Help! winlogon.exe infected by ursnif.a

I use Eset NOD32 antivirus software, and since (around) 6/24 I keep getting warnings from it about winlogon.exe being infected by Win32/Ursnif.A. Eset could not remove or do anything about this file. I have also tried SUPERAntiSpyware, Microsoft OneCare online scan, and Malwarebytes' Anti-Malware, but none of them solved the problem.

Object:
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\termsrv.dll (this warning only happened twice)

Threat:
Win32/Spy.Ursnif.A virus

Is there any information that you could give for automatically/manually removing this virus? I have done lots of Google searches, and this forum seems to be the only one that has actually given useful suggestions about this virus. Thanks in advance!

Comments

  • edited June 2009
    Hello. :)

    Let's have you download ComboFix.exe. Please visit this webpage for downloading and instructions for running the tool:

    Go here ======> A guide and tutorial on using ComboFix <====== Go here

    Please ensure you read this guide carefully and install the Recovery Console first. This applies to XP Pro and XP Home users only. If you have SP3 installed you will need to use the download meant for SP2.

    The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

    Once installed, you should get a prompt that says:

    The Recovery Console was successfully installed.

    Please continue as follows:

    (1) Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    (2) Click Yes to allow ComboFix to continue scanning for malware.

    When the tool is finished, it will produce a report for you.


    Please include C:\ComboFix.txt for further review (copy and paste it), so that we may continue cleansing the system.


    Caution: Never run and remove files with Combofix unless supervised by a qualified security analyst who is experienced in the use of Combofix. Misuse can cause serious computer problems.
  • edited June 2009
    Hi,

    The Windows XP on my laptop is the Traditional Chinese version, so I replaced the Chinese characters in the ComboFix log with English. There are still some Chinese characters in the file paths. I hope this won't cause you any trouble reading it. Thanks a lot for the help!

    ComboFix 09-06-26.02 - user /06/27 21:32.2 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.950.886.1028.18.1014.625 [GMT -5:00]
    Running from: c:\documents and settings\user\My Documents\Downloads\ComboFix.exe
    AV: Eset NOD32 antivirus system 2.50 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\windows\system32\winlogon.exe . . . is infected !!

    .
    ((((((((((((((((((((((((( Files created from 2009-05-28 to 2009-06-28 )))))))))))))))))))))))))))))))
    .

    2009-06-27 17:07 . 2009-06-27 17:31 d-----w- c:\program files\Exterminate It!
    2009-06-27 16:49 . 2009-06-27 16:53 92765 ----a-w- C:\MGlogs.zip
    2009-06-27 16:49 . 2009-06-27 16:53 d-----w- C:\MGtools
    2009-06-27 12:30 . 2009-06-27 12:35 d-----w- c:\program files\Windows Live Safety Center
    2009-06-27 12:28 . 2009-06-27 12:28 d-----w- c:\program files\Microsoft Windows OneCare Live
    2009-06-27 12:11 . 2009-06-27 12:11 d-----w- c:\windows\system32\dllcache\cache
    2009-06-27 11:12 . 2009-06-27 11:12 3561743 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
    2009-06-27 04:35 . 2009-06-27 23:45 117760 ----a-w- c:\documents and settings\user\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
    2009-06-27 04:34 . 2009-06-27 04:34 d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
    2009-06-27 04:34 . 2009-06-27 04:34 d-----w- c:\program files\SUPERAntiSpyware
    2009-06-27 04:34 . 2009-06-27 04:34 d-----w- c:\documents and settings\user\Application Data\SUPERAntiSpyware.com
    2009-06-27 04:31 . 2009-06-27 04:31 1343190 ----a-w- C:\MGtools.exe
    2009-06-27 04:10 . 2009-06-27 04:10 410984 ----a-w- c:\windows\system32\deploytk.dll
    2009-06-27 04:09 . 2009-06-27 04:09 d-----w- c:\program files\Java
    2009-06-16 16:33 . 2009-06-16 16:33 d-----w- c:\program files\Defraggler
    2009-06-16 16:14 . 2009-06-16 16:14 d-----w- c:\program files\CCleaner
    2009-06-15 21:38 . 2009-06-15 21:38 dc----w- c:\documents and settings\All Users\Application Data\{51019853-129C-4EDE-9030-D5FD7BBD9AD0}
    2009-06-15 21:33 . 2008-07-06 12:06 89088 ------w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
    2009-06-15 21:33 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
    2009-06-15 21:33 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
    2009-06-15 21:33 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\dllcache\xpsshhdr.dll
    2009-06-15 21:33 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
    2009-06-15 21:33 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
    2009-06-15 21:33 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\dllcache\xpssvcs.dll
    2009-06-15 21:33 . 2009-06-15 21:36 d-----w- C:\27ac75d7dad0740d106d2a7ecfb574d3
    2009-06-15 21:32 . 2009-06-16 04:08 d-----w- c:\windows\SxsCaPendDel
    2009-06-15 21:23 . 2009-06-15 21:23 d-----w- c:\program files\MSXML 6.0
    2009-06-15 21:17 . 2009-06-15 21:17 d--h--r- C:\AHCache

