Dear AfterDawn members,
I've been infected with a spyware, and as a result I have a blue display telling me that my pc is infected by a spyware and I have to install an antivirus or spyware remover to clean my computer.
Just to let you know that I run Hijackthis to do it scan and I removed some entries but still, I even proceeded to a scan with Malwarebytes under safemode, but it did not found anything.
I'm going to post my Hijackthis logs before and after I removed the entries so you can guide me if I did a mistake so i CAN BACK THEM UP.
Thanks, here are the logs

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 04:33:14, on 17/07/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\Fichiers communs\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Fichiers communs\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\WINDOWS\system32\lphc9orj0et4c.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\Program Files\Menara\dslmon.exe
C:\PROGRA~1\FICHIE~1\Nokia\MPAPI\MPAPI3s.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Fichiers communs\PCSuite\Services\ServiceLayer.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Administrateur\Bureau\HijackThis.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.ma/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://renew/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Menara
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Solid Converter PDF - {259F616C-A300-44F5-B04A-ED001A26C85C} - C:\Program Files\SolidDocuments\SolidConverterPDF\SCPDF\ExploreExtPDF.dll
O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O3 - Toolbar: Solid Converter PDF - {259F616C-A300-44F5-B04A-ED001A26C85C} - C:\Program Files\SolidDocuments\SolidConverterPDF\SCPDF\ExploreExtPDF.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
O4 - HKLM\..\Run: [PCSuiteTrayApplication] "C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE" -startup
O4 - HKLM\..\Run: [UVS10 Preload] "C:\Program Files\Ulead Systems\Ulead VideoStudio 10\uvPL.exe"
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Ulead AutoDetector v2] "C:\Program Files\Fichiers communs\Ulead Systems\AutoDetector\monitor.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] "C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] "C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" /SYNC
O4 - HKLM\..\Run: [PHIME2002A] "C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" /IMEName
O4 - HKLM\..\Run: [lphc9orj0et4c] C:\WINDOWS\system32\lphc9orj0et4c.exe................................................................................................
O4 - HKLM\..\Run: [SMrhccorj0et4c] C:\Program Files\rhccorj0et4c\rhccorj0et4c.exe........................................................................................
O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MediaDico] "C:\Program Files\Micro Application\12 DICOS Indispensables\LanceMediaDICO12.exe" Lancement
O4 - HKCU\..\Run: [PcSync] "C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" /NoDialog
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVICE LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVICE RÉSEAU')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: DSLMON.lnk = C:\Program Files\Menara\dslmon.exe
O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\ie_banner_deny.htm
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Translate with &Babylon - res://C:\Program Files\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll/Translate.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll
O9 - Extra button: Recherche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - SolidConverterPDF - (no file) (HKCU)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsu...b?1211780689843
O17 - HKLM\System\CCS\Services\Tcpip\..\{9A5798D4-F1A5-493F-9FCB-B994F5604679}: NameServer = 212.217.0.13 212.217.1.17
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~2.0\adialhk.dll
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Crypkey License - CrypKey (Canada) Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Fichiers communs\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Fichiers communs\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Fichiers communs\PCSuite\Services\ServiceLayer.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Fichiers communs\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: Moteur Webroot Spy Sweeper (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 8225 bytes

