Virus again or something.

Status
Not open for further replies.

Dustin123 (Baseband Member, 61 messages)
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:41:38 PM, on 11/23/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18319)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Fraps\fraps.exe
C:\Windows\Explorer.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Internet Download Manager\IDMan.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Internet Download Manager\IEMonitor.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Ventrilo\Ventrilo.exe
C:\Program Files\Ventrilo\Ventrilo.exe
C:\Program Files\Ventrilo\Ventrilo.exe
C:\Windows\system32\conime.exe
C:\Program Files\Xfire\Xfire.exe
C:\Program Files\Winamp\winamp.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Ventrilo\Ventrilo.exe
C:\Windows\%windir%\WinVar32.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Dung\Documents\Downloads\Programs\HiJackThis.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O1 - Hosts: 74.200.6.155 subagames.com
O1 - Hosts: 74.200.6.156 ace.subagames.com
O1 - Hosts: 74.200.6.240 clan.subagames.com
O1 - Hosts: 74.200.6.156 crossfire.subagames.com
O1 - Hosts: 208.68.89.101 dl1.subagames.com
O1 - Hosts: 74.200.6.219 dl11.subagames.com
O1 - Hosts: 74.200.6.207 dl12.subagames.com
O1 - Hosts: 208.68.89.102 dl2.subagames.com
O1 - Hosts: 38.107.190.21 dl21.subagames.com
O1 - Hosts: 38.107.190.22 dl22.subagames.com
O1 - Hosts: 38.107.190.23 dl23.subagames.com
O1 - Hosts: 38.107.190.24 dl24.subagames.com
O1 - Hosts: 208.68.89.103 dl3.subagames.com
O1 - Hosts: 208.68.89.104 dl4.subagames.com
O1 - Hosts: 208.68.89.105 dl5.subagames.com
O1 - Hosts: 208.68.89.106 dl6.subagames.com
O1 - Hosts: 74.200.6.240 launcher.subagames.com
O1 - Hosts: 74.200.6.155 mall.subagames.com
O1 - Hosts: 208.68.90.106 media.subagames.com
O1 - Hosts: 74.200.6.156 metin2.subagames.com
O1 - Hosts: 74.200.6.240 my.subagames.com
O1 - Hosts: 74.200.6.155 payment.subagames.com
O1 - Hosts: 74.200.6.238 pristonclan.subagames.com
O1 - Hosts: 74.200.6.156 pt1.subagames.com
O1 - Hosts: 74.200.6.240 tournament.subagames.com
O1 - Hosts: 74.200.6.155 Welcome to SubaGames.com
O1 - Hosts: 74.200.6.156 pt2.subagames.com
O1 - Hosts: 208.68.89.105 pt2patch.subagames.com
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [RivaTunerStartupDaemon] "C:\Program Files\RivaTuner v2.24 MSI Master Overclocking Arena 2009 edition\RivaTunerWrapper.exe" /S
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [RaidDrivers] C:\Windows\%windir%\WinVar32.exe
O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [IDMan] C:\Program Files\Internet Download Manager\IDMan.exe /onboot
O4 - HKCU\..\Run: [RaidDrivers] C:\Windows\%windir%\WinVar32.exe
O4 - HKLM\..\Policies\Explorer\Run: [Policies] C:\Windows\%windir%\WinVar32.exe
O4 - HKCU\..\Policies\Explorer\Run: [Policies] C:\Windows\%windir%\WinVar32.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: Full access on his account.lnk = C:\WINDOWS\system32\shutdown.exe
O8 - Extra context menu item: Download all links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download FLV video content with IDM - C:\Program Files\Internet Download Manager\IEGetVL.htm
O8 - Extra context menu item: Download Link Using Mega Manager... - C:\Program Files\Megaupload\Mega Manager\mm_file.htm
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {4A85DBE0-BFB2-4119-8401-186A7C6EB653} - http://messenger.zone.msn.com/MessengerGamesContent/GameContent/Default/mjss/MJSS.cab109791.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\Windows\system32\GameMon.des.exe (file missing)
O23 - Service: OpenVPN Service (OpenVPNService) - Unknown owner - C:\Program Files\OpenVPN\bin\openvpnserv.exe
O23 - Service: TeamViewer 4 (TeamViewer4) - TeamViewer GmbH - C:\Program Files\TeamViewer\Version4\TeamViewer_Service.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 7230 bytes
Found about 3 infected items in the Malwarebytes scan. >_>
 
Can I see the Malwarebytes log as well?