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-06-27 16:34 . 2005-09-21 20:59 35472 ----a-w- c:\documents and settings\user\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2009-06-27 11:13 . 2008-09-03 04:42 d-----w- c:\program files\Malwarebytes' Anti-Malware
    2009-06-27 11:04 . 2005-09-11 12:02 d-----w- c:\program files\ALiBaBar
    2009-06-27 04:32 . 2005-06-29 15:13 d-----w- c:\program files\Common Files\Wise Installation Wizard
    2009-06-27 04:16 . 2005-09-11 12:47 d-----w- c:\documents and settings\user\Application Data\AdobeUM
    2009-06-17 16:27 . 2008-09-03 04:42 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2009-06-17 16:27 . 2008-09-03 04:42 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
    2009-06-16 17:03 . 2005-06-29 15:09
    d--h--w- c:\program files\InstallShield Installation Information
    2009-06-16 15:29 . 1979-12-31 16:00 292524 ----a-w- c:\windows\system32\prfh0404.dat
    2009-06-16 15:29 . 1979-12-31 16:00 106078 ----a-w- c:\windows\system32\prfc0404.dat
    2009-06-16 14:17 . 2005-09-11 12:30 d-----w- c:\program files\Common Files\Adobe
    2009-06-07 20:30 . 2008-12-18 17:13 d-----w- c:\documents and settings\user\Application Data\PlayFirst
    2009-06-07 20:30 . 2008-12-18 17:13 d-----w- c:\documents and settings\All Users\Application Data\PlayFirst
    2009-05-07 15:42 . 1979-12-31 16:00 339456 ----a-w- c:\windows\system32\localspl.dll
    2009-05-05 02:43 . 2007-01-24 02:22
    d--h--w- c:\documents and settings\user\Application Data\Move Networks
    2009-04-29 04:42 . 1979-12-31 16:00 827392 ----a-w- c:\windows\system32\wininet.dll
    2009-04-29 04:41 . 1979-12-31 16:00 78336 ----a-w- c:\windows\system32\ieencode.dll
    2009-04-19 19:55 . 1979-12-31 16:00 1847552 ----a-w- c:\windows\system32\win32k.sys
    2009-04-15 15:11 . 1979-12-31 16:00 584192 ----a-w- c:\windows\system32\rpcrt4.dll
    2009-04-14 04:08 . 2008-10-02 00:45 34062 ----a-w- c:\documents and settings\user\Application Data\Move Networks\ie_bin\Uninst.exe
    2009-04-14 04:08 . 2009-04-14 04:07 1047072 ----a-w- c:\documents and settings\user\Application Data\Move Networks\MoveMediaPlayer_071303000006.exe
    .

    Sigcheck

    [-] 2008-04-14 16:31 14336 B703AEE8722CED0F0FD804EA844D8DE6 c:\windows\SoftwareDistribution\Download\955997d3b16bb107db5044b5727c8498\svchost.exe
    [7] 2004-08-04 13:00 14336 723BA2EFE4A16774E98F53D7AC6C71FD c:\windows\system32\svchost.exe

    [7] 2004-08-04 13:00 572416 9F3229AB5F73AD8381277F4D77650233 c:\windows\$NtUninstallKB890859$\user32.dll
    [7] 2005-03-02 18:20 572416 9848C48F99238C5224E68E335D0C0EB6 c:\windows\$NtUninstallKB925902$\user32.dll
    [-] 2008-04-14 16:30 573952 851097CE6C6F42C40045F22626706C60 c:\windows\SoftwareDistribution\Download\955997d3b16bb107db5044b5727c8498\user32.dll
    [7] 2007-03-08 15:48 573440 FDEF087C4231D694376835423612A3AD c:\windows\system32\user32.dll
    [7] 2007-03-08 15:48 573440 FDEF087C4231D694376835423612A3AD c:\windows\system32\dllcache\user32.dll

    [-] 2008-04-14 16:30 82432 4602B35614F87881C88F503F9E95AE28 c:\windows\SoftwareDistribution\Download\955997d3b16bb107db5044b5727c8498\ws2_32.dll
    [7] 2004-08-04 13:00 82944 8A39164F7884644723CD7ACC913260AF c:\windows\system32\ws2_32.dll