Second log (after I removed the entries, those I removed are followed by a dotted line.)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:57:59, on 17/07/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\Fichiers communs\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Fichiers communs\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Menara\dslmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Fichiers communs\PCSuite\Services\ServiceLayer.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Micro Application\12 DICOS Indispensables\MediaDICO12.EXE
C:\Program Files\Micro Application\12 DICOS Indispensables\Rac12.EXE
C:\Documents and Settings\Administrateur\Bureau\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.ma/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://renew/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Menara
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Solid Converter PDF - {259F616C-A300-44F5-B04A-ED001A26C85C} - C:\Program Files\SolidDocuments\SolidConverterPDF\SCPDF\ExploreExtPDF.dll
O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O3 - Toolbar: Solid Converter PDF - {259F616C-A300-44F5-B04A-ED001A26C85C} - C:\Program Files\SolidDocuments\SolidConverterPDF\SCPDF\ExploreExtPDF.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
O4 - HKLM\..\Run: [PCSuiteTrayApplication] "C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE" -startup
O4 - HKLM\..\Run: [UVS10 Preload] "C:\Program Files\Ulead Systems\Ulead VideoStudio 10\uvPL.exe"
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Ulead AutoDetector v2] "C:\Program Files\Fichiers communs\Ulead Systems\AutoDetector\monitor.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] "C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] "C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" /SYNC
O4 - HKLM\..\Run: [PHIME2002A] "C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" /IMEName
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MediaDico] "C:\Program Files\Micro Application\12 DICOS Indispensables\LanceMediaDICO12.exe" Lancement
O4 - HKCU\..\Run: [PcSync] "C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" /NoDialog
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVICE LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVICE RÉSEAU')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: DSLMON.lnk = C:\Program Files\Menara\dslmon.exe
O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\ie_banner_deny.htm
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Translate with &Babylon - res://C:\Program Files\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll/Translate.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll
O9 - Extra button: Recherche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - SolidConverterPDF - (no file) (HKCU)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsu...b?1211780689843
O17 - HKLM\System\CCS\Services\Tcpip\..\{9A5798D4-F1A5-493F-9FCB-B994F5604679}: NameServer = 212.217.0.13 212.217.1.17
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~2.0\adialhk.dll
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Crypkey License - CrypKey (Canada) Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Fichiers communs\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Fichiers communs\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Fichiers communs\PCSuite\Services\ServiceLayer.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Fichiers communs\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: Moteur Webroot Spy Sweeper (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 8112 bytes

Hello shoujo,

My handle is 2oldGeek and I will help you to remove any infection(s) that you may have.

I will be giving you a series of instructions that need to be followed in the order in which I give them to you.

If for any reason you do not understand an instruction or are just unsure then please do not guess, simply post back with your questions/concerns and we will go through it again.

Please do not start another thread or topic, I will assist you at this thread until we solve your problems.

Lastly the fix may take several attempts and my replies may take some time but I will stick with it if you do the same.

That said, All advice given by anyone volunteering here, is taken at own risk.
While best efforts are made to assist in removing infections safely, unexpected stuff can happen.

You had the right idea by deleting the HJT lines you did. But, that only stops those files from starting at boot up. It doesn?t remove the files or the Trojan. The Vundo Trojan can bury itself deep into your operating system and can return.

First, let?s do a little Pre-Cleaning and Post some Logs so we can see what?s going on?

Please download ATF Cleaner by Atribune & save it to your desktop. DO NOT use yet.

Please download and install SUPERAntiSpyware Free

? Double-click SUPERAntiSypware.exe and use the default settings for installation.
? An icon will be created on your desktop. Double-click that icon to launch the program.
? If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here and unzip into the program's folder.)
? Under the "Configuration and Preferences", click the Preferences... button.
? Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
? Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
o Close browsers before scanning.
o Scan for tracking cookies.
o Terminate memory threats before quarantining.
? Click the "Close" button to leave the control center screen and exit the program.
? Do not run a scan just yet.


Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Double-click ATF-Cleaner.exe to run the program.

? Under Main "Select Files to Delete" choose: Select All.
? Click the Empty Selected button.
? If you use Firefox browser click Firefox at the top and choose: Select All
? Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.
? If you use Opera browser click Opera at the top and choose: Select All
? Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.
? Click Exit on the Main menu to close the program.
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".


Scan with SUPERAntiSpyware as follows:

? Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
? On the left, make sure you check C:\Fixed Drive.
? On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
? After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
? Make sure everything has a checkmark next to it and click "Next".
? A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
? If asked if you want to reboot, click "Yes" and reboot normally.

Reboot to Normal Mode

? To retrieve the removal information after reboot, launch SUPERAntispyware again.
o Click Preferences, then click the Statistics/Logs tab.
o Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
o If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
o Please copy and paste the Scan Log results in your next reply.
? Click Close to exit the program.


This will hit Vundo where it lives?.

Download ComboFix from Here to your Desktop.
? Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results". Be sure to disable your Kaspersky Internet Security and Webroot Spy Sweeper
? Double click combofix.exe and follow the prompts.
? When finished, it shall produce a log for you. Post the Combofix log and a HiJackthis log in your next reply

Note: Do not mouseclick combofix's window while its running. That may cause it to stall.

