[itgl72]

I'm getting a combination of different bad things on this PC lately. Vundo.CJ/CI - Windows32/Heur - BHO.GPT & Pop-Ups on my browser.

I tried to read the list of what to do before hand, and think I have done them but none the less I am still at a loss here.

My browser seems to just pop up NEW windows.

After logging into windows I get error boxes poping up saying:

THE SPECIFIC MODULE COULD NOT BE FOUND

c:\windows\system32\topapope.dll
c:\windows\system32\puvizuda.dll

(The above seem to be random file names than when it first started)

Here are sine if the warnings I am getting....

AVG Threat detected!
C:\windows\system32\suwidusu.dll
Threat Name: Trojan horse BHO.GPT
Detected on Open

Also found a Trojan Horse Vundo.BZ in the C:\system_volume_information\_restore(long number)\A0168627.dll

AVG Threat Detected!
C:\windows\system32\bakivige.dll
Threat Name: Trojan horse Vundo.CJ
Detected on Open



Spybot Search & Destroy
Finds Virtumonde.prx
Autorun Settings:
HKEY_LOCAL_MACHINE_SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CPM27116F56
IN REGISTRY:

VALUE: CPM27116f56
VALUE DATA: Rundll32.exe "c:\windows\system32\topapope.dll",a

HKEY_LOCAL_MACHINE_SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wohohubake
IN REGISTRY:

VALUE: wohohubake
VALUE DATA: Rundll32.exe "C:\WINDOWS\system32\puvizuda.dll",s


VundoFix.exe DID NOT FIND anything on its scan.







Here is my hijackthislog:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:33:15 PM, on 2008-12-14
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\nHancer\nHancerService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Logitech\Gaming Software\LWEMon.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\nHancer\nHancer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\program files\steam\steam.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\AVG\AVG8\avgui.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.google.c...hp?hl=en&tab=wn
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {ca330dbe-a907-4c49-9475-46d9042dc8a2} - C:\WINDOWS\system32\zeraseba.dll (file missing)
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdmcks.dll
O4 - HKLM\..\Run: [IntelliPoint] "c:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Start WingMan Profiler] C:\Program Files\Logitech\Gaming Software\LWEMon.exe /noui
O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\WINDOWS\RaidTool\xInsIDE.exe
O4 - HKLM\..\Run: [36X Raid Configurer] C:\WINDOWS\system32\xRaidSetup.exe boot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [wohohubake] Rundll32.exe "C:\WINDOWS\system32\lepujeji.dll",s
O4 - HKLM\..\Run: [24225cca] rundll32.exe "C:\WINDOWS\system32\madujeri.dll",b
O4 - HKLM\..\Run: [CPM27116f56] Rundll32.exe "C:\WINDOWS\system32\dotewawa.dll",a
O4 - HKCU\..\Run: [nHancer] "C:\Program Files\nHancer\nHancer.exe" /tray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'c:\program files\bonjour\mdnsnsp.dll' missing
O15 - Trusted Zone: www.gamls.com
O15 - Trusted Zone: http://atl.rexplorer.net
O15 - Trusted Zone: *.rexplorer.net
O16 - DPF: {0D6709DD-4ED8-40CA-B459-2757AEEF7BEE} (Dldrv2 Control) - http://download.giga...bject/Dldrv.ocx
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {2564B8E6-7D84-11D4-A689-30475BC10000} - http://www.toolkitcm...tkweb/tkweb.cab
O16 - DPF: {4E330863-6A11-11D0-BFD8-006097237877} (InstallFromTheWeb ActiveX Control) - http://support.rexpl...l//iftwclix.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/b...lineScanner.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.co.../sysreqlab2.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx...erInstaller.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamesp...nch/alaunch.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.su...ows-i586-jc.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O16 - DPF: {F375116A-793C-11D2-BFE1-444553540001} (First American Res MapActiveX Control) - http://realist2.firs...r/mapviewer.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7BE7FCAD-85A0-4A39-AFB9-3EDC672EB886}: NameServer = 68.87.68.162,68.87.74.162
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\dotewawa.dll (file missing)
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\dotewawa.dll (file missing)
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: nHancer Support (nHancer) - KSE - Korndörfer Software Engineering - C:\Program Files\nHancer\nHancerService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 9023 bytes

[Advertisements]

While waiting, I ran Malwarebytes' Anti-Malware, and Combofix.

Below are the logs for each, if it helps...







Malwarebytes' Anti-Malware 1.31
Database version: 1500
Windows 5.1.2600 Service Pack 2

2008-12-15 1:11:39 AM
mbam-log-2008-12-15 (01-11-39).txt

Scan type: Full Scan (C:\|)
Objects scanned: 357794
Time elapsed: 54 minute(s), 48 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 5
Registry Values Infected: 5
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ca330dbe-a907-4c49-9475-46d9042dc8a2} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{ca330dbe-a907-4c49-9475-46d9042dc8a2} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wohohubake (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\24225cca (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cpm27116f56 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ssodl (Trojan.BHO) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\lepujeji.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.