    [7] 2004-09-29 18:45 642560 7AC2B596DE157747E0F19512E8972B38 c:\windows\$hf_mig$\KB834707\SP2QFE\wininet.dll
    [7] 2005-07-03 02:10 645120 86EDD83821D3CFF74192CC3E39EF8C6B c:\windows\$hf_mig$\KB896727\SP2QFE\wininet.dll
    [7] 2007-10-10 23:20 825344 2EC13B3BDDC4D69233EC674A1D0FB271 c:\windows\$hf_mig$\KB942615-IE7\SP2QFE\wininet.dll
    [7] 2007-12-07 01:40 825344 351982A6A235377F2818294C2D192CBC c:\windows\$hf_mig$\KB944533-IE7\SP2QFE\wininet.dll
    [7] 2008-03-01 12:33 827392 EFADC3837A5E130BF4B84136A215D4D5 c:\windows\$hf_mig$\KB947864-IE7\SP2QFE\wininet.dll
    [7] 2008-04-23 07:17 827392 0F14DD8C15CDF5039DB43D51E3DFCBAC c:\windows\$hf_mig$\KB950759-IE7\SP2QFE\wininet.dll
    [7] 2008-06-23 15:37 827904 EB6E9CE93FC92948F8521165EDD46EDA c:\windows\$hf_mig$\KB953838-IE7\SP2QFE\wininet.dll
    [7] 2008-08-26 09:08 827904 B24FC17EF69350FCEED88396A677C9A3 c:\windows\$hf_mig$\KB956390-IE7\SP2QFE\wininet.dll
    [7] 2008-10-16 19:31 827904 74C46161A733122DC438452279A9088C c:\windows\$hf_mig$\KB958215-IE7\SP2QFE\wininet.dll
    [7] 2008-12-20 23:46 827904 66E56EE1AAB0CFE10EFBE2F7208374CF c:\windows\$hf_mig$\KB961260-IE7\SP2QFE\wininet.dll
    [7] 2009-03-03 00:14 828416 B558A9AD2BB1C30EA3350D85115BCA86 c:\windows\$hf_mig$\KB963027-IE7\SP3QFE\wininet.dll
    [7] 2009-04-29 04:36 828928 339B937393F91D30CF1E9DD3F7206F52 c:\windows\$hf_mig$\KB969897-IE7\SP3QFE\wininet.dll
    [7] 2005-07-03 02:15 644096 1983B2FB4522AD61A8B4B1EB8710D654 c:\windows\$NtUninstallKB896688$\wininet.dll
    [7] 2004-09-29 18:48 642560 7B3CDFF42FD74668954A06171DB7ED9B c:\windows\$NtUninstallKB896727$\wininet.dll
    [7] 2005-09-02 23:53 646144 B1053F8F0DD849F2A0B7A8F32EF92914 c:\windows\$NtUninstallKB905915$\wininet.dll
    [7] 2005-10-21 03:39 647168 6805448BF263A1834FA8E28BFFCC9C6C c:\windows\$NtUninstallKB912812$\wininet.dll
    [7] 2006-03-04 03:58 649216 8A1A843AF1B394831D41FA1E6C9D179E c:\windows\$NtUninstallKB916281$\wininet.dll
    [7] 2006-05-10 05:26 649216 7562D70615F600ABDA08F6B5DB723564 c:\windows\$NtUninstallKB918899$\wininet.dll
    [7] 2006-06-23 11:25 650240 3200AA0AD25D89A616D98E4D39EFFF90 c:\windows\$NtUninstallKB922760$\wininet.dll
    [7] 2006-09-14 08:35 650240 354663FB4D2B2AC10123B29AF8DB19E3 c:\windows\$NtUninstallKB925454$\wininet.dll
    [7] 2006-10-23 15:34 650240 1C405A3632852728D755EB2DE7A5FCF0 c:\windows\$NtUninstallKB928090$\wininet.dll
    [7] 2007-01-04 14:00 650752 822F08EA771A83942B182E517658B4DF c:\windows\$NtUninstallKB931768$\wininet.dll
    [7] 2007-02-19 15:22 651264 985DC43CF46EFB019275E16C72428BE2 c:\windows\$NtUninstallKB933566$\wininet.dll
    [7] 2007-04-18 12:44 651264 4408F99DD19E05C2FD5FD5869918BBCA c:\windows\$NtUninstallKB937143$\wininet.dll
    [7] 2007-06-26 14:39 651264 8B2C80922031E36F866BAB8804598E71 c:\windows\$NtUninstallKB939653$\wininet.dll
    [7] 2007-08-22 12:56 651264 F21105396ADF8B2F1C24C715386F5AB8 c:\windows\$NtUninstallKB942615$\wininet.dll
    [7] 2007-10-11 06:10 651776 488A41CBEC14120FD2316ED79DB8745E c:\windows\ie7\wininet.dll
    [7] 2007-08-14 00:54 818688 A4A0FC92358F39538A6494C42EF99FE9 c:\windows\ie7updates\KB942615-IE7\wininet.dll
    [7] 2007-10-10 23:46 824832 BC55C8AC0AD717DF70AACFC199331AE3 c:\windows\ie7updates\KB944533-IE7\wininet.dll
    [7] 2007-12-07 02:04 824832 E2FA37656CC23B34D36BAF0BFA0420EC c:\windows\ie7updates\KB947864-IE7\wininet.dll
    [7] 2008-03-01 12:54 826368 1A2842CE9FCEF9063468D86D56603317 c:\windows\ie7updates\KB950759-IE7\wininet.dll
    [7] 2008-04-23 04:16 826368 86B05F3E2AA46B3E9CBFAA2ED6B6E078 c:\windows\ie7updates\KB953838-IE7\wininet.dll
    [7] 2008-06-23 16:15 826368 0E5A7B96DE1A9B33BF24316D05B3B15D c:\windows\ie7updates\KB956390-IE7\wininet.dll
    [7] 2008-08-26 07:57 826368 E73910D16B8A25CC8ECF2961EF4A9AED c:\windows\ie7updates\KB958215-IE7\wininet.dll
    [7] 2008-10-16 20:04 826368 6C2025E2D982E1543352E3F4938A4B5A c:\windows\ie7updates\KB961260-IE7\wininet.dll
    [7] 2008-12-20 22:31 826368 CAE9E2C7917CE47726BB429CEBA963BF c:\windows\ie7updates\KB963027-IE7\wininet.dll
    [7] 2009-03-03 00:03 826368 20C61A7BF16E2499F670ED4C4EF72CA6 c:\windows\ie7updates\KB969897-IE7\wininet.dll
    [-] 2008-04-14 16:30 651776 47DDC4BC6C3B837C817E8FD3A10F16B8 c:\windows\SoftwareDistribution\Download\955997d3b16bb107db5044b5727c8498\wininet.dll
    [7] 2009-04-29 04:42 827392 6C818813CB429DF7880E3564EA263A84 c:\windows\system32\wininet.dll
    [7] 2009-04-29 04:42 827392 6C818813CB429DF7880E3564EA263A84 c:\windows\system32\dllcache\wininet.dll