Extra-Note: Please, DO NOT use ComboFix on your own. It is a very powerful tool designed to deal with sophisticated infections and if something goes wrong or you use it incorrectly, you could possibly lose the use of your computer. It is ONLY meant to be used under the direct supervision of a malware removal specialist.


Make a fresh HijackThis Log

? From the desktop open Hijackthis.
? Click on the Do a system scan and save a log file button
? Hijackthis will scan and then a log will open in notepad.
? Copy and then paste the entire contents of the log in your post.
Do not have Hijackthis fix anything yet. Most of what it finds will be harmless or even required




Please post the HijackThis log, SUPERAntiSpyware Log and Combofix log in your next reply.



2OG

Dear Afterdawn members,

Please.. Can u help me too.. i have also a problem same as that... i try to follow all the directions u said about that vudo thing but i stock in the last part that "Hijackthis should not fix the problem yet.."

here's my Hijackthis log file;

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:46:36 PM, on 1/4/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defa...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defa...//www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [FixCamera] C:\WINDOWS\FixCamera.exe
O4 - HKLM\..\Run: [tsnp325] C:\WINDOWS\tsnp325.exe
O4 - HKLM\..\Run: [snp325] C:\WINDOWS\vsnp325.exe
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'Default user')
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: PIXMA Extended Survey Program (IJPLMSVC) - Unknown owner - C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

--
End of file - 5883 bytes



And here's my [b]Combofix [/b]log file;

ComboFix 09-01-02.01 - bachok 2009-01-04 21:17:13.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.255.88 [GMT 8:00]
Running from: c:\documents and settings\bachok\Desktop\ComboFix.exe
AV: ESET NOD32 antivirus system 2.70 *On-access scanning disabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-12-04 to 2009-01-04 )))))))))))))))))))))))))))))))
.

