Services.exe and xpshield installer problem

Over the weekend I have done just about everything asked for in the tutorials.
I ran adaware, spybots, mcaffee stinger, housecall virus scan, malware bytes.
I still have the same darn problem.
The firewall is blocking it from connecting to the internet now.

A button appears with an x in a red shield like the microsoft button and says you have security issues. If you click to close the pop up window it opens a window saying something like it is connecting, before it would open two internet explorer then as I went through the virus removal programs my default browser Firefox and try to download www.xp-shield.cn I get another popup window about services.exe and explorer.exe popup (exporer has encounted a problem and needs to close. We are sorry for inconvenience)

Note: when I go into safe mode it does the same thing.

Here's my hijack this log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:54:08 AM, on 11/24/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\MozyHome\mozybackup.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PCPICSW\pcpicswin.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\PCHealth\HelpCtr\System\panels\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\PCHealth\HelpCtr\System\panels\blank.htm
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar.dll
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-21-1957994488-1563985344-725345543-1003\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (User '?')
O4 - HKUS\S-1-5-21-1957994488-1563985344-725345543-1003\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1172072787765
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1172072778953
O16 - DPF: {EDFCB7CB-942C-4822-AF14-F0B687409848} (Image Uploader Control) - https://web11.farvv.com/sn/ImageUploader4.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Desktop Manager 5.7.806.10245 (GoogleDesktopManager-061008-081103) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MozyHome Backup Service (mozybackup) - Unknown owner - C:\Program Files\MozyHome\mozybackup.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O24 - Desktop Component AutorunsDisabled: (no name) - (no file)

--
End of file - 4520 bytes

Thanks.

Hello!
My name is Sam and I will be helping you.

I will do my best to communicate clearly to you so that we can resolve your issues as quickly as possible. In order to see what's going on with your computer I will ask for you to post various logs from the tools that we will use to fix your computer. Please communicate freely with me about how your computer is reacting and behaving as we work through this process.


Please download random's system information tool (RSIT) and save it to your desktop.

• Double click on RSIT.exe to run it.
• Click Continue at the disclaimer screen.
• Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)

Hello Sam.

I tried to run RSIT however it gives me the following error:

AutoIt Error
big button with x Line -1:
Error: Incorrect number of parameters in function call

Ok, then we're going to need a bigger gun.


Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :

• Restart your computer
• After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
• Instead of Windows loading as normal, the Advanced Options Menu should appear;
• Select the first option, to run Windows in Safe Mode, then press Enter.
• Choose your usual account.

• Open the extracted SDFix folder and double click RunThis.bat to start the script.
• Type Y to begin the cleanup process.
• It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
• Press any Key and it will restart the PC.
• When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
• Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
  (Report.txt will also be copied to Clipboard ready for posting back on the forum).
• Finally paste the contents of the Report.txt back here in your next reply.

Okay, here we go, here's the log.

I take it this picasa2 is not a legitimate program? I don't use picasa anyways. I've also seen googleupdater come across on the firewall. And all these tmp files I don't need is the malware in them?

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

Remaining Files :



Files with Hidden Attributes :

Thu 10 Jan 2008 27,944,264 ...H. --- "C:\Program Files\Fish Tycoon\Fish Tycoon.exe"
Sun 9 Nov 2008 6,108,728 A..H. --- "C:\Program Files\Picasa2\setup.exe"
Wed 22 Oct 2008 949,072 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\advcheck.dll"
Mon 15 Sep 2008 1,562,960 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDHelper.dll"
Mon 7 Jul 2008 1,429,840 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
Mon 7 Jul 2008 4,891,472 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
Tue 16 Sep 2008 1,833,296 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
Wed 22 Oct 2008 962,896 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\Tools.dll"
Sun 1 Jul 2007 88 ..SHR --- "C:\WINDOWS\system32\C5501D18DC.sys"
Sun 1 Jun 2008 1,942 A.SH. --- "C:\WINDOWS\system32\KGyGaAvL.sys"
Sat 9 Dec 2006 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Tue 27 Feb 2007 401 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv19.bak"
Wed 21 Feb 2007 400 ..SH. --- "C:\Documents and Settings\All Users\DRM\v2ks.bla.bak"
Wed 21 Feb 2007 48 ..SH. --- "C:\Documents and Settings\All Users\DRM\v2ks.sec.bak"
Wed 21 Feb 2007 400 A.SH. --- "C:\Documents and Settings\All Users\DRM\v3ks.bla.bak"
Mon 22 Oct 2007 536,576 ...H. --- "C:\Documents and Settings\Real Estate\My Documents\~WRL2903.tmp"
Mon 7 Feb 2005 33,792 A..H. --- "C:\Documents and Settings\Sean\My Documents\~WRL0004.tmp"
Fri 8 Apr 2005 41,472 A..H. --- "C:\Documents and Settings\Sean\My Documents\~WRL2528.tmp"
Tue 10 Jun 2008 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Tue 13 Aug 2002 33,792 A..H. --- "C:\Documents and Settings\Real Estate\My Documents\Real Estate\Forms\~WRL0004.tmp"
Wed 17 Sep 2008 31,232 ...H. --- "C:\Documents and Settings\User\Application Data\Microsoft\Word\~WRL0378.tmp"
Tue 11 Nov 2008 31,744 ...H. --- "C:\Documents and Settings\User\Application Data\Microsoft\Word\~WRL0519.tmp"
Sun 26 Aug 2007 30,208 ...H. --- "C:\Documents and Settings\User\Application Data\Microsoft\Word\~WRL0605.tmp"
Thu 2 Aug 2007 30,208 ...H. --- "C:\Documents and Settings\User\Application Data\Microsoft\Word\~WRL0663.tmp"
Sun 4 Nov 2007 32,256 ...H. --- "C:\Documents and Settings\User\Application Data\Microsoft\Word\~WRL1080.tmp"
Tue 29 Jan 2008 30,208 ...H. --- "C:\Documents and Settings\User\Application Data\Microsoft\Word\~WRL1428.tmp"
Sat 2 Feb 2008 30,208 ...H. --- "C:\Documents and Settings\User\Application Data\Microsoft\Word\~WRL2407.tmp"
Mon 17 Nov 2008 33,792 ...H. --- "C:\Documents and Settings\User\Application Data\Microsoft\Word\~WRL2497.tmp"
Mon 22 Oct 2007 30,208 ...H. --- "C:\Documents and Settings\User\Application Data\Microsoft\Word\~WRL2522.tmp"
Mon 15 Oct 2007 30,208 ...H. --- "C:\Documents and Settings\User\Application Data\Microsoft\Word\~WRL2592.tmp"
Sat 20 Oct 2007 30,208 ...H. --- "C:\Documents and Settings\User\Application Data\Microsoft\Word\~WRL2921.tmp"
Tue 11 Nov 2008 31,744 ...H. --- "C:\Documents and Settings\User\Application Data\Microsoft\Word\~WRL3180.tmp"
Tue 11 Nov 2008 31,744 ...H. --- "C:\Documents and Settings\User\Application Data\Microsoft\Word\~WRL3314.tmp"
Wed 1 Aug 2007 30,208 ...H. --- "C:\Documents and Settings\User\Application Data\Microsoft\Word\~WRL3609.tmp"
Fri 1 Feb 2008 30,208 ...H. --- "C:\Documents and Settings\User\Application Data\Microsoft\Word\~WRL3737.tmp"
Tue 24 Jun 2003 54,272 A..H. --- "C:\Documents and Settings\Real Estate\My Documents\Real Estate\Forms\EZ Contract\Contract Templates\Addendums Amend Extend\~WRL0002.tmp"