    [7] 2008-06-20 11:51 361600 9AEFA14BD6B182D61E3119FA5F436D3D c:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys
    [7] 2008-06-20 11:59 361600 AD978A1B783B5719720CFF204B666C8E c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
    [7] 2004-08-13 22:50 359040 4092C56967175F009DC8458DC434358E c:\windows\$NtUninstallKB893066$\tcpip.sys
    [7] 2005-05-25 19:07 359936 63FDFEA54EB53DE2D863EE454937CE1E c:\windows\$NtUninstallKB913446$\tcpip.sys
    [7] 2006-01-13 17:07 360448 5562CC0A47B2AEF06D3417B733F3C195 c:\windows\$NtUninstallKB917953$\tcpip.sys
    [7] 2006-04-20 12:18 360576 B2220C618B42A2212A59D91EBD6FC4B4 c:\windows\$NtUninstallKB941644$\tcpip.sys
    [7] 2007-10-30 16:53 360832 64798ECFA43D78C7178375FCDD16D8C8 c:\windows\$NtUninstallKB951748$\tcpip.sys
    [-] 2008-04-13 19:20 361344 93EA8D04EC73A85DB02EB8805988F733 c:\windows\SoftwareDistribution\Download\955997d3b16bb107db5044b5727c8498\tcpip.sys
    [7] 2008-06-20 10:44 360960 744E57C99232201AE98C49168B918F48 c:\windows\system32\dllcache\tcpip.sys
    [7] 2008-06-20 10:44 360960 744E57C99232201AE98C49168B918F48 c:\windows\system32\drivers\tcpip.sys

    [-] 2008-04-14 16:31 493568 6A5FE820683147636F66D2A731B7169B c:\windows\SoftwareDistribution\Download\955997d3b16bb107db5044b5727c8498\winlogon.exe
    [-] 2008-09-01 18:17 487936 14A9E504421271FD39D18871717173CE c:\windows\system32\winlogon.exe

    [-] 2008-04-13 19:20 182656 1DF7F42665C94B825322FAE71721130D c:\windows\SoftwareDistribution\Download\955997d3b16bb107db5044b5727c8498\ndis.sys
    [7] 2004-08-04 13:00 182912 558635D3AF1C7546D26067D5D9B6959E c:\windows\system32\drivers\ndis.sys

    [-] 2008-04-13 18:53 36608 3BB22519A194418D5FEC05D800A19AD0 c:\windows\SoftwareDistribution\Download\955997d3b16bb107db5044b5727c8498\ip6fw.sys
    [7] 2004-08-04 13:00 29056 4448006B6BC60E6C027932CFC38D6855 c:\windows\system32\drivers\ip6fw.sys

    [7] 2009-02-11 00:03 2065920 6F6A153EE2BB573B2CD13525FABDCA9D c:\windows\$hf_mig$\KB956572\SP3GDR\ntkrnlpa.exe
    [7] 2009-02-09 11:15 2066048 1C89B423D5C9A5D303723AD462CEC93D c:\windows\$hf_mig$\KB956572\SP3QFE\ntkrnlpa.exe
    [7] 2008-08-14 13:20 2065920 A915E8F1CA374043615A8AB0C88442CE c:\windows\$hf_mig$\KB956841\SP3GDR\ntkrnlpa.exe
    [7] 2008-08-15 00:24 2065920 2612BBB588E37A8CC5D9ED9B1BCFCB10 c:\windows\$hf_mig$\KB956841\SP3QFE\ntkrnlpa.exe
    [7] 2004-08-19 23:18 2056704 30DBA20BD38CD59EAD960EA18FDE7D2E c:\windows\$NtUninstallKB890859$\ntkrnlpa.exe
    [7] 2005-03-02 18:12 2056832 ACD412243D6652EF6B86F5671ABDB159 c:\windows\$NtUninstallKB929338$\ntkrnlpa.exe
    [7] 2006-12-19 18:44 2059264 D58300E07ED71404FD6486CAA1F7CE51 c:\windows\$NtUninstallKB931784$\ntkrnlpa.exe
    [7] 2008-08-14 13:37 2062848 DC4D1536D841AB9204C0EDF23BF68232 c:\windows\$NtUninstallKB956572$\ntkrnlpa.exe
    [7] 2007-02-28 16:06 2059264 64C4883EE32E79A63AA7A829E4A1C747 c:\windows\$NtUninstallKB956841$\ntkrnlpa.exe
    [7] 2009-02-09 11:40 2062848 2361FEE45AB08DC2F238A9E5426BC873 c:\windows\Driver Cache\i386\ntkrnlpa.exe
    [-] 2008-04-14 15:59 2065792 7808D5B49D30B5A0FD09C4420D97CAAB c:\windows\SoftwareDistribution\Download\955997d3b16bb107db5044b5727c8498\ntkrnlpa.exe
    [7] 2009-02-09 11:40 2062848 2361FEE45AB08DC2F238A9E5426BC873 c:\windows\system32\ntkrnlpa.exe
    [7] 2009-02-09 11:40 2062848 2361FEE45AB08DC2F238A9E5426BC873 c:\windows\system32\dllcache\ntkrnlpa.exe