COMBOFIX LOG



ComboFix 08-12-15.01 - BURNER 2008-12-15 17:24:11.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1552 [GMT -5:00]
Running from: c:\documents and settings\BURNER\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Downloaded Program Files\setup.inf
c:\windows\system32\irejudam.ini
c:\windows\system32\ojeboziy.ini
c:\windows\system32\tmp17.tmp
c:\windows\system32\tmp87.tmp
c:\windows\system32\tmp88.tmp
c:\windows\system32\usudiwus.ini

.
((((((((((((((((((((((((( Files Created from 2008-11-15 to 2008-12-15 )))))))))))))))))))))))))))))))
.

2008-12-15 17:28 . 2008-12-15 17:28 <DIR> d-------- c:\windows\LastGood
2008-12-14 12:30 . 2008-12-14 14:39 <DIR> d-------- c:\program files\EsetOnlineScanner
2008-12-11 15:46 . 2008-12-11 15:50 <DIR> d-------- c:\program files\rfactor2
2008-12-11 15:11 . 2008-12-11 15:11 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-11 15:11 . 2008-12-11 15:11 <DIR> d-------- c:\documents and settings\BURNER\Application Data\Malwarebytes
2008-12-11 15:11 . 2008-12-11 15:11 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-11 15:11 . 2008-12-03 19:58 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-11 15:11 . 2008-12-03 19:58 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-11 15:09 . 2008-12-11 15:10 <DIR> d-------- c:\program files\ERUNT
2008-12-11 13:41 . 2008-12-11 13:41 <DIR> d-------- C:\nazi_zombie_FRUmansion
2008-12-11 13:12 . 2008-12-11 13:12 43,457,096 --a------ C:\nazi_zombie_FRUmansion.rar
2008-12-09 15:59 . 2008-12-09 15:59 <DIR> d-------- C:\VundoFix Backups
2008-12-05 16:04 . 2008-12-09 16:37 327 --a------ c:\windows\wininit.ini
2008-12-05 15:35 . 2008-12-05 15:38 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-12-05 15:35 . 2008-12-05 16:57 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-05 14:57 . 2008-12-05 14:57 <DIR> d-------- c:\program files\Trend Micro
2008-12-03 17:51 . 2008-12-03 17:51 <DIR> d-------- c:\program files\AGEIA Technologies
2008-12-03 17:50 . 2008-12-03 17:50 <DIR> d-------- c:\windows\nview
2008-12-03 17:50 . 2008-11-12 13:45 453,152 --a------ c:\windows\system32\NVUNINST.EXE
2008-12-03 17:50 . 2008-11-12 14:54 453,152 --a------ c:\windows\system32\nvudisp.exe
2008-12-03 17:50 . 2008-12-15 18:54 201,519 --a------ c:\windows\system32\nvapps.xml
2008-12-03 17:50 . 2008-11-12 14:54 18,537 --a------ c:\windows\system32\nvdisp.nvu
2008-12-03 17:32 . 2008-12-03 17:32 <DIR> d-------- c:\documents and settings\Administrator
2008-12-03 17:23 . 2008-12-03 17:23 <DIR> d-------- c:\windows\RaidTool
2008-12-03 17:23 . 2008-12-03 17:23 <DIR> d-------- C:\RaidTool
2008-12-03 17:23 . 2007-11-19 11:28 1,966,080 --a------ c:\windows\system32\xRaidSetup.exe
2008-12-03 17:23 . 2008-03-19 10:54 151,552 --a------ c:\windows\system32\xRaidAPI.dll
2008-12-03 17:19 . 2008-12-03 17:19 <DIR> d-------- c:\program files\Marvell
2008-12-03 17:12 . 2008-12-03 17:12 <DIR> d-------- C:\Intel
2008-12-03 17:12 . 2007-07-26 16:15 53,248 --a------ c:\windows\system32\CSVer.dll
2008-12-03 14:18 . 2008-12-03 14:21 5,318 --a------ c:\windows\system32\huadio.tmp
2008-12-03 10:06 . 2008-12-03 10:06 <DIR> d-------- c:\program files\Belarc
2008-12-03 10:06 . 2008-02-27 12:49 3,840 --a------ c:\windows\system32\drivers\BANTExt.sys
2008-11-28 15:42 . 2008-11-28 15:48 0 --a------ C:\FileOut.Cns
2008-11-28 15:42 . 2008-11-28 15:48 0 --a------ C:\FileIn.Cns