Finished!

Actually that log doesn't show any malware. Picasa is a photo viewing program from Google. It's not malicious is any way. The temp files that you see are all from word documents that were not saved before they were closed. They pose no threat at all, but they can all be deleted.

Let's see if we can get a log from this one.

• Please download OTViewIt by OldTimer to your desktop.
• Double click on the OTViewIt.exe icon on your desktop.
• Check the Scan All Users checkbox and leave Use Whitelist checked. Set the File Age to 30 days.
• Click on the Run Scan button. Two reports that are located in the same location as OTViewIt will open.OTViewIt.txt <-- Will be opened
  Extra.txt <-- Will be minimized

Copy and Paste the logs into your next reply.

No go - see snapshot of screen of error code as well as explorer.exe error I believe I mentioned before. Also something to note is when I run spybot an error comes up about halfway through and says something that spybot will need to rescan and reboot, if I click cancel it continues, it does this every time it encounters the virtumonde virus. I have to click no or cancel before it will continue with the scan.

Don't even try to run a scan with Spybot for now. It's not going to be helpful. It's just not powerful enough.



Please download ComboFix from one of these locations:

Link 1
Link 2
Link 3

Important!
You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of an Malware Removal Expert, not for private use.
Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.


Make sure that you save ComboFix.exe to your Desktop

• Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  
  
• Double click on ComboFix.exe & follow the prompts.
  
  
• As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  
  
• Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.





Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:




Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

ComboFix 08-11-27.03 - User 2008-11-27 15:08:12.2 - NTFSx86

Running from: c:\documents and settings\User\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\SysNotifier.exe
c:\windows\system32\hpowiax2.dll

.
((((((((((((((((((((((((( Files Created from 2008-10-27 to 2008-11-27 )))))))))))))))))))))))))))))))
.