    [7] 2009-02-09 11:21 2188928 B69A94312795B0C82D8B1AFCE05DC6BB c:\windows\$hf_mig$\KB956572\SP3GDR\ntoskrnl.exe
    [7] 2009-02-11 00:13 2189056 AFF75869BDF0CA3F992411C2AC99EAE1 c:\windows\$hf_mig$\KB956572\SP3QFE\ntoskrnl.exe
    [7] 2008-08-14 13:20 2189056 207544C19E580507DBACCF24D736A459 c:\windows\$hf_mig$\KB956841\SP3GDR\ntoskrnl.exe
    [7] 2008-08-15 00:24 2189056 C9ED78E4D4A2CAABADE34BB2F9EF4855 c:\windows\$hf_mig$\KB956841\SP3QFE\ntoskrnl.exe
    [7] 2004-08-19 23:18 2180352 91AB628BD4FFD4401D30D4B47D7751D9 c:\windows\$NtUninstallKB890859$\ntoskrnl.exe
    [7] 2005-03-02 18:12 2179456 CA5B77F8ABC95792241156CA40F26D1D c:\windows\$NtUninstallKB929338$\ntoskrnl.exe
    [7] 2006-12-19 18:44 2181888 6101AD12C1065B0005C2A628ACEB8BC5 c:\windows\$NtUninstallKB931784$\ntoskrnl.exe
    [7] 2008-08-14 13:37 2185856 AACA3379053D2B8CA133E3ABFAB0B67A c:\windows\$NtUninstallKB956572$\ntoskrnl.exe
    [7] 2007-02-28 16:06 2182016 ADA79F365055EF3556912817BAD12EBB c:\windows\$NtUninstallKB956841$\ntoskrnl.exe
    [7] 2009-02-09 11:40 2185984 1DC100E63B2F12C222A07811F70A1ADC c:\windows\Driver Cache\i386\ntoskrnl.exe
    [-] 2008-04-14 15:59 2188928 6A85DFB1190736B507EEA978A8D4B357 c:\windows\SoftwareDistribution\Download\955997d3b16bb107db5044b5727c8498\ntoskrnl.exe
    [7] 2009-02-09 11:40 2185984 1DC100E63B2F12C222A07811F70A1ADC c:\windows\system32\ntoskrnl.exe
    [7] 2009-02-09 11:40 2185984 1DC100E63B2F12C222A07811F70A1ADC c:\windows\system32\dllcache\ntoskrnl.exe

    [7] 2007-06-13 13:22 977920 F7054A7191EE1E403020649AA40A23E0 c:\windows\explorer.exe
    [7] 2007-06-13 13:10 977920 50D8DB3BF83670339A8616EB5A75BF06 c:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe
    [7] 2004-08-04 13:00 976896 453888766DA789F18FBBF5B20E4BC17F c:\windows\$NtUninstallKB938828$\explorer.exe
    [-] 2008-04-14 16:30 978432 F7A2245D8BD832D1E7A01C26D5E6EFD0 c:\windows\SoftwareDistribution\Download\955997d3b16bb107db5044b5727c8498\explorer.exe
    [7] 2007-06-13 13:22 977920 F7054A7191EE1E403020649AA40A23E0 c:\windows\system32\dllcache\explorer.exe

    [7] 2009-02-09 11:21 110592 03BADD2C0EEC04B91ABBD4F570569DC5 c:\windows\$hf_mig$\KB956572\SP3GDR\services.exe
    [7] 2009-02-09 11:14 110592 577A24BF31050D354801BD9301CC7ACF c:\windows\$hf_mig$\KB956572\SP3QFE\services.exe
    [7] 2004-08-04 13:00 108032 90463A559A0D57B5D4B3E698E1BDDE92 c:\windows\$NtUninstallKB956572$\services.exe
    [-] 2008-04-14 16:30 108544 82FE81C7F30172A315AD70327B868436 c:\windows\SoftwareDistribution\Download\955997d3b16bb107db5044b5727c8498\services.exe
    [7] 2009-02-09 09:48 110592 D77B4FDB782EF7E4BB534C5C34431362 c:\windows\system32\services.exe
    [7] 2009-02-09 09:48 110592 D77B4FDB782EF7E4BB534C5C34431362 c:\windows\system32\dllcache\services.exe

    [-] 2008-04-14 16:30 13312 1E5F363F023BC4861F44BFCABF4CBEA1 c:\windows\SoftwareDistribution\Download\955997d3b16bb107db5044b5727c8498\lsass.exe
    [7] 2004-08-04 13:00 13312 4BCA771A81625259AFFAA218E0111D76 c:\windows\system32\lsass.exe

    [-] 2008-04-14 16:30 15360 4D9A9A3EBDD3193531B98FD96C2A9FB8 c:\windows\SoftwareDistribution\Download\955997d3b16bb107db5044b5727c8498\ctfmon.exe
    [7] 2004-08-04 13:00 15360 3BCEF6B66827EC0B9923D20E62D067BA c:\windows\system32\ctfmon.exe

    [7] 2005-06-11 00:17 57856 AD3D9D191AEA7B5445FE1D82FFBB4788 c:\windows\$hf_mig$\KB896423\SP2QFE\spoolsv.exe
    [7] 2004-08-04 13:00 57856 620B82889828FBE013AC6AD60F8E3FDB c:\windows\$NtUninstallKB896423$\spoolsv.exe
    [-] 2008-04-14 16:31 57856 6E4D4A38A64473B375A3E8C2DF621E5C c:\windows\SoftwareDistribution\Download\955997d3b16bb107db5044b5727c8498\spoolsv.exe
    [7] 2005-06-10 23:53 57856 DA81EC57ACD4CDC3D4C51CF3D409AF9F c:\windows\system32\spoolsv.exe

    [-] 2008-04-14 16:31 108032 F6066C005FAC8CAF210882563C92A093 c:\windows\SoftwareDistribution\Download\955997d3b16bb107db5044b5727c8498\wuauclt.exe
    [7] 2008-10-16 20:09 51224 E654B78D2F1D791B30D0ED9A8195EC22 c:\windows\system32\wuauclt.exe
    [7] 2008-10-16 20:09 51224 E654B78D2F1D791B30D0ED9A8195EC22 c:\windows\system32\dllcache\wuauclt.exe

    [-] 2008-04-14 16:31 25088 613D7C29C9E3E2375971DA7E42E4E330 c:\windows\SoftwareDistribution\Download\955997d3b16bb107db5044b5727c8498\userinit.exe
    [7] 2004-08-04 13:00 23552 F3A20A3C6A4DF7FE038F4CCA70080B10 c:\windows\system32\userinit.exe