2009-01-04 19:42 . 2009-01-04 19:42 <DIR> d-------- c:\program files\SUPERAntiSpyware
2009-01-04 19:42 . 2009-01-04 19:42 <DIR> d-------- c:\documents and settings\bachok\Application Data\SUPERAntiSpyware.com
2009-01-04 19:42 . 2009-01-04 19:42 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-01-04 19:41 . 2009-01-04 19:41 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2009-01-03 18:12 . 2004-08-04 00:56 159,232 --a------ c:\windows\system32\ptpusd.dll
2009-01-03 18:12 . 2004-08-03 22:58 15,104 --a------ c:\windows\system32\drivers\usbscan.sys
2009-01-03 18:12 . 2004-08-03 22:58 15,104 --a--c--- c:\windows\system32\dllcache\usbscan.sys
2009-01-03 18:12 . 2001-08-17 22:36 5,632 --a------ c:\windows\system32\ptpusb.dll
2009-01-03 11:23 . 2009-01-03 11:24 <DIR> d-------- c:\program files\Ultra Mobile 3GP Video Converter
2009-01-03 11:23 . 2002-10-05 07:04 921,600 --a------ c:\windows\system32\vorbisenc.dll
2009-01-03 11:23 . 2004-01-11 08:02 258,048 --a------ c:\windows\system32\GplMpgDec.ax
2009-01-03 11:23 . 2002-10-07 02:42 237,568 --a------ c:\windows\system32\OggDS.dll
2009-01-03 11:23 . 2002-10-05 07:04 188,416 --a------ c:\windows\system32\vorbis.dll
2009-01-03 11:23 . 2007-04-12 14:19 129,024 --a------ c:\windows\system32\AVERM.dll
2009-01-03 11:23 . 2002-10-05 07:04 45,056 --a------ c:\windows\system32\ogg.dll
2009-01-03 11:23 . 2006-09-26 13:57 28,672 --a------ c:\windows\system32\AVEQT.dll
2009-01-02 14:05 . 2009-01-02 14:05 <DIR> d-------- c:\documents and settings\bachok\Application Data\Nokia Multimedia Player
2008-12-31 17:12 . 2009-01-04 19:34 207 --a------ c:\windows\system32\test.aok
2008-12-31 08:05 . 2009-01-02 10:48 921,624 --a------ C:\img2-001.raw
2008-12-26 20:01 . 2009-01-02 13:11 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP
2008-12-26 20:00 . 2008-12-26 20:00 <DIR> d-------- c:\program files\Games
2008-12-24 11:04 . 2008-12-24 11:32 <DIR> d-------- c:\documents and settings\bachok\Application Data\vlc
2008-12-23 10:44 . 2004-08-04 20:00 221,184 --a------ c:\windows\system32\wmpns.dll
2008-12-23 10:27 . 2008-12-23 10:27 <DIR> d--hs---- c:\documents and settings\bachok\Phone Browser
2008-12-23 10:23 . 2008-12-23 10:25 <DIR> d-------- c:\documents and settings\bachok\Application Data\Nokia
2008-12-23 10:23 . 2008-12-23 10:24 <DIR> d-------- c:\documents and settings\All Users\Application Data\PC Suite
2008-12-23 10:22 . 2008-12-23 10:22 <DIR> d-------- c:\program files\DIFX
2008-12-23 10:22 . 2008-12-23 10:22 <DIR> d-------- c:\program files\Common Files\PCSuite
2008-12-23 10:22 . 2008-12-23 10:22 <DIR> d-------- c:\program files\Common Files\Nokia
2008-12-23 10:22 . 2008-12-23 11:23 <DIR> d-------- c:\documents and settings\bachok\Application Data\PC Suite
2008-12-23 10:21 . 2008-12-23 10:23 <DIR> d----c--- c:\windows\system32\DRVSTORE
2008-12-23 10:21 . 2008-12-23 10:21 <DIR> d-------- c:\program files\PC Connectivity Solution
2008-12-23 10:21 . 2008-12-23 10:22 <DIR> d-------- c:\program files\Nokia
2008-12-23 10:21 . 2007-02-22 11:15 137,216 --a------ c:\windows\system32\drivers\nmwcd.sys
2008-12-23 10:21 . 2007-02-22 11:15 90,624 --a------ c:\windows\system32\nmwcdcls.dll
2008-12-23 10:21 . 2007-02-22 11:15 65,536 --a------ c:\windows\system32\nmwcdcocls.dll
2008-12-23 10:21 . 2007-02-22 11:15 12,288 --a------ c:\windows\system32\drivers\nmwcdcm.sys
2008-12-23 10:21 . 2007-02-22 11:15 12,288 --a------ c:\windows\system32\drivers\nmwcdcj.sys
2008-12-23 10:21 . 2007-02-22 11:15 8,320 --a------ c:\windows\system32\drivers\nmwcdc.sys
2008-12-23 10:20 . 2008-12-23 10:20 <DIR> d-------- c:\documents and settings\All Users\Application Data\Installations
2008-12-23 09:12 . 2008-12-23 09:12 <DIR> d-------- c:\windows\Sun
2008-12-22 14:58 . 2008-12-22 14:58 <DIR> d-------- c:\documents and settings\bachok\Application Data\InterTrust
2008-12-22 14:00 . 2008-12-22 14:00 <DIR> d-------- c:\documents and settings\bachok\Application Data\InstallShield
2008-12-22 13:52 . 2008-12-22 13:52 <DIR> d-------- c:\documents and settings\bachok\Application Data\Yahoo!
2008-12-22 13:01 . 2009-01-04 21:05 <DIR> d-------- c:\documents and settings\bachok\Application Data\LimeWire