2008-11-24 21:23 . 2008-11-24 21:25 94,107 --a------ c:\windows\hpqins05.dat
2008-11-24 21:11 . 2007-04-19 16:14 11,634 --------- c:\windows\hpomdl11.dat.temp
2008-11-24 20:33 . 2008-11-24 20:33 1,947 --a------ c:\windows\unins000.dat
2008-11-24 19:09 . 2008-11-24 19:09 <DIR> d-------- C:\rsit
2008-11-24 12:16 . 2008-11-24 12:17 692 --a------ c:\windows\hpntwksetup.ini
2008-11-24 12:14 . 2008-11-24 21:11 116,734 --------- c:\windows\hpoins11.dat.temp
2008-11-24 06:53 . 2008-11-24 06:53 <DIR> d-------- c:\program files\Trend Micro
2008-11-24 00:55 . 2008-11-24 00:55 <DIR> d-------- c:\program files\Sygate
2008-11-24 00:55 . 2004-10-15 18:32 83,096 --a------ c:\windows\system32\SSSensor.dll
2008-11-24 00:55 . 2004-10-15 18:17 60,496 --a------ c:\windows\system32\drivers\Teefer.sys
2008-11-24 00:55 . 2004-10-15 18:18 21,075 --a------ c:\windows\system32\drivers\wpsdrvnt.sys
2008-11-24 00:55 . 2004-10-15 18:32 14,568 --a------ c:\windows\system32\drivers\wg6n.sys
2008-11-24 00:55 . 2004-10-15 18:32 14,568 --a------ c:\windows\system32\drivers\wg5n.sys
2008-11-24 00:55 . 2004-10-15 18:32 14,568 --a------ c:\windows\system32\drivers\wg4n.sys
2008-11-24 00:55 . 2004-10-15 18:32 14,568 --a------ c:\windows\system32\drivers\wg3n.sys
2008-11-23 23:35 . 2008-11-23 23:35 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-11-23 23:35 . 2008-11-23 23:35 <DIR> d-------- c:\documents and settings\User\Application Data\Malwarebytes
2008-11-23 23:35 . 2008-11-23 23:35 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-11-23 23:35 . 2008-10-22 16:27 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-11-23 23:35 . 2008-10-22 16:27 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-11-23 11:06 . 2008-11-24 12:23 109 --a------ c:\windows\wininit.ini
2008-11-23 10:42 . 2008-11-23 11:09 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-11-23 10:42 . 2008-11-23 11:43 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-23 00:24 . 2008-11-23 00:24 <DIR> d-------- c:\windows\ERUNT
2008-11-23 00:21 . 2008-11-25 13:54 <DIR> d-------- C:\SDFix
2008-11-18 23:47 . 2008-11-18 23:47 <DIR> d-------- c:\program files\MozyHome
2008-11-18 23:47 . 2008-11-16 23:32 53,752 --a------ c:\windows\system32\drivers\mozy.sys
2008-11-18 16:10 . 2008-11-18 16:10 <DIR> d-------- c:\documents and settings\User\Application Data\IUpd721
2008-11-18 15:57 . 2008-11-18 15:57 153,484 --a------ c:\windows\system32\g62.exe
2008-11-18 15:56 . 2008-11-18 22:52 <DIR> d--hs---- c:\windows\V29ya3N0YXRpb24
2008-11-18 15:56 . 2008-11-18 22:52 <DIR> d-------- c:\windows\system32\vim
2008-11-18 15:56 . 2008-11-18 15:56 <DIR> d-------- c:\windows\system32\ip
2008-11-18 15:56 . 2008-11-18 15:57 <DIR> d-------- c:\windows\system32\hdx
2008-11-16 23:33 . 2008-11-23 00:11 9,724 --a------ c:\windows\mozy.flt
2008-11-16 23:33 . 2008-11-23 00:11 7,396 --a------ c:\windows\mozy.blk
2008-11-09 10:02 . 2008-11-26 16:06 <DIR> d-------- c:\documents and settings\All Users\Application Data\Google Updater
2008-11-01 15:57 . 2008-11-01 15:57 <DIR> d-------- c:\program files\Photo Story 3 for Windows
2008-11-01 15:45 . 2008-11-01 15:45 <DIR> d-------- c:\program files\Norton PC Checkup
2008-11-01 15:45 . 2008-11-16 16:22 <DIR> d-------- c:\program files\Common Files\Symantec Shared
2008-11-01 15:20 . 2008-11-01 15:21 <DIR> d-------- c:\windows\system32\Adobe
2008-11-01 12:39 . 2008-11-01 12:39 0 --a------ c:\windows\hpqEmlSz.INI
2008-10-31 10:19 . 2008-10-31 10:19 <DIR> d-------- c:\documents and settings\Tasha\Application Data\HP
2008-10-30 19:54 . 2008-10-30 22:05 <DIR> d-------- c:\documents and settings\User\Application Data\HP
2008-10-30 19:52 . 2008-10-30 19:52 <DIR> d-------- c:\documents and settings\All Users\Application Data\HP
2008-10-30 19:44 . 2008-10-30 19:44 <DIR> d-------- c:\program files\Common Files\Sonic Shared
2008-10-30 19:44 . 2008-10-30 19:44 <DIR> d-------- c:\documents and settings\All Users\Application Data\Sonic
2008-10-30 19:39 . 2006-04-12 17:02 827,392 -ra------ c:\windows\system32\hpotiop2.dll
2008-10-30 19:39 . 2006-04-12 17:02 254,026 -ra------ c:\windows\system32\hpovst09.dll
2008-10-30 19:39 . 2006-01-04 02:12 77,824 -ra------ c:\windows\system32\HPZIDS01.dll
2008-10-30 19:39 . 2006-04-10 13:03 38,400 --a------ c:\windows\system32\hpz3l054.dll
2008-10-30 19:39 . 2001-08-17 13:53 6,784 --a------ c:\windows\system32\drivers\serscan.sys
2008-10-30 19:39 . 2001-08-17 13:53 6,784 --a--c--- c:\windows\system32\dllcache\serscan.sys
2008-10-30 19:39 . 2008-11-24 12:17 173 --a------ c:\windows\system32\AddPort.ini
2008-10-30 19:26 . 2008-11-24 12:19 <DIR> d-------- C:\TEMP
2008-10-30 19:24 . 2008-11-24 21:13 116,734 --a------ c:\windows\hpoins11.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-27 21:39 --------- d-----w c:\program files\Plaxo
2008-11-25 04:26 --------- d-----w c:\program files\HP
2008-11-24 13:53 --------- d-----w c:\program files\Computer Maintenance
2008-11-24 07:18 --------- d-----w c:\documents and settings\All Users\Application Data\RFA_Backups
2008-11-23 15:36 --------- d-----w c:\program files\Shockwave.com
2008-11-23 15:35 --------- d-----w c:\program files\Oberon Media
2008-11-13 19:28 --------- d-----w c:\documents and settings\Tasha\Application Data\IMVU
2008-11-09 18:04 --------- d-----w c:\program files\Picasa2
2008-11-09 17:02 --------- d-----w c:\program files\Google
2008-10-31 02:44 --------- d-----w c:\program files\Common Files\HP
2008-10-24 11:10 453,632 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-22 22:11 --------- d-----w c:\program files\MSECache
2008-10-13 15:53 --------- d-----w c:\documents and settings\User\Application Data\Facebook
2008-10-10 00:35 --------- d-----w c:\documents and settings\Tasha\Application Data\DisplayTune
2008-10-07 01:49 --------- d-----w c:\documents and settings\User\Application Data\DisplayTune
2008-10-07 01:47 --------- d--h--w c:\program files\InstallShield Installation Information
2008-10-07 01:46 --------- d-----w c:\program files\Portrait Displays
2008-10-07 01:46 --------- d-----w c:\program files\Common Files\Portrait Displays
2008-10-07 01:46 --------- d-----w c:\program files\Acer Display
2008-10-07 01:45 --------- d-----w c:\program files\Common Files\InstallShield
2008-08-12 00:02 0 -c--a-w c:\program files\temp01
2008-07-20 23:03 23 -c--a-w c:\documents and settings\Sean\jagex_runescape_preferences.dat
2008-07-03 20:47 0 -c--a-w c:\documents and settings\User\jagex_runescape_preferences.dat
2007-07-31 19:04 630,784 -c--a-w c:\documents and settings\User\GoToAssist_chat2way__317_en.exe
2007-07-02 03:32 88 -csh--r c:\windows\system32\C5501D18DC.sys
2008-06-01 22:38 1,942 -csha-w c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1CAD29DF-1D6D-41A2-8C55-EAA2C7EDCDEB}]
2008-11-19 23:40 299008 --a------ c:\program files\Internet Explorer\en-US\pm3nod.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\mozy2]
@="{747E722C-CB46-4a9d-BDFE-192AAD5099B1}"
[HKEY_CLASSES_ROOT\CLSID\{747E722C-CB46-4a9d-BDFE-192AAD5099B1}]
2008-11-16 23:32 3044664 --a------ c:\program files\MozyHome\mozyshell.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\mozy3]
@="{EE6F5A00-7898-40f7-AB77-51FF9D6DEB20}"
[HKEY_CLASSES_ROOT\CLSID\{EE6F5A00-7898-40f7-AB77-51FF9D6DEB20}]
2008-11-16 23:32 3044664 --a------ c:\program files\MozyHome\mozyshell.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SmcService"="c:\progra~1\Sygate\SPF\smc.exe" [2004-10-15 2577632]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 49152]