    [-] 2008-04-14 16:30 286208 10F21A1477410AEF1322B9DD19784A9A c:\windows\SoftwareDistribution\Download\955997d3b16bb107db5044b5727c8498\termsrv.dll
    [7] 2004-08-04 13:00 286208 741E5693774F23F222887B9E4C6826E5 c:\windows\system32\termsrv.dll
    [7] 2004-08-04 13:00 286208 741E5693774F23F222887B9E4C6826E5 c:\windows\system32\dllcache\termsrv.dll

    [7] 2006-07-05 10:57 1151488 8DBDAFF18F4AB91F0EB6D02CAC9B461A c:\windows\$hf_mig$\KB917422\SP2QFE\kernel32.dll
    [7] 2007-04-16 16:09 1152512 6808E4CC97631FAD8D1EF5460FA7359F c:\windows\$hf_mig$\KB935839\SP2QFE\kernel32.dll
    [7] 2009-03-21 13:54 1155584 36A0F0BACE92C547B580DA2FAC821E01 c:\windows\$hf_mig$\KB959426\SP2QFE\kernel32.dll
    [7] 2009-03-21 14:06 1156096 5F545A19FED4464DA3BAA1DFB5134707 c:\windows\$hf_mig$\KB959426\SP3GDR\kernel32.dll
    [7] 2009-03-21 13:59 1158144 FB9C8D83863EB9442BDF54D58CBE19A5 c:\windows\$hf_mig$\KB959426\SP3QFE\kernel32.dll
    [7] 2004-08-04 13:00 1149952 B139A9AB57576616423DA80D61E21F0A c:\windows\$NtUninstallKB917422$\kernel32.dll
    [7] 2006-07-05 10:56 1150464 A31BD5DD405AABE87C47B1039DC71DAA c:\windows\$NtUninstallKB935839$\kernel32.dll
    [7] 2007-04-16 15:54 1150976 A9B6EC42C57403D69F26B99752FEA6AB c:\windows\$NtUninstallKB959426$\kernel32.dll
    [-] 2008-04-14 16:29 1156096 120A5EDA269BE21BCAEC0ECD53EC3FAE c:\windows\SoftwareDistribution\Download\955997d3b16bb107db5044b5727c8498\kernel32.dll
    [7] 2009-03-21 14:18 1152512 953499A3E341EDD741B00AFDE6492207 c:\windows\system32\kernel32.dll
    [7] 2009-03-21 14:18 1152512 953499A3E341EDD741B00AFDE6492207 c:\windows\system32\dllcache\kernel32.dll

    [-] 2008-04-14 16:29 17408 4C8C732253319D8A57DDE322DF645A94 c:\windows\SoftwareDistribution\Download\955997d3b16bb107db5044b5727c8498\powrprof.dll
    [7] 2004-08-04 13:00 17408 7040C2BCA7D6EFEEB14A807EAD9449DB c:\windows\system32\powrprof.dll

    [-] 2008-04-14 16:29 110080 38E59EE3F1A58550510D5717C79FA933 c:\windows\SoftwareDistribution\Download\955997d3b16bb107db5044b5727c8498\imm32.dll
    [7] 2004-08-04 13:00 110080 A37DE5013935401F52A31D6C3982D6C2 c:\windows\system32\imm32.dll

    [-] 2008-04-14 16:29 1570816 7A24989B34376E34D30E0770D3E28CC5 c:\windows\SoftwareDistribution\Download\955997d3b16bb107db5044b5727c8498\sfcfiles.dll
    [7] 2004-08-04 13:00 1546752 1680AD7B6FBD7CE495188A8A4CA3758B c:\windows\system32\sfcfiles.dll

    [-] 2008-04-14 16:29 146944 AF4F72898D30FD81D45BD54681B1083C c:\windows\SoftwareDistribution\Download\955997d3b16bb107db5044b5727c8498\appmgmts.dll
    [7] 2004-08-04 13:00 146944 31F504D66AA1F02C50709CDF48F28976 c:\windows\system32\appmgmts.dll

    [-] 2008-04-14 15:56 23296 781A83EE8D53443539E54D4743437196 c:\windows\SoftwareDistribution\Download\955997d3b16bb107db5044b5727c8498\kbdclass.sys
    [7] 2004-08-03 16:40 23424 8CCDD51821BBACD3DBA1AFA5E7C4D756 c:\windows\system32\drivers\kbdclass.sys
    .
    ((((((((((((((((((((((((((((( SnapShot@2009-06-27_22.51.39 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2009-06-28 00:11 . 2009-06-28 00:11 16384 c:\windows\Temp\Perflib_Perfdata_190.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
    "ibmmessages"="c:\program files\IBM\Messages By IBM\ibmmessages.exe" [2004-08-05 442368]
    "Google Update"="c:\documents and settings\user\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-04-27 133104]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
    "PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
    "PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-12-13 155648]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-12-13 126976]
    "TPKMAPHELPER"="c:\program files\ThinkPad\Utilities\TpKmapAp.exe" [2004-02-04 897024]
    "TPHOTKEY"="c:\progra~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe" [2005-03-03 94208]
    "ControlCenter"="c:\program files\IBM fingerprint software\ctlcntr.exe" [2005-03-29 283749]
    "EZEJMNAP"="c:\progra~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2004-11-23 212992]
    "ibmmessages"="c:\program files\IBM\Messages By IBM\\ibmmessages.exe" [2004-08-05 442368]
    "IBMPRC"="c:\ibmtools\UTILS\ibmprc.exe" [2004-12-15 90112]
    "QCWLICON"="c:\program files\ThinkPad\ConnectUtilities\QCWLICON.EXE" [2005-03-17 86016]
    "PWRMGRTR"="c:\progra~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2005-01-20 135168]
    "IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2004-08-04 44032]
    "MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
    "Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2008-04-23 483328]
    "LVCOMSX"="c:\windows\system32\LVCOMSX.EXE" [2004-10-08 221184]
    "BJCFD"="c:\program files\BroadJump\Client Foundation\CFD.exe" [2002-09-10 368706]
    "nod32kui"="c:\program files\Eset\nod32kui.exe" [2006-09-23 917504]
    "lxdimon.exe"="c:\program files\Lexmark 3500-4500 Series\lxdimon.exe" [2007-07-16 434864]
    "lxdiamon"="c:\program files\Lexmark 3500-4500 Series\lxdiamon.exe" [2007-07-16 25264]
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-06-27 148888]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2005-10-18 278528]
    "TrackPointSrv"="tp4serv.exe" - c:\windows\system32\tp4serv.exe [2004-10-27 94208]
    "TpShocks"="TpShocks.exe" - c:\windows\system32\TpShocks.exe [2005-01-24 106496]
    "TP4EX"="tp4ex.exe" - c:\windows\system32\TP4EX.exe [2004-11-11 40960]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