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-15 23:54 --------- d-----w c:\program files\Steam
2008-12-15 03:48 139,280 ----a-w c:\windows\system32\drivers\PnkBstrK.sys
2008-12-15 02:12 --------- d-----w c:\documents and settings\BURNER\Application Data\Free Download Manager
2008-12-11 19:35 --------- d-----w c:\documents and settings\BURNER\Application Data\FileZilla
2008-12-03 23:48 --------- d-----w c:\documents and settings\BURNER\Application Data\Autosim Analyzer
2008-12-03 22:53 --------- d-----w c:\documents and settings\All Users\Application Data\nHancer
2008-12-03 22:51 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-12-03 22:45 --------- d-----w c:\program files\DriverCleanerDotNET
2008-12-03 19:00 --------- d-----w c:\documents and settings\BURNER\Application Data\uTorrent
2008-12-02 18:32 --------- d-----w c:\program files\Electronic Arts
2008-12-01 22:23 --------- d-----w c:\program files\rFactor
2008-12-01 02:09 --------- d-----w c:\documents and settings\BURNER\Application Data\Red Alert 3
2008-11-26 21:30 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-11-12 19:54 6,188,320 ----a-w c:\windows\system32\drivers\nv4_mini.sys
2008-11-11 18:53 --------- d-----w c:\program files\Activision
2008-11-11 16:24 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-11 16:11 22,328 ----a-w c:\documents and settings\BURNER\Application Data\PnkBstrK.sys
2008-11-10 04:43 --------- d-----w c:\program files\ARCA Remax
2008-11-03 20:15 --------- d-----w c:\documents and settings\BURNER\Application Data\Publish Providers
2008-11-02 20:07 --------- d-----w c:\program files\ARCA Evolution
2008-11-01 23:21 --------- d-----w c:\program files\GameSpy
2008-11-01 20:07 --------- d-----w c:\program files\ZD Soft
2008-11-01 19:59 --------- d-----w c:\program files\Score4
2008-11-01 19:59 --------- d-----w c:\program files\GPLForever
2008-11-01 19:54 --------- d-----w c:\documents and settings\All Users\Application Data\Codemasters
2008-10-29 02:36 73,216 ----a-w c:\windows\ST6UNST.EXE
2008-10-29 02:36 286,720 ------w c:\windows\Setup1.exe
2008-10-24 11:10 453,632 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-17 20:39 --------- d-----w c:\program files\ffdshow
2008-04-28 00:15 0 ---h--w c:\documents and settings\All Users\Application Data\PKP_DLds.DAT
2004-08-10 03:30 40,960 ----a-w c:\program files\Uninstall_CDS.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nHancer"="c:\program files\nHancer\nHancer.exe" [2007-10-31 1519616]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"Steam"="c:\program files\steam\steam.exe" [2008-11-08 1410296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2007-02-05 849280]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-04-27 282624]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-11-27 1261336]
"Start WingMan Profiler"="c:\program files\Logitech\Gaming Software\LWEMon.exe" [2008-04-04 88584]
"JMB36X IDE Setup"="c:\windows\RaidTool\xInsIDE.exe" [2007-03-20 36864]
"36X Raid Configurer"="c:\windows\system32\xRaidSetup.exe" [2007-11-19 1966080]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-11-12 13672448]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-11-12 86016]
"nwiz"="nwiz.exe" [2008-11-12 c:\windows\system32\nwiz.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.dvacm"= dvacm.acm