Code:
Malwarebytes' Anti-Malware 1.39
Database version: 2536
Windows 6.0.6001 Service Pack 1

11/24/2009 12:33:08 AM
mbam-log-2009-11-24 (00-33-08).txt

Scan type: Quick Scan
Objects scanned: 84992
Time elapsed: 4 minute(s), 20 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{10e0obo6-5ux8-70e2-lt0b-tb0nq1340ix4} (Generic.Bot.H) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

My bad for not coding it; I ran ComboFix because I was getting lazy. >_>

This one was before ComboFix:
Code:
Malwarebytes' Anti-Malware 1.39
Database version: 2536
Windows 6.0.6001 Service Pack 1

11/23/2009 1:35:28 PM
mbam-log-2009-11-23 (13-35-28).txt

Scan type: Quick Scan
Objects scanned: 85772
Time elapsed: 4 minute(s), 44 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{10e0obo6-5ux8-70e2-lt0b-tb0nq1340ix4} (Generic.Bot.H) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RaidDrivers (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RaidDrivers (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Windows\%windir%\WinVar32.exe (Generic.Bot.H) -> Delete on reboot.
c:\Users\Dung\Desktop\AS-800x600.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
 
Where is the ComboFix log located?

Because after I ran ComboFix it restarted my computer like it always did, and this time I couldn't open any programs, so I restarted my computer and lost the log. >___>

Nvm, found it.
Code:
ComboFix 09-11-22.08 - Dung 3/2009 Mon 13:56.1.2 - x86
Microsoft® Windows Vista™ Home Premium   6.0.6001.1.949.82.1033.18.3070.1884 [GMT -8:00]
Running from: c:\users\Dung\Documents\Downloads\Programs\ComboFix.exe
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\users\Dung\AppData\Local\Microsoft\Windows\Temporary Internet Files\ijjistarter_verinfo.dat
c:\windows\system32\Drivers\fmhlzgw.sys
c:\windows\system32\Drivers\zldbshrp.sys

.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_msogko
-------\Service_okgdpyar


(((((((((((((((((((((((((   Files Created from 2009-10-23 to 2009-11-23  )))))))))))))))))))))))))))))))
.

2009-11-23 22:05 . 2009-11-23 22:08	4096	d-----w-	c:\users\Dung\AppData\Local\temp
2009-11-23 22:05 . 2009-11-23 22:05	--------	d-----w-	c:\users\Default\AppData\Local\temp
2009-11-23 21:51 . 2009-11-23 21:51	49152	d-----w-	C:\32788R22FWJFW
2009-11-11 04:03 . 2009-08-14 13:53	2035712	----a-w-	c:\windows\system32\win32k.sys
2009-11-11 04:03 . 2009-08-10 13:05	351232	----a-w-	c:\windows\system32\WSDApi.dll
2009-11-09 23:51 . 2009-11-09 23:51	--------	d-----w-	c:\program files\Microsoft
2009-11-06 02:14 . 2009-11-06 02:14	41872	----a-w-	c:\windows\system32\xfcodec.dll
2009-10-31 01:57 . 2009-10-31 01:57	--------	d-----w-	c:\users\Dung\AppData\Roaming\CyberLink
2009-10-31 01:57 . 2009-10-31 01:57	--------	d-----w-	c:\programdata\CyberLink
2009-10-27 22:22 . 2009-09-10 15:21	310784	----a-w-	c:\windows\system32\unregmp2.exe
2009-10-27 22:22 . 2009-09-10 15:21	8147456	----a-w-	c:\windows\system32\wmploc.DLL