    c:\documents and settings\All Users\「開始」功能表\程式集\啟動\
    Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2005-9-11 25214]
    BTTray.lnk - c:\program files\IBM\Bluetooth Software\BTTray.exe [2004-11-30 565309]
    Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2005-6-29 24576]
    Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe [2006-1-14 196608]
    Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-12 83360]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2008-12-22 17:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
    2005-03-29 06:43 108131 ----a-w- c:\program files\IBM fingerprint software\psfus.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\QConGina]
    2005-03-17 19:07 262144 ----a-w- c:\windows\system32\QConGina.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
    2004-08-12 12:11 24576 ----a-w- c:\windows\system32\tphklock.dll

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
    "c:\\WINDOWS\\system32\\dpvsetup.exe"=
    "c:\\Program Files\\FileZilla\\FileZilla.exe"=
    "c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
    "c:\\Program Files\\ImageJ\\jre\\bin\\javaw.exe"=
    "c:\\Program Files\\Lexmark 3500-4500 Series\\lxdiamon.exe"=
    "c:\\Program Files\\Lexmark 3500-4500 Series\\App4R.exe"=
    "c:\\Program Files\\Lexmark 3500-4500 Series\\lxdimon.exe"=
    "c:\\WINDOWS\\system32\\lxdicfg.exe"=
    "c:\\WINDOWS\\system32\\lxdicoms.exe"=
    "c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdipswx.exe"=
    "c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxditime.exe"=
    "c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdijswx.exe"=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=
    "c:\\Documents and Settings\\user\\桌面\\Crazy_zh-tw_v2.exe"=
    "c:\\Documents and Settings\\user\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
    "c:\\Documents and Settings\\user\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=

    R0 d346bus;d346bus;c:\windows\system32\drivers\d346bus.sys [2005/9/11 上午 07:01 156800]
    R0 d346prt;d346prt;c:\windows\system32\drivers\d346prt.sys [2005/9/11 上午 07:01 5248]
    R0 Shockprf;Shockprf;c:\windows\system32\drivers\shockprf.sys [2005/6/29 上午 10:09 59776]
    R0 TPDiskPM;TPDiskPM;c:\windows\system32\drivers\TPDiskPM.sys [2005/6/29 上午 10:10 14208]
    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2009/6/23 上午 11:01 9968]
    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2009/6/23 上午 11:01 72944]
    R1 ShockMgr;ShockMgr;c:\windows\system32\drivers\ShockMgr.sys [2005/6/29 上午 10:09 4608]
    R1 TPPWRIF;TPPWRIF;c:\windows\system32\drivers\TPPWRIF.SYS [2005/6/29 上午 10:37 4442]
    R2 ibmfilter;ibmfilter;c:\windows\system32\drivers\ibmfilter.sys [2004/12/15 下午 03:12 63616]
    R2 lxdi_device;lxdi_device;c:\windows\system32\lxdicoms.exe -service --> c:\windows\system32\lxdicoms.exe -service [?]
    R3 Tp4Track;IBM PS/2 TrackPoint Driver;c:\windows\system32\drivers\tp4track.sys [1979/12/31 上午 11:00 13904]
    R3 TPInput;TPInput;c:\windows\system32\drivers\TPInput.sys [2005/6/29 上午 10:10 6016]
    S2 lxdiCATSCustConnectService;lxdiCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxdiserv.exe [2008/1/26 上午 11:56 99248]
    S3 QCNDISIF;QCNDISIF;c:\windows\system32\drivers\qcndisif.sys [2005/6/29 上午 10:31 12288]
    S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009/6/23 上午 11:01 7408]
    S3 vdiskbus;Virtual Disk Bus;c:\windows\system32\DRIVERS\vdiskbus.sys --> c:\windows\system32\DRIVERS\vdiskbus.sys [?]
    .
    Contents of the 'Scheduled Tasks' folder

    2009-06-27 c:\windows\Tasks\Connect Pack Update.job
    - c:\program files\Connectivity Package\UpdateCheck.exe [2005-09-29 01:39]

    2009-06-28 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1561072299-3821992076-2695497340-1006.job
    - c:\documents and settings\user\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-04-27 16:02]

    2009-06-28 c:\windows\Tasks\PMTask.job
    - c:\progra~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE [2005-06-29 17:00]