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
--a------ 2007-03-12 12:49 153136 c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 00:56 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GBB36X Configure]
-r------- 2006-07-12 04:58 356352 c:\windows\system32\JMRaidTool.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
--a------ 2005-02-17 06:15 221184 c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a------ 2005-02-17 06:15 81920 c:\program files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2007-04-27 10:25 257088 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2007-03-09 17:53 153136 c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-04-27 08:41 282624 c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
--a------ 2004-06-28 20:29 32768 c:\program files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-03-14 02:43 83608 c:\program files\Java\jre1.6.0_01\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
--a------ 2006-12-12 20:33 69632 c:\windows\Alcmtr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
--a------ 2006-12-12 20:33 16270848 c:\windows\RTHDCPL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]
--a------ 2006-12-12 20:33 2879488 c:\windows\SkyTel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\GIGABYTE\\@BIOS\\GWF32.EXE"=
"c:\\WINDOWS\\system32\\dpnsvr.exe"=
"c:\\Program Files\\EA GAMES\\Command & Conquer The First Decade\\Command & Conquer™ Generals Zero Hour\\generals.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\GameSpy Arcade\\Aphex.exe"=
"c:\\Program Files\\Papyrus\\NASCAR Racing 2003 Season\\NR2003.exe"=
"c:\\Program Files\\Java\\jre1.6.0_01\\bin\\javaw.exe"=
"c:\\Program Files\\UltraVnc\\vncviewer.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\GIGABYTE\\ET5\\update.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\DropBox\\DropBox\\DropBox.exe"=
"c:\\Program Files\\ARCA Remax\\ARCA.exe"=
"c:\\Program Files\\Ubisoft\\IL-2 Sturmovik 1946\\il2fb.exe"=
"\\\\192.168.1.50\\d$\\IL2DedicatedServer\\il2server.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"c:\\Program Files\\Adobe\\Adobe Dreamweaver CS3\\Dreamweaver2.exe"=
"c:\\Program Files\\rFactor\\rFactor.exe"=
"c:\\Program Files\\rFactor\\rFactor Dedicated.exe"=
"c:\\Program Files\\SimTools\\SimAdapter\\SimAdapter.exe"=
"c:\\Program Files\\SimTools\\SimView\\SimView.exe"=
"c:\\Program Files\\EA GAMES\\MOHAA\\MOHAA.exe"=
"c:\\Program Files\\GameSpy\\Comrade\\Comrade.exe"=
"c:\\Program Files\\ARCA Evolution\\ARCA.exe"=
"c:\\Program Files\\Activision\\Call of Duty - World at War\\CoDWaW.exe"=
"c:\\Program Files\\Activision\\Call of Duty - World at War\\CoDWaWmp.exe"=
"c:\\Program Files\\Electronic Arts\\Red Alert 3\\Data\\ra3_1.4.game"=
"c:\\Program Files\\Steam\\steamapps\\common\\left 4 dead\\left4dead.exe"=
"c:\\Program Files\\Steam\\Steam.exe"=
"c:\\Program Files\\Common Files\\Microsoft Shared\\VS7DEBUG\\MDM.EXE"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"135:TCP"= 135:TCP:TCP Port 135
"5000:TCP"= 5000:TCP:TCP Port 5000
"5001:TCP"= 5001:TCP:TCP Port 5001
"5002:TCP"= 5002:TCP:TCP Port 5002
"5003:TCP"= 5003:TCP:TCP Port 5003
"5004:TCP"= 5004:TCP:TCP Port 5004
"5005:TCP"= 5005:TCP:TCP Port 5005
"5006:TCP"= 5006:TCP:TCP Port 5006
"5007:TCP"= 5007:TCP:TCP Port 5007
"5008:TCP"= 5008:TCP:TCP Port 5008
"5009:TCP"= 5009:TCP:TCP Port 5009
"5010:TCP"= 5010:TCP:TCP Port 5010
"5011:TCP"= 5011:TCP:TCP Port 5011
"5012:TCP"= 5012:TCP:TCP Port 5012
"5013:TCP"= 5013:TCP:TCP Port 5013
"5014:TCP"= 5014:TCP:TCP Port 5014
"5015:TCP"= 5015:TCP:TCP Port 5015
"5016:TCP"= 5016:TCP:TCP Port 5016
"5017:TCP"= 5017:TCP:TCP Port 5017
"5018:TCP"= 5018:TCP:TCP Port 5018
"5019:TCP"= 5019:TCP:TCP Port 5019
"5020:TCP"= 5020:TCP:TCP Port 5020
"5900:TCP"= 5900:TCP:vnc5900
"5800:TCP"= 5800:TCP:vnc5800

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-06-27 97928]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-06-27 231704]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\Viewpoint\Common\ViewpointService.exe" [2008-07-04 24652]
R3 bcgame;Nostromo HID Device Minidriver;c:\windows\system32\drivers\bcgame.sys [2003-07-24 22821]
R3 chdrvr01;CH Control Manager Driver 1;c:\windows\system32\DRIVERS\chdrvr01.sys [2007-07-10 215104]
R3 chdrvr02;CH Control Manager Driver 2;c:\windows\system32\DRIVERS\chdrvr02.sys [2007-07-10 3744]
R3 chdrvr03;CH Control Manager Driver 3;c:\windows\system32\DRIVERS\chdrvr03.sys [2007-07-10 9024]
R3 NPUSB;NPUSB;c:\windows\system32\DRIVERS\npusb.sys [2007-12-13 22816]
S3 huadio;huadio;\??\c:\windows\system32\huadio.tmp [2008-12-03 5318]
S3 SaiH0109;SaiH0109;c:\windows\system32\DRIVERS\SaiH0109.sys [2005-11-03 176640]
S3 SaiU0109;SaiU0109;c:\windows\system32\DRIVERS\SaiU0109.sys [2005-11-03 27264]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\Setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\Shell\AutoRun\command - G:\Setup.exe
.
Contents of the 'Scheduled Tasks' folder