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-23 22:08 . 2009-08-02 04:04	28672	----a-w-	c:\users\Dung\AppData\Roaming\IDM\NP_IDM5.dll
2009-11-23 22:08 . 2009-08-02 04:04	28672	----a-w-	c:\users\Dung\AppData\Roaming\IDM\NP_IDM4.dll
2009-11-23 22:08 . 2009-08-02 04:04	4096	d-----w-	c:\users\Dung\AppData\Roaming\IDM
2009-11-23 22:08 . 2009-08-02 04:04	28672	----a-w-	c:\users\Dung\AppData\Roaming\IDM\NP_IDM3.dll
2009-11-23 22:08 . 2009-08-02 04:04	28672	----a-w-	c:\users\Dung\AppData\Roaming\IDM\NP_IDM2.dll
2009-11-23 22:08 . 2009-08-02 04:04	28672	----a-w-	c:\users\Dung\AppData\Roaming\IDM\NP_IDM1.dll
2009-11-23 22:08 . 2009-09-19 02:44	25600	----a-w-	c:\windows\system32\wcdrtc32.dll
2009-11-23 22:08 . 2009-08-02 04:04	--------	d-----w-	c:\users\Dung\AppData\Roaming\DMCache
2009-11-23 22:07 . 2009-07-18 19:18	4096	d-----w-	c:\programdata\Xfire
2009-11-23 22:07 . 2009-07-18 19:18	8192	d-----w-	c:\program files\Xfire
2009-11-23 22:04 . 2005-04-08 02:16	14688	---ha-w-	c:\users\Dung\AppData\Roaming\logs.dat
2009-11-23 20:47 . 2009-10-12 22:09	4096	d-----w-	c:\program files\Lineage II
2009-11-23 07:47 . 2009-07-29 23:25	4096	d-----w-	c:\users\Dung\AppData\Roaming\vlc
2009-11-12 01:18 . 2009-07-18 19:18	--------	d-----w-	c:\users\Dung\AppData\Roaming\Xfire
2009-11-11 11:20 . 2006-11-02 11:18	4096	d-----w-	c:\program files\Windows Mail
2009-11-11 11:04 . 2009-06-14 01:31	16384	d-----w-	c:\programdata\Microsoft Help
2009-11-11 00:21 . 2009-06-13 22:09	99864	----a-w-	c:\users\Dung\AppData\Local\GDIPFONTCACHEV1.DAT
2009-11-10 11:05 . 2009-06-14 01:34	4096	d-----w-	c:\program files\Microsoft Works
2009-11-03 04:42 . 2009-10-03 05:24	195456	------w-	c:\windows\system32\MpSigStub.exe
2009-10-28 10:16 . 2009-08-23 23:07	4096	d-----w-	c:\users\Dung\AppData\Roaming\mIRC
2009-10-22 22:46 . 2009-09-22 22:14	4096	d-----w-	c:\program files\mIRC
2009-10-22 01:12 . 2009-07-30 04:18	220926964	----a-w-	c:\users\Dung\AppData\Roaming\ijjigame\U_GUNZ_setup.exe
2009-10-22 00:42 . 2009-07-30 04:16	4096	d--h--w-	c:\users\Dung\AppData\Roaming\ijjigame
2009-10-17 19:41 . 2009-10-13 10:23	7484	----a-w-	c:\users\Dung\AppData\Local\d3d9caps.dat
2009-10-17 19:31 . 2009-10-17 19:31	8192	d-----w-	c:\program files\RivaTuner v2.24 MSI Master Overclocking Arena 2009 edition
2009-10-12 22:09 . 2009-06-13 22:37	4096	d--h--w-	c:\program files\InstallShield Installation Information
2009-10-11 23:08 . 2009-10-11 23:08	--------	d-----w-	c:\program files\SystemRequirementsLab
2009-10-11 23:08 . 2009-10-11 23:08	4096	d-----w-	c:\users\Dung\AppData\Roaming\SystemRequirementsLab