c:\documents and settings\Sean\Start Menu\Programs\Startup\
LimeWire On Startup.lnk.disabled [2008-06-03 1538]

c:\documents and settings\Tasha\Start Menu\Programs\Startup\
IMVU.lnk.disabled [2008-05-21 692]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pm3nod]
2008-11-19 23:40 299008 c:\program files\Internet Explorer\en-US\pm3nod.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"SpybotSD TeaTimer"=c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=

.
Contents of the 'Scheduled Tasks' folder

2008-11-19 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2008-11-22 c:\windows\Tasks\WebReg officejet 6300 series.job
- c:\program files\HP\Digital Imaging\bin\hpqwrg.exe [2006-02-19 04:09]
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\rqneh3a5.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxps://valuations.farvv.com/Login.aspx
FF -: plugin - c:\program files\Google\Google Updater\2.4.1399.3742\npCIDetect13.dll
FF -: plugin - c:\program files\iTunes\Mozilla Plugins\npitunes.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\npGoogleGadgetPluginFirefoxWin.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\npmusicn.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\npsnapfish.dll
FF -: plugin - c:\program files\Picasa2\npPicasa2.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-27 15:13:33
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\vsdatant]
"ImagePath"=""
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1024)
c:\program files\Internet Explorer\en-US\pm3nod.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Sygate\SPF\Smc.exe
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\MozyHome\mozybackup.exe
c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
c:\program files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
.
**************************************************************************
.
Completion time: 2008-11-27 15:17:57 - machine was rebooted
ComboFix-quarantined-files.txt 2008-11-27 22:17:54
ComboFix2.txt 2008-11-23 08:14:29

Pre-Run: 12,069,654,528 bytes free
Post-Run: 12,056,375,296 bytes free

185 --- E O F --- 2008-11-23 22:08:07

Please visit the online Jotti Virus Scanner

• Click on button.
• Copy and paste the following filepath in the box:
  
  
  c:\program files\Internet Explorer\en-US\pm3nod.dll
  
  
  
• Click on the button.
  The scanner will check the file with various AV companies.
• Copy and paste the results box into a reply to this thread.

If Jotti's too busy, try here:
Go here: http://www.virustotal.com/en/virustotalf.html


=================


Copy and paste ALL the following text in the Quote box below into Notepad.
Click on File(in the menu at the top)>Save as../Save as Type: 'All Files' /File name: CFScript to your desktop.