2008-11-21 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2008\OneClick.exe []
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-AVG7_CC - c:\progra~1\Grisoft\AVG7\avgcc.exe
MSConfigStartUp-Start WingMan Profiler - c:\program files\Logitech\Profiler\lwemon.exe
MSConfigStartUp-swg - c:\program files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://news.google.com/nwshp?hl=en&tab=wn
uInternet Settings,ProxyOverride = *.local
IE: Download all with Free Download Manager - file://c:\program files\Free Download Manager\dlall.htm
IE: Download selected with Free Download Manager - file://c:\program files\Free Download Manager\dlselected.htm
IE: Download with Free Download Manager - file://c:\program files\Free Download Manager\dllink.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
Trusted Zone: www.gamls.com
Trusted Zone: *.rexplorer.net
TCP: {7BE7FCAD-85A0-4A39-AFB9-3EDC672EB886} = 68.87.68.162,68.87.74.162

O16 -: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd

c:\windows\system32\TKUNINST.EXE - c:\windows\system32\TKWEB.OCX
O16 -: {2564B8E6-7D84-11D4-A689-30475BC10000}
hxxp://www.toolkitcma.com/tkweb/tkweb.cab
c:\windows\Downloaded Program Files\tkweb.inf

c:\windows\Downloaded Program Files\mapviewer.ocx - O16 -: {F375116A-793C-11D2-BFE1-444553540001}
hxxp://realist2.firstamres.com/mapviewer/mapviewer.cab
FF - ProfilePath - c:\documents and settings\BURNER\Application Data\Mozilla\Firefox\Profiles\7cplr6vc.default\
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-15 18:53:59
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\huadio]
"ImagePath"="\??\c:\windows\system32\huadio.tmp"
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\nHancer\nHancerService.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\PnkBstrA.exe
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe
c:\windows\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2008-12-15 18:59:12 - machine was rebooted [BURNER]
ComboFix-quarantined-files.txt 2008-12-15 23:59:09

Pre-Run: 2,459,934,720 bytes free
Post-Run: 3,372,171,264 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

281 --- E O F --- 2008-11-19 01:41:30

[itgl72]

While waiting, I ran Malwarebytes' Anti-Malware, and Combofix.

Below are the logs for each, if it helps...







Malwarebytes' Anti-Malware 1.31
Database version: 1500
Windows 5.1.2600 Service Pack 2

2008-12-15 1:11:39 AM
mbam-log-2008-12-15 (01-11-39).txt

Scan type: Full Scan (C:\|)
Objects scanned: 357794
Time elapsed: 54 minute(s), 48 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 5
Registry Values Infected: 5
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ca330dbe-a907-4c49-9475-46d9042dc8a2} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{ca330dbe-a907-4c49-9475-46d9042dc8a2} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wohohubake (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\24225cca (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cpm27116f56 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ssodl (Trojan.BHO) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\lepujeji.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.















COMBOFIX LOG



ComboFix 08-12-15.01 - BURNER 2008-12-15 17:24:11.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1552 [GMT -5:00]
Running from: c:\documents and settings\BURNER\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Downloaded Program Files\setup.inf
c:\windows\system32\irejudam.ini
c:\windows\system32\ojeboziy.ini
c:\windows\system32\tmp17.tmp
c:\windows\system32\tmp87.tmp
c:\windows\system32\tmp88.tmp
c:\windows\system32\usudiwus.ini

.
((((((((((((((((((((((((( Files Created from 2008-11-15 to 2008-12-15 )))))))))))))))))))))))))))))))
.