2009-10-11 23:08 . 2009-10-11 23:08	138240	----a-w-	c:\users\Dung\AppData\Roaming\SystemRequirementsLab\SRLProxy_srl_4_1_13_0_d.dll
2009-10-11 23:08 . 2009-10-11 23:08	138240	----a-w-	c:\users\Dung\AppData\Roaming\SystemRequirementsLab\SRLProxy_srl_4_1_13_0_c.dll
2009-10-11 23:08 . 2009-10-11 23:08	138240	----a-w-	c:\users\Dung\AppData\Roaming\SystemRequirementsLab\SRLProxy_srl_4_1_13_0_b.dll
2009-10-11 23:08 . 2009-10-11 23:08	138240	----a-w-	c:\users\Dung\AppData\Roaming\SystemRequirementsLab\SRLProxy_srl_4_1_13_0_a.dll
2009-10-11 19:00 . 2009-10-11 19:01	411368	----a-w-	c:\windows\system32\deploytk.dll
2009-10-11 19:00 . 2009-10-11 19:00	--------	d-----w-	c:\program files\Java
2009-10-04 23:22 . 2009-10-04 23:22	187504	----a-w-	c:\users\Dung\AppData\Roaming\IDM\DwnlData\Dung\STG-20GunZ-20Beta-20v3.2_522\STG-20GunZ-20Beta-20v3.2.exe
2009-09-29 05:41 . 2009-09-29 05:31	4096	d-----w-	c:\program files\AC Tool
2009-09-14 09:44 . 2009-10-16 05:39	144896	----a-w-	c:\windows\system32\drivers\srv2.sys
2009-09-10 17:30 . 2009-10-16 05:40	213504	----a-w-	c:\windows\system32\msv1_0.dll
2009-09-04 12:24 . 2009-10-16 05:39	61440	----a-w-	c:\windows\system32\msasn1.dll
2009-09-01 05:40 . 2009-09-01 05:40	22000	----a-w-	c:\windows\system32\drivers\Neo_0111.sys
2009-09-01 05:39 . 2009-09-01 05:39	81920	----a-w-	c:\windows\system32\vpncmd.exe
2009-08-31 13:55 . 2009-10-16 05:40	293376	----a-w-	c:\windows\system32\psisdecd.dll
2009-08-31 13:55 . 2009-10-16 05:40	428544	----a-w-	c:\windows\system32\EncDec.dll
2009-08-28 12:39 . 2009-09-02 21:29	28672	----a-w-	c:\windows\system32\Apphlpdm.dll
2009-08-28 10:15 . 2009-09-02 21:29	4240384	----a-w-	c:\windows\system32\GameUXLegacyGDFs.dll
2009-08-27 13:32 . 2009-10-22 06:29	833024	----a-w-	c:\windows\system32\wininet.dll
2009-08-27 13:29 . 2009-10-22 06:29	78336	----a-w-	c:\windows\system32\ieencode.dll
2009-08-27 10:58 . 2009-10-22 06:29	26624	----a-w-	c:\windows\system32\ieUnatt.exe
2009-08-26 00:04 . 2009-08-26 00:04	75264	----a-w-	c:\windows\system32\uc_holybeast_launching.dll
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-27 3883856]
"Aim6"="c:\program files\AIM6\aim6.exe" [2009-07-09 49968]
"IDMan"="c:\program files\Internet Download Manager\IDMan.exe" [2009-05-28 2815408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"RivaTunerStartupDaemon"="c:\program files\RivaTuner v2.24 MSI Master Overclocking Arena 2009 edition\RivaTunerWrapper.exe" [2009-08-22 45056]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]