File::
c:\windows\system32\g62.exe

Dirlook::
c:\documents and settings\User\Application Data\IUpd721
c:\windows\V29ya3N0YXRpb24
c:\windows\system32\vim
c:\windows\system32\ip
c:\windows\system32\hdx

Prior to running Combofix.exe you should disable your antivirus program and disconnect from the internet.

Now drag then drop the CFScript file onto ComboFix.exe as seen in the image below.



This will start ComboFix again.
After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.

Results for jotti:

Service load: 0% 100%

File: pm3nod.dll
Status: INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5: 3ee666556f267be6e77ee5528bafa3e9
Packers detected: -

Scanner results
Scan taken on 29 Nov 2008 21:35:43 (GMT)
A-Squared Found Trojan.Vundo.Gen.1!IK
AntiVir Found PHISH/Fraud.XPShield.O
ArcaVir Found nothing
Avast Found Win32:BHO-NB
AVG Antivirus Found Generic10.BGTR
BitDefender Found Trojan.Vundo.Gen.1
ClamAV Found nothing
CPsecure Found FraudTool.W32.XPShield.o
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found not-a-virus:FraudTool.Win32.XPShield.o
G DATA Found nothing
Ikarus Found Trojan.Vundo.Gen.1
Kaspersky Anti-Virus Found not-a-virus:FraudTool.Win32.XPShield.o
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found Generic
Sophos Antivirus Found Troj/Virtum-Gen
VirusBuster Found nothing
VBA32 Found nothing

Here are the results for the combofix:

ComboFix 08-11-27.03 - User 2008-11-29 14:44:06.3 - NTFSx86

Running from: c:\documents and settings\User\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\User\Desktop\cfscript.txt

FILE ::
c:\windows\system32\g62.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\SysNotifier.exe
c:\windows\system32\g62.exe

.
((((((((((((((((((((((((( Files Created from 2008-10-28 to 2008-11-29 )))))))))))))))))))))))))))))))
.