2008-12-15 17:28 . 2008-12-15 17:28 <DIR> d-------- c:\windows\LastGood
2008-12-14 12:30 . 2008-12-14 14:39 <DIR> d-------- c:\program files\EsetOnlineScanner
2008-12-11 15:46 . 2008-12-11 15:50 <DIR> d-------- c:\program files\rfactor2
2008-12-11 15:11 . 2008-12-11 15:11 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-11 15:11 . 2008-12-11 15:11 <DIR> d-------- c:\documents and settings\BURNER\Application Data\Malwarebytes
2008-12-11 15:11 . 2008-12-11 15:11 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-11 15:11 . 2008-12-03 19:58 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-11 15:11 . 2008-12-03 19:58 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-11 15:09 . 2008-12-11 15:10 <DIR> d-------- c:\program files\ERUNT
2008-12-11 13:41 . 2008-12-11 13:41 <DIR> d-------- C:\nazi_zombie_FRUmansion
2008-12-11 13:12 . 2008-12-11 13:12 43,457,096 --a------ C:\nazi_zombie_FRUmansion.rar
2008-12-09 15:59 . 2008-12-09 15:59 <DIR> d-------- C:\VundoFix Backups
2008-12-05 16:04 . 2008-12-09 16:37 327 --a------ c:\windows\wininit.ini
2008-12-05 15:35 . 2008-12-05 15:38 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-12-05 15:35 . 2008-12-05 16:57 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-05 14:57 . 2008-12-05 14:57 <DIR> d-------- c:\program files\Trend Micro
2008-12-03 17:51 . 2008-12-03 17:51 <DIR> d-------- c:\program files\AGEIA Technologies
2008-12-03 17:50 . 2008-12-03 17:50 <DIR> d-------- c:\windows\nview
2008-12-03 17:50 . 2008-11-12 13:45 453,152 --a------ c:\windows\system32\NVUNINST.EXE
2008-12-03 17:50 . 2008-11-12 14:54 453,152 --a------ c:\windows\system32\nvudisp.exe
2008-12-03 17:50 . 2008-12-15 18:54 201,519 --a------ c:\windows\system32\nvapps.xml
2008-12-03 17:50 . 2008-11-12 14:54 18,537 --a------ c:\windows\system32\nvdisp.nvu
2008-12-03 17:32 . 2008-12-03 17:32 <DIR> d-------- c:\documents and settings\Administrator
2008-12-03 17:23 . 2008-12-03 17:23 <DIR> d-------- c:\windows\RaidTool
2008-12-03 17:23 . 2008-12-03 17:23 <DIR> d-------- C:\RaidTool
2008-12-03 17:23 . 2007-11-19 11:28 1,966,080 --a------ c:\windows\system32\xRaidSetup.exe
2008-12-03 17:23 . 2008-03-19 10:54 151,552 --a------ c:\windows\system32\xRaidAPI.dll
2008-12-03 17:19 . 2008-12-03 17:19 <DIR> d-------- c:\program files\Marvell
2008-12-03 17:12 . 2008-12-03 17:12 <DIR> d-------- C:\Intel
2008-12-03 17:12 . 2007-07-26 16:15 53,248 --a------ c:\windows\system32\CSVer.dll
2008-12-03 14:18 . 2008-12-03 14:21 5,318 --a------ c:\windows\system32\huadio.tmp
2008-12-03 10:06 . 2008-12-03 10:06 <DIR> d-------- c:\program files\Belarc
2008-12-03 10:06 . 2008-02-27 12:49 3,840 --a------ c:\windows\system32\drivers\BANTExt.sys
2008-11-28 15:42 . 2008-11-28 15:48 0 --a------ C:\FileOut.Cns
2008-11-28 15:42 . 2008-11-28 15:48 0 --a------ C:\FileIn.Cns

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-15 23:54 --------- d-----w c:\program files\Steam
2008-12-15 03:48 139,280 ----a-w c:\windows\system32\drivers\PnkBstrK.sys
2008-12-15 02:12 --------- d-----w c:\documents and settings\BURNER\Application Data\Free Download Manager
2008-12-11 19:35 --------- d-----w c:\documents and settings\BURNER\Application Data\FileZilla
2008-12-03 23:48 --------- d-----w c:\documents and settings\BURNER\Application Data\Autosim Analyzer
2008-12-03 22:53 --------- d-----w c:\documents and settings\All Users\Application Data\nHancer
2008-12-03 22:51 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-12-03 22:45 --------- d-----w c:\program files\DriverCleanerDotNET
2008-12-03 19:00 --------- d-----w c:\documents and settings\BURNER\Application Data\uTorrent
2008-12-02 18:32 --------- d-----w c:\program files\Electronic Arts
2008-12-01 22:23 --------- d-----w c:\program files\rFactor
2008-12-01 02:09 --------- d-----w c:\documents and settings\BURNER\Application Data\Red Alert 3
2008-11-26 21:30 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-11-12 19:54 6,188,320 ----a-w c:\windows\system32\drivers\nv4_mini.sys
2008-11-11 18:53 --------- d-----w c:\program files\Activision
2008-11-11 16:24 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-11 16:11 22,328 ----a-w c:\documents and settings\BURNER\Application Data\PnkBstrK.sys
2008-11-10 04:43 --------- d-----w c:\program files\ARCA Remax
2008-11-03 20:15 --------- d-----w c:\documents and settings\BURNER\Application Data\Publish Providers
2008-11-02 20:07 --------- d-----w c:\program files\ARCA Evolution
2008-11-01 23:21 --------- d-----w c:\program files\GameSpy
2008-11-01 20:07 --------- d-----w c:\program files\ZD Soft
2008-11-01 19:59 --------- d-----w c:\program files\Score4
2008-11-01 19:59 --------- d-----w c:\program files\GPLForever
2008-11-01 19:54 --------- d-----w c:\documents and settings\All Users\Application Data\Codemasters
2008-10-29 02:36 73,216 ----a-w c:\windows\ST6UNST.EXE
2008-10-29 02:36 286,720 ------w c:\windows\Setup1.exe
2008-10-24 11:10 453,632 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-17 20:39 --------- d-----w c:\program files\ffdshow
2008-04-28 00:15 0 ---h--w c:\documents and settings\All Users\Application Data\PKP_DLds.DAT
2004-08-10 03:30 40,960 ----a-w c:\program files\Uninstall_CDS.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nHancer"="c:\program files\nHancer\nHancer.exe" [2007-10-31 1519616]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"Steam"="c:\program files\steam\steam.exe" [2008-11-08 1410296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2007-02-05 849280]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-04-27 282624]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-11-27 1261336]
"Start WingMan Profiler"="c:\program files\Logitech\Gaming Software\LWEMon.exe" [2008-04-04 88584]
"JMB36X IDE Setup"="c:\windows\RaidTool\xInsIDE.exe" [2007-03-20 36864]
"36X Raid Configurer"="c:\windows\system32\xRaidSetup.exe" [2007-11-19 1966080]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-11-12 13672448]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-11-12 86016]
"nwiz"="nwiz.exe" [2008-11-12 c:\windows\system32\nwiz.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.dvacm"= dvacm.acm