    2009-06-28 c:\windows\Tasks\WGASetup.job
    - c:\windows\system32\KB905474\wgasetup.exe [2009-04-30 03:18]
    .
    .
    Supplementary Scan
    .
    uStart Page = hxxp://www.google.com/
    uInternet Settings,ProxyOverride = localhost
    IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: 傳送到 Bluetooth(&B) - c:\program files\IBM\Bluetooth Software\btsendto_ie_ctx.htm
    IE: 剪貼簿文字: 簡 > 繁
    IE: 剪貼簿文字: 繁 > 簡
    IE: 匯出至 Microsoft Excel(&X) - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
    IE: 網頁: [簡體] 顯示
    IE: 網頁: [繁體] 顯示
    TCP: {3A1064F0-2CD9-4FA5-B65A-AA59DBA6E463} = 140.113.1.1,140.113.6.2
    Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
    DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
    DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} - hxxp://downloads.ewido.net/ewidoOnlineScan.cab
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-06-27 21:40
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...
    scanning hidden autostart entries ...
    scanning hidden files ...
    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    LOCKED REGISTRY KEYS

    [HKEY_LOCAL_MACHINE\software\Classes\B*D*A*T*u*n*e*r*.*CQè­¸\CLSID]
    @="{809B6661-94C4-49E6-B6EC-3F0F862215AA}"

    [HKEY_LOCAL_MACHINE\software\Classes\B*D*A*T*u*n*e*r*.*CQè­¸\CurVer]
    @="BDATuner.元件.1"

    [HKEY_LOCAL_MACHINE\software\Clients\StartMenuInternet\G*o*o*g*l*e* *p?hV\Capabilities]
    "ApplicationName"="Google 瀏覽器"
    "ApplicationIcon"="c:\\Documents and Settings\\user\\Local Settings\\Application Data\\Google\\Chrome\\Application\\chrome.exe,0"
    "ApplicationDescription"="Google 瀏覽器"

    [HKEY_LOCAL_MACHINE\software\Clients\StartMenuInternet\G*o*o*g*l*e* *p?hV\Capabilities\FileAssociations]
    "crx"="ChromeExt"
    ".xhtml"="ChromeHTML"
    ".xht"="ChromeHTML"
    ".shtml"="ChromeHTML"
    ".html"="ChromeHTML"
    ".htm"="ChromeHTML"

    [HKEY_LOCAL_MACHINE\software\Clients\StartMenuInternet\G*o*o*g*l*e* *p?hV\Capabilities\StartMenu]
    "StartMenuInternet"="Google 瀏覽器"

    [HKEY_LOCAL_MACHINE\software\Clients\StartMenuInternet\G*o*o*g*l*e* *p?hV\Capabilities\URLAssociations]
    "https"="ChromeHTML"
    "http"="ChromeHTML"
    "ftp"="ChromeHTML"

    [HKEY_LOCAL_MACHINE\software\Clients\StartMenuInternet\G*o*o*g*l*e* *p?hV\DefaultIcon]
    @="c:\\Documents and Settings\\user\\Local Settings\\Application Data\\Google\\Chrome\\Application\\chrome.exe,0"

    [HKEY_LOCAL_MACHINE\software\Clients\StartMenuInternet\G*o*o*g*l*e* *p?hV\InstallInfo]
    "IconsVisible"=dword:00000001
    "ShowIconsCommand"="\"c:\\Documents and Settings\\user\\Local Settings\\Application Data\\Google\\Chrome\\Application\\chrome.exe\" --show-icons"
    "HideIconsCommand"="\"c:\\Documents and Settings\\user\\Local Settings\\Application Data\\Google\\Chrome\\Application\\chrome.exe\" --hide-icons"
    "ReinstallCommand"="\"c:\\Documents and Settings\\user\\Local Settings\\Application Data\\Google\\Chrome\\Application\\chrome.exe\" --make-default-browser"

    [HKEY_LOCAL_MACHINE\software\Clients\StartMenuInternet\G*o*o*g*l*e* *p?hV\shell\open\command]
    @=&quot;\"c:\\Documents and Settings\\user\\Local Settings\\Application Data\\Google\\Chrome\\Application\\chrome.exe\""
    .
    DLLs Loaded Under Running Processes

    - - - - - - - > 'winlogon.exe'(744)
    c:\program files\SUPERAntiSpyware\SASWINLO.dll
    c:\program files\IBM fingerprint software\psfus.dll
    c:\program files\Common Files\Virtual Token\psutil.dll
    c:\windows\system32\tphklock.dll
    c:\windows\system32\igfxsrvc.dll
    c:\windows\system32\hccutils.DLL
    .
    Completion time: 2009-06-28 21:48
    ComboFix-quarantined-files.txt 2009-06-28 02:46
    ComboFix2.txt 2009-06-27 23:04
    ComboFix3.txt 2009-06-27 12:18

    Pre-Run: 27,390,836,736 bytes free
    Post-Run: 27,370,520,576 bytes free

    394 --- E O F --- 2009-06-16 12:56
  • edited June 2009
    chance, how is your PC running now?

    Also do you have a Windows CD at hand?
  • edited June 2009
    NOD32 is still popping up the "threat detected" window every time I do something with my computer.

    Yes, I have a Windows CD.
  • edited June 2009
    Once you have gotten hold of that, go to the Run box on the Start Menu and type in:

    sfc /scannow (Note that there is a space between sfc and /scannow)

    This command will immediately initiate the Windows File Protection service to scan all protected files and verify their integrity, replacing any files with which it finds a problem.

    In all likelihood you will be prompted to insert the Windows CD. Follow all the on-screen instructions.

    After you have done that, post a new ComboFix log, as well as let me know how things went.
  • edited July 2009
    Inactive
    Whilst we appreciate that you may be busy, it has been 5 days or more since we heard from you. This topic is now closed.

    Infections can change and fresh instructions will now need to be given. If you wish to reopen your topic, please send a Private Message (PM) to Trogan with a link to your thread.

    If you are not the user who started this thread, you must start your own Thread instead :)
This discussion has been closed.