2008-11-24 21:23 . 2008-11-24 21:25 94,107 --a------ c:\windows\hpqins05.dat
2008-11-24 21:11 . 2007-04-19 16:14 11,634 --------- c:\windows\hpomdl11.dat.temp
2008-11-24 20:33 . 2008-11-24 20:33 1,947 --a------ c:\windows\unins000.dat
2008-11-24 19:09 . 2008-11-24 19:09 <DIR> d-------- C:\rsit
2008-11-24 12:16 . 2008-11-24 12:17 692 --a------ c:\windows\hpntwksetup.ini
2008-11-24 12:14 . 2008-11-24 21:11 116,734 --------- c:\windows\hpoins11.dat.temp
2008-11-24 06:53 . 2008-11-24 06:53 <DIR> d-------- c:\program files\Trend Micro
2008-11-24 00:55 . 2008-11-24 00:55 <DIR> d-------- c:\program files\Sygate
2008-11-24 00:55 . 2004-10-15 18:32 83,096 --a------ c:\windows\system32\SSSensor.dll
2008-11-24 00:55 . 2004-10-15 18:17 60,496 --a------ c:\windows\system32\drivers\Teefer.sys
2008-11-24 00:55 . 2004-10-15 18:18 21,075 --a------ c:\windows\system32\drivers\wpsdrvnt.sys
2008-11-24 00:55 . 2004-10-15 18:32 14,568 --a------ c:\windows\system32\drivers\wg6n.sys
2008-11-24 00:55 . 2004-10-15 18:32 14,568 --a------ c:\windows\system32\drivers\wg5n.sys
2008-11-24 00:55 . 2004-10-15 18:32 14,568 --a------ c:\windows\system32\drivers\wg4n.sys
2008-11-24 00:55 . 2004-10-15 18:32 14,568 --a------ c:\windows\system32\drivers\wg3n.sys
2008-11-23 23:35 . 2008-11-23 23:35 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-11-23 23:35 . 2008-11-23 23:35 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-11-23 23:35 . 2008-10-22 16:27 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-11-23 23:35 . 2008-10-22 16:27 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-11-23 11:06 . 2008-11-24 12:23 109 --a------ c:\windows\wininit.ini
2008-11-23 10:42 . 2008-11-23 11:09 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-11-23 10:42 . 2008-11-23 11:43 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-23 00:24 . 2008-11-23 00:24 <DIR> d-------- c:\windows\ERUNT
2008-11-23 00:21 . 2008-11-25 13:54 <DIR> d-------- C:\SDFix
2008-11-18 23:47 . 2008-11-18 23:47 <DIR> d-------- c:\program files\MozyHome
2008-11-18 23:47 . 2008-11-16 23:32 53,752 --a------ c:\windows\system32\drivers\mozy.sys
2008-11-18 15:56 . 2008-11-18 22:52 <DIR> d--hs---- c:\windows\V29ya3N0YXRpb24
2008-11-18 15:56 . 2008-11-18 22:52 <DIR> d-------- c:\windows\system32\vim
2008-11-18 15:56 . 2008-11-18 15:56 <DIR> d-------- c:\windows\system32\ip
2008-11-18 15:56 . 2008-11-18 15:57 <DIR> d-------- c:\windows\system32\hdx
2008-11-16 23:33 . 2008-11-23 00:11 9,724 --a------ c:\windows\mozy.flt
2008-11-16 23:33 . 2008-11-23 00:11 7,396 --a------ c:\windows\mozy.blk
2008-11-09 10:02 . 2008-11-28 23:03 <DIR> d-------- c:\documents and settings\All Users\Application Data\Google Updater
2008-11-01 15:57 . 2008-11-01 15:57 <DIR> d-------- c:\program files\Photo Story 3 for Windows
2008-11-01 15:45 . 2008-11-01 15:45 <DIR> d-------- c:\program files\Norton PC Checkup
2008-11-01 15:45 . 2008-11-16 16:22 <DIR> d-------- c:\program files\Common Files\Symantec Shared
2008-11-01 15:20 . 2008-11-01 15:21 <DIR> d-------- c:\windows\system32\Adobe
2008-11-01 12:39 . 2008-11-01 12:39 0 --a------ c:\windows\hpqEmlSz.INI
2008-10-30 19:52 . 2008-10-30 19:52 <DIR> d-------- c:\documents and settings\All Users\Application Data\HP
2008-10-30 19:44 . 2008-10-30 19:44 <DIR> d-------- c:\program files\Common Files\Sonic Shared
2008-10-30 19:44 . 2008-10-30 19:44 <DIR> d-------- c:\documents and settings\All Users\Application Data\Sonic
2008-10-30 19:39 . 2006-04-12 17:02 827,392 -ra------ c:\windows\system32\hpotiop2.dll
2008-10-30 19:39 . 2006-04-12 17:02 254,026 -ra------ c:\windows\system32\hpovst09.dll
2008-10-30 19:39 . 2006-01-04 02:12 77,824 -ra------ c:\windows\system32\HPZIDS01.dll
2008-10-30 19:39 . 2006-04-10 13:03 38,400 --a------ c:\windows\system32\hpz3l054.dll
2008-10-30 19:39 . 2001-08-17 13:53 6,784 --a------ c:\windows\system32\drivers\serscan.sys
2008-10-30 19:39 . 2001-08-17 13:53 6,784 --a--c--- c:\windows\system32\dllcache\serscan.sys
2008-10-30 19:39 . 2008-11-24 12:17 173 --a------ c:\windows\system32\AddPort.ini
2008-10-30 19:26 . 2008-11-24 12:19 <DIR> d-------- C:\TEMP
2008-10-30 19:24 . 2008-11-24 21:13 116,734 --a------ c:\windows\hpoins11.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-29 21:32 --------- d-----w c:\program files\Plaxo
2008-11-28 07:16 --------- d-----w c:\program files\PCPICSW
2008-11-25 04:26 --------- d-----w c:\program files\HP
2008-11-24 13:53 --------- d-----w c:\program files\Computer Maintenance
2008-11-24 07:18 --------- d-----w c:\documents and settings\All Users\Application Data\RFA_Backups
2008-11-23 15:36 --------- d-----w c:\program files\Shockwave.com
2008-11-23 15:35 --------- d-----w c:\program files\Oberon Media
2008-11-09 18:04 --------- d-----w c:\program files\Picasa2
2008-11-09 17:02 --------- d-----w c:\program files\Google
2008-10-31 02:44 --------- d-----w c:\program files\Common Files\HP
2008-10-24 11:10 453,632 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-22 22:11 --------- d-----w c:\program files\MSECache
2008-10-16 21:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 21:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 21:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 21:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 21:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 21:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 21:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 21:08 34,328 -c--a-w c:\windows\system32\wups.dll
2008-10-16 21:06 268,648 ----a-w c:\windows\system32\mucltui.dll
2008-10-16 21:06 208,744 ----a-w c:\windows\system32\muweb.dll
2008-10-07 01:47 --------- d--h--w c:\program files\InstallShield Installation Information
2008-10-07 01:46 62,009 ----a-w c:\windows\system32\wpfb_ati2dvag.dll
2008-10-07 01:46 --------- d-----w c:\program files\Portrait Displays
2008-10-07 01:46 --------- d-----w c:\program files\Common Files\Portrait Displays
2008-10-07 01:46 --------- d-----w c:\program files\Acer Display
2008-10-07 01:45 --------- d-----w c:\program files\Common Files\InstallShield
2008-09-30 23:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-09-15 11:57 1,846,016 ----a-w c:\windows\system32\win32k.sys
2008-09-04 16:42 1,106,944 ----a-w c:\windows\system32\msxml3.dll
2008-08-30 03:06 1,350,664 ----a-w c:\windows\system32\msxml6.dll
2008-08-29 16:18 87,336 -c--a-w c:\windows\system32\dns-sd.exe
2008-08-29 15:53 61,440 -c--a-w c:\windows\system32\dnssd.dll
2008-08-12 00:02 0 -c--a-w c:\program files\temp01
2008-07-20 23:03 23 -c--a-w c:\documents and settings\Sean\jagex_runescape_preferences.dat
2008-07-03 20:47 0 -c--a-w c:\documents and settings\User\jagex_runescape_preferences.dat
2007-07-31 19:04 630,784 -c--a-w c:\documents and settings\User\GoToAssist_chat2way__317_en.exe
2003-07-31 09:53 147,456 -c--a-w c:\windows\inf\EL2K_XP.sys
2003-07-31 09:50 448,768 -c--a-w c:\windows\inf\EL2K_N64.sys
2003-07-31 09:43 147,456 -c--a-w c:\windows\inf\EL2K_2K.sys
2007-07-02 03:32 88 -csh--r c:\windows\system32\C5501D18DC.sys
2008-06-01 22:38 1,942 -csha-w c:\windows\system32\KGyGaAvL.sys
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of c:\documents and settings\User\Application Data\IUpd721 ----

