009-04-11 23:07 . 2009-04-11 23:24 66952 ----a-w c:\windows\system32\drivers\iksysflt.sys
2009-04-11 23:07 . 2009-04-11 23:23 81288 ----a-w c:\windows\system32\drivers\iksyssec.sys
2009-04-11 23:07 . 2009-04-11 23:23 40840 ----a-w c:\windows\system32\drivers\ikfilesec.sys
2009-04-11 23:07 . 2008-06-02 19:19 29576 ----a-w c:\windows\system32\drivers\kcom.sys
2009-04-11 23:06 . 2009-04-15 10:48 -------- d-----w c:\program files\Spyware Doctor
2009-04-10 00:18 . 2009-04-10 00:18 -------- d-----w c:\windows\Internet Logs
2009-04-10 00:18 . 2008-03-29 21:36 125328 ----a-w c:\windows\system32\drivers\dne2000.sys
2009-04-10 00:17 . 2009-04-10 00:17 -------- d-----w c:\program files\Common Files\Deterministic Networks
2009-04-10 00:17 . 2009-04-10 00:17 -------- d-----w c:\program files\Cisco Systems
2009-04-10 00:17 . 2009-04-10 00:18 1594 ----a-w c:\windows\VPNInstall.MIF
2009-04-08 22:52 . 2009-04-08 22:52 -------- d-----w c:\documents and settings\Winter\Local Settings\Application Data\vdownloader

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-16 11:37 . 2006-05-09 12:59 39 ----a-w C:\XP_TV.ini
2009-04-16 02:00 . 2007-04-05 22:37 -------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-04-16 00:22 . 2006-05-09 10:35 -------- d-----w c:\program files\Java
2009-04-15 12:14 . 2008-09-07 21:55 -------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2009-04-14 01:04 . 2009-04-14 01:04 674 ----a-w C:\odee.txt
2009-04-13 11:38 . 2006-11-04 20:23 -------- d-----w c:\program files\CCleaner
2009-04-12 15:28 . 2008-09-08 03:02 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-06 19:32 . 2008-09-08 03:02 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 19:32 . 2008-09-08 03:02 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-03-27 07:45 . 2006-09-04 03:04 166936 ----a-w c:\documents and settings\Winter\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-03-15 18:28 . 2009-01-18 20:15 -------- d-----w c:\program files\Opera
2009-03-09 09:19 . 2008-11-28 05:59 410984 ----a-w c:\windows\system32\deploytk.dll
2009-02-21 04:37 . 2009-01-17 19:07 -------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-02-09 10:19 . 2007-03-08 13:47 1846272 ------w c:\windows\system32\dllcache\win32k.sys
2009-02-09 10:19 . 2006-09-03 23:59 1846272 ----a-w c:\windows\system32\win32k.sys
2009-01-17 19:18 . 2009-01-17 19:18 10752 ----a-w c:\windows\system32\PSS62FB5.DLL
2009-01-17 01:35 . 2006-11-08 02:03 3594752 ------w c:\windows\system32\dllcache\mshtml.dll
2007-06-05 21:06 . 2007-02-03 05:27 1116 ----a-w c:\documents and settings\Winter\Application Data\wklnhst.dat
2006-09-28 21:19 . 2006-09-10 13:41 28672 ----a-w c:\documents and settings\Winter\atwbxdet.dll
2006-09-04 03:06 . 2006-09-04 03:04 137 ----a-w c:\documents and settings\Winter\Local Settings\Application Data\fusioncache.dat
.

((((((((((((((((((((((((((((( SnapShot@2009-04-16_02.15.13 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-04-16 11:35 . 2009-04-16 11:35 16384 c:\windows\temp\Perflib_Perfdata_f8.dat
+ 2009-04-16 11:35 . 2009-04-16 11:35 16384 c:\windows\temp\Perflib_Perfdata_374.dat
+ 2005-06-29 01:21 . 2007-07-27 13:41 26488 c:\windows\system32\spupdsvc.exe
+ 2006-12-08 03:28 . 2007-11-30 11:18 17272 c:\windows\system32\spmsg.dll
+ 2005-07-03 10:11 . 2008-12-20 23:15 44544 c:\windows\system32\pngfilt.dll
- 2005-07-03 10:11 . 2008-10-16 20:38 44544 c:\windows\system32\pngfilt.dll
- 2006-03-27 16:07 . 2009-04-16 00:11 65326 c:\windows\system32\perfc009.dat
+ 2006-03-27 16:07 . 2009-04-16 11:23 65326 c:\windows\system32\perfc009.dat
- 2006-11-08 02:03 . 2008-10-16 20:38 52224 c:\windows\system32\msfeedsbs.dll
+ 2006-11-08 02:03 . 2008-12-20 23:15 52224 c:\windows\system32\msfeedsbs.dll
- 2004-08-04 21:00 . 2008-10-16 20:38 27648 c:\windows\system32\jsproxy.dll
+ 2004-08-04 21:00 . 2008-12-20 23:15 27648 c:\windows\system32\jsproxy.dll
- 2006-08-23 04:13 . 2008-10-16 13:11 13824 c:\windows\system32\ieudinit.exe
+ 2006-08-23 04:13 . 2008-12-19 09:10 13824 c:\windows\system32\ieudinit.exe
- 2004-08-04 21:00 . 2008-10-16 20:38 44544 c:\windows\system32\iernonce.dll
+ 2004-08-04 21:00 . 2008-12-20 23:15 44544 c:\windows\system32\iernonce.dll
+ 2004-08-04 21:00 . 2008-12-19 09:10 70656 c:\windows\system32\ie4uinit.exe
- 2004-08-04 21:00 . 2008-10-16 13:11 70656 c:\windows\system32\ie4uinit.exe
- 2006-10-17 16:58 . 2008-10-16 20:38 63488 c:\windows\system32\icardie.dll
+ 2006-10-17 16:58 . 2008-12-20 23:15 63488 c:\windows\system32\icardie.dll
- 2006-10-17 16:58 . 2008-10-16 20:38 44544 c:\windows\system32\dllcache\pngfilt.dll
+ 2006-10-17 16:58 . 2008-12-20 23:15 44544 c:\windows\system32\dllcache\pngfilt.dll
- 2007-05-08 22:15 . 2008-10-16 20:38 52224 c:\windows\system32\dllcache\msfeedsbs.dll
+ 2007-05-08 22:15 . 2008-12-20 23:15 52224 c:\windows\system32\dllcache\msfeedsbs.dll
+ 2006-11-08 02:03 . 2008-12-20 23:15 27648 c:\windows\system32\dllcache\jsproxy.dll
- 2006-11-08 02:03 . 2008-10-16 20:38 27648 c:\windows\system32\dllcache\jsproxy.dll
+ 2007-05-08 22:15 . 2008-12-19 09:10 13824 c:\windows\system32\dllcache\ieudinit.exe
- 2007-05-08 22:15 . 2008-10-16 13:11 13824 c:\windows\system32\dllcache\ieudinit.exe
- 2006-11-07 08:26 . 2008-10-16 20:38 44544 c:\windows\system32\dllcache\iernonce.dll
+ 2006-11-07 08:26 . 2008-12-20 23:15 44544 c:\windows\system32\dllcache\iernonce.dll
+ 2006-11-07 08:26 . 2008-12-19 09:10 70656 c:\windows\system32\dllcache\ie4uinit.exe
- 2006-11-07 08:26 . 2008-10-16 13:11 70656 c:\windows\system32\dllcache\ie4uinit.exe
+ 2007-08-20 10:04 . 2008-12-20 23:15 63488 c:\windows\system32\dllcache\icardie.dll
- 2007-08-20 10:04 . 2008-10-16 20:38 63488 c:\windows\system32\dllcache\icardie.dll
+ 2009-04-16 02:30 . 2008-10-16 20:38 44544 c:\windows\ie7updates\KB961260-IE7\pngfilt.dll
+ 2009-04-16 02:30 . 2008-10-16 20:38 52224 c:\windows\ie7updates\KB961260-IE7\msfeedsbs.dll
+ 2009-04-16 02:30 . 2008-10-16 20:38 27648 c:\windows\ie7updates\KB961260-IE7\jsproxy.dll
+ 2009-04-16 02:30 . 2008-10-16 13:11 13824 c:\windows\ie7updates\KB961260-IE7\ieudinit.exe
+ 2009-04-16 02:30 . 2008-10-16 20:38 44544 c:\windows\ie7updates\KB961260-IE7\iernonce.dll
+ 2009-04-16 02:30 . 2008-10-16 13:11 70656 c:\windows\ie7updates\KB961260-IE7\ie4uinit.exe
+ 2009-04-16 02:30 . 2008-10-16 20:38 63488 c:\windows\ie7updates\KB961260-IE7\icardie.dll
+ 2006-05-09 12:59 . 2008-02-15 09:06 351744 c:\windows\system32\xpsp3res.dll
- 2004-08-04 21:00 . 2008-10-16 20:38 826368 c:\windows\system32\wininet.dll
+ 2004-08-04 21:00 . 2008-12-20 23:15 826368 c:\windows\system32\wininet.dll
- 2004-08-04 21:00 . 2008-10-16 20:38 233472 c:\windows\system32\webcheck.dll
+ 2004-08-04 21:00 . 2008-12-20 23:15 233472 c:\windows\system32\webcheck.dll
- 2004-08-04 21:00 . 2008-10-16 20:38 105984 c:\windows\system32\url.dll
+ 2004-08-04 21:00 . 2008-12-20 23:15 105984 c:\windows\system32\url.dll
+ 2004-08-04 21:00 . 2008-12-05 07:12 144896 c:\windows\system32\schannel.dll
- 2004-08-04 21:00 . 2007-04-25 14:21 144896 c:\windows\system32\schannel.dll
+ 2006-03-27 16:07 . 2009-04-16 11:23 410676 c:\windows\system32\perfh009.dat
- 2006-03-27 16:07 . 2009-04-16 00:11 410676 c:\windows\system32\perfh009.dat
+ 2004-08-04 21:00 . 2008-12-20 23:15 102912 c:\windows\system32\occache.dll
- 2004-08-04 21:00 . 2008-10-16 20:38 102912 c:\windows\system32\occache.dll
+ 2004-08-04 21:00 . 2008-12-20 23:15 671232 c:\windows\system32\mstime.dll
- 2004-08-04 21:00 . 2008-10-16 20:38 671232 c:\windows\system32\mstime.dll
- 2005-07-03 10:11 . 2008-10-16 20:38 193024 c:\windows\system32\msrating.dll
+ 2005-07-03 10:11 . 2008-12-20 23:15 193024 c:\windows\system32\msrating.dll
+ 2005-07-03 10:11 . 2008-12-20 23:15 477696 c:\windows\system32\mshtmled.dll
- 2005-07-03 10:11 . 2008-10-16 20:38 477696 c:\windows\system32\mshtmled.dll
- 2006-11-08 02:03 . 2008-10-16 20:38 459264 c:\windows\system32\msfeeds.dll
+ 2006-11-08 02:03 . 2008-12-20 23:15 459264 c:\windows\system32\msfeeds.dll
+ 2006-10-17 16:57 . 2008-12-20 23:15 267776 c:\windows\system32\iertutil.dll
- 2006-10-17 16:57 . 2008-10-16 20:38 267776 c:\windows\system32\iertutil.dll
- 2004-08-04 21:00 . 2008-10-16 20:38 384512 c:\windows\system32\iedkcs32.dll
+ 2004-08-04 21:00 . 2008-12-20 23:15 384512 c:\windows\system32\iedkcs32.dll
+ 2006-10-17 16:27 . 2008-12-20 23:15 383488 c:\windows\system32\ieapfltr.dll
- 2006-10-17 16:27 . 2008-10-16 20:38 383488 c:\windows\system32\ieapfltr.dll
- 2004-08-04 21:00 . 2008-10-15 07:04 161792 c:\windows\system32\ieakui.dll
+ 2004-08-04 21:00 . 2008-12-19 05:23 161792 c:\windows\system32\ieakui.dll
+ 2004-08-04 21:00 . 2008-12-20 23:15 230400 c:\windows\system32\ieaksie.dll
- 2004-08-04 21:00 . 2008-10-16 20:38 230400 c:\windows\system32\ieaksie.dll
+ 2004-08-04 21:00 . 2008-12-20 23:15 153088 c:\windows\system32\ieakeng.dll
- 2004-08-04 21:00 . 2008-10-16 20:38 153088 c:\windows\system32\ieakeng.dll
- 2006-03-27 16:03 . 2009-03-30 05:19 520616 c:\windows\system32\FNTCACHE.DAT
+ 2006-03-27 16:03 . 2009-04-16 07:07 520616 c:\windows\system32\FNTCACHE.DAT
- 2004-08-04 21:00 . 2008-10-16 20:38 133120 c:\windows\system32\extmgr.dll
+ 2004-08-04 21:00 . 2008-12-20 23:15 133120 c:\windows\system32\extmgr.dll
- 2004-08-04 21:00 . 2008-10-16 20:38 214528 c:\windows\system32\dxtrans.dll
+ 2004-08-04 21:00 . 2008-12-20 23:15 214528 c:\windows\system32\dxtrans.dll
+ 2004-08-04 21:00 . 2008-12-20 23:15 347136 c:\windows\system32\dxtmsft.dll
- 2004-08-04 21:00 . 2008-10-16 20:38 347136 c:\windows\system32\dxtmsft.dll
+ 2005-05-10 08:17 . 2008-12-11 11:57 333184 c:\windows\system32\drivers\srv.sys
- 2006-11-08 02:03 . 2008-10-16 20:38 826368 c:\windows\system32\dllcache\wininet.dll
+ 2006-11-08 02:03 . 2008-12-20 23:15 826368 c:\windows\system32\dllcache\wininet.dll
- 2006-11-08 02:03 . 2008-10-16 20:38 233472 c:\windows\system32\dllcache\webcheck.dll
+ 2006-11-08 02:03 . 2008-12-20 23:15 233472 c:\windows\system32\dllcache\webcheck.dll
+ 2006-10-17 17:05 . 2008-12-20 23:15 105984 c:\windows\system32\dllcache\url.dll
- 2006-10-17 17:05 . 2008-10-16 20:38 105984 c:\windows\system32\dllcache\url.dll
+ 2006-04-21 06:12 . 2008-12-11 11:57 333184 c:\windows\system32\dllcache\srv.sys
+ 2007-04-25 14:21 . 2008-12-05 07:12 144896 c:\windows\system32\dllcache\schannel.dll
- 2007-04-25 14:21 . 2007-04-25 14:21 144896 c:\windows\system32\dllcache\schannel.dll
- 2006-10-17 17:04 . 2008-10-16 20:38 102912 c:\windows\system32\dllcache\occache.dll
+ 2006-10-17 17:04 . 2008-12-20 23:15 102912 c:\windows\system32\dllcache\occache.dll
+ 2006-11-08 02:03 . 2008-12-20 23:15 671232 c:\windows\system32\dllcache\mstime.dll
- 2006-11-08 02:03 . 2008-10-16 20:38 671232 c:\windows\system32\dllcache\mstime.dll
+ 2006-10-17 17:05 . 2008-12-20 23:15 193024 c:\windows\system32\dllcache\msrating.dll
- 2006-10-17 17:05 . 2008-10-16 20:38 193024 c:\windows\system32\dllcache\msrating.dll
- 2006-11-08 02:03 . 2008-10-16 20:38 477696 c:\windows\system32\dllcache\mshtmled.dll
+ 2006-11-08 02:03 . 2008-12-20 23:15 477696 c:\windows\system32\dllcache\mshtmled.dll
- 2007-05-08 22:15 . 2008-10-16 20:38 459264 c:\windows\system32\dllcache\msfeeds.dll
+ 2007-05-08 22:15 . 2008-12-20 23:15 459264 c:\windows\system32\dllcache\msfeeds.dll
+ 2006-10-17 17:04 . 2008-12-19 05:25 634024 c:\windows\system32\dllcache\iexplore.exe
+ 2007-05-08 22:15 . 2008-12-20 23:15 267776 c:\windows\system32\dllcache\iertutil.dll
- 2007-05-08 22:15 . 2008-10-16 20:38 267776 c:\windows\system32\dllcache\iertutil.dll
- 2006-11-07 08:27 . 2008-10-16 20:38 384512 c:\windows\system32\dllcache\iedkcs32.dll
+ 2006-11-07 08:27 . 2008-12-20 23:15 384512 c:\windows\system32\dllcache\iedkcs32.dll
+ 2007-05-08 22:15 . 2008-12-20 23:15 383488 c:\windows\system32\dllcache\ieapfltr.dll
- 2007-05-08 22:15 . 2008-10-16 20:38 383488 c:\windows\system32\dllcache\ieapfltr.dll
+ 2006-11-07 08:25 . 2008-12-19 05:23 161792 c:\windows\system32\dllcache\ieakui.dll
- 2006-11-07 08:25 . 2008-10-15 07:04 161792 c:\windows\system32\dllcache\ieakui.dll
+ 2006-11-07 08:27 . 2008-12-20 23:15 230400 c:\windows\system32\dllcache\ieaksie.dll
- 2006-11-07 08:27 . 2008-10-16 20:38 230400 c:\windows\system32\dllcache\ieaksie.dll
+ 2006-11-07 08:26 . 2008-12-20 23:15 153088 c:\windows\system32\dllcache\ieakeng.dll
- 2006-11-07 08:26 . 2008-10-16 20:38 153088 c:\windows\system32\dllcache\ieakeng.dll
- 2006-11-08 02:03 . 2008-10-16 20:38 133120 c:\windows\system32\dllcache\extmgr.dll
+ 2006-11-08 02:03 . 2008-12-20 23:15 133120 c:\windows\system32\dllcache\extmgr.dll
+ 2006-10-17 16:57 . 2008-12-20 23:15 214528 c:\windows\system32\dllcache\dxtrans.dll
- 2006-10-17 16:57 . 2008-10-16 20:38 214528 c:\windows\system32\dllcache\dxtrans.dll
+ 2006-10-17 16:58 . 2008-12-20 23:15 347136 c:\windows\system32\dllcache\dxtmsft.dll
- 2006-10-17 16:58 . 2008-10-16 20:38 347136 c:\windows\system32\dllcache\dxtmsft.dll
+ 2006-11-07 08:26 . 2008-12-20 23:15 124928 c:\windows\system32\dllcache\advpack.dll
- 2006-11-07 08:26 . 2008-10-16 20:38 124928 c:\windows\system32\dllcache\advpack.dll
- 2004-08-04 21:00 . 2008-10-16 20:38 124928 c:\windows\system32\advpack.dll
+ 2004-08-04 21:00 . 2008-12-20 23:15 124928 c:\windows\system32\advpack.dll
+ 2009-04-16 02:30 . 2008-10-16 20:38 826368 c:\windows\ie7updates\KB961260-IE7\wininet.dll
+ 2009-04-16 02:30 . 2008-10-16 20:38 233472 c:\windows\ie7updates\KB961260-IE7\webcheck.dll
+ 2009-04-16 02:30 . 2008-10-16 20:38 105984 c:\windows\ie7updates\KB961260-IE7\url.dll
+ 2009-04-16 02:30 . 2007-03-06 01:23 371424 c:\windows\ie7updates\KB961260-IE7\spuninst\updspapi.dll
+ 2009-04-16 02:30 . 2007-03-06 01:22 213216 c:\windows\ie7updates\KB961260-IE7\spuninst\spuninst.exe
+ 2009-04-16 02:30 . 2008-10-16 20:38 102912 c:\windows\ie7updates\KB961260-IE7\occache.dll
+ 2009-04-16 02:30 . 2008-10-16 20:38 671232 c:\windows\ie7updates\KB961260-IE7\mstime.dll
+ 2009-04-16 02:30 . 2008-10-16 20:38 193024 c:\windows\ie7updates\KB961260-IE7\msrating.dll
+ 2009-04-16 02:30 . 2008-10-16 20:38 477696 c:\windows\ie7updates\KB961260-IE7\mshtmled.dll
+ 2009-04-16 02:30 . 2008-10-16 20:38 459264 c:\windows\ie7updates\KB961260-IE7\msfeeds.dll
+ 2009-04-16 02:30 . 2008-10-15 07:06 633632 c:\windows\ie7updates\KB961260-IE7\iexplore.exe
+ 2009-04-16 02:30 . 2008-10-16 20:38 267776 c:\windows\ie7updates\KB961260-IE7\iertutil.dll
+ 2009-04-16 02:30 . 2008-10-16 20:38 384512 c:\windows\ie7updates\KB961260-IE7\iedkcs32.dll
+ 2009-04-16 02:30 . 2008-10-16 20:38 383488 c:\windows\ie7updates\KB961260-IE7\ieapfltr.dll
+ 2009-04-16 02:30 . 2008-10-15 07:04 161792 c:\windows\ie7updates\KB961260-IE7\ieakui.dll
+ 2009-04-16 02:30 . 2008-10-16 20:38 230400 c:\windows\ie7updates\KB961260-IE7\ieaksie.dll
+ 2009-04-16 02:30 . 2008-10-16 20:38 153088 c:\windows\ie7updates\KB961260-IE7\ieakeng.dll
+ 2009-04-16 02:30 . 2008-10-16 20:38 133120 c:\windows\ie7updates\KB961260-IE7\extmgr.dll
+ 2009-04-16 02:30 . 2008-10-16 20:38 214528 c:\windows\ie7updates\KB961260-IE7\dxtrans.dll
+ 2009-04-16 02:30 . 2008-10-16 20:38 347136 c:\windows\ie7updates\KB961260-IE7\dxtmsft.dll
+ 2009-04-16 02:30 . 2008-10-16 20:38 124928 c:\windows\ie7updates\KB961260-IE7\advpack.dll
+ 2006-09-03 23:59 . 2009-02-09 10:19 1846272 c:\windows\system32\win32k.sys
- 2004-08-04 21:00 . 2008-10-16 20:38 1160192 c:\windows\system32\urlmon.dll
+ 2004-08-04 21:00 . 2008-12-20 23:15 1160192 c:\windows\system32\urlmon.dll
+ 2004-08-04 21:00 . 2008-07-03 13:03 8460800 c:\windows\system32\shell32.dll
+ 2004-08-04 21:00 . 2009-01-17 01:35 3594752 c:\windows\system32\mshtml.dll
+ 2006-11-08 02:03 . 2008-12-20 23:15 6066688 c:\windows\system32\ieframe.dll
+ 2007-03-08 13:47 . 2009-02-09 10:19 1846272 c:\windows\system32\dllcache\win32k.sys
+ 2006-11-08 02:03 . 2008-12-20 23:15 1160192 c:\windows\system32\dllcache\urlmon.dll
- 2006-11-08 02:03 . 2008-10-16 20:38 1160192 c:\windows\system32\dllcache\urlmon.dll
+ 2006-07-13 13:33 . 2008-07-03 13:03 8460800 c:\windows\system32\dllcache\shell32.dll
+ 2006-11-08 02:03 . 2009-01-17 01:35 3594752 c:\windows\system32\dllcache\mshtml.dll
+ 2007-05-08 22:15 . 2008-12-20 23:15 6066688 c:\windows\system32\dllcache\ieframe.dll
+ 2009-04-16 02:30 . 2008-10-16 20:38 1160192 c:\windows\ie7updates\KB961260-IE7\urlmon.dll
+ 2009-04-16 02:30 . 2008-12-13 06:40 3593216 c:\windows\ie7updates\KB961260-IE7\mshtml.dll
+ 2009-04-16 02:30 . 2008-10-16 20:38 6066176 c:\windows\ie7updates\KB961260-IE7\ieframe.dll
+ 2004-08-11 17:45 . 2008-11-11 22:34 10838016 c:\windows\system32\wmp.dll
+ 2009-04-16 02:31 . 2009-02-25 16:55 24768960 c:\windows\system32\MRT.exe
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2006-02-15 454656]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-04 761948]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2006-04-12 102400]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 81920]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-03-07 131072]
"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2006-02-22 40960]
"RecGuard"="c:\windows\SMINST\RecGuard.exe" [2005-10-11 1187840]
"Reminder"="c:\windows\CREATOR\Remind_XP.exe" [2006-02-09 643072]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-11-03 282624]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-01-13 131072]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-01-13 163840]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-01-13 135168]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd.exe" [2003-08-04 49152]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-11-26 81000]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 241664]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" - c:\windows\system32\CHDAudPropShortcut.exe [2006-04-18 61952]
"WTClient"="WTClient.exe" - c:\windows\system32\WTClient.exe [2007-04-11 40960]

c:\documents and settings\Winter\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 98632]
Shortcut to YzDock.lnk - c:\documents and settings\Winter\Desktop\Start\yzdock83\YzDock.exe [2003-6-3 386560]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\Hp\Digital Imaging\bin\hpqtra08.exe [2003-9-16 237568]
VPN Client.lnk - c:\windows\Installer\{A7091E1D-36A4-47F1-A739-173CC341414F}\Icon3E5562ED7.ico [2009-4-9 6144]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 16:05 356352 ----a-w c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.iv41"= ir41_32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2006-10-27 05:47 31016 ----a-w c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
2009-03-23 18:07 1830128 ----a-w c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\mshta.exe"=
"c:\\Program Files\\Pharos\\bin\\PSNotify.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R0 ajcv;ajcv; [x]
R0 bzlubri;bzlubri; [x]
R0 cevuoc;cevuoc; [x]
R0 crts;crts; [x]
R0 eggfbh;eggfbh; [x]
R0 hfib;hfib; [x]
R0 skiqlfsj;skiqlfsj; [x]
R3 ICDUSB2;Sony IC Recorder (P);c:\windows\system32\Drivers\ICDUSB2.sys [2002-11-29 39048]
R3 PLUsbbc2;USB 2.0 Networking/Data Transfer Cable;c:\windows\system32\Drivers\usbbc2.sys [2003-05-07 8960]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-03-23 7408]
R3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2008-06-13 356920]
R3 XDva158;XDva158; [x]
S1 aswSP;avast! Self Protection; [x]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2009-03-23 9968]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2009-03-23 72944]
S2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2008-11-26 20560]


--- Other Services/Drivers In Memory ---

*Deregistered* - mchInjDrv
.
Contents of the 'Scheduled Tasks' folder

2009-04-16 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-09-07 05:42]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q306&bd=presario&pf=laptop
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
Trusted Zone: aol.com\aimexpress
Trusted Zone: aol.com\my.screenname
Trusted Zone: aol.com\www
DPF: {07E9CB47-7D1B-430A-B17C-A6B7459FCC5D} - hxxp://global.lunia.com/lib/activex/SystemInfo_1_0_0_47.cab
FF - ProfilePath - c:\documents and settings\Winter\Application Data\Mozilla\Firefox\Profiles\inhf4ijv.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - www.google.com
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrab&query=
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npGoogleGadgetPluginFirefoxWin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-16 07:37
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe?????? ???@???????????????@? ???xc??????(?@???????@

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4}\InprocServer32]
@DACL=(02 0000)
@="c:\\windows\\system32\\gahehuje.dll"
"ThreadingModel"="Both"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1236)
c:\program files\SUPERAntiSpyware\SASWINLO.dll

- - - - - - - > 'explorer.exe'(2484)
c:\progra~1\PHAROS~1\Core\PRNTRACK.DLL
c:\documents and settings\Winter\Desktop\Start\yzdock83\YzDock.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\Cisco Systems\VPN Client\cvpnd.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\progra~1\PHAROS~1\Core\CTskMstr.exe
c:\windows\system32\drivers\WTSrv.exe
c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
c:\windows\system32\wscntfy.exe
c:\progra~1\HPQ\Shared\HPQTOA~1.EXE
c:\windows\system32\WISPTIS.EXE
.
**************************************************************************
.
Completion time: 2009-04-16 7:40 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-16 11:40
ComboFix2.txt 2009-04-16 02:17

Pre-Run: 16,978,804,736 bytes free
Post-Run: 16,959,107,072 bytes free

404 --- E O F --- 2009-04-16 07:01


Report •

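Added example, not from the thread or from ComboFix: a small triage pass over ComboFix log lines like the ones in post #9. It flags two things the helper has been picking out by eye: system32 binaries whose names have the eight-letter consonant/vowel shape seen throughout this thread (gahehuje, kewuziga, varayihe), and service entries ComboFix prints with `[x]` (no file behind the registration, which is how I read that marker) whose names are all-lowercase letter strings. The sample lines are lifted from the log above; the function names and the thresholds are mine, and both checks are deliberately narrow, so they miss some generated names (puteskepi has a consonant cluster) rather than flagging real ones.

```python
import re

# Constructed sample: lines taken from the ComboFix log in post #9, including two
# legitimate entries so the heuristics have something to leave alone.
LOG = r"""c:\windows\system32\dneinobj.dll
c:\windows\system32\gahehuje.dll
c:\windows\system32\kewuziga.exe
c:\windows\system32\PSS62FB5.DLL
c:\windows\system32\deploytk.dll
R0 ajcv;ajcv; [x]
R0 bzlubri;bzlubri; [x]
R0 skiqlfsj;skiqlfsj; [x]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-03-23 7408]
R3 XDva158;XDva158; [x]
S1 aswSP;avast! Self Protection; [x]
S2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2008-11-26 20560]
@="c:\\windows\\system32\\gahehuje.dll"
"""

# Eight lowercase letters strictly alternating consonant/vowel. Real names such as
# "deploytk" or "dneinobj" do not fit, so this rarely fires on legitimate files.
CV_NAME = re.compile(r"^(?:[bcdfghjklmnpqrstvwxyz][aeiou]){4}$")
# A dll/exe directly under system32; "\\+" also accepts the doubled backslashes
# that appear inside registry dumps such as the LOCKED REGISTRY KEYS block.
SYS32_BIN = re.compile(r"system32\\+([A-Za-z0-9_]+)\.(dll|exe)\b", re.IGNORECASE)
# ComboFix service line: "R0 name;display name;path [date size]" or "... [x]".
SERVICE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);\s*(.*)$")


def looks_generated(name):
    """True for names with the gahehuje/kewuziga shape."""
    return CV_NAME.match(name) is not None


def triage(log_text):
    findings = {"generated_names": set(), "orphan_services": [], "other_missing_files": []}
    for line in log_text.splitlines():
        for m in SYS32_BIN.finditer(line):
            base, ext = m.group(1), m.group(2)
            if looks_generated(base):
                findings["generated_names"].add(f"{base}.{ext}")
        s = SERVICE.match(line)
        if s and s.group(4).strip() == "[x]":
            # Legitimate drivers land here too (aswSP, XDva158 in this log), so only
            # all-lowercase, letters-only names are treated as probable leftovers.
            name = s.group(2)
            if name.isalpha() and name.islower():
                findings["orphan_services"].append(name)
            else:
                findings["other_missing_files"].append(name)
    findings["generated_names"] = sorted(findings["generated_names"])
    return findings


if __name__ == "__main__":
    for category, items in triage(LOG).items():
        print(f"{category}: {items}")
```

The output is a worklist, not a verdict: each flagged name still has to be checked against the file on disk (or a VirusTotal hash lookup, as the helper asks for in post #8) before it goes into a removal script.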
#10
April 16, 2009 at 13:37:21
VirusTotal Results
for odee.txt

Antivirus Version Last Update Result
a-squared 4.0.0.101 2009.04.16 -
AhnLab-V3 5.0.0.2 2009.04.16 -
AntiVir 7.9.0.143 2009.04.16 -
Antiy-AVL 2.0.3.1 2009.04.16 -
Authentium 5.1.2.4 2009.04.16 -
Avast 4.8.1335.0 2009.04.15 -
AVG 8.5.0.287 2009.04.16 -
BitDefender 7.2 2009.04.16 -
CAT-QuickHeal 10.00 2009.04.16 -
ClamAV 0.94.1 2009.04.16 -
Comodo 1116 2009.04.16 -
DrWeb 4.44.0.09170 2009.04.16 -
eSafe 7.0.17.0 2009.04.13 -
eTrust-Vet 31.6.6455 2009.04.14 -
F-Prot 4.4.4.56 2009.04.15 -
F-Secure 8.0.14470.0 2009.04.16 -
Fortinet 3.117.0.0 2009.04.16 -
GData 19 2009.04.16 -
Ikarus T3.1.1.49.0 2009.04.16 -
K7AntiVirus 7.10.704 2009.04.15 -
Kaspersky 7.0.0.125 2009.04.16 -
McAfee 5585 2009.04.15 -
McAfee+Artemis 5585 2009.04.15 -
McAfee-GW-Edition 6.7.6 2009.04.16 -
Microsoft 1.4502 2009.04.16 -
NOD32 4013 2009.04.16 -
Norman 6.00.06 2009.04.15 -
nProtect 2009.1.8.0 2009.04.16 -
Panda 10.0.0.14 2009.04.15 -
PCTools 4.4.2.0 2009.04.15 -
Prevx1 V2 2009.04.16 -
Rising 21.25.32.00 2009.04.16 -
Sophos 4.40.0 2009.04.16 -
Sunbelt 3.2.1858.2 2009.04.15 -
Symantec 1.4.4.12 2009.04.16 -
TheHacker 6.3.4.0.309 2009.04.16 -
TrendMicro 8.700.0.1004 2009.04.16 -
VBA32 3.12.10.2 2009.04.12 -
ViRobot 2009.4.16.1696 2009.04.16 -
VirusBuster 4.6.5.0 2009.04.15 -
Additional information
File size: 674 bytes
MD5...: e5161fc850fadf623c02b4a7dfd9a7f7
SHA1..: 2edd55e119c2df51c03d659b3e3247753d53ee4d
SHA256: a0cb5d50cd60a028e3d1c47669c77145e72f2e9685722411b050590e595ee201
SHA512: b4e8161a19989cb65e63731350d4adb8dab7d107b37271388bed7c839b2140bd
207f995a3775d72d166e8741d2d5cb88757624fede14bc5f4608a8acbc4e2880
ssdeep: 12:NMlh+eAxDZaW+ANLwqIPe0XwloKY5AlAuC+eAxDZna+eAxDZ4hlLvefJnvefJ
k:NkIessANLwqwexlC5AAuNesPesabefJf
PEiD..: -
TrID..: File type identification
Lumena CEL bitmap (60.5%)
Corel Photo Paint (39.4%)
PEInfo: -
RDS...: NSRL Reference Data Set
-

for c:\windows\system32\PSS62FB5.DLL

Antivirus Version Last Update Result
a-squared 4.0.0.101 2009.04.16 -
AhnLab-V3 5.0.0.2 2009.04.16 -
AntiVir 7.9.0.143 2009.04.16 -
Antiy-AVL 2.0.3.1 2009.04.16 -
Authentium 5.1.2.4 2009.04.16 -
Avast 4.8.1335.0 2009.04.15 -
AVG 8.5.0.287 2009.04.16 -
BitDefender 7.2 2009.04.16 -
CAT-QuickHeal 10.00 2009.04.16 -
ClamAV 0.94.1 2009.04.16 -
Comodo 1116 2009.04.16 -
eSafe 7.0.17.0 2009.04.13 -
eTrust-Vet 31.6.6455 2009.04.14 -
F-Prot 4.4.4.56 2009.04.15 -
F-Secure 8.0.14470.0 2009.04.16 -
Fortinet 3.117.0.0 2009.04.16 -
GData 19 2009.04.16 -
Ikarus T3.1.1.49.0 2009.04.16 -
K7AntiVirus 7.10.704 2009.04.15 -
Kaspersky 7.0.0.125 2009.04.16 -
McAfee 5585 2009.04.15 -
McAfee+Artemis 5585 2009.04.15 -
McAfee-GW-Edition 6.7.6 2009.04.16 -
Microsoft 1.4502 2009.04.16 -
NOD32 4013 2009.04.16 -
Norman 6.00.06 2009.04.15 -
nProtect 2009.1.8.0 2009.04.16 -
Panda 10.0.0.14 2009.04.15 -
PCTools 4.4.2.0 2009.04.15 -
Prevx1 V2 2009.04.16 -
Rising 21.25.32.00 2009.04.16 -
Sophos 4.40.0 2009.04.16 -
Sunbelt 3.2.1858.2 2009.04.15 -
Symantec 1.4.4.12 2009.04.16 -
TheHacker 6.3.4.0.309 2009.04.16 -
TrendMicro 8.700.0.1004 2009.04.16 -
ViRobot 2009.4.16.1696 2009.04.16 -
VirusBuster 4.6.5.0 2009.04.15 -
Additional information
File size: 10752 bytes
MD5...: a7599a2671aba01e8065573acdbab65c
SHA1..: ed2bdf34e25531ffde5dcf56bfae211d9dc78f15
SHA256: 636b346f42c02953051b6bc09c59cf0fad9df99c9caf88371a2153b5f4ed3e9e
SHA512: efdc54a034d4a321283fb646154a8ecad17fd5ff14774167f72492d77c683097
91c9d4a24bb5610ff5a93c37a6f5d0f516292d31b1990c675165aa7158e5f72f
ssdeep: 192:CKIHJe0WOichsUozbXZ7GanFqxx37bIZNwgAACE:CKqLicDeXNGanFqxh7bI
ZNAAC
PEiD..: -
TrID..: File type identification
Win32 Executable Generic (42.3%)
Win32 Dynamic Link Library (generic) (37.6%)
Generic Win/DOS Executable (9.9%)
DOS Executable Generic (9.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x1ad3
timedatestamp.....: 0x43fe5e4f (Fri Feb 24 01:15:59 2006)
machinetype.......: 0x14c (I386)

( 5 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0xc99 0xe00 5.34 777a8cc981faeef670ce349b83489bf0
.rdata 0x2000 0xda7 0xe00 4.04 5b225ed7409365556119b06e2b6f2a95
.data 0x3000 0x210 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
.rsrc 0x4000 0x5c8 0x600 3.23 73521af57f4d61ab2e8870cb5e4e0555
.reloc 0x5000 0x22c 0x400 3.94 5a00650b6a506871a4bac5d9e9174dbf

( 3 imports )
> KERNEL32.dll: OutputDebugStringW, GetCurrentProcessId, GetCurrentThreadId, GetModuleFileNameW, FormatMessageW, GetProcAddress, LoadLibraryExW, SetLastError, GetLocalTime, GetLastError
> USER32.dll: wvsprintfW, LoadStringW, wsprintfW
> ADVAPI32.dll: RegQueryValueExW, RegOpenKeyExW, RegCloseKey

( 22 exports )
AddPort_, ClosePor_, ClosePrintProcessor, ConfigurePort_, ControlPrintProcessor, DeletePort_, EndDocPor_, EnumPorts_, EnumPrintProcessorDatatypesW, GetPrintProcessorCapabilitie_, InitializeMonito_, InitializeMonitorE_, InitializePrintMonito_, InitializePrintMonitor2, InitializePrintProvidor, InstallPrintProcesso_, OpenPor_, OpenPrintProcessor, PrintDocumentOnPrintProcessor, ReadPor_, StartDocPor_, WritePor_
RDS...: NSRL Reference Data Set



#11
April 16, 2009 at 13:38:17
HijackThis Log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:19:50 PM, on 4/16/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\PROGRA~1\PHAROS~1\Core\CTskMstr.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\Drivers\WTSRV.EXE
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\HPQ\Shared\HPQTOA~1.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\WTClient.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\WISPTIS.EXE
C:\Program Files\Hp\Digital Imaging\bin\hpqtra08.exe
C:\Documents and Settings\Winter\Desktop\Start\yzdock83\YzDock.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Microsoft Office\Office12\WINWORD.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?Lin...
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?T...
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~4\Office12\GRA8E1~1.DLL
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe
O4 - HKLM\..\Run: [Reminder] C:\Windows\CREATOR\Remind_XP.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [WTClient] WTClient.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - .DEFAULT User Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe (User 'Default user')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Startup: Shortcut to YzDock.lnk = C:\Documents and Settings\Winter\Desktop\Start\yzdock83\YzDock.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hp\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: VPN Client.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\system32\shdocvw.dll
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q306&bd=presario&pf=laptop
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52...
O16 - DPF: {07E9CB47-7D1B-430A-B17C-A6B7459FCC5D} (SystemInfo Control) - http://global.lunia.com/lib/activex...
O16 - DPF: {0835BC90-6ABC-4F52-A103-4FC3A61F2C33} (A18X Control) - http://www.albatross18.com/season2/...
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - http://ipgweb.cce.hp.com/rdqnbk/dow...
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/re...
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/Div...
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/g...
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://zone.msn.com/bingame/chnz/de...
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramewo...
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/g...
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30155.www3.hp.com/ediags/hp...
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~4\Office12\GR99D3~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: Sony SPTI Service for DVE (ICDSPTSV) - Sony Corporation - C:\WINDOWS\system32\IcdSptSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Pharos Systems ComTaskMaster - Pharos Systems International - C:\PROGRA~1\PHAROS~1\Core\CTskMstr.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: WinTab Service (WinTabService) - Tablet Driver - C:\WINDOWS\System32\Drivers\WTSRV.EXE

--
End of file - 10981 bytes



#12
April 16, 2009 at 14:23:29
Your system looks much better. Can you use Google, and have there been any improvements in the computer's functions?

Open Notepad and copy/paste everything between the X's into it, and make sure the first word (such as KILLALL, File, Folder, Registry, etc.) is at the very top of the page.
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Registry::
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4}\InprocServer32]
@=-
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Go to File on the top bar and choose "Save As", change the "Save As Type" to All Files, name it CFScript.txt, then save it to your desktop.
Then drag/drop CFScript.txt onto ComboFix.exe (the red symbol on your desktop). If ComboFix does not auto-start, click "Run".

Please post the log that is produced.

Empty the restore folder. Go to Start > Control Panel > System > System Restore tab > check the box beside "Turn off System Restore" > Apply (takes a minute) > OK. Go back and uncheck the box to turn System Restore back on > Apply > OK.


Download ATF Cleaner from this link:
http://www.majorgeeks.com/ATF_Cleaner_d4949.html
Run ATF-Cleaner
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

The following Kaspersky scan takes 3 to 4 hours to run, but is worth it. Run an online scan with Kaspersky from the following link:
Kaspersky Online Scanner

Note: If you have used this particular scanner before, you MAY HAVE TO UNINSTALL the program through Add/Remove Programs before downloading the new ActiveX component.

1. Click Accept, when prompted to download and install the program files and database of malware definitions.
2. Click Run at the Security prompt.
The program will then begin downloading and installing and will also update the database.
Please be patient as this can take several minutes.
3. Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
4. Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
5. Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
6. Click View scan report at the bottom.
7. Click the Save Report As... button.
8. Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.
**Note**

To optimize scanning time and produce a more sensible report for review:
Close any open programs.
Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.
Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.



#13
April 16, 2009 at 14:46:31
Yeah, I can use Google again and I haven't had any pop-ups, even when I left my computer running (i.e. did not put it into sleep mode) for 2 days. (Usually I let the scanners run while I'm at school or overnight -- Malwarebytes can take forever to finish...)

Thank you so much for your help~!! I'll post the new logs as they are completed.



#14
April 16, 2009 at 14:56:39
Here's the new Combofix log:

ComboFix 09-04-16.02 - Winter 04/16/2009 17:49.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.758.334 [GMT -4:00]
Running from: c:\documents and settings\Winter\Desktop\dl\toolb.exe
Command switches used :: c:\documents and settings\Winter\Desktop\dl\CFScript.txt
AV: avast! antivirus 4.8.1296 [VPS 090416-0] *On-access scanning disabled* (Updated)
FW: Norton Internet Worm Protection *disabled*
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2009-03-16 to 2009-04-16 )))))))))))))))))))))))))))))))
.

2009-04-16 02:30 . 2009-04-16 07:01 1374 ----a-w c:\windows\imsins.BAK
2009-04-15 22:51 . 2009-04-15 22:51 -------- d-----w c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-04-15 22:49 . 2009-04-15 22:49 -------- d-----w c:\program files\SUPERAntiSpyware
2009-04-15 22:49 . 2009-04-15 22:49 -------- d-----w c:\documents and settings\Winter\Application Data\SUPERAntiSpyware.com
2009-04-15 22:48 . 2009-04-15 22:48 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-04-14 22:18 . 2009-04-14 22:18 -------- d-----w c:\program files\Trend Micro
2009-04-14 14:31 . 2009-04-14 14:31 -------- d-sh--w c:\documents and settings\NetworkService\History
2009-04-14 14:31 . 2009-04-14 14:31 -------- d-sh--w c:\documents and settings\NetworkService\Temporary Internet Files
2009-04-11 23:07 . 2009-04-11 23:24 66952 ----a-w c:\windows\system32\drivers\iksysflt.sys
2009-04-11 23:07 . 2009-04-11 23:23 81288 ----a-w c:\windows\system32\drivers\iksyssec.sys
2009-04-11 23:07 . 2009-04-11 23:23 40840 ----a-w c:\windows\system32\drivers\ikfilesec.sys
2009-04-11 23:07 . 2008-06-02 19:19 29576 ----a-w c:\windows\system32\drivers\kcom.sys
2009-04-11 23:06 . 2009-04-15 10:48 -------- d-----w c:\program files\Spyware Doctor
2009-04-10 00:18 . 2009-04-10 00:18 -------- d-----w c:\windows\Internet Logs
2009-04-10 00:18 . 2008-03-29 21:36 125328 ----a-w c:\windows\system32\drivers\dne2000.sys
2009-04-10 00:17 . 2009-04-10 00:17 -------- d-----w c:\program files\Common Files\Deterministic Networks
2009-04-10 00:17 . 2009-04-10 00:17 -------- d-----w c:\program files\Cisco Systems
2009-04-10 00:17 . 2009-04-10 00:18 1594 ----a-w c:\windows\VPNInstall.MIF
2009-04-08 22:52 . 2009-04-08 22:52 -------- d-----w c:\documents and settings\Winter\Local Settings\Application Data\vdownloader

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-16 13:15 . 2008-09-07 21:55 -------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2009-04-16 11:37 . 2006-05-09 12:59 39 ----a-w C:\XP_TV.ini
2009-04-16 02:00 . 2007-04-05 22:37 -------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-04-16 00:22 . 2006-05-09 10:35 -------- d-----w c:\program files\Java
2009-04-14 01:04 . 2009-04-14 01:04 674 ----a-w C:\odee.txt
2009-04-13 11:38 . 2006-11-04 20:23 -------- d-----w c:\program files\CCleaner
2009-04-12 15:28 . 2008-09-08 03:02 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-06 19:32 . 2008-09-08 03:02 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 19:32 . 2008-09-08 03:02 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-03-27 07:45 . 2006-09-04 03:04 166936 ----a-w c:\documents and settings\Winter\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-03-15 18:28 . 2009-01-18 20:15 -------- d-----w c:\program files\Opera
2009-03-09 09:19 . 2008-11-28 05:59 410984 ----a-w c:\windows\system32\deploytk.dll
2009-02-21 04:37 . 2009-01-17 19:07 -------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-02-09 10:19 . 2007-03-08 13:47 1846272 ------w c:\windows\system32\dllcache\win32k.sys
2009-02-09 10:19 . 2006-09-03 23:59 1846272 ----a-w c:\windows\system32\win32k.sys
2009-01-17 19:18 . 2009-01-17 19:18 10752 ----a-w c:\windows\system32\PSS62FB5.DLL
2009-01-17 01:35 . 2006-11-08 02:03 3594752 ------w c:\windows\system32\dllcache\mshtml.dll
2007-06-05 21:06 . 2007-02-03 05:27 1116 ----a-w c:\documents and settings\Winter\Application Data\wklnhst.dat
2006-09-28 21:19 . 2006-09-10 13:41 28672 ----a-w c:\documents and settings\Winter\atwbxdet.dll
2006-09-04 03:06 . 2006-09-04 03:04 137 ----a-w c:\documents and settings\Winter\Local Settings\Application Data\fusioncache.dat
.

((((((((((((((((((((((((((((( SnapShot_2009-04-16_11.37.47 )))))))))))))))))))))))))))))))))))))))))
.
- 2006-03-27 16:07 . 2009-04-16 11:23 65326 c:\windows\system32\perfc009.dat
+ 2006-03-27 16:07 . 2009-04-16 11:39 65326 c:\windows\system32\perfc009.dat
+ 2006-03-27 16:07 . 2009-04-16 11:39 410676 c:\windows\system32\perfh009.dat
- 2006-03-27 16:07 . 2009-04-16 11:23 410676 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2006-02-15 454656]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-04 761948]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2006-04-12 102400]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 81920]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-03-07 131072]
"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2006-02-22 40960]
"RecGuard"="c:\windows\SMINST\RecGuard.exe" [2005-10-11 1187840]
"Reminder"="c:\windows\CREATOR\Remind_XP.exe" [2006-02-09 643072]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-11-03 282624]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-01-13 131072]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-01-13 163840]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-01-13 135168]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd.exe" [2003-08-04 49152]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-11-26 81000]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 241664]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" - c:\windows\system32\CHDAudPropShortcut.exe [2006-04-18 61952]
"WTClient"="WTClient.exe" - c:\windows\system32\WTClient.exe [2007-04-11 40960]

c:\documents and settings\Winter\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 98632]
Shortcut to YzDock.lnk - c:\documents and settings\Winter\Desktop\Start\yzdock83\YzDock.exe [2003-6-3 386560]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\Hp\Digital Imaging\bin\hpqtra08.exe [2003-9-16 237568]
VPN Client.lnk - c:\windows\Installer\{A7091E1D-36A4-47F1-A739-173CC341414F}\Icon3E5562ED7.ico [2009-4-9 6144]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 16:05 356352 ----a-w c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.iv41"= ir41_32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2006-10-27 05:47 31016 ----a-w c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
2009-03-23 18:07 1830128 ----a-w c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\mshta.exe"=
"c:\\Program Files\\Pharos\\bin\\PSNotify.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R0 ajcv;ajcv; [x]
R0 bzlubri;bzlubri; [x]
R0 cevuoc;cevuoc; [x]
R0 crts;crts; [x]
R0 eggfbh;eggfbh; [x]
R0 hfib;hfib; [x]
R0 skiqlfsj;skiqlfsj; [x]
R3 ICDUSB2;Sony IC Recorder (P);c:\windows\system32\Drivers\ICDUSB2.sys [2002-11-29 39048]
R3 PLUsbbc2;USB 2.0 Networking/Data Transfer Cable;c:\windows\system32\Drivers\usbbc2.sys [2003-05-07 8960]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-03-23 7408]
R3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2008-06-13 356920]
R3 XDva158;XDva158; [x]
S1 aswSP;avast! Self Protection; [x]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2009-03-23 9968]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2009-03-23 72944]
S2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2008-11-26 20560]


--- Other Services/Drivers In Memory ---

*Deregistered* - mchInjDrv
.
Contents of the 'Scheduled Tasks' folder

2009-04-16 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-09-07 05:42]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q306&bd=presario&pf=laptop
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
Trusted Zone: aol.com\aimexpress
Trusted Zone: aol.com\my.screenname
Trusted Zone: aol.com\www
DPF: {07E9CB47-7D1B-430A-B17C-A6B7459FCC5D} - hxxp://global.lunia.com/lib/activex/SystemInfo_1_0_0_47.cab
FF - ProfilePath - c:\documents and settings\Winter\Application Data\Mozilla\Firefox\Profiles\inhf4ijv.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - www.google.com
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrab&query=
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npGoogleGadgetPluginFirefoxWin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-16 17:51
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe?????? ???@???????????????@? ???xc??????(?@???????@

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4}\InprocServer32]
@DACL=(02 0000)
@="c:\\windows\\system32\\gahehuje.dll"
"ThreadingModel"="Both"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1236)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\igfxdev.dll

- - - - - - - > 'explorer.exe'(2928)
c:\progra~1\PHAROS~1\Core\PRNTRACK.DLL
c:\documents and settings\Winter\Desktop\Start\yzdock83\YzDock.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-04-16 17:54
ComboFix-quarantined-files.txt 2009-04-16 21:53
ComboFix2.txt 2009-04-16 11:40
ComboFix3.txt 2009-04-16 02:17

Pre-Run: 16,952,434,688 bytes free
Post-Run: 16,935,739,392 bytes free

202 --- E O F --- 2009-04-16 07:01


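The CFScript in post #12 clears the default value of a CLSID's InprocServer32 key, which is the hook Vundo uses to get its randomly named DLL loaded as a COM server: the "LOCKED REGISTRY KEYS" section of the ComboFix log above still shows that key pointing at c:\windows\system32\gahehuje.dll, and the "R0 ajcv;ajcv; [x]" style lines are the dead driver stubs the same infection leaves behind. The script below is an added example for this thread, not code from HijackThis, ComboFix or any poster: it walks log text of those shapes, flags the Vundo-style entries, and emits the same Registry:: fragment that post #12 wrote by hand. The sample log is constructed for the example (the InprocServer32 block and the two R0 stubs are copied from the ComboFix log above, the O3 line and the Adobe O2 line from the HijackThis log in post #11; the gahehuje O2 BHO line is hypothetical). The name-randomness rule, its thresholds and the "kind" labels are assumptions for ranking candidates, not signatures; confirm any hit by hashing the file and looking it up, as the thread did.

```python
"""Triage Vundo-style persistence entries in HijackThis / ComboFix log text.

Added example for this thread; not code from HijackThis, ComboFix or the
posters. Every rule below is an assumption used for ranking, not a signature.
"""
import re
from dataclasses import dataclass

VOWELS = set("aeiou")

# Line shapes handled: HijackThis O-sections, ComboFix driver stubs, and the
# InprocServer32 blocks in ComboFix's "LOCKED REGISTRY KEYS" section.
HJT_ENTRY = re.compile(r"^O(\d+) - [^:]+: (.*?) - (\{[0-9A-Fa-f-]{36}\}) - (.*)$")
CF_STUB = re.compile(r"^R[0-3] ([^;]+);[^;]*; \[x\]$")           # service with no image file
CF_KEY = re.compile(r"^\[(HKEY_LOCAL_MACHINE\\.*\\InprocServer32)\]$", re.IGNORECASE)
CF_VALUE = re.compile(r'^@="(.*)"$')                               # default value of that key

# Constructed sample (see lead-in): two HijackThis lines from post #11, one
# hypothetical BHO line, and the R0 stubs plus locked key from post #14's log.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - C:\WINDOWS\system32\gahehuje.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
R0 ajcv;ajcv; [x]
R0 crts;crts; [x]
R3 ICDUSB2;Sony IC Recorder (P);c:\windows\system32\Drivers\ICDUSB2.sys [2002-11-29 39048]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4}\InprocServer32]
@DACL=(02 0000)
@="c:\\windows\\system32\\gahehuje.dll"
"ThreadingModel"="Both"
"""


@dataclass
class Finding:
    kind: str    # "bho", "shell-ext", "orphan", "driver-stub", "inproc"
    ident: str   # CLSID, service name or registry key
    path: str    # file the entry points at ("" if none)
    reason: str


def looks_random(path: str) -> bool:
    """Heuristic (assumption): the Vundo file names in this thread are 8-9
    all-lowercase letters with about half vowels (gahehuje, puteskepi,
    varayihe). Accept 8..12 letters, no digits, 35-60 % vowels. That excludes
    kernel32.dll (digits) and shdocvw.dll (no vowels) but still flags some
    legitimate names, so it ranks candidates rather than deciding."""
    stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    if not (8 <= len(stem) <= 12 and stem.isalpha() and stem.islower()):
        return False
    share = sum(ch in VOWELS for ch in stem) / len(stem)
    return 0.35 <= share <= 0.60


def in_system32(path: str) -> bool:
    return "\\system32\\" in path.lower()


def triage(log_text: str) -> list[Finding]:
    """Walk the log once and collect Vundo-style entries."""
    findings: list[Finding] = []
    pending_key = None                      # InprocServer32 key awaiting its @= value
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := HJT_ENTRY.match(line):
            section, _name, clsid, path = m.groups()
            if path == "(no file)":
                findings.append(Finding("orphan", clsid, "", "entry points at a missing file (leftover)"))
            elif in_system32(path) and looks_random(path):
                kind = "bho" if section == "2" else "shell-ext"
                findings.append(Finding(kind, clsid, path, "random-looking DLL in system32"))
            continue
        if m := CF_STUB.match(line):
            findings.append(Finding("driver-stub", m.group(1), "", "driver registered with no file"))
            continue
        if m := CF_KEY.match(line):
            pending_key = m.group(1)
            continue
        if line.startswith("["):            # some other key: stop waiting for a value
            pending_key = None
            continue
        if pending_key and (m := CF_VALUE.match(line)):
            path = m.group(1).replace("\\\\", "\\")   # ComboFix doubles backslashes in values
            if in_system32(path) and looks_random(path):
                findings.append(Finding("inproc", pending_key, path,
                                        "locked CLSID server is a random-looking DLL"))
            pending_key = None
    return findings


def cfscript(findings: list[Finding]) -> str:
    """Emit the Registry:: section of a ComboFix CFScript that deletes the
    default value (@=-) of every flagged InprocServer32 key, the same shape
    post #12 wrote by hand. Review it before dropping it on ComboFix."""
    lines = ["Registry::"]
    for f in findings:
        if f.kind == "inproc":
            lines += [f"[{f.ident}]", "@=-"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"{f.kind:12} {f.ident}  {f.path}  ({f.reason})")
    print(cfscript(found))
```

Run it on a saved log (python triage.py < log.txt after swapping SAMPLE_LOG for sys.stdin.read()) and it lists the orphaned toolbar entries, the nameless R0 stubs, any system32 DLL whose name fits the pattern, and the Registry:: block for the locked key. Everything it prints is a candidate for a human to judge: the "R3 XDva158;XDva158; [x]" line in the log above would be reported as a stub too, and a legitimate DLL with a vowel-heavy name will trip the name rule.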

#15
April 16, 2009 at 20:23:53
I ran the Kaspersky scan, which did take quite a while. It came up with no results and did nothing when I clicked the "save scan results" button.



#16
April 16, 2009 at 20:25:28
(Also, I ran ATF Cleaner and cleared out System Restore before Kaspersky.)


#17
April 17, 2009 at 14:01:02
There is one item remaining in your registry that will not be a problem, so we will leave that alone.

Your computer appears to be clean


Go to Start > Run > type in combofix /u (note the space after combofix), then press Enter or click Run. This will uninstall ComboFix, so give the uninstaller a minute to run.

Go to start> control panel> add/remove programs and uninstall these programs:

Hijack This

Malwarebytes

Kaspersky

You should keep ATF Cleaner and run it weekly.


You should consider adding "Spywareblaster" to your arsenal of antispyware tools; you can download it from this link: Spywareblaster

Just download it, install it, and update it. It's free and runs in the background, so you don't actually run it, and it re-writes malicious script before it can install on your computer. Look for updates weekly, as there is no auto-update on the free version.

Glad we could help.



#18
April 17, 2009 at 21:54:27
You may try the manual removal guide to get rid of Vundo:
http://darfuns.com/remove-vundo-tro...


#19
April 18, 2009 at 19:26:46
I can't thank you enough, jabuck~! My computer is so much better now, You're really good at this~~!

Now I can get to work on all that piled up homework @___@



#20
April 18, 2009 at 19:40:15
Glad we could help.

Best of luck with your education.