c:\users\Dung\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Full access on his account.lnk - c:\windows\system32\shutdown.exe [2008-1-20 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer2"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001

R2 TeamViewer4;TeamViewer 4;c:\program files\TeamViewer\Version4\TeamViewer_Service.exe [6/24/2009 11:22 PM 185640]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [7/19/2009 8:08 AM 24652]
R3 Envy24HFS;ICE Envy24 Family Audio Controller WDM;c:\windows\System32\drivers\Envy24HF.sys [6/4/2008 4:29 PM 673600]
R3 EuMusDesignVirtualAudioCableWdm;Virtual Audio Cable (WDM);c:\windows\System32\drivers\vrtaucbl.sys [7/23/2009 7:37 PM 31616]
R3 Neo_Cookiebot;VPN Client Device Driver - Cookiebot;c:\windows\System32\drivers\Neo_0111.sys [8/31/2009 9:40 PM 22000]
R3 tap0801;TAP-Win32 Adapter V8;c:\windows\System32\drivers\tap0801.sys [10/1/2006 3:37 AM 26624]
S0 NVStrap;NVStrap;c:\windows\System32\drivers\NVStrap.sys [10/17/2009 12:05 PM 4224]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"c:\program files\Common Files\LightScribe\LSRunOnce.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10E0OBO6-5UX8-70E2-LT0B-TB0NQ1340IX4}]
c:\windows\%windir%\WinVar32.exe
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://yahoo.com/
IE: Download all links with IDM - c:\program files\Internet Download Manager\IEGetAll.htm
IE: Download FLV video content with IDM - c:\program files\Internet Download Manager\IEGetVL.htm
IE: Download Link Using Mega Manager... - c:\program files\Megaupload\Mega Manager\mm_file.htm
IE: Download with IDM - c:\program files\Internet Download Manager\IEExt.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\users\Dung\AppData\Roaming\Mozilla\Firefox\Profiles\arev8p64.default\
FF - prefs.js: browser.startup.homepage - hxxp://yahoo.com/
FF - component: c:\users\Dung\AppData\Roaming\IDM\idmmzcc3\components\idmmzcc.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npijjiautoinstallpluginff.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npijjiFFPlugin1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npPandoWebInst.dll
FF - plugin: c:\program files\Opera\program\plugins\NP_IDM1.dll
FF - plugin: c:\program files\Opera\program\plugins\NP_IDM2.dll
FF - plugin: c:\program files\Opera\program\plugins\NP_IDM3.dll
FF - plugin: c:\program files\Opera\program\plugins\NP_IDM4.dll
FF - plugin: c:\program files\Opera\program\plugins\NP_IDM5.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF - plugin: c:\programdata\NexonUS\NGM\npNxGameUS.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-RaidDrivers - c:\windows\c:\windows\WinVar32.exe
HKLM-Run-RaidDrivers - c:\windows\c:\windows\WinVar32.exe
HKLM-Explorer_Run-Policies - c:\windows\c:\windows\WinVar32.exe
HKCU-Explorer_Run-Policies - c:\windows\c:\windows\WinVar32.exe
AddRemove-Uniblue DriverScanner 2009 - c:\programdata\{D5ABFFAD-D592-4F98-B02B-587125B4801F}\DriverScanner_Setup.exe
AddRemove-{C427E746-4EC9-4E3C-AACB-C6BB1F714D7F} - c:\programdata\{D5ABFFAD-D592-4F98-B02B-587125B4801F}\DriverScanner_Setup.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-23 14:08
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...  

scanning hidden autostart entries ... 

scanning hidden files ...  


c:\users\Dung\AppData\Roaming\Microsoft\Windows\Cookies\dung@live[1].txt

scan completed successfully
hidden files: 1

**************************************************************************

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SexyReplay]
"ImagePath"="\??\c:\users\Dung\Desktop\SexyKO\Inc\b.b"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3786946776-3867874152-3609406911-1000_Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}]
@Denied: (Full) (Everyone)
@Allowed: (Read) (RestrictedCode)
"scansk"=hex(0):bf,37,5f,3d,29,8d,84,1b,32,66,ee,e3,c4,24,d7,78,a4,b3,6d,6b,de,
   5e,cf,58,21,4e,d4,b0,15,72,ed,d8,d7,b1,c4,70,f8,a7,d4,38,00,00,00,00,00,00,\