2008-11-18 16:10 1029 --a------ c:\documents and settings\User\Application Data\IUpd721\Logs\scns.log

---- Directory of c:\windows\system32\hdx ----


---- Directory of c:\windows\system32\ip ----

2008-11-17 16:39 190185 --a------ c:\windows\system32\ip\pxNT4I19.exe

---- Directory of c:\windows\system32\vim ----


---- Directory of c:\windows\V29ya3N0YXRpb24 ----



((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1CAD29DF-1D6D-41A2-8C55-EAA2C7EDCDEB}]
2008-11-19 23:40 299008 --a------ c:\program files\Internet Explorer\en-US\pm3nod.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\mozy2]
@="{747E722C-CB46-4a9d-BDFE-192AAD5099B1}"
[HKEY_CLASSES_ROOT\CLSID\{747E722C-CB46-4a9d-BDFE-192AAD5099B1}]
2008-11-16 23:32 3044664 --a------ c:\program files\MozyHome\mozyshell.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\mozy3]
@="{EE6F5A00-7898-40f7-AB77-51FF9D6DEB20}"
[HKEY_CLASSES_ROOT\CLSID\{EE6F5A00-7898-40f7-AB77-51FF9D6DEB20}]
2008-11-16 23:32 3044664 --a------ c:\program files\MozyHome\mozyshell.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SmcService"="c:\progra~1\Sygate\SPF\smc.exe" [2004-10-15 2577632]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 49152]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pm3nod]
2008-11-19 23:40 299008 c:\program files\Internet Explorer\en-US\pm3nod.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"SpybotSD TeaTimer"=c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=

.
Contents of the 'Scheduled Tasks' folder

2008-11-19 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2008-11-22 c:\windows\Tasks\WebReg officejet 6300 series.job
- c:\program files\HP\Digital Imaging\bin\hpqwrg.exe [2006-02-19 04:09]
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-29 14:46:17
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet004\Services\vsdatant]
"ImagePath"=""
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1024)
c:\program files\Internet Explorer\en-US\pm3nod.dll
c:\windows\system32\SSSensor.dll
.
Completion time: 2008-11-29 14:48:16
ComboFix-quarantined-files.txt 2008-11-29 21:47:36
ComboFix2.txt 2008-11-27 22:17:59
ComboFix3.txt 2008-11-23 08:14:29

Pre-Run: 12,092,321,792 bytes free
Post-Run: 12,074,549,248 bytes free

179 --- E O F --- 2008-11-23 22:08:07


THANKS!!!

Copy and paste ALL the following text in the Quote box below into Notepad.
Click on File(in the menu at the top)>Save as../Save as Type: 'All Files' /File name: CFScript to your desktop.

Folder::
c:\documents and settings\User\Application Data\IUpd721
c:\windows\V29ya3N0YXRpb24
c:\windows\system32\vim
c:\windows\system32\ip
c:\windows\system32\hdx

File::
c:\program files\Internet Explorer\en-US\pm3nod.dll

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1CAD29DF-1D6D-41A2-8C55-EAA2C7EDCDEB}]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pm3nod]

Prior to running Combofix.exe you should disable your antivirus program and disconnect from the internet.

Now drag then drop the CFScript file onto ComboFix.exe as seen in the image below.



This will start ComboFix again.
After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.


===================


Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2

• Make sure you are connected to the Internet.
• Double-click on Download_mbam-setup.exe to install the application.
• When the installation begins, follow the prompts and do not make any changes to default settings.
• When installation has finished, make sure you leave both of these checked:
  • Update Malwarebytes' Anti-Malware
  • Launch Malwarebytes' Anti-Malware
• Then click Finish.
• MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
• On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
• If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
• The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
• When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
• Click OK to close the message box and continue with the removal process.
• Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
• Make sure that everything is checked, and click Remove Selected.
• When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
• The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
• Copy and paste the contents of that report in your next reply and exit MBAM.

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

ComboFix 08-11-27.03 - User 2008-11-29 15:56:10.4 - NTFSx86

Running from: c:\documents and settings\User\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\User\Desktop\cfScript.txt

FILE ::
c:\program files\Internet Explorer\en-US\pm3nod.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\User\Application Data\IUpd721
c:\documents and settings\User\Application Data\IUpd721\Logs\scns.log
c:\program files\Internet Explorer\en-US\pm3nod.dll
c:\windows\system32\hdx
c:\windows\system32\ip
c:\windows\system32\ip\pxNT4I19.exe
c:\windows\system32\vim
c:\windows\V29ya3N0YXRpb24

.
((((((((((((((((((((((((( Files Created from 2008-10-28 to 2008-11-29 )))))))))))))))))))))))))))))))
.

