
Thread: Uncertain issue-Virtumonde?

  1. #1 Junior Member (Join Date: Dec 2008, Posts: 13)

    Uncertain issue-Virtumonde?

    HJT Log file;
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 7:51:14 PM, on 12/11/2008
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16735)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\drivers\CDAC11BA.EXE
    C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
    C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
    C:\WINDOWS\system32\PnkBstrA.exe
    C:\WINDOWS\system32\UAService7.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\nvraidservice.exe
    C:\WINDOWS\system32\atwtusb.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\Common Files\Logitech\LCD Manager\lcdmon.exe
    C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
    C:\Program Files\McAfee\Common Framework\UdaterUI.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\McAfee\Common Framework\McTray.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
    C:\Program Files\Common Files\Logitech\LCD Manager\Applets\LCDClock.exe
    C:\Program Files\Common Files\Logitech\LCD Manager\Applets\LCDMedia.exe
    C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
    C:\WINDOWS\System32\wbem\unsecapp.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Documents and Settings\Admin\Desktop\HiJackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
    O2 - BHO: (no name) - {ec40b48e-722d-49e3-ac48-7eb11ac399f6} - C:\WINDOWS\system32\mudagisi.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
    O4 - HKLM\..\Run: [NVRaidService] C:\WINDOWS\System32\nvraidservice.exe
    O4 - HKLM\..\Run: [atwtusb] atwtusb.exe beta
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [Launch LCDMon] "C:\Program Files\Common Files\Logitech\LCD Manager\lcdmon.exe"
    O4 - HKLM\..\Run: [Launch LGDCore] "C:\Program Files\Common Files\Logitech\G-series Software\LGDCore.exe" /SHOWHIDE
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
    O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
    O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
    O4 - HKLM\..\Run: [fejitiluwa] Rundll32.exe "C:\WINDOWS\system32\gakilime.dll",s
    O4 - HKLM\..\Run: [687a64ef] rundll32.exe "C:\WINDOWS\system32\begajetu.dll",b
    O4 - HKLM\..\Run: [CPM6b495773] Rundll32.exe "c:\windows\system32\nogezote.dll",a
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [igndlm.exe] C:\Program Files\FilePlanet\Download Manager\dlm.exe /windowsstart /startifwork
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O15 - Trusted Zone: http://*.mcafee.com
    O16 - DPF: {1C3DE665-D259-4C72-9D7D-C51FCB4CCFB9} (Panasonic Network Camera) - http://219.117.194.183:84/SysCamInst.cab
    O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.srtest.com/srl_bin/sysreqlab_srl.cab
    O16 - DPF: {2E28242B-A689-11D4-80F2-0040266CBB8D} (KXHCM10 Control) - http://camera.oze-hinoemata.net/kxhcm10.ocx
    O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/ca..._2.3.7.109.cab
    O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/res...scbase6662.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1113620507093
    O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab
    O16 - DPF: {784797A8-342D-4072-9486-03C8D0F2F0A1} (Battlefield Heroes Installer) - http://t1.battlefield-heroes.com/pat...estpatcher.cab
    O16 - DPF: {87BE3784-6977-4E84-AA08-55A96B9CEAC5} (BL_Camera) - http://daichi-yokohama.homeip.net/bl_camera.ocx
    O16 - DPF: {AA07EBD2-EBDD-4BD6-9F8F-114BD513492C} (NeffyLauncherCtl Class) - http://dist.cdnetworks.co.kr/cdndist...fyLauncher.cab
    O16 - DPF: {BE833F39-1E0C-468C-BA70-25AAEE55775E} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab.cab
    O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/game...Plugin9USA.cab
    O20 - AppInit_DLLs: c:\windows\system32\yiriyidi.dll c:\windows\system32\kokemabo.dll C:\WINDOWS\system32\rojisabo.dll c:\windows\system32\nogezote.dll
    O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\nogezote.dll
    O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\nogezote.dll
    O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
    O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
    O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
    O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
    O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR1\RpcDataSrv.exe
    O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR1\RpcSandraSrv.exe
    O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Sony DADC Austria AG. - C:\WINDOWS\system32\UAService7.exe

    --
    End of file - 9556 bytes

    My son has enlisted my assistance for this trouble.
    He said he tried several things to fix this trouble.
    I worked with him and tried the following which is pretty much what he said he has also done.

    Spybot has begun popping up System Startup global entries,
    showing "Value added" changes with strange entries for Rundll32.exe.
    I've been denying them, and each time I scan with Spybot it shows at least 2 entries for Virtumonde; in the last scan I'm also seeing Virtumonde.prx.
    I fix these, but they keep recurring.
    We tried a Symantec Trojan.Vundo Removal Tool 1.5.1 utility suggested in another forum, but it came back with nothing found.
    Have also run Ad-Aware, which didn't find anything of importance. It now also errors out each time it's started since I installed the newest version.
    McAfee hasn't been updated since Aug 26 2008, DAT 5370, and fails when I attempt to update. It found nothing as well.
    Now he's started getting pop-ups for various virus removers, never a good sign.

    Any and all help would be appreciated.
    Troop's Dad...

  2. #2 Emeritus-Security Expert (Join Date: Nov 2005, Location: Florida's SpaceCoast, Posts: 15,208)


    Hello 4Troop

    Welcome to Safer Networking.

    Please read Before You Post.
    That said, all advice given by anyone volunteering here is taken at your own risk.
    While best efforts are made to assist in removing infections safely, unexpected stuff can happen.
    It is advisable that you back up your personal data before starting any clean-up procedure.

    Do this first...Important

    Disable TeaTimer and leave it disabled until we're done, or it will prevent fixes from taking.

    • Run Spybot-S&D in Advanced Mode.
    • If it is not already set to do this, go to the Mode menu and select "Advanced Mode".
    • On the left-hand side, click on Tools.
    • Then click on the Resident icon in the list.
    • Uncheck "Resident TeaTimer" and OK any prompts.
    • Restart your computer. <-- You need to do this for it to take effect.

    Open HijackThis > Do a System Scan Only. Close your browser and all open windows, including this one; the only program or window you should have open is HijackThis. Check the following entries and click on Fix Checked.

    O2 - BHO: (no name) - {ec40b48e-722d-49e3-ac48-7eb11ac399f6} - C:\WINDOWS\system32\mudagisi.dll

    O4 - HKLM\..\Run: [fejitiluwa] Rundll32.exe "C:\WINDOWS\system32\gakilime.dll",s
    O4 - HKLM\..\Run: [687a64ef] rundll32.exe "C:\WINDOWS\system32\begajetu.dll",b
    O4 - HKLM\..\Run: [CPM6b495773] Rundll32.exe "c:\windows\system32\nogezote.dll",a

    O20 - AppInit_DLLs: c:\windows\system32\yiriyidi.dll c:\windows\system32\kokemabo.dll C:\WINDOWS\system32\rojisabo.dll c:\windows\system32\nogezote.dll

    O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\nogezote.dll

    O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\nogezote.dll

    Please download Malwarebytes' Anti-Malware from Here or Here

    Double-click mbam-setup.exe to install the application.
    • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select "Perform Quick Scan", then click Scan.
    • The scan may take some time to finish, so please be patient.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected. <-- Don't forget this
    • When disinfection is completed, a log will open in Notepad and you may be prompted to restart.
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy and paste the entire report in your next reply along with a new HijackThis log.
    Microsoft MVP Consumer Security 2007-2008-2009-2010-2011-2012-2013-2014

    ERROR MESSAGE 386
    No KeyBoard Detected
    Press F1 To Continue

    Just a reminder that threads will be closed if no reply in 3 days.

  3. #3 Junior Member (Join Date: Dec 2008, Posts: 13)


    Thanks for your time...

    Malwarebytes' Anti-Malware 1.31
    Database version: 1508
    Windows 5.1.2600 Service Pack 3

    12/16/2008 6:04:00 PM
    mbam-log-2008-12-16 (18-04-00).txt

    Scan type: Quick Scan
    Objects scanned: 49397
    Time elapsed: 4 minute(s), 51 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 5
    Registry Keys Infected: 7
    Registry Values Infected: 4
    Registry Data Items Infected: 5
    Folders Infected: 1
    Files Infected: 15

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    C:\WINDOWS\system32\nalayafi.dll (Trojan.Vundo.H) -> Delete on reboot.
    c:\WINDOWS\system32\telemize.dll (Trojan.Vundo.H) -> Delete on reboot.
    C:\WINDOWS\system32\vovuhinu.dll (Trojan.Vundo.H) -> Delete on reboot.
    C:\WINDOWS\system32\vamegeye.dll (Trojan.Vundo.H) -> Delete on reboot.
    C:\WINDOWS\system32\wesokaru.dll (Trojan.Vundo) -> Delete on reboot.

    Registry Keys Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ec40b48e-722d-49e3-ac48-7eb11ac399f6} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{ec40b48e-722d-49e3-ac48-7eb11ac399f6} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{ec40b48e-722d-49e3-ac48-7eb11ac399f6} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\WebBuying (Adware.WebBuying) -> Quarantined and deleted successfully.

    Registry Values Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cpm6b495773 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fejitiluwa (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ssodl (Trojan.Vundo.H) -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\nalayafi.dll -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\nalayafi.dll -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: system32\nalayafi.dll -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\telemize.dll -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: system32\telemize.dll -> Quarantined and deleted successfully.

    Folders Infected:
    C:\WINDOWS\system32\o05PrEz (Trojan.Downloader) -> Quarantined and deleted successfully.

    Files Infected:
    C:\WINDOWS\system32\wesokaru.dll (Trojan.Vundo.H) -> Delete on reboot.
    C:\WINDOWS\system32\urakosew.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    c:\WINDOWS\system32\telemize.dll (Trojan.Vundo.H) -> Delete on reboot.
    C:\WINDOWS\system32\vovuhinu.dll (Trojan.Vundo.H) -> Delete on reboot.
    C:\WINDOWS\system32\vamegeye.dll (Trojan.Vundo.H) -> Delete on reboot.
    C:\WINDOWS\system32\nalayafi.dll (Trojan.Vundo.H) -> Delete on reboot.
    C:\WINDOWS\system32\gafilumu.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\nusoyeta.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\reguligu.dll.tmp (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\jajusema.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\gogogahi.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\zayiveva.dll.tmp (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\zeyoheko.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\fonoriga.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\0wMGiysg.exe.a_a (Trojan.Agent) -> Quarantined and deleted successfully.

    *end of file*

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 6:10:32 PM, on 12/16/2008
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16735)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\drivers\CDAC11BA.EXE
    C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
    C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
    C:\WINDOWS\system32\PnkBstrA.exe
    C:\WINDOWS\system32\UAService7.exe
    C:\WINDOWS\System32\nvraidservice.exe
    C:\WINDOWS\system32\atwtusb.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\Common Files\Logitech\LCD Manager\lcdmon.exe
    C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
    C:\Program Files\McAfee\Common Framework\UdaterUI.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
    C:\Program Files\McAfee\Common Framework\McTray.exe
    C:\Program Files\Common Files\Logitech\LCD Manager\Applets\LCDClock.exe
    C:\Program Files\Common Files\Logitech\LCD Manager\Applets\LCDMedia.exe
    C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
    C:\WINDOWS\System32\wbem\unsecapp.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Documents and Settings\Admin\Desktop\HiJackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
    O4 - HKLM\..\Run: [NVRaidService] C:\WINDOWS\System32\nvraidservice.exe
    O4 - HKLM\..\Run: [atwtusb] atwtusb.exe beta
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [Launch LCDMon] "C:\Program Files\Common Files\Logitech\LCD Manager\lcdmon.exe"
    O4 - HKLM\..\Run: [Launch LGDCore] "C:\Program Files\Common Files\Logitech\G-series Software\LGDCore.exe" /SHOWHIDE
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
    O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
    O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [igndlm.exe] C:\Program Files\FilePlanet\Download Manager\dlm.exe /windowsstart /startifwork
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKUS\S-1-5-19\..\Run: [fejitiluwa] Rundll32.exe "C:\WINDOWS\system32\vovuhinu.dll",s (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [fejitiluwa] Rundll32.exe "C:\WINDOWS\system32\vovuhinu.dll",s (User 'NETWORK SERVICE')
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O15 - Trusted Zone: http://*.mcafee.com
    O16 - DPF: {1C3DE665-D259-4C72-9D7D-C51FCB4CCFB9} (Panasonic Network Camera) - http://219.117.194.183:84/SysCamInst.cab
    O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.srtest.com/srl_bin/sysreqlab_srl.cab
    O16 - DPF: {2E28242B-A689-11D4-80F2-0040266CBB8D} (KXHCM10 Control) - http://camera.oze-hinoemata.net/kxhcm10.ocx
    O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/ca..._2.3.7.109.cab
    O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/res...scbase6662.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1113620507093
    O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab
    O16 - DPF: {784797A8-342D-4072-9486-03C8D0F2F0A1} (Battlefield Heroes Installer) - http://t1.battlefield-heroes.com/pat...estpatcher.cab
    O16 - DPF: {87BE3784-6977-4E84-AA08-55A96B9CEAC5} (BL_Camera) - http://daichi-yokohama.homeip.net/bl_camera.ocx
    O16 - DPF: {AA07EBD2-EBDD-4BD6-9F8F-114BD513492C} (NeffyLauncherCtl Class) - http://dist.cdnetworks.co.kr/cdndist...fyLauncher.cab
    O16 - DPF: {BE833F39-1E0C-468C-BA70-25AAEE55775E} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab.cab
    O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/game...Plugin9USA.cab
    O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
    O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
    O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
    O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
    O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR1\RpcDataSrv.exe
    O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR1\RpcSandraSrv.exe
    O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Sony DADC Austria AG. - C:\WINDOWS\system32\UAService7.exe

    --
    End of file - 8903 bytes

  4. #4 Emeritus-Security Expert (Join Date: Nov 2005, Location: Florida's SpaceCoast, Posts: 15,208)


    Hello,

    A bit more to do as this garbage may have more entries and files we can't see.

    Remove these with HijackThis:
    O4 - HKUS\S-1-5-19\..\Run: [fejitiluwa] Rundll32.exe "C:\WINDOWS\system32\vovuhinu.dll",s (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [fejitiluwa] Rundll32.exe "C:\WINDOWS\system32\vovuhinu.dll",s (User 'NETWORK SERVICE')

    Please download ATF Cleaner by Atribune to your desktop.
    • Double-click ATF-Cleaner.exe to run the program.
    • Under Main choose: Select All
    • Click the Empty Selected button.
    Your system may start up slower after running ATF Cleaner; this is expected and will be back to normal after the first or second boot-up.
    Please note: If you use online banking or are registered online with any other organizations, ensure you have memorized your passwords and other personal information, as removing cookies will temporarily disable the auto-login facility.

    Download ComboFix from one of these locations:

    Link 1
    Link 2
    Link 3

    * IMPORTANT !!! Save ComboFix.exe to your Desktop


    • Disable your AntiVirus and AntiSpyware applications, usually via a right-click on the System Tray icon. They may otherwise interfere with our tools.
    • See this Link for programs that need to be disabled and instruction on how to disable them.
    • Remember to re-enable them when we're done.

    • Double click on ComboFix.exe & follow the prompts.

    • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

    Click on Yes, to continue scanning for malware.

    When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a New Hijackthis log.

    *If there is no internet connection when ComboFix has completely finished, then restart your computer to restore the connection.
    Last edited by ken545; 2008-12-17 at 04:23.
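
    The entries the helper singled out in reply #2 (the unnamed O2 BHO, the three rundll32 O4 entries, the O20 AppInit_DLLs list, and the O21/O22 pair sharing one CLSID) and the two HKUS O4 entries in reply #4 share a handful of traits that can be checked mechanically. The Python below is an added example, not HijackThis code and not the helper's method: it parses HJT log lines and applies those traits as triage rules over lines taken from this thread's logs. The alternating consonant/vowel name test is an assumption drawn from the DLL names in these logs, and the null-CLSID browseui.dll line is a constructed benign entry.

```python
"""Heuristic triage of HijackThis (HJT) log lines for Vundo/Virtumonde-style
persistence. Added example for this thread, not HijackThis code and not the
helper's own method. The rules encode what the replies picked out by eye; the
"generated-looking name" test (8 letters alternating consonant/vowel) is an
assumption drawn from the DLL names in this thread's logs, nothing more."""
import re
from collections import defaultdict

HJT_LINE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")
# A DLL sitting directly in system32; drive letter and case vary between HJT lines.
SYS32_DLL = re.compile(r"[a-z]:\\windows\\system32\\([a-z0-9_]+\.dll)", re.I)
# rundll32 "path.dll",export  -> group 1 = DLL path, group 2 = export name
RUNDLL = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+\.dll)"?\s*,\s*(\w+)', re.I)
CLSID = re.compile(r"\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}", re.I)
VOWELS = set("aeiou")

def looks_generated(dll_name):
    """Assumed heuristic: 8-letter stem strictly alternating consonant/vowel."""
    stem = dll_name.lower().rsplit(".", 1)[0]
    if len(stem) != 8 or not stem.isalpha():
        return False
    return all((ch in VOWELS) == (i % 2 == 1) for i, ch in enumerate(stem))

def system32_dlls(text):
    """Lower-cased base names of every system32 DLL path found in an HJT line."""
    return [m.group(1).lower() for m in SYS32_DLL.finditer(text)]

def triage(lines):
    """Return (section, dll, reason) triples, one per rule hit."""
    findings = []
    by_clsid = defaultdict(set)  # CLSID -> {(section, dll)} seen in O21/O22
    for raw in lines:
        m = HJT_LINE.match(raw.strip())
        if not m:
            continue  # header, process list or blank line
        sec, body = m.group("sec"), m.group("body")
        dlls = system32_dlls(body)
        if sec == "O2" and "(no name)" in body and dlls:
            findings.append((sec, dlls[0], "BHO registered without a name"))
        elif sec == "O4":
            r = RUNDLL.search(body)
            if r and len(r.group(2)) == 1 and dlls:
                findings.append((sec, dlls[0], "rundll32 autostart with one-letter export"))
        elif sec == "O20" and body.startswith("AppInit_DLLs:"):
            for dll in dlls:  # loaded into every process that maps user32.dll
                findings.append((sec, dll, "listed in AppInit_DLLs"))
        elif sec in ("O21", "O22") and dlls:
            c = CLSID.search(body)
            if c:
                by_clsid[c.group(0).lower()].add((sec, dlls[0]))
        for dll in dlls:
            if looks_generated(dll):
                findings.append((sec, dll, "generated-looking 8-letter DLL name"))
    # Same CLSID in SSODL (O21) and SharedTaskScheduler (O22): two load paths, one DLL.
    for clsid, entries in by_clsid.items():
        if {sec for sec, _ in entries} == {"O21", "O22"}:
            for sec, dll in sorted(entries):
                findings.append((sec, dll, f"CLSID {clsid} in both SSODL and SharedTaskScheduler"))
    return findings

def flagged_dlls(lines):
    """Sorted unique DLL names that at least one rule flagged."""
    return sorted({dll for _, dll, _ in triage(lines)})

# Sample input: lines taken from the two HJT logs posted in this thread, plus one
# constructed benign O22 entry (null CLSID, browseui.dll) that should not fire.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {ec40b48e-722d-49e3-ac48-7eb11ac399f6} - C:\WINDOWS\system32\mudagisi.dll
O4 - HKLM\..\Run: [fejitiluwa] Rundll32.exe "C:\WINDOWS\system32\gakilime.dll",s
O4 - HKLM\..\Run: [687a64ef] rundll32.exe "C:\WINDOWS\system32\begajetu.dll",b
O4 - HKLM\..\Run: [CPM6b495773] Rundll32.exe "c:\windows\system32\nogezote.dll",a
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [fejitiluwa] Rundll32.exe "C:\WINDOWS\system32\vovuhinu.dll",s (User 'LOCAL SERVICE')
O20 - AppInit_DLLs: c:\windows\system32\yiriyidi.dll c:\windows\system32\kokemabo.dll C:\WINDOWS\system32\rojisabo.dll c:\windows\system32\nogezote.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\nogezote.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\nogezote.dll
O22 - SharedTaskScheduler: constructed benign entry - {00000000-0000-0000-0000-000000000000} - C:\WINDOWS\system32\browseui.dll
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
""".splitlines()

if __name__ == "__main__":
    for sec, dll, reason in triage(SAMPLE_LOG):
        print(f"{sec:<4}{dll:<14} {reason}")
    print("flagged:", ", ".join(flagged_dlls(SAMPLE_LOG)))
```

    Running it on the full first log from this thread flags exactly the eight DLL names the helper listed, while the Java, Google and McAfee entries produce no hits; a hit is a reason to look closer, not proof on its own.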

  5. #5 Junior Member (Join Date: Dec 2008, Posts: 13)


    Yes it is garbage, heaping piles of stinking ... You get the idea.

    ComboFix 08-12-16.03 - Admin 2008-12-16 20:16:52.1 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2815.2344 [GMT -8:00]
    Running from: c:\documents and settings\Admin\Desktop\ComboFix.exe
    * Created a new restore point
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
    c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
    c:\windows\Downloaded Program Files\setup.inf

    ----- BITS: Possible infected sites -----

    hxxp://77.74.48.101
    .
    ((((((((((((((((((((((((( Files Created from 2008-11-17 to 2008-12-17 )))))))))))))))))))))))))))))))
    .

    2008-12-16 18:32 . 2008-12-16 18:32 <DIR> d-------- c:\program files\SpywareBlaster
    2008-12-16 18:32 . 2008-12-16 18:32 <DIR> d-------- c:\documents and settings\All Users\Application Data\TEMP
    2008-12-16 17:44 . 2008-12-16 17:44 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
    2008-12-16 17:44 . 2008-12-16 17:44 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
    2008-12-16 17:44 . 2008-12-16 17:44 <DIR> d-------- c:\documents and settings\Admin\Application Data\Malwarebytes
    2008-12-16 17:44 . 2008-12-03 19:59 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
    2008-12-16 17:44 . 2008-12-03 19:59 15,504 --a------ c:\windows\system32\drivers\mbam.sys
    2008-12-11 18:04 . 2008-12-11 18:04 <DIR> d-------- c:\documents and settings\Admin\Application Data\McAfee
    2008-12-09 03:53 . 2008-12-09 03:53 <DIR> d-------- C:\VundoFix Backups
    2008-12-09 03:33 . 2008-12-09 03:34 <DIR> d-------- c:\program files\Windows Live Safety Center
    2008-12-06 02:22 . 2008-12-06 02:22 <DIR> d-------- c:\documents and settings\Admin\Application Data\Spellborn Downloader
    2008-11-30 05:55 . 2008-11-30 05:55 52,736 --a------ c:\windows\ipuninst.exe
    2008-11-25 19:11 . 2008-11-25 19:11 <DIR> d-------- c:\documents and settings\Admin\Application Data\Toribash

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-12-17 02:44 --------- d-----w c:\program files\Java
    2008-12-12 02:24 --------- d-----w c:\program files\Common Files\McAfee
    2008-12-12 02:04 --------- d-----w c:\documents and settings\All Users\Application Data\McAfee
    2008-12-10 02:13 --------- d-----w c:\program files\Lavasoft
    2008-12-10 02:12 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
    2008-12-10 02:12 --------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
    2008-12-05 05:01 140,216 ----a-w c:\windows\system32\drivers\PnkBstrK.sys
    2008-12-05 04:59 201,352 ----a-w c:\windows\system32\PnkBstrB.exe
    2008-11-30 13:51 --------- d-----w c:\documents and settings\Admin\Application Data\uTorrent
    2008-11-30 06:18 --------- d-----w c:\program files\Spybot - Search & Destroy
    2008-11-14 09:32 --------- d--h--w c:\program files\InstallShield Installation Information
    2008-11-09 09:41 --------- d-----w c:\documents and settings\Admin\Application Data\IGN_DLM
    2008-11-06 23:52 --------- d-----w c:\documents and settings\All Users\Application Data\ATI
    2008-11-06 23:50 --------- d-----w c:\program files\ATI Technologies
    2008-11-05 06:10 --------- d-----w c:\documents and settings\All Users\Application Data\2DBoy
    2008-10-29 00:20 682,280 ----a-w c:\windows\system32\pbsvc.exe
    2008-10-29 00:20 66,872 ----a-w c:\windows\system32\PnkBstrA.exe
    2008-10-29 00:20 22,328 ----a-w c:\documents and settings\Admin\Application Data\PnkBstrK.sys
    2008-10-26 11:53 --------- d-----w c:\program files\SystemRequirementsLab
    2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
    2008-10-16 22:13 202,776 ----a-w c:\windows\system32\wuweb.dll
    2008-10-16 22:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
    2008-10-16 22:12 561,688 ----a-w c:\windows\system32\wuapi.dll
    2008-10-16 22:12 323,608 ----a-w c:\windows\system32\wucltui.dll
    2008-10-16 22:09 92,696 ----a-w c:\windows\system32\cdm.dll
    2008-10-16 22:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
    2008-10-16 22:09 43,544 ----a-w c:\windows\system32\wups2.dll
    2008-10-16 22:08 34,328 ----a-w c:\windows\system32\wups.dll
    2008-10-10 00:18 107,888 ----a-w c:\windows\system32\CmdLineExt.dll
    2008-10-10 00:08 10,820 ----a-w c:\windows\system32\ealregsnapshot1.reg
    2008-10-01 00:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
    2008-09-24 05:05 593,920 ------w c:\windows\system32\ati2sgag.exe
    2008-09-24 02:18 425,984 ----a-w c:\windows\system32\ATIDEMGX.dll
    2008-09-24 02:17 311,296 ----a-w c:\windows\system32\ati2dvag.dll
    2008-09-24 02:09 10,772,480 ----a-w c:\windows\system32\atioglxx.dll
    2008-09-24 02:07 188,416 ----a-w c:\windows\system32\atipdlxx.dll
    2008-09-24 02:06 43,520 ----a-w c:\windows\system32\ati2edxx.dll
    2008-09-24 02:06 26,112 ----a-w c:\windows\system32\Ati2mdxx.exe
    2008-09-24 02:06 143,360 ----a-w c:\windows\system32\Oemdspif.dll
    2008-09-24 02:06 143,360 ----a-w c:\windows\system32\ati2evxx.dll
    2008-09-24 02:04 581,632 ----a-w c:\windows\system32\ati2evxx.exe
    2008-09-24 02:03 53,248 ----a-w c:\windows\system32\ATIDDC.DLL
    2008-09-24 01:56 307,200 ----a-w c:\windows\system32\atiiiexx.dll
    2008-09-24 01:54 4,008,864 ----a-w c:\windows\system32\ati3duag.dll
    2008-09-24 01:38 2,399,744 ----a-w c:\windows\system32\ativvaxx.dll
    2008-09-24 01:24 48,640 ----a-w c:\windows\system32\amdpcom32.dll
    2008-09-24 01:20 380,928 ----a-w c:\windows\system32\atikvmag.dll
    2008-09-24 01:19 39,424 ----a-w c:\windows\system32\atiadlxx.dll
    2008-09-24 01:18 253,952 ----a-w c:\windows\system32\atiok3x2.dll
    2008-09-24 01:18 17,408 ----a-w c:\windows\system32\atitvo32.dll
    2008-09-24 01:12 573,440 ----a-w c:\windows\system32\ati2cqag.dll
    2006-05-15 23:27 1 ----a-w c:\documents and settings\Admin\SI.bin
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
    "igndlm.exe"="c:\program files\FilePlanet\Download Manager\dlm.exe" [2008-08-01 1103216]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-28 68856]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NVRaidService"="c:\windows\System32\nvraidservice.exe" [2005-01-11 84480]
    "IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-03 208952]
    "MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2002-08-29 59392]
    "PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2002-08-29 455168]
    "PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2002-08-29 455168]
    "Launch LCDMon"="c:\program files\Common Files\Logitech\LCD Manager\lcdmon.exe" [2007-04-26 774168]
    "Launch LGDCore"="c:\program files\Common Files\Logitech\G-series Software\LGDCore.exe" [2007-04-26 1132056]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
    "ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2007-08-13 111952]
    "McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\UdaterUI.exe" [2006-12-19 136768]
    "StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-08-01 61440]
    "SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
    "atwtusb"="atwtusb.exe" [2002-04-23 c:\windows\system32\atwtusb.exe]
    "SoundMan"="SOUNDMAN.EXE" [2005-07-22 c:\windows\SOUNDMAN.EXE]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "msacm.divxa32"= DivXa32.acm
    "vidc.iv32"= c:\windows\system32\ir32_32.dll
    "vidc.iv31"= c:\windows\system32\ir32_32.dll
    "VIDC.VP31"= vp31vfw.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    --a------ 2008-04-13 16:12 1695232 c:\program files\Messenger\msmsgs.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    --a------ 2005-11-28 03:02 155648 c:\program files\QuickTime\qttask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "MSConfig"=c:\windows\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
    "SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "UpdatesDisableNotify"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Valve\\Steam\\Steam.exe"=
    "c:\\Program Files\\Valve\\Steam\\SteamApps\\fightback911@hotmail.com\\half-life 2 deathmatch\\hl2.exe"=
    "c:\\Program Files\\Valve\\Steam\\SteamApps\\fightback911@hotmail.com\\half-life\\hl.exe"=
    "c:\\Program Files\\Valve\\Steam\\SteamApps\\fightback911@hotmail.com\\counter-strike source\\hl2.exe"=
    "c:\\Program Files\\Valve\\Steam\\SteamApps\\fightback911@hotmail.com\\half-life 2\\hl2.exe"=
    "c:\\Program Files\\Ares\\Ares.exe"=
    "c:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "c:\\Program Files\\Valve\\Steam\\SteamApps\\fightback911@hotmail.com\\day of defeat source\\hl2.exe"=
    "c:\\Program Files\\3dsmax6\\3dsmax.exe"=
    "c:\\Program Files\\Shareaza\\Shareaza.exe"=
    "c:\\UT2004\\System\\UT2004.exe"=
    "c:\\Program Files\\Valve\\Steam\\SteamApps\\fightback911@hotmail.com\\source sdk base\\hl2.exe"=
    "c:\\Program Files\\Electronic Arts\\Battlefield 2142\\BF2142.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\WINDOWS\\system32\\dpnsvr.exe"=
    "c:\\WINDOWS\\system32\\PnkBstrA.exe"=
    "c:\\WINDOWS\\system32\\PnkBstrB.exe"=
    "c:\\Program Files\\Valve\\Steam\\SteamApps\\fightback911@hotmail.com\\team fortress 2\\hl2.exe"=
    "c:\\Program Files\\uTorrent\\uTorrent.exe"=
    "c:\\Program Files\\Sony\\Station\\LaunchPad\\LaunchPad.exe"=
    "c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
    "d:\\Programs\\BFHeroes.exe"=
    "c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
    "d:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
    "c:\\Program Files\\Valve\\Steam\\steamapps\\fightback911@hotmail.com\\source sdk base 2007\\hl2.exe"=
    "d:\\Programs\\THQ\\S.T.A.L.K.E.R. - Shadow of Chernobyl\\bin\\XR_3DA.exe"=
    "d:\\Programs\\THQ\\S.T.A.L.K.E.R. - Shadow of Chernobyl\\bin\\dedicated\\XR_3DA.exe"=
    "d:\\Program Files\\Deep Silver\\S.T.A.L.K.E.R. - Clear Sky\\bin\\xrEngine.exe"=
    "d:\\Program Files\\Deep Silver\\S.T.A.L.K.E.R. - Clear Sky\\bin\\dedicated\\xrEngine.exe"=
    "c:\\Program Files\\Valve\\Steam\\steamapps\\fightback911@hotmail.com\\synergy\\hl2.exe"=
    "c:\\Program Files\\Valve\\Steam\\steamapps\\fightback911@hotmail.com\\age of chivalry\\hl2.exe"=
    "c:\\Program Files\\Valve\\Steam\\steamapps\\common\\left 4 dead\\left4dead.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "53125:TCP"= 53125:TCP:PORT_53125

    R2 ousbehci;OrangeWare USB Enhanced Host Controller Service;c:\windows\system32\Drivers\ousbehci.sys [2005-04-15 44928]
    R3 ousb2hub;OrangeWare USB 2.0 Root Hub Support;c:\windows\system32\DRIVERS\ousb2hub.sys [2005-04-15 55936]
    S3 hamachi_oem;PlayLinc Adapter;c:\windows\system32\DRIVERS\gan_adapter.sys [2006-08-28 10664]
    S3 XDva011;XDva011;\??\c:\windows\system32\XDva011.sys []
    S3 XDva026;XDva026;\??\c:\windows\system32\XDva026.sys []
    S3 XDva028;XDva028;\??\c:\windows\system32\XDva028.sys []
    S3 XDva034;XDva034;\??\c:\windows\system32\XDva034.sys []

    *Newly Created Service* - CATCHME
    *Newly Created Service* - PROCEXP90
    .
    Contents of the 'Scheduled Tasks' folder

    2008-12-12 c:\windows\Tasks\At1.job
    - c:\windows\system32\0wMGiysg.exe []

    2008-06-19 c:\windows\Tasks\At10.job
    - c:\windows\system32\0wMGiysg.exe []

    2008-06-19 c:\windows\Tasks\At11.job
    - c:\windows\system32\0wMGiysg.exe []

    2008-06-19 c:\windows\Tasks\At12.job
    - c:\windows\system32\0wMGiysg.exe []

    2008-06-19 c:\windows\Tasks\At13.job
    - c:\windows\system32\0wMGiysg.exe []

    2008-06-19 c:\windows\Tasks\At14.job
    - c:\windows\system32\0wMGiysg.exe []

    2008-06-19 c:\windows\Tasks\At15.job
    - c:\windows\system32\0wMGiysg.exe []

    2008-06-19 c:\windows\Tasks\At16.job
    - c:\windows\system32\0wMGiysg.exe []

    2008-11-07 c:\windows\Tasks\At17.job
    - c:\windows\system32\0wMGiysg.exe []

    2008-12-07 c:\windows\Tasks\At18.job
    - c:\windows\system32\0wMGiysg.exe []

    2008-12-17 c:\windows\Tasks\At19.job
    - c:\windows\system32\0wMGiysg.exe []

    2008-12-12 c:\windows\Tasks\At2.job
    - c:\windows\system32\0wMGiysg.exe []

    2008-12-17 c:\windows\Tasks\At20.job
    - c:\windows\system32\0wMGiysg.exe []

    2008-12-17 c:\windows\Tasks\At21.job
    - c:\windows\system32\0wMGiysg.exe []

    2008-12-12 c:\windows\Tasks\At22.job
    - c:\windows\system32\0wMGiysg.exe []

    2008-12-12 c:\windows\Tasks\At23.job
    - c:\windows\system32\0wMGiysg.exe []

    2008-12-12 c:\windows\Tasks\At24.job
    - c:\windows\system32\0wMGiysg.exe []

    2008-12-12 c:\windows\Tasks\At3.job
    - c:\windows\system32\0wMGiysg.exe []

    2008-12-10 c:\windows\Tasks\At4.job
    - c:\windows\system32\0wMGiysg.exe []

    2008-12-10 c:\windows\Tasks\At5.job
    - c:\windows\system32\0wMGiysg.exe []

    2008-12-10 c:\windows\Tasks\At6.job
    - c:\windows\system32\0wMGiysg.exe []

    2008-12-08 c:\windows\Tasks\At7.job
    - c:\windows\system32\0wMGiysg.exe []

    2008-11-30 c:\windows\Tasks\At8.job
    - c:\windows\system32\0wMGiysg.exe []

    2008-06-19 c:\windows\Tasks\At9.job
    - c:\windows\system32\0wMGiysg.exe []
    .
    - - - - ORPHANS REMOVED - - - -

    HKLM-Run-RegistryMechanic - (no file)
    MSConfigStartUp-CPM6b495773 - c:\windows\system32\kokemabo.dll
    MSConfigStartUp-nTrayFw - c:\program files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe


    .
    ------- Supplementary Scan -------
    .
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

    O16 -: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
    c:\windows\Downloaded Program Files\DirectAnimation Java Classes.osd

    O16 -: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
    c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd

    c:\windows\Downloaded Program Files\ipv6cam.ocx - c:\windows\Downloaded Program Files\AudioClient.ocx
    O16 -: {1C3DE665-D259-4C72-9D7D-C51FCB4CCFB9}
    hxxp://219.117.194.183:84/SysCamInst.cab
    c:\windows\Downloaded Program Files\install.inf

    c:\windows\Downloaded Program Files\sysreqlab3.dll - c:\windows\Downloaded Program Files\sysreqlab_srl.dll
    O16 -: {1E54D648-B804-468d-BC78-4AFFED8E262E}
    hxxp://www.srtest.com/srl_bin/sysreqlab_srl.cab
    c:\windows\Downloaded Program Files\sysreqlab.osd

    c:\windows\Downloaded Program Files\kxhcm10.ocx - O16 -: {2E28242B-A689-11D4-80F2-0040266CBB8D}
    hxxp://camera.oze-hinoemata.net/kxhcm10.ocx

    c:\windows\Downloaded Program Files\BFHPatcher.exe - c:\windows\Downloaded Program Files\westpatcher.dll
    O16 -: {784797A8-342D-4072-9486-03C8D0F2F0A1}
    hxxp://t1.battlefield-heroes.com/patcher/westpatcher.cab
    c:\windows\Downloaded Program Files\westpatcher.inf

    c:\windows\Downloaded Program Files\NeffyLauncher.dll - O16 -: {AA07EBD2-EBDD-4BD6-9F8F-114BD513492C}
    hxxp://dist.cdnetworks.co.kr/cdndist/neffynew/NeffyLauncher.cab
    c:\windows\Downloaded Program Files\NeffyLauncher.inf
    .

    **************************************************************************

    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-12-16 20:17:50
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(732)
    c:\windows\system32\Ati2evxx.dll
    .
    Completion time: 2008-12-16 20:18:54
    ComboFix-quarantined-files.txt 2008-12-17 04:18:24

    Pre-Run: 61,089,484,800 bytes free
    Post-Run: 61,114,925,056 bytes free

    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

    277 --- E O F --- 2008-11-16 10:04:36

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 8:23:45 PM, on 12/16/2008
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16735)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\ati2sgag.exe
    C:\WINDOWS\system32\drivers\CDAC11BA.EXE
    C:\Program Files\McAfee\Common Framework\FrameworkService.exe
    C:\WINDOWS\System32\nvraidservice.exe
    C:\WINDOWS\system32\atwtusb.exe
    C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\Common Files\Logitech\LCD Manager\lcdmon.exe
    C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
    C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
    C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
    C:\Program Files\McAfee\Common Framework\UdaterUI.exe
    C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
    C:\WINDOWS\system32\PnkBstrA.exe
    C:\Program Files\McAfee\Common Framework\McTray.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\Common Files\Logitech\LCD Manager\Applets\LCDClock.exe
    C:\Program Files\Common Files\Logitech\LCD Manager\Applets\LCDMedia.exe
    C:\WINDOWS\system32\UAService7.exe
    C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Documents and Settings\Admin\Desktop\HiJackThis.exe
    C:\WINDOWS\system32\wuauclt.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
    O4 - HKLM\..\Run: [NVRaidService] C:\WINDOWS\System32\nvraidservice.exe
    O4 - HKLM\..\Run: [atwtusb] atwtusb.exe beta
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [Launch LCDMon] "C:\Program Files\Common Files\Logitech\LCD Manager\lcdmon.exe"
    O4 - HKLM\..\Run: [Launch LGDCore] "C:\Program Files\Common Files\Logitech\G-series Software\LGDCore.exe" /SHOWHIDE
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
    O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
    O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [igndlm.exe] C:\Program Files\FilePlanet\Download Manager\dlm.exe /windowsstart /startifwork
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O15 - Trusted Zone: http://*.mcafee.com
    O16 - DPF: {1C3DE665-D259-4C72-9D7D-C51FCB4CCFB9} (Panasonic Network Camera) - http://219.117.194.183:84/SysCamInst.cab
    O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.srtest.com/srl_bin/sysreqlab_srl.cab
    O16 - DPF: {2E28242B-A689-11D4-80F2-0040266CBB8D} (KXHCM10 Control) - http://camera.oze-hinoemata.net/kxhcm10.ocx
    O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/ca..._2.3.7.109.cab
    O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/res...scbase6662.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1113620507093
    O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab
    O16 - DPF: {784797A8-342D-4072-9486-03C8D0F2F0A1} (Battlefield Heroes Installer) - http://t1.battlefield-heroes.com/pat...estpatcher.cab
    O16 - DPF: {87BE3784-6977-4E84-AA08-55A96B9CEAC5} (BL_Camera) - http://daichi-yokohama.homeip.net/bl_camera.ocx
    O16 - DPF: {AA07EBD2-EBDD-4BD6-9F8F-114BD513492C} (NeffyLauncherCtl Class) - http://dist.cdnetworks.co.kr/cdndist...fyLauncher.cab
    O16 - DPF: {BE833F39-1E0C-468C-BA70-25AAEE55775E} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab.cab
    O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/game...Plugin9USA.cab
    O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
    O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
    O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
    O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
    O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR1\RpcDataSrv.exe
    O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR1\RpcSandraSrv.exe
    O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Sony DADC Austria AG. - C:\WINDOWS\system32\UAService7.exe

    --
    End of file - 8963 bytes
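The firewall exception list in the ComboFix log above (the AuthorizedApplications and GloballyOpenPorts keys) is worth auditing on its own: each entry stays in place whether or not the program still exists. The script below is an added example, not code from the thread, ComboFix or HijackThis. It parses those two lists from the log format ComboFix prints, undoes the REGEDIT4 double backslashes, expands %windir%, and reports exceptions whose executable is missing from disk plus any globally open ports. The sample log text is constructed from a few of the lines above; the `exists` parameter is an assumption so the check can run offline, and on the real machine `os.path.exists` does the work.

```python
"""Audit Windows XP firewall exceptions as ComboFix lists them (added example)."""
import os
import re
from typing import Callable, Dict, List, Tuple

AUTH_LIST = "authorizedapplications\\list"   # tail of the registry key name
PORTS_LIST = "globallyopenports\\list"
APP_RE = re.compile(r'^"(?P<path>.+)"=\s*$')
PORT_RE = re.compile(r'^"(?P<port>\d+):(?P<proto>TCP|UDP)"=', re.IGNORECASE)

# Constructed sample in the format ComboFix prints (a subset of the list in
# the log above plus the open-port entry); not a real capture.
SAMPLE_LOG = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Ares\\Ares.exe"=
"c:\\Program Files\\Shareaza\\Shareaza.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"53125:TCP"= 53125:TCP:PORT_53125

R2 ousbehci;OrangeWare USB Enhanced Host Controller Service;...
"""


def unescape_reg_path(value: str, windir: str = "C:\\WINDOWS") -> str:
    """REGEDIT4 doubles every backslash and leaves %windir% unexpanded.

    The default windir is an assumption; use os.environ["WINDIR"] on a live box.
    """
    path = value.replace("\\\\", "\\")
    if path.lower().startswith("%windir%"):
        path = windir + path[len("%windir%"):]
    return path


def parse_firewall_policy(log_text: str) -> Dict[str, list]:
    """Return {'apps': [paths], 'ports': [(port, proto)]} in log order."""
    apps: List[str] = []
    ports: List[Tuple[int, str]] = []
    section = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()      # new registry key header
            continue
        if section.endswith(AUTH_LIST):
            m = APP_RE.match(line)
            if m:
                apps.append(unescape_reg_path(m.group("path")))
        elif section.endswith(PORTS_LIST):
            m = PORT_RE.match(line)
            if m:
                ports.append((int(m.group("port")), m.group("proto").upper()))
    return {"apps": apps, "ports": ports}


def stale_exceptions(apps: List[str],
                     exists: Callable[[str], bool] = os.path.exists) -> List[str]:
    """Exceptions whose program is gone; `exists` is injectable for offline use."""
    return [p for p in apps if not exists(p)]


if __name__ == "__main__":
    parsed = parse_firewall_policy(SAMPLE_LOG)
    for path in stale_exceptions(parsed["apps"]):
        print("stale firewall exception:", path)
    for port, proto in parsed["ports"]:
        print(f"globally open port: {port}/{proto}")
```

Run it against the full ComboFix.txt instead of `SAMPLE_LOG` and every path it prints is a program that was granted inbound access and is no longer installed; those entries can be deleted from Windows Firewall's Exceptions tab.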

  6. #6
    Junior Member
    Join Date
    Dec 2008
    Posts
    13

    Default

    Quote Originally Posted by ken545 View Post
    Hello,

    A bit more to do as this garbage may have more entries and files we can't see.

    Remove these with Hijackthis
    O4 - HKUS\S-1-5-19\..\Run: [fejitiluwa] Rundll32.exe "C:\WINDOWS\system32\vovuhinu.dll",s (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [fejitiluwa] Rundll32.exe "C:\WINDOWS\system32\vovuhinu.dll",s (User 'NETWORK SERVICE')


    The above were not found when I ran HJT.

  7. #7
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208

    Default

    Good Morning,

    A reboot of your system is needed to remove them; they're gone now.
    O4 - HKUS\S-1-5-19\..\Run: [fejitiluwa] Rundll32.exe "C:\WINDOWS\system32\vovuhinu.dll",s (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [fejitiluwa] Rundll32.exe "C:\WINDOWS\system32\vovuhinu.dll",s (User 'NETWORK SERVICE')


    c:\\Program Files\\Shareaza
    c:\\Program Files\\uTorrent
    Limewire or any of the torrents.
    A heads-up for you: I don't see these programs installed, but they were at one time, and your firewall is allowing them to download anything they wish. P2P (file sharing programs) have become the latest avenue of attack by malware writers. You're downloading music or whatever files from an unknown source; it's like playing Russian Roulette malware-wise. Read this please.

    We have noticed that many people seeking help from us are coming with infections contracted from the use of P2P programs.

    Because of this, we changed our malware forum's policy on the use of P2P file sharing programs.

    • If your helper detects the presence of such programs on your computer he/she will ask you to remove them. Help will be withdrawn should you not agree to their removal.
    • If we clean your computer of infection, and you return to us a short time later with an infection contracted by the use of P2P programs, volunteer analysts will refuse their help.


    We do not ask you to do this without reason.


    P2P (File Sharing ) programs form a direct conduit onto your computer, their security measures are easily circumvented, and Malware writers are increasingly exploiting them to spread their wares onto your computer. Further to that, if your P2P program is not configured correctly you may be sharing more files than you realise. There have been cases where people's Passwords, Address Books and other personal, private, and financial details have been exposed to the file sharing network by a badly configured program.

    Many of the programs come bundled with other unwanted programs, but even the ones free of any bundled software are not safe to use.

    This article from InfoWorld illustrates the dangers of a poorly configured P2P program.
    http://www.infoworld.com/article/07/09/06/...ID-theft_1.html

    When you use them you are downloading software from an unknown source directly onto your computer, bypassing your Firewall and Anti-Virus software. Hardly surprising then that many of these downloads are being targeted to carry infections. Downloading that music file or whatever from an unknown source is kind of like playing Russian Roulette malware-wise.




    Open Notepad: go to Start > All Programs > Accessories > Notepad (this will only work with Notepad) and copy all the text inside the Codebox by highlighting it all and pressing CTRL+C on your keyboard, then paste it into Notepad. Make sure there is no space before or above File::


    Code:
    File::
    c:\windows\system32\0wMGiysg.exe
    c:\windows\Tasks\At1.job
    c:\windows\Tasks\At10.job
    c:\windows\Tasks\At11.job 
    c:\windows\Tasks\At12.job
    c:\windows\Tasks\At13.job
    c:\windows\Tasks\At14.job
    c:\windows\Tasks\At15.job
    c:\windows\Tasks\At16.job
    c:\windows\Tasks\At17.job
    c:\windows\Tasks\At18.job
    c:\windows\Tasks\At19.job
    c:\windows\Tasks\At2.job
    c:\windows\Tasks\At20.job
    c:\windows\Tasks\At21.job
    c:\windows\Tasks\At22.job
    c:\windows\Tasks\At23.job
    c:\windows\Tasks\At24.job
    c:\windows\Tasks\At3.job
    c:\windows\Tasks\At4.job
    c:\windows\Tasks\At5.job
    c:\windows\Tasks\At6.job
    c:\windows\Tasks\At7.job
    c:\windows\Tasks\At8.job
    c:\windows\Tasks\At9.job
    Save this as CFScript to your desktop.

    Then drag the CFScript into ComboFix.exe as you see in the screenshot below.




    This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.




    I need you to check this file for me please

    You need to enable windows to Show All Files and Folders
    Click Here for instructions

    Go to VirusTotal and submit this file for analysis, just use the browse feature and then Send File, you will get a report back, post the report into this thread for me to see.

    c:\windows\Downloaded Program Files\sysreqlab3.dll <--This one
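The CFScript above is built by hand from the 'Scheduled Tasks' section of the ComboFix log: one At*.job per hour, all pointing at the same random-named executable in system32, with an empty [] where ComboFix normally prints the target's date and size. The script below is an added example, not the helper's or ComboFix's own code. It parses that section in the format ComboFix printed, scores each task target on those indicators, emits a File:: block in the same shape as the CFScript, and hashes a file so its SHA-256 can be searched on VirusTotal before uploading the file itself. The sample entries are constructed from the log above with an invented benign backup.exe task for contrast; the indicator thresholds and the name heuristic are assumptions, not ComboFix's logic.

```python
"""Triage ComboFix's 'Scheduled Tasks' section and build the CFScript (added example)."""
import hashlib
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample in ComboFix's two-line task format; NightlyBackup.job is
# an invented benign entry, the At*.job entries mirror the log above.
SAMPLE_TASKS = r"""
Contents of the 'Scheduled Tasks' folder

2008-12-12 c:\windows\Tasks\At1.job
- c:\windows\system32\0wMGiysg.exe []

2008-06-19 c:\windows\Tasks\At10.job
- c:\windows\system32\0wMGiysg.exe []

2008-12-17 c:\windows\Tasks\At19.job
- c:\windows\system32\0wMGiysg.exe []

2008-11-20 c:\windows\Tasks\NightlyBackup.job
- c:\program files\Example\backup.exe [2008-11-20 133104]
.
"""

JOB_RE = re.compile(r"^\d{4}-\d{2}-\d{2} (?P<job>.+\.job)$", re.IGNORECASE)
TARGET_RE = re.compile(r"^- (?P<target>.+?) \[(?P<details>.*)\]$")


def parse_tasks(log_text: str) -> List[Tuple[str, str, str]]:
    """Return (job_path, target_path, details) for each task entry, in log order."""
    entries, pending = [], None
    for raw in log_text.splitlines():
        line = raw.strip()
        m = JOB_RE.match(line)
        if m:
            pending = m.group("job")          # first line: date + .job path
            continue
        m = TARGET_RE.match(line)
        if m and pending:                     # second line: "- target [details]"
            entries.append((pending, m.group("target"), m.group("details")))
            pending = None
    return entries


def looks_random(path: str) -> bool:
    """Heuristic (assumption) for generated names like 0wMGiysg.exe."""
    stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    classes = sum(bool(re.search(p, stem)) for p in (r"[A-Z]", r"[a-z]", r"\d"))
    vowels = sum(c in "aeiouAEIOU" for c in stem) / max(len(stem), 1)
    return classes == 3 or (classes == 2 and vowels < 0.2)


def triage(entries: List[Tuple[str, str, str]]) -> Dict[str, dict]:
    """Group jobs by target and list the indicators each target trips."""
    by_target: Dict[str, List[str]] = defaultdict(list)
    details: Dict[str, str] = {}
    for job, target, detail in entries:
        by_target[target].append(job)
        details[target] = detail
    report = {}
    for target, jobs in by_target.items():
        reasons = []
        if len(jobs) >= 3:
            reasons.append(f"{len(jobs)} jobs share one target")
        if all(re.search(r"\\At\d+\.job$", j, re.IGNORECASE) for j in jobs):
            reasons.append("AtN.job names, the pattern the at command produces")
        if not details[target].strip():
            reasons.append("ComboFix printed no date/size for the target")
        if looks_random(target):
            reasons.append("random-looking file name")
        report[target] = {"jobs": jobs, "reasons": reasons,
                          "suspicious": len(reasons) >= 2}   # threshold: assumption
    return report


def build_cfscript(report: Dict[str, dict], newline: str = "\r\n") -> str:
    """File:: block, target first then its .job files; nothing before 'File::'."""
    lines = ["File::"]
    for target, info in report.items():
        if info["suspicious"]:
            lines.append(target)
            lines.extend(info["jobs"])
    return newline.join(lines) + newline      # CRLF so Notepad on XP shows line breaks


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path: str, chunk: int = 1 << 20) -> str:
    """Hash in chunks; the hex digest can be searched on VirusTotal before uploading."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


if __name__ == "__main__":
    rep = triage(parse_tasks(SAMPLE_TASKS))
    for target, info in rep.items():
        print(("SUSPICIOUS " if info["suspicious"] else "ok         ") + target)
        for reason in info["reasons"]:
            print("    - " + reason)
    print(build_cfscript(rep), end="")
```

Save the printed block as CFScript.txt on the desktop and drag it onto ComboFix.exe exactly as described above; the generated text has no blank line before File::, which is the detail the helper warns about.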

  8. #8
    Junior Member
    Join Date
    Dec 2008
    Posts
    13

    Default

    Good evening...

    In my after-work stupor I neglected to disable VirusScan in my first ComboFix run, so there are two log files...
    ComboFix 08-12-16.03 - Admin 2008-12-17 18:40:12.2 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2815.2309 [GMT -8:00]
    Running from: c:\documents and settings\Admin\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Admin\Desktop\CFScript.txt
    * Created a new restore point
    * Resident AV is active


    FILE ::
    c:\windows\system32\0wMGiysg.exe
    c:\windows\Tasks\At1.job
    c:\windows\Tasks\At10.job
    c:\windows\Tasks\At11.job
    c:\windows\Tasks\At12.job
    c:\windows\Tasks\At13.job
    c:\windows\Tasks\At14.job
    c:\windows\Tasks\At15.job
    c:\windows\Tasks\At16.job
    c:\windows\Tasks\At17.job
    c:\windows\Tasks\At18.job
    c:\windows\Tasks\At19.job
    c:\windows\Tasks\At2.job
    c:\windows\Tasks\At20.job
    c:\windows\Tasks\At21.job
    c:\windows\Tasks\At22.job
    c:\windows\Tasks\At23.job
    c:\windows\Tasks\At24.job
    c:\windows\Tasks\At3.job
    c:\windows\Tasks\At4.job
    c:\windows\Tasks\At5.job
    c:\windows\Tasks\At6.job
    c:\windows\Tasks\At7.job
    c:\windows\Tasks\At8.job
    c:\windows\Tasks\At9.job
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\windows\Tasks\At1.job
    c:\windows\Tasks\At10.job
    c:\windows\Tasks\At11.job
    c:\windows\Tasks\At12.job
    c:\windows\Tasks\At13.job
    c:\windows\Tasks\At14.job
    c:\windows\Tasks\At15.job
    c:\windows\Tasks\At16.job
    c:\windows\Tasks\At17.job
    c:\windows\Tasks\At18.job
    c:\windows\Tasks\At19.job
    c:\windows\Tasks\At2.job
    c:\windows\Tasks\At20.job
    c:\windows\Tasks\At21.job
    c:\windows\Tasks\At22.job
    c:\windows\Tasks\At23.job
    c:\windows\Tasks\At24.job
    c:\windows\Tasks\At3.job
    c:\windows\Tasks\At4.job
    c:\windows\Tasks\At5.job
    c:\windows\Tasks\At6.job
    c:\windows\Tasks\At7.job
    c:\windows\Tasks\At8.job
    c:\windows\Tasks\At9.job

    .
    ((((((((((((((((((((((((( Files Created from 2008-11-18 to 2008-12-18 )))))))))))))))))))))))))))))))
    .

    2008-12-16 18:32 . 2008-12-16 18:32 <DIR> d-------- c:\program files\SpywareBlaster
    2008-12-16 18:32 . 2008-12-16 18:32 <DIR> d-------- c:\documents and settings\All Users\Application Data\TEMP
    2008-12-16 17:44 . 2008-12-16 17:44 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
    2008-12-16 17:44 . 2008-12-16 17:44 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
    2008-12-16 17:44 . 2008-12-16 17:44 <DIR> d-------- c:\documents and settings\Admin\Application Data\Malwarebytes
    2008-12-16 17:44 . 2008-12-03 19:59 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
    2008-12-16 17:44 . 2008-12-03 19:59 15,504 --a------ c:\windows\system32\drivers\mbam.sys
    2008-12-11 18:04 . 2008-12-11 18:04 <DIR> d-------- c:\documents and settings\Admin\Application Data\McAfee
    2008-12-09 03:53 . 2008-12-09 03:53 <DIR> d-------- C:\VundoFix Backups
    2008-12-09 03:33 . 2008-12-09 03:34 <DIR> d-------- c:\program files\Windows Live Safety Center
    2008-12-06 02:22 . 2008-12-06 02:22 <DIR> d-------- c:\documents and settings\Admin\Application Data\Spellborn Downloader
    2008-11-30 05:55 . 2008-11-30 05:55 52,736 --a------ c:\windows\ipuninst.exe
    2008-11-25 19:11 . 2008-11-25 19:11 <DIR> d-------- c:\documents and settings\Admin\Application Data\Toribash

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-12-17 02:44 --------- d-----w c:\program files\Java
    2008-12-12 02:24 --------- d-----w c:\program files\Common Files\McAfee
    2008-12-12 02:04 --------- d-----w c:\documents and settings\All Users\Application Data\McAfee
    2008-12-10 02:13 --------- d-----w c:\program files\Lavasoft
    2008-12-10 02:12 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
    2008-12-10 02:12 --------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
    2008-12-05 05:01 140,216 ----a-w c:\windows\system32\drivers\PnkBstrK.sys
    2008-12-05 04:59 201,352 ----a-w c:\windows\system32\PnkBstrB.exe
    2008-11-30 13:51 --------- d-----w c:\documents and settings\Admin\Application Data\uTorrent
    2008-11-30 06:18 --------- d-----w c:\program files\Spybot - Search & Destroy
    2008-11-14 09:32 --------- d--h--w c:\program files\InstallShield Installation Information
    2008-11-09 09:41 --------- d-----w c:\documents and settings\Admin\Application Data\IGN_DLM
    2008-11-06 23:52 --------- d-----w c:\documents and settings\All Users\Application Data\ATI
    2008-11-06 23:50 --------- d-----w c:\program files\ATI Technologies
    2008-11-05 06:10 --------- d-----w c:\documents and settings\All Users\Application Data\2DBoy
    2008-10-29 00:20 682,280 ----a-w c:\windows\system32\pbsvc.exe
    2008-10-29 00:20 66,872 ----a-w c:\windows\system32\PnkBstrA.exe
    2008-10-29 00:20 22,328 ----a-w c:\documents and settings\Admin\Application Data\PnkBstrK.sys
    2008-10-26 11:53 --------- d-----w c:\program files\SystemRequirementsLab
    2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
    2008-10-16 22:13 202,776 ----a-w c:\windows\system32\wuweb.dll
    2008-10-16 22:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
    2008-10-16 22:12 561,688 ----a-w c:\windows\system32\wuapi.dll
    2008-10-16 22:12 323,608 ----a-w c:\windows\system32\wucltui.dll
    2008-10-16 22:09 92,696 ----a-w c:\windows\system32\cdm.dll
    2008-10-16 22:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
    2008-10-16 22:09 43,544 ----a-w c:\windows\system32\wups2.dll
    2008-10-16 22:08 34,328 ----a-w c:\windows\system32\wups.dll
    2008-10-10 00:18 107,888 ----a-w c:\windows\system32\CmdLineExt.dll
    2008-10-10 00:08 10,820 ----a-w c:\windows\system32\ealregsnapshot1.reg
    2008-10-01 00:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
    2008-09-24 05:05 593,920 ------w c:\windows\system32\ati2sgag.exe
    2008-09-24 02:18 425,984 ----a-w c:\windows\system32\ATIDEMGX.dll
    2008-09-24 02:17 311,296 ----a-w c:\windows\system32\ati2dvag.dll
    2008-09-24 02:09 10,772,480 ----a-w c:\windows\system32\atioglxx.dll
    2008-09-24 02:07 188,416 ----a-w c:\windows\system32\atipdlxx.dll
    2008-09-24 02:06 43,520 ----a-w c:\windows\system32\ati2edxx.dll
    2008-09-24 02:06 26,112 ----a-w c:\windows\system32\Ati2mdxx.exe
    2008-09-24 02:06 143,360 ----a-w c:\windows\system32\Oemdspif.dll
    2008-09-24 02:06 143,360 ----a-w c:\windows\system32\ati2evxx.dll
    2008-09-24 02:04 581,632 ----a-w c:\windows\system32\ati2evxx.exe
    2008-09-24 02:03 53,248 ----a-w c:\windows\system32\ATIDDC.DLL
    2008-09-24 01:56 307,200 ----a-w c:\windows\system32\atiiiexx.dll
    2008-09-24 01:54 4,008,864 ----a-w c:\windows\system32\ati3duag.dll
    2008-09-24 01:38 2,399,744 ----a-w c:\windows\system32\ativvaxx.dll
    2008-09-24 01:24 48,640 ----a-w c:\windows\system32\amdpcom32.dll
    2008-09-24 01:20 380,928 ----a-w c:\windows\system32\atikvmag.dll
    2008-09-24 01:19 39,424 ----a-w c:\windows\system32\atiadlxx.dll
    2008-09-24 01:18 253,952 ----a-w c:\windows\system32\atiok3x2.dll
    2008-09-24 01:18 17,408 ----a-w c:\windows\system32\atitvo32.dll
    2008-09-24 01:12 573,440 ----a-w c:\windows\system32\ati2cqag.dll
    2006-05-15 23:27 1 ----a-w c:\documents and settings\Admin\SI.bin
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
    "igndlm.exe"="c:\program files\FilePlanet\Download Manager\DLM.exe" [2008-08-01 1103216]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-28 68856]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NVRaidService"="c:\windows\System32\nvraidservice.exe" [2005-01-11 84480]
    "IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-03 208952]
    "MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2002-08-29 59392]
    "PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2002-08-29 455168]
    "PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2002-08-29 455168]
    "Launch LCDMon"="c:\program files\Common Files\Logitech\LCD Manager\lcdmon.exe" [2007-04-26 774168]
    "Launch LGDCore"="c:\program files\Common Files\Logitech\G-series Software\LGDCore.exe" [2007-04-26 1132056]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
    "ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2007-08-13 111952]
    "McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\UdaterUI.exe" [2006-12-19 136768]
    "StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-08-01 61440]
    "SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
    "atwtusb"="atwtusb.exe" [2002-04-23 c:\windows\system32\atwtusb.exe]
    "SoundMan"="SOUNDMAN.EXE" [2005-07-22 c:\windows\SOUNDMAN.EXE]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "msacm.divxa32"= DivXa32.acm
    "vidc.iv32"= c:\windows\system32\ir32_32.dll
    "vidc.iv31"= c:\windows\system32\ir32_32.dll
    "VIDC.VP31"= vp31vfw.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    --a------ 2008-04-13 16:12 1695232 c:\program files\Messenger\msmsgs.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    --a------ 2005-11-28 03:02 155648 c:\program files\QuickTime\qttask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "MSConfig"=c:\windows\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
    "SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "UpdatesDisableNotify"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Valve\\Steam\\Steam.exe"=
    "c:\\Program Files\\Valve\\Steam\\SteamApps\\fightback911@hotmail.com\\half-life 2 deathmatch\\hl2.exe"=
    "c:\\Program Files\\Valve\\Steam\\SteamApps\\fightback911@hotmail.com\\half-life\\hl.exe"=
    "c:\\Program Files\\Valve\\Steam\\SteamApps\\fightback911@hotmail.com\\counter-strike source\\hl2.exe"=
    "c:\\Program Files\\Valve\\Steam\\SteamApps\\fightback911@hotmail.com\\half-life 2\\hl2.exe"=
    "c:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "c:\\Program Files\\Valve\\Steam\\SteamApps\\fightback911@hotmail.com\\day of defeat source\\hl2.exe"=
    "c:\\Program Files\\3dsmax6\\3dsmax.exe"=
    "c:\\UT2004\\System\\UT2004.exe"=
    "c:\\Program Files\\Valve\\Steam\\SteamApps\\fightback911@hotmail.com\\source sdk base\\hl2.exe"=
    "c:\\Program Files\\Electronic Arts\\Battlefield 2142\\BF2142.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\WINDOWS\\system32\\dpnsvr.exe"=
    "c:\\WINDOWS\\system32\\PnkBstrA.exe"=
    "c:\\WINDOWS\\system32\\PnkBstrB.exe"=
    "c:\\Program Files\\Valve\\Steam\\SteamApps\\fightback911@hotmail.com\\team fortress 2\\hl2.exe"=
    "c:\\Program Files\\uTorrent\\uTorrent.exe"=
    "c:\\Program Files\\Sony\\Station\\LaunchPad\\LaunchPad.exe"=
    "c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
    "d:\\Programs\\BFHeroes.exe"=
    "c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
    "d:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
    "c:\\Program Files\\Valve\\Steam\\steamapps\\fightback911@hotmail.com\\source sdk base 2007\\hl2.exe"=
    "d:\\Programs\\THQ\\S.T.A.L.K.E.R. - Shadow of Chernobyl\\bin\\XR_3DA.exe"=
    "d:\\Programs\\THQ\\S.T.A.L.K.E.R. - Shadow of Chernobyl\\bin\\dedicated\\XR_3DA.exe"=
    "d:\\Program Files\\Deep Silver\\S.T.A.L.K.E.R. - Clear Sky\\bin\\xrEngine.exe"=
    "d:\\Program Files\\Deep Silver\\S.T.A.L.K.E.R. - Clear Sky\\bin\\dedicated\\xrEngine.exe"=
    "c:\\Program Files\\Valve\\Steam\\steamapps\\fightback911@hotmail.com\\synergy\\hl2.exe"=
    "c:\\Program Files\\Valve\\Steam\\steamapps\\fightback911@hotmail.com\\age of chivalry\\hl2.exe"=
    "c:\\Program Files\\Valve\\Steam\\steamapps\\common\\left 4 dead\\left4dead.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "53125:TCP"= 53125:TCP:PORT_53125

    R2 ousbehci;OrangeWare USB Enhanced Host Controller Service;c:\windows\system32\Drivers\ousbehci.sys [2005-04-15 44928]
    R3 ousb2hub;OrangeWare USB 2.0 Root Hub Support;c:\windows\system32\DRIVERS\ousb2hub.sys [2005-04-15 55936]
    S3 hamachi_oem;PlayLinc Adapter;c:\windows\system32\DRIVERS\gan_adapter.sys [2006-08-28 10664]
    S3 XDva011;XDva011;\??\c:\windows\system32\XDva011.sys []
    S3 XDva026;XDva026;\??\c:\windows\system32\XDva026.sys []
    S3 XDva028;XDva028;\??\c:\windows\system32\XDva028.sys []
    S3 XDva034;XDva034;\??\c:\windows\system32\XDva034.sys []
    .
    .
    ------- Supplementary Scan -------
    .
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

    O16 -: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
    c:\windows\Downloaded Program Files\DirectAnimation Java Classes.osd

    O16 -: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
    c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd

    c:\windows\Downloaded Program Files\ipv6cam.ocx - c:\windows\Downloaded Program Files\AudioClient.ocx
    O16 -: {1C3DE665-D259-4C72-9D7D-C51FCB4CCFB9}
    hxxp://219.117.194.183:84/SysCamInst.cab
    c:\windows\Downloaded Program Files\install.inf

    c:\windows\Downloaded Program Files\sysreqlab3.dll - c:\windows\Downloaded Program Files\sysreqlab_srl.dll
    O16 -: {1E54D648-B804-468d-BC78-4AFFED8E262E}
    hxxp://www.srtest.com/srl_bin/sysreqlab_srl.cab
    c:\windows\Downloaded Program Files\sysreqlab.osd

    c:\windows\Downloaded Program Files\kxhcm10.ocx - O16 -: {2E28242B-A689-11D4-80F2-0040266CBB8D}
    hxxp://camera.oze-hinoemata.net/kxhcm10.ocx

    c:\windows\Downloaded Program Files\BFHPatcher.exe - c:\windows\Downloaded Program Files\westpatcher.dll
    O16 -: {784797A8-342D-4072-9486-03C8D0F2F0A1}
    hxxp://t1.battlefield-heroes.com/patcher/westpatcher.cab
    c:\windows\Downloaded Program Files\westpatcher.inf

    c:\windows\Downloaded Program Files\NeffyLauncher.dll - O16 -: {AA07EBD2-EBDD-4BD6-9F8F-114BD513492C}
    hxxp://dist.cdnetworks.co.kr/cdndist/neffynew/NeffyLauncher.cab
    c:\windows\Downloaded Program Files\NeffyLauncher.inf
    .

    **************************************************************************

    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-12-17 18:42:48
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(724)
    c:\windows\system32\Ati2evxx.dll
    .
    Completion time: 2008-12-17 18:44:23
    ComboFix-quarantined-files.txt 2008-12-18 02:43:27
    ComboFix2.txt 2008-12-17 04:18:55

    Pre-Run: 61,319,512,064 bytes free
    Post-Run: 61,301,194,752 bytes free

    260 --- E O F --- 2008-11-16 10:04:36

    ComboFix 08-12-16.03 - Admin 2008-12-17 18:48:37.3 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2815.2328 [GMT -8:00]
    Running from: c:\documents and settings\Admin\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Admin\Desktop\CFScript.txt
    * Created a new restore point

    FILE ::
    c:\windows\system32\0wMGiysg.exe
    c:\windows\Tasks\At1.job
    c:\windows\Tasks\At10.job
    c:\windows\Tasks\At11.job
    c:\windows\Tasks\At12.job
    c:\windows\Tasks\At13.job
    c:\windows\Tasks\At14.job
    c:\windows\Tasks\At15.job
    c:\windows\Tasks\At16.job
    c:\windows\Tasks\At17.job
    c:\windows\Tasks\At18.job
    c:\windows\Tasks\At19.job
    c:\windows\Tasks\At2.job
    c:\windows\Tasks\At20.job
    c:\windows\Tasks\At21.job
    c:\windows\Tasks\At22.job
    c:\windows\Tasks\At23.job
    c:\windows\Tasks\At24.job
    c:\windows\Tasks\At3.job
    c:\windows\Tasks\At4.job
    c:\windows\Tasks\At5.job
    c:\windows\Tasks\At6.job
    c:\windows\Tasks\At7.job
    c:\windows\Tasks\At8.job
    c:\windows\Tasks\At9.job
    .

    ((((((((((((((((((((((((( Files Created from 2008-11-18 to 2008-12-18 )))))))))))))))))))))))))))))))
    .

    2008-12-16 18:32 . 2008-12-16 18:32 <DIR> d-------- c:\program files\SpywareBlaster
    2008-12-16 18:32 . 2008-12-16 18:32 <DIR> d-------- c:\documents and settings\All Users\Application Data\TEMP
    2008-12-16 17:44 . 2008-12-16 17:44 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
    2008-12-16 17:44 . 2008-12-16 17:44 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
    2008-12-16 17:44 . 2008-12-16 17:44 <DIR> d-------- c:\documents and settings\Admin\Application Data\Malwarebytes
    2008-12-16 17:44 . 2008-12-03 19:59 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
    2008-12-16 17:44 . 2008-12-03 19:59 15,504 --a------ c:\windows\system32\drivers\mbam.sys
    2008-12-11 18:04 . 2008-12-11 18:04 <DIR> d-------- c:\documents and settings\Admin\Application Data\McAfee
    2008-12-09 03:53 . 2008-12-09 03:53 <DIR> d-------- C:\VundoFix Backups
    2008-12-09 03:33 . 2008-12-09 03:34 <DIR> d-------- c:\program files\Windows Live Safety Center
    2008-12-06 02:22 . 2008-12-06 02:22 <DIR> d-------- c:\documents and settings\Admin\Application Data\Spellborn Downloader
    2008-11-30 05:55 . 2008-11-30 05:55 52,736 --a------ c:\windows\ipuninst.exe
    2008-11-25 19:11 . 2008-11-25 19:11 <DIR> d-------- c:\documents and settings\Admin\Application Data\Toribash

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-12-17 02:44 --------- d-----w c:\program files\Java
    2008-12-12 02:24 --------- d-----w c:\program files\Common Files\McAfee
    2008-12-12 02:04 --------- d-----w c:\documents and settings\All Users\Application Data\McAfee
    2008-12-10 02:13 --------- d-----w c:\program files\Lavasoft
    2008-12-10 02:12 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
    2008-12-10 02:12 --------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
    2008-12-05 05:01 140,216 ----a-w c:\windows\system32\drivers\PnkBstrK.sys
    2008-12-05 04:59 201,352 ----a-w c:\windows\system32\PnkBstrB.exe
    2008-11-30 13:51 --------- d-----w c:\documents and settings\Admin\Application Data\uTorrent
    2008-11-30 06:18 --------- d-----w c:\program files\Spybot - Search & Destroy
    2008-11-14 09:32 --------- d--h--w c:\program files\InstallShield Installation Information
    2008-11-09 09:41 --------- d-----w c:\documents and settings\Admin\Application Data\IGN_DLM
    2008-11-06 23:52 --------- d-----w c:\documents and settings\All Users\Application Data\ATI
    2008-11-06 23:50 --------- d-----w c:\program files\ATI Technologies
    2008-11-05 06:10 --------- d-----w c:\documents and settings\All Users\Application Data\2DBoy
    2008-10-29 00:20 682,280 ----a-w c:\windows\system32\pbsvc.exe
    2008-10-29 00:20 66,872 ----a-w c:\windows\system32\PnkBstrA.exe
    2008-10-29 00:20 22,328 ----a-w c:\documents and settings\Admin\Application Data\PnkBstrK.sys
    2008-10-26 11:53 --------- d-----w c:\program files\SystemRequirementsLab
    2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
    2008-10-16 22:13 202,776 ----a-w c:\windows\system32\wuweb.dll
    2008-10-16 22:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
    2008-10-16 22:12 561,688 ----a-w c:\windows\system32\wuapi.dll
    2008-10-16 22:12 323,608 ----a-w c:\windows\system32\wucltui.dll
    2008-10-16 22:09 92,696 ----a-w c:\windows\system32\cdm.dll
    2008-10-16 22:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
    2008-10-16 22:09 43,544 ----a-w c:\windows\system32\wups2.dll
    2008-10-16 22:08 34,328 ----a-w c:\windows\system32\wups.dll
    2008-10-10 00:18 107,888 ----a-w c:\windows\system32\CmdLineExt.dll
    2008-10-10 00:08 10,820 ----a-w c:\windows\system32\ealregsnapshot1.reg
    2008-10-01 00:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
    2008-09-24 05:05 593,920 ------w c:\windows\system32\ati2sgag.exe
    2008-09-24 02:18 425,984 ----a-w c:\windows\system32\ATIDEMGX.dll
    2008-09-24 02:17 311,296 ----a-w c:\windows\system32\ati2dvag.dll
    2008-09-24 02:09 10,772,480 ----a-w c:\windows\system32\atioglxx.dll
    2008-09-24 02:07 188,416 ----a-w c:\windows\system32\atipdlxx.dll
    2008-09-24 02:06 43,520 ----a-w c:\windows\system32\ati2edxx.dll
    2008-09-24 02:06 26,112 ----a-w c:\windows\system32\Ati2mdxx.exe
    2008-09-24 02:06 143,360 ----a-w c:\windows\system32\Oemdspif.dll
    2008-09-24 02:06 143,360 ----a-w c:\windows\system32\ati2evxx.dll
    2008-09-24 02:04 581,632 ----a-w c:\windows\system32\ati2evxx.exe
    2008-09-24 02:03 53,248 ----a-w c:\windows\system32\ATIDDC.DLL
    2008-09-24 01:56 307,200 ----a-w c:\windows\system32\atiiiexx.dll
    2008-09-24 01:54 4,008,864 ----a-w c:\windows\system32\ati3duag.dll
    2008-09-24 01:38 2,399,744 ----a-w c:\windows\system32\ativvaxx.dll
    2008-09-24 01:24 48,640 ----a-w c:\windows\system32\amdpcom32.dll
    2008-09-24 01:20 380,928 ----a-w c:\windows\system32\atikvmag.dll
    2008-09-24 01:19 39,424 ----a-w c:\windows\system32\atiadlxx.dll
    2008-09-24 01:18 253,952 ----a-w c:\windows\system32\atiok3x2.dll
    2008-09-24 01:18 17,408 ----a-w c:\windows\system32\atitvo32.dll
    2008-09-24 01:12 573,440 ----a-w c:\windows\system32\ati2cqag.dll
    2006-05-15 23:27 1 ----a-w c:\documents and settings\Admin\SI.bin
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
    "igndlm.exe"="c:\program files\FilePlanet\Download Manager\DLM.exe" [2008-08-01 1103216]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-28 68856]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NVRaidService"="c:\windows\System32\nvraidservice.exe" [2005-01-11 84480]
    "IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-03 208952]
    "MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2002-08-29 59392]
    "PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2002-08-29 455168]
    "PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2002-08-29 455168]
    "Launch LCDMon"="c:\program files\Common Files\Logitech\LCD Manager\lcdmon.exe" [2007-04-26 774168]
    "Launch LGDCore"="c:\program files\Common Files\Logitech\G-series Software\LGDCore.exe" [2007-04-26 1132056]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
    "ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2007-08-13 111952]
    "McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\UdaterUI.exe" [2006-12-19 136768]
    "StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-08-01 61440]
    "SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
    "atwtusb"="atwtusb.exe" [2002-04-23 c:\windows\system32\atwtusb.exe]
    "SoundMan"="SOUNDMAN.EXE" [2005-07-22 c:\windows\SOUNDMAN.EXE]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "msacm.divxa32"= DivXa32.acm
    "vidc.iv32"= c:\windows\system32\ir32_32.dll
    "vidc.iv31"= c:\windows\system32\ir32_32.dll
    "VIDC.VP31"= vp31vfw.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    --a------ 2008-04-13 16:12 1695232 c:\program files\Messenger\msmsgs.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    --a------ 2005-11-28 03:02 155648 c:\program files\QuickTime\qttask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "MSConfig"=c:\windows\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
    "SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "UpdatesDisableNotify"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Valve\\Steam\\Steam.exe"=
    "c:\\Program Files\\Valve\\Steam\\SteamApps\\fightback911@hotmail.com\\half-life 2 deathmatch\\hl2.exe"=
    "c:\\Program Files\\Valve\\Steam\\SteamApps\\fightback911@hotmail.com\\half-life\\hl.exe"=
    "c:\\Program Files\\Valve\\Steam\\SteamApps\\fightback911@hotmail.com\\counter-strike source\\hl2.exe"=
    "c:\\Program Files\\Valve\\Steam\\SteamApps\\fightback911@hotmail.com\\half-life 2\\hl2.exe"=
    "c:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "c:\\Program Files\\Valve\\Steam\\SteamApps\\fightback911@hotmail.com\\day of defeat source\\hl2.exe"=
    "c:\\Program Files\\3dsmax6\\3dsmax.exe"=
    "c:\\UT2004\\System\\UT2004.exe"=
    "c:\\Program Files\\Valve\\Steam\\SteamApps\\fightback911@hotmail.com\\source sdk base\\hl2.exe"=
    "c:\\Program Files\\Electronic Arts\\Battlefield 2142\\BF2142.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\WINDOWS\\system32\\dpnsvr.exe"=
    "c:\\WINDOWS\\system32\\PnkBstrA.exe"=
    "c:\\WINDOWS\\system32\\PnkBstrB.exe"=
    "c:\\Program Files\\Valve\\Steam\\SteamApps\\fightback911@hotmail.com\\team fortress 2\\hl2.exe"=
    "c:\\Program Files\\uTorrent\\uTorrent.exe"=
    "c:\\Program Files\\Sony\\Station\\LaunchPad\\LaunchPad.exe"=
    "c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
    "d:\\Programs\\BFHeroes.exe"=
    "c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
    "d:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
    "c:\\Program Files\\Valve\\Steam\\steamapps\\fightback911@hotmail.com\\source sdk base 2007\\hl2.exe"=
    "d:\\Programs\\THQ\\S.T.A.L.K.E.R. - Shadow of Chernobyl\\bin\\XR_3DA.exe"=
    "d:\\Programs\\THQ\\S.T.A.L.K.E.R. - Shadow of Chernobyl\\bin\\dedicated\\XR_3DA.exe"=
    "d:\\Program Files\\Deep Silver\\S.T.A.L.K.E.R. - Clear Sky\\bin\\xrEngine.exe"=
    "d:\\Program Files\\Deep Silver\\S.T.A.L.K.E.R. - Clear Sky\\bin\\dedicated\\xrEngine.exe"=
    "c:\\Program Files\\Valve\\Steam\\steamapps\\fightback911@hotmail.com\\synergy\\hl2.exe"=
    "c:\\Program Files\\Valve\\Steam\\steamapps\\fightback911@hotmail.com\\age of chivalry\\hl2.exe"=
    "c:\\Program Files\\Valve\\Steam\\steamapps\\common\\left 4 dead\\left4dead.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "53125:TCP"= 53125:TCP:PORT_53125

    R2 ousbehci;OrangeWare USB Enhanced Host Controller Service;c:\windows\system32\Drivers\ousbehci.sys [2005-04-15 44928]
    R3 ousb2hub;OrangeWare USB 2.0 Root Hub Support;c:\windows\system32\DRIVERS\ousb2hub.sys [2005-04-15 55936]
    S3 hamachi_oem;PlayLinc Adapter;c:\windows\system32\DRIVERS\gan_adapter.sys [2006-08-28 10664]
    S3 XDva011;XDva011;\??\c:\windows\system32\XDva011.sys []
    S3 XDva026;XDva026;\??\c:\windows\system32\XDva026.sys []
    S3 XDva028;XDva028;\??\c:\windows\system32\XDva028.sys []
    S3 XDva034;XDva034;\??\c:\windows\system32\XDva034.sys []
    .
    .
    ------- Supplementary Scan -------
    .
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

    O16 -: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
    c:\windows\Downloaded Program Files\DirectAnimation Java Classes.osd

    O16 -: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
    c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd

    c:\windows\Downloaded Program Files\ipv6cam.ocx - c:\windows\Downloaded Program Files\AudioClient.ocx
    O16 -: {1C3DE665-D259-4C72-9D7D-C51FCB4CCFB9}
    hxxp://219.117.194.183:84/SysCamInst.cab
    c:\windows\Downloaded Program Files\install.inf

    c:\windows\Downloaded Program Files\sysreqlab3.dll - c:\windows\Downloaded Program Files\sysreqlab_srl.dll
    O16 -: {1E54D648-B804-468d-BC78-4AFFED8E262E}
    hxxp://www.srtest.com/srl_bin/sysreqlab_srl.cab
    c:\windows\Downloaded Program Files\sysreqlab.osd

    c:\windows\Downloaded Program Files\kxhcm10.ocx - O16 -: {2E28242B-A689-11D4-80F2-0040266CBB8D}
    hxxp://camera.oze-hinoemata.net/kxhcm10.ocx

    c:\windows\Downloaded Program Files\BFHPatcher.exe - c:\windows\Downloaded Program Files\westpatcher.dll
    O16 -: {784797A8-342D-4072-9486-03C8D0F2F0A1}
    hxxp://t1.battlefield-heroes.com/patcher/westpatcher.cab
    c:\windows\Downloaded Program Files\westpatcher.inf

    c:\windows\Downloaded Program Files\NeffyLauncher.dll - O16 -: {AA07EBD2-EBDD-4BD6-9F8F-114BD513492C}
    hxxp://dist.cdnetworks.co.kr/cdndist/neffynew/NeffyLauncher.cab
    c:\windows\Downloaded Program Files\NeffyLauncher.inf
    .

    **************************************************************************

    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-12-17 18:49:26
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(724)
    c:\windows\system32\Ati2evxx.dll
    .
    Completion time: 2008-12-17 18:50:29
    ComboFix-quarantined-files.txt 2008-12-18 02:49:59
    ComboFix2.txt 2008-12-18 02:44:25
    ComboFix3.txt 2008-12-17 04:18:55

    Pre-Run: 61,287,419,904 bytes free
    Post-Run: 61,267,431,424 bytes free

    233 --- E O F --- 2008-11-16 10:04:36

    HJT
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 6:55:14 PM, on 12/17/2008
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16735)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\nvraidservice.exe
    C:\WINDOWS\system32\atwtusb.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\Common Files\Logitech\LCD Manager\lcdmon.exe
    C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
    C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
    C:\Program Files\McAfee\Common Framework\UdaterUI.exe
    C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
    C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\Common Files\Logitech\LCD Manager\Applets\LCDClock.exe
    C:\Program Files\Common Files\Logitech\LCD Manager\Applets\LCDMedia.exe
    C:\Program Files\McAfee\Common Framework\McTray.exe
    C:\WINDOWS\system32\ati2sgag.exe
    C:\WINDOWS\system32\drivers\CDAC11BA.EXE
    C:\Program Files\McAfee\Common Framework\FrameworkService.exe
    C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
    C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
    C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
    C:\WINDOWS\system32\PnkBstrA.exe
    C:\WINDOWS\system32\UAService7.exe
    C:\Documents and Settings\Admin\Desktop\HiJackThis.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\wuauclt.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
    O4 - HKLM\..\Run: [NVRaidService] C:\WINDOWS\System32\nvraidservice.exe
    O4 - HKLM\..\Run: [atwtusb] atwtusb.exe beta
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [Launch LCDMon] "C:\Program Files\Common Files\Logitech\LCD Manager\lcdmon.exe"
    O4 - HKLM\..\Run: [Launch LGDCore] "C:\Program Files\Common Files\Logitech\G-series Software\LGDCore.exe" /SHOWHIDE
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
    O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
    O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [igndlm.exe] C:\Program Files\FilePlanet\Download Manager\DLM.exe /windowsstart /startifwork
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O15 - Trusted Zone: http://*.mcafee.com
    O16 - DPF: {1C3DE665-D259-4C72-9D7D-C51FCB4CCFB9} (Panasonic Network Camera) - http://219.117.194.183:84/SysCamInst.cab
    O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.srtest.com/srl_bin/sysreqlab_srl.cab
    O16 - DPF: {2E28242B-A689-11D4-80F2-0040266CBB8D} (KXHCM10 Control) - http://camera.oze-hinoemata.net/kxhcm10.ocx
    O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/ca..._2.3.7.109.cab
    O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/res...scbase6662.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1113620507093
    O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab
    O16 - DPF: {784797A8-342D-4072-9486-03C8D0F2F0A1} (Battlefield Heroes Installer) - http://t1.battlefield-heroes.com/pat...estpatcher.cab
    O16 - DPF: {87BE3784-6977-4E84-AA08-55A96B9CEAC5} (BL_Camera) - http://daichi-yokohama.homeip.net/bl_camera.ocx
    O16 - DPF: {AA07EBD2-EBDD-4BD6-9F8F-114BD513492C} (NeffyLauncherCtl Class) - http://dist.cdnetworks.co.kr/cdndist...fyLauncher.cab
    O16 - DPF: {BE833F39-1E0C-468C-BA70-25AAEE55775E} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab.cab
    O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/game...Plugin9USA.cab
    O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
    O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
    O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
    O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
    O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR1\RpcDataSrv.exe
    O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR1\RpcSandraSrv.exe
    O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Sony DADC Austria AG. - C:\WINDOWS\system32\UAService7.exe

    --
    End of file - 8845 bytes

    As for c:\windows\Downloaded Program Files\sysreqlab3.dll, it isn't shown. There are three Program Files shown as System Requirements Lab, two with a Status of Installed and one shown as Damaged. The most recently accessed one (12/17/2008), also the most recently created (5/18/2007), is the one shown as Damaged. Did a search and sysreqlab3.dll is not found. Wanted to send a screenshot but don't have a program installed on this machine to do one.

  9. #9
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208

    Default

    Hello,

    sysreqlab3.dll <-- Did some more snooping on this file and it appears ok.

    You did just fine and your logs look good

    How are things running now??
    Microsoft MVP Consumer Security 2007-2008-2009-2010-2011-2012-2013-2014

    ERROR MESSAGE 386
    No KeyBoard Detected
    Press F1 To Continue

    Just a reminder that threads will be closed if no reply in 3 days.

  10. #10
    Junior Member
    Join Date
    Dec 2008
    Posts
    13

    Default

    Haven't been getting popups but still seems to have lags where the system just freezes for a few moments. Updated and ran Spybot and found the following:
    Hint of the Day: Click the bar at the right of this to see more information! ()


    Virtumonde: [SBI $1E12D746] User settings (Registry key, nothing done)
    HKEY_USERS\S-1-5-21-1645522239-287218729-839522115-1003\Software\Microsoft\fias4013


    --- Spybot - Search & Destroy version: 1.6.0 (build: 20080729) ---

    2008-08-14 blindman.exe (1.0.0.8)
    2008-01-28 SDDelFile.exe (1.0.2.4)
    2008-08-14 SDFiles.exe (1.6.0.4)
    2008-08-14 SDMain.exe (1.0.0.6)
    2008-08-14 SDShred.exe (1.0.2.3)
    2008-08-14 SDUpdate.exe (1.6.0.9)
    2008-08-14 SDWinSec.exe (1.0.0.12)
    2008-07-30 SpybotSD.exe (1.6.0.31)
    2008-09-16 TeaTimer.exe (1.6.3.25)
    2005-10-11 unins000.exe (51.41.0.0)
    2008-08-31 unins001.exe (51.49.0.0)
    2008-08-14 Update.exe (1.6.0.7)
    2008-10-22 advcheck.dll (1.6.2.13)
    2007-04-02 aports.dll (2.1.0.0)
    2005-05-31 borlndmm.dll (7.0.4.453)
    2005-05-31 delphimm.dll (7.0.4.453)
    2008-06-14 DelZip179.dll (1.79.11.1)
    2008-09-15 SDHelper.dll (1.6.2.14)
    2008-06-19 sqlite3.dll
    2008-10-22 Tools.dll (2.1.6.8)
    2005-05-31 UnzDll.dll (1.73.1.1)
    2005-05-31 ZipDll.dll (1.73.2.0)
    2008-11-04 Includes\Adware.sbi (*)
    2008-12-09 Includes\AdwareC.sbi (*)
    2008-06-03 Includes\Cookies.sbi (*)
    2008-09-02 Includes\Dialer.sbi (*)
    2008-09-09 Includes\DialerC.sbi (*)
    2008-07-23 Includes\HeavyDuty.sbi (*)
    2008-11-18 Includes\Hijackers.sbi (*)
    2008-12-16 Includes\HijackersC.sbi (*)
    2008-12-09 Includes\Keyloggers.sbi (*)
    2008-12-16 Includes\KeyloggersC.sbi (*)
    2004-11-29 Includes\LSP.sbi (*)
    2008-11-18 Includes\Malware.sbi (*)
    2008-12-16 Includes\MalwareC.sbi (*)
    2008-12-16 Includes\PUPS.sbi (*)
    2008-12-16 Includes\PUPSC.sbi (*)
    2007-11-07 Includes\Revision.sbi (*)
    2008-06-17 Includes\Security.sbi (*)
    2008-12-16 Includes\SecurityC.sbi (*)
    2008-06-03 Includes\Spybots.sbi (*)
    2008-06-03 Includes\SpybotsC.sbi (*)
    2008-12-10 Includes\Spyware.sbi (*)
    2008-12-10 Includes\SpywareC.sbi (*)
    2008-06-03 Includes\Tracks.uti
    2008-11-04 Includes\Trojans.sbi (*)
    2008-12-16 Includes\TrojansC.sbi (*)
    2008-03-04 Plugins\Chai.dll
    2008-03-05 Plugins\Fennel.dll
    2008-02-26 Plugins\Mate.dll
    2007-12-24 Plugins\TCPIPAddress.dll

    Did the fix. TeaTimer is still disabled.
    I'll reboot and run it again and see if it recurs.

    I also installed SpywareBlaster and enabled all protection.
    I'd like to do something to clean/compact the registry when this is all done with as well.