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
--a------ 2007-03-12 12:49 153136 c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 00:56 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GBB36X Configure]
-r------- 2006-07-12 04:58 356352 c:\windows\system32\JMRaidTool.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
--a------ 2005-02-17 06:15 221184 c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a------ 2005-02-17 06:15 81920 c:\program files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2007-04-27 10:25 257088 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2007-03-09 17:53 153136 c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-04-27 08:41 282624 c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
--a------ 2004-06-28 20:29 32768 c:\program files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-03-14 02:43 83608 c:\program files\Java\jre1.6.0_01\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
--a------ 2006-12-12 20:33 69632 c:\windows\Alcmtr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
--a------ 2006-12-12 20:33 16270848 c:\windows\RTHDCPL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]
--a------ 2006-12-12 20:33 2879488 c:\windows\SkyTel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\GIGABYTE\\@BIOS\\GWF32.EXE"=
"c:\\WINDOWS\\system32\\dpnsvr.exe"=
"c:\\Program Files\\EA GAMES\\Command & Conquer The First Decade\\Command & Conquer™ Generals Zero Hour\\generals.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\GameSpy Arcade\\Aphex.exe"=
"c:\\Program Files\\Papyrus\\NASCAR Racing 2003 Season\\NR2003.exe"=
"c:\\Program Files\\Java\\jre1.6.0_01\\bin\\javaw.exe"=
"c:\\Program Files\\UltraVnc\\vncviewer.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\GIGABYTE\\ET5\\update.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\DropBox\\DropBox\\DropBox.exe"=
"c:\\Program Files\\ARCA Remax\\ARCA.exe"=
"c:\\Program Files\\Ubisoft\\IL-2 Sturmovik 1946\\il2fb.exe"=
"\\\\192.168.1.50\\d$\\IL2DedicatedServer\\il2server.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"c:\\Program Files\\Adobe\\Adobe Dreamweaver CS3\\Dreamweaver2.exe"=
"c:\\Program Files\\rFactor\\rFactor.exe"=
"c:\\Program Files\\rFactor\\rFactor Dedicated.exe"=
"c:\\Program Files\\SimTools\\SimAdapter\\SimAdapter.exe"=
"c:\\Program Files\\SimTools\\SimView\\SimView.exe"=
"c:\\Program Files\\EA GAMES\\MOHAA\\MOHAA.exe"=
"c:\\Program Files\\GameSpy\\Comrade\\Comrade.exe"=
"c:\\Program Files\\ARCA Evolution\\ARCA.exe"=
"c:\\Program Files\\Activision\\Call of Duty - World at War\\CoDWaW.exe"=
"c:\\Program Files\\Activision\\Call of Duty - World at War\\CoDWaWmp.exe"=
"c:\\Program Files\\Electronic Arts\\Red Alert 3\\Data\\ra3_1.4.game"=
"c:\\Program Files\\Steam\\steamapps\\common\\left 4 dead\\left4dead.exe"=
"c:\\Program Files\\Steam\\Steam.exe"=
"c:\\Program Files\\Common Files\\Microsoft Shared\\VS7DEBUG\\MDM.EXE"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"135:TCP"= 135:TCP:TCP Port 135
"5000:TCP"= 5000:TCP:TCP Port 5000
"5001:TCP"= 5001:TCP:TCP Port 5001
"5002:TCP"= 5002:TCP:TCP Port 5002
"5003:TCP"= 5003:TCP:TCP Port 5003
"5004:TCP"= 5004:TCP:TCP Port 5004
"5005:TCP"= 5005:TCP:TCP Port 5005
"5006:TCP"= 5006:TCP:TCP Port 5006
"5007:TCP"= 5007:TCP:TCP Port 5007
"5008:TCP"= 5008:TCP:TCP Port 5008
"5009:TCP"= 5009:TCP:TCP Port 5009
"5010:TCP"= 5010:TCP:TCP Port 5010
"5011:TCP"= 5011:TCP:TCP Port 5011
"5012:TCP"= 5012:TCP:TCP Port 5012
"5013:TCP"= 5013:TCP:TCP Port 5013
"5014:TCP"= 5014:TCP:TCP Port 5014
"5015:TCP"= 5015:TCP:TCP Port 5015
"5016:TCP"= 5016:TCP:TCP Port 5016
"5017:TCP"= 5017:TCP:TCP Port 5017
"5018:TCP"= 5018:TCP:TCP Port 5018
"5019:TCP"= 5019:TCP:TCP Port 5019
"5020:TCP"= 5020:TCP:TCP Port 5020
"5900:TCP"= 5900:TCP:vnc5900
"5800:TCP"= 5800:TCP:vnc5800