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-04 11:07 --------- d-----w c:\documents and settings\bachok\Application Data\uTorrent
2008-12-23 02:27 --------- d-----w c:\program files\Eset
2008-12-22 22:31 --------- d-----w c:\documents and settings\All Users\Application Data\Yahoo!
2008-12-22 08:37 --------- d-----w c:\documents and settings\All Users\Application Data\Trymedia
2008-12-22 08:31 --------- d-----w c:\program files\Yahoo! Games
2008-12-22 08:24 --------- d-----w c:\program files\Common Files\Adobe
2008-12-22 06:55 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2008-12-22 06:45 --------- d-----w c:\program files\MSBuild
2008-12-22 06:45 --------- d-----w c:\program files\Microsoft Works
2008-12-22 06:08 --------- d-----w c:\program files\Canon
2008-12-22 06:08 --------- d-----w c:\documents and settings\All Users\Application Data\CanonIJPLM
2008-12-22 06:05 --------- d--h--w c:\documents and settings\All Users\Application Data\CanonBJ
2008-12-22 06:04 --------- d--h--w c:\program files\CanonBJ
2008-12-22 06:00 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-22 06:00 --------- d-----w c:\program files\Common Files\snp325
2008-12-22 05:52 --------- d-----w c:\program files\Yahoo!
2008-12-22 05:52 --------- d-----w c:\documents and settings\All Users\Application Data\Yahoo! Companion
2008-12-22 05:36 512,096 ----a-w c:\windows\system32\drivers\amon.sys
2008-12-22 05:36 298,104 ----a-w c:\windows\system32\imon.dll
2008-12-22 05:36 15,424 ----a-w c:\windows\system32\drivers\nod32drv.sys
2008-12-22 05:00 410,984 ----a-w c:\windows\system32\deploytk.dll
2008-12-22 05:00 --------- d-----w c:\program files\Java
2008-12-22 04:25 --------- d-----w c:\program files\LimeWire
2008-12-22 04:23 --------- d-----w c:\program files\VIA Technologies, Inc
2008-12-22 04:19 499,712 ----a-w c:\windows\system32\msvcp71.dll
2008-12-22 04:19 348,160 ----a-w c:\windows\system32\msvcr71.dll
2008-12-22 04:19 --------- d-----w c:\program files\Real
2008-12-22 04:19 --------- d-----w c:\program files\Common Files\xing shared
2008-12-22 04:19 --------- d-----w c:\program files\Common Files\Real
2008-12-22 04:15 --------- d-----w c:\program files\uTorrent
2008-12-22 04:14 --------- d-----w c:\program files\VideoLAN
2008-12-22 04:03 --------- d-----w c:\program files\microsoft frontpage
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FDAD4DA1-61A2-4FD8-9C17-86F7AC245081}]
2008-07-28 18:47 160496 --a------ c:\progra~1\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2008-11-05 4347120]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-12-22 185872]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-22 136600]
"nod32kui"="c:\program files\Eset\nod32kui.exe" [2008-12-22 949376]
"FixCamera"="c:\windows\FixCamera.exe" [2007-07-11 20480]
"tsnp325"="c:\windows\tsnp325.exe" [2007-04-21 270336]
"snp325"="c:\windows\vsnp325.exe" [2007-05-10 835584]
"Easy-PrintToolBox"="c:\program files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE" [2006-10-17 398944]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]
"PCSuiteTrayApplication"="c:\program files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2007-06-18 271360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Nokia.PCSync"="c:\program files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-06-19 1241088]

c:\documents and settings\bachok\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - c:\program files\LimeWire\LimeWire.exe [2008-09-19 147456]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 11:05 356352 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

R1 nod32drv;nod32drv;c:\windows\system32\drivers\nod32drv.sys [2008-12-22 15424]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2008-12-22 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2008-12-22 55024]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-12-22 7408]
S3 SNP325;USB PC Camera (SNPSTD325);c:\windows\system32\drivers\snp325.sys [2008-12-22 10394624]

*Newly Created Service* - PROCEXP90
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
LSP: c:\windows\system32\imon.dll
FF - ProfilePath - c:\documents and settings\bachok\Application Data\Mozilla\Firefox\Profiles\7zxcx5k2.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - component: c:\program files\Mozilla Firefox\extensions\{463F6CA5-EE3C-4be1-B7E6-7FEE11953374}\platform\WINNT\components\FoxyTunes.dll
FF - component: c:\program files\Real\RealPlayer\browserrecord\components\nprpbrowserrecordplugin.dll
FF - plugin: c:\program files\Yahoo!\Shared\npYState.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-04 21:18:43
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(636)
c:\program files\SUPERAntiSpyware\SASWINLO.dll

- - - - - - - > 'lsass.exe'(692)
c:\windows\system32\imon.dll
.
Completion time: 2009-01-04 21:20:42
ComboFix-quarantined-files.txt 2009-01-04 13:20:19

Pre-Run: 32,488,402,944 bytes free
Post-Run: 32,485,195,776 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

175