[HKEY_USERS\S-1-5-21-3786946776-3867874152-3609406911-1000_Classes\CLSID\{d181d7d9-d866-439a-b738-7fbe1af6225b}]
@Denied: (Full) (Everyone)
@Allowed: (Read) (RestrictedCode)
"Model"=dword:000000f3
"Therad"=dword:0000001f
"MData"=hex(0):2b,8f,78,29,5a,0c,ce,ec,48,d4,68,e5,9f,6a,96,3e,ab,de,c5,81,26,
   38,95,44,f8,0b,f2,c4,7d,43,2e,bd,6b,26,b2,2d,7c,5d,5c,20,f4,ca,7c,9d,80,10,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(3456)
c:\windows\system32\wcdrtc32.dll
c:\program files\Internet Download Manager\idmmkb.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\AUDIODG.EXE
c:\program files\Nero\Nero 7\InCD\InCDsrv.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\windows\system32\WUDFHost.exe
c:\program files\AIM6\aolsoftware.exe
c:\program files\Internet Download Manager\IEMonitor.exe
c:\program files\Windows Live\Contacts\wlcomm.exe
c:\\?\c:\windows\system32\wbem\WMIADAP.EXE
c:\windows\servicing\TrustedInstaller.exe
.
**************************************************************************
.
Completion time: 2009-11-23 14:15 - machine was rebooted
ComboFix-quarantined-files.txt  2009-11-23 22:15

Pre-Run: 300,837,445,632 bytes free
Post-Run: 301,415,784,448 bytes free

- - End Of File - - 7F054E70B5A3ADE0A9E24E0C538AA8C7

Code:
2009-11-23 22:14:52 . 2009-11-23 22:14:52            1,940 ----a-w-  C:\Qoobox\Quarantine\Registry_backups\AddRemove-{C427E746-4EC9-4E3C-AACB-C6BB1F714D7F}.reg.dat
2009-11-23 22:14:52 . 2009-11-23 22:14:52            1,430 ----a-w-  C:\Qoobox\Quarantine\Registry_backups\AddRemove-Uniblue DriverScanner 2009.reg.dat
2009-11-23 22:14:30 . 2009-11-23 22:14:30              178 ----a-w-  C:\Qoobox\Quarantine\Registry_backups\HKCU-Explorer_Run-Policies.reg.dat
2009-11-23 22:14:30 . 2009-11-23 22:14:30              179 ----a-w-  C:\Qoobox\Quarantine\Registry_backups\HKLM-Explorer_Run-Policies.reg.dat
2009-11-23 22:14:29 . 2009-11-23 22:14:29              161 ----a-w-  C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-RaidDrivers.reg.dat
2009-11-23 22:14:28 . 2009-11-23 22:14:28              160 ----a-w-  C:\Qoobox\Quarantine\Registry_backups\HKCU-Run-RaidDrivers.reg.dat
2009-11-23 22:04:39 . 2009-11-23 22:04:39              992 ----a-w-  C:\Qoobox\Quarantine\Registry_backups\Service_okgdpyar.reg.dat
2009-11-23 22:04:39 . 2009-11-23 22:04:39              998 ----a-w-  C:\Qoobox\Quarantine\Registry_backups\Service_msogko.reg.dat
2009-11-23 22:03:15 . 2009-11-23 22:03:15            7,170 ----a-w-  C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2009-11-23 21:51:50 . 2009-11-23 21:56:17               62 ----a-w-  C:\Qoobox\Quarantine\catchme.log
2009-11-23 21:39:51 . 2009-11-23 21:39:51           61,440 ----a-w-  C:\Qoobox\Quarantine\C\Windows\System32\drivers\zldbshrp.sys.vir
2009-11-23 21:35:32 . 2009-11-23 21:35:32           61,440 ----a-w-  C:\Qoobox\Quarantine\C\Windows\System32\drivers\fmhlzgw.sys.vir
2009-07-30 04:16:43 . 2009-08-02 18:33:01                9 ----a-w-  C:\Qoobox\Quarantine\C\Users\Dung\AppData\Local\Microsoft\Windows\Temporary Internet Files\ijjistarter_verinfo.dat.vir
 
Go ahead and run ComboFix again and post its log. I need to see if it will find the same infection again.
 