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-06-27 97928]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-06-27 231704]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\Viewpoint\Common\ViewpointService.exe" [2008-07-04 24652]
R3 bcgame;Nostromo HID Device Minidriver;c:\windows\system32\drivers\bcgame.sys [2003-07-24 22821]
R3 chdrvr01;CH Control Manager Driver 1;c:\windows\system32\DRIVERS\chdrvr01.sys [2007-07-10 215104]
R3 chdrvr02;CH Control Manager Driver 2;c:\windows\system32\DRIVERS\chdrvr02.sys [2007-07-10 3744]
R3 chdrvr03;CH Control Manager Driver 3;c:\windows\system32\DRIVERS\chdrvr03.sys [2007-07-10 9024]
R3 NPUSB;NPUSB;c:\windows\system32\DRIVERS\npusb.sys [2007-12-13 22816]
S3 huadio;huadio;\??\c:\windows\system32\huadio.tmp [2008-12-03 5318]
S3 SaiH0109;SaiH0109;c:\windows\system32\DRIVERS\SaiH0109.sys [2005-11-03 176640]
S3 SaiU0109;SaiU0109;c:\windows\system32\DRIVERS\SaiU0109.sys [2005-11-03 27264]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\Setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\Shell\AutoRun\command - G:\Setup.exe
.
Contents of the 'Scheduled Tasks' folder

2008-11-21 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2008\OneClick.exe []
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-AVG7_CC - c:\progra~1\Grisoft\AVG7\avgcc.exe
MSConfigStartUp-Start WingMan Profiler - c:\program files\Logitech\Profiler\lwemon.exe
MSConfigStartUp-swg - c:\program files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://news.google.com/nwshp?hl=en&tab=wn
uInternet Settings,ProxyOverride = *.local
IE: Download all with Free Download Manager - file://c:\program files\Free Download Manager\dlall.htm
IE: Download selected with Free Download Manager - file://c:\program files\Free Download Manager\dlselected.htm
IE: Download with Free Download Manager - file://c:\program files\Free Download Manager\dllink.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
Trusted Zone: www.gamls.com
Trusted Zone: *.rexplorer.net
TCP: {7BE7FCAD-85A0-4A39-AFB9-3EDC672EB886} = 68.87.68.162,68.87.74.162

O16 -: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd

c:\windows\system32\TKUNINST.EXE - c:\windows\system32\TKWEB.OCX
O16 -: {2564B8E6-7D84-11D4-A689-30475BC10000}
hxxp://www.toolkitcma.com/tkweb/tkweb.cab
c:\windows\Downloaded Program Files\tkweb.inf

c:\windows\Downloaded Program Files\mapviewer.ocx - O16 -: {F375116A-793C-11D2-BFE1-444553540001}
hxxp://realist2.firstamres.com/mapviewer/mapviewer.cab
FF - ProfilePath - c:\documents and settings\BURNER\Application Data\Mozilla\Firefox\Profiles\7cplr6vc.default\
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-15 18:53:59
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\huadio]
"ImagePath"="\??\c:\windows\system32\huadio.tmp"
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\nHancer\nHancerService.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\PnkBstrA.exe
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe
c:\windows\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2008-12-15 18:59:12 - machine was rebooted [BURNER]
ComboFix-quarantined-files.txt 2008-12-15 23:59:09

Pre-Run: 2,459,934,720 bytes free
Post-Run: 3,372,171,264 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

281 --- E O F --- 2008-11-19 01:41:30