2008-11-24 21:23 . 2008-11-24 21:25 94,107 --a------ c:\windows\hpqins05.dat
2008-11-24 21:11 . 2007-04-19 16:14 11,634 --------- c:\windows\hpomdl11.dat.temp
2008-11-24 20:33 . 2008-11-24 20:33 1,947 --a------ c:\windows\unins000.dat
2008-11-24 19:09 . 2008-11-24 19:09 <DIR> d-------- C:\rsit
2008-11-24 12:16 . 2008-11-24 12:17 692 --a------ c:\windows\hpntwksetup.ini
2008-11-24 12:14 . 2008-11-24 21:11 116,734 --------- c:\windows\hpoins11.dat.temp
2008-11-24 06:53 . 2008-11-24 06:53 <DIR> d-------- c:\program files\Trend Micro
2008-11-24 00:55 . 2008-11-24 00:55 <DIR> d-------- c:\program files\Sygate
2008-11-24 00:55 . 2004-10-15 18:32 83,096 --a------ c:\windows\system32\SSSensor.dll
2008-11-24 00:55 . 2004-10-15 18:17 60,496 --a------ c:\windows\system32\drivers\Teefer.sys
2008-11-24 00:55 . 2004-10-15 18:18 21,075 --a------ c:\windows\system32\drivers\wpsdrvnt.sys
2008-11-24 00:55 . 2004-10-15 18:32 14,568 --a------ c:\windows\system32\drivers\wg6n.sys
2008-11-24 00:55 . 2004-10-15 18:32 14,568 --a------ c:\windows\system32\drivers\wg5n.sys
2008-11-24 00:55 . 2004-10-15 18:32 14,568 --a------ c:\windows\system32\drivers\wg4n.sys
2008-11-24 00:55 . 2004-10-15 18:32 14,568 --a------ c:\windows\system32\drivers\wg3n.sys
2008-11-23 23:35 . 2008-11-23 23:35 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-11-23 23:35 . 2008-11-23 23:35 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-11-23 23:35 . 2008-10-22 16:27 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-11-23 23:35 . 2008-10-22 16:27 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-11-23 11:06 . 2008-11-24 12:23 109 --a------ c:\windows\wininit.ini
2008-11-23 10:42 . 2008-11-23 11:09 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-11-23 10:42 . 2008-11-23 11:43 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-23 00:24 . 2008-11-23 00:24 <DIR> d-------- c:\windows\ERUNT
2008-11-23 00:21 . 2008-11-25 13:54 <DIR> d-------- C:\SDFix
2008-11-18 23:47 . 2008-11-18 23:47 <DIR> d-------- c:\program files\MozyHome
2008-11-18 23:47 . 2008-11-16 23:32 53,752 --a------ c:\windows\system32\drivers\mozy.sys
2008-11-16 23:33 . 2008-11-23 00:11 9,724 --a------ c:\windows\mozy.flt
2008-11-16 23:33 . 2008-11-23 00:11 7,396 --a------ c:\windows\mozy.blk
2008-11-09 10:02 . 2008-11-28 23:03 <DIR> d-------- c:\documents and settings\All Users\Application Data\Google Updater
2008-11-01 15:57 . 2008-11-01 15:57 <DIR> d-------- c:\program files\Photo Story 3 for Windows
2008-11-01 15:45 . 2008-11-01 15:45 <DIR> d-------- c:\program files\Norton PC Checkup
2008-11-01 15:45 . 2008-11-16 16:22 <DIR> d-------- c:\program files\Common Files\Symantec Shared
2008-11-01 15:20 . 2008-11-01 15:21 <DIR> d-------- c:\windows\system32\Adobe
2008-11-01 12:39 . 2008-11-01 12:39 0 --a------ c:\windows\hpqEmlSz.INI
2008-10-30 19:52 . 2008-10-30 19:52 <DIR> d-------- c:\documents and settings\All Users\Application Data\HP
2008-10-30 19:44 . 2008-10-30 19:44 <DIR> d-------- c:\program files\Common Files\Sonic Shared
2008-10-30 19:44 . 2008-10-30 19:44 <DIR> d-------- c:\documents and settings\All Users\Application Data\Sonic
2008-10-30 19:39 . 2006-04-12 17:02 827,392 -ra------ c:\windows\system32\hpotiop2.dll
2008-10-30 19:39 . 2006-04-12 17:02 254,026 -ra------ c:\windows\system32\hpovst09.dll
2008-10-30 19:39 . 2006-01-04 02:12 77,824 -ra------ c:\windows\system32\HPZIDS01.dll
2008-10-30 19:39 . 2006-04-10 13:03 38,400 --a------ c:\windows\system32\hpz3l054.dll
2008-10-30 19:39 . 2001-08-17 13:53 6,784 --a------ c:\windows\system32\drivers\serscan.sys
2008-10-30 19:39 . 2001-08-17 13:53 6,784 --a--c--- c:\windows\system32\dllcache\serscan.sys
2008-10-30 19:39 . 2008-11-24 12:17 173 --a------ c:\windows\system32\AddPort.ini
2008-10-30 19:26 . 2008-11-24 12:19 <DIR> d-------- C:\TEMP
2008-10-30 19:24 . 2008-11-24 21:13 116,734 --a------ c:\windows\hpoins11.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-29 21:57 --------- d-----w c:\program files\Plaxo
2008-11-28 07:16 --------- d-----w c:\program files\PCPICSW
2008-11-25 04:26 --------- d-----w c:\program files\HP
2008-11-24 13:53 --------- d-----w c:\program files\Computer Maintenance
2008-11-24 07:18 --------- d-----w c:\documents and settings\All Users\Application Data\RFA_Backups
2008-11-23 15:36 --------- d-----w c:\program files\Shockwave.com
2008-11-23 15:35 --------- d-----w c:\program files\Oberon Media
2008-11-09 18:04 --------- d-----w c:\program files\Picasa2
2008-11-09 17:02 --------- d-----w c:\program files\Google
2008-10-31 02:44 --------- d-----w c:\program files\Common Files\HP
2008-10-24 11:10 453,632 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-22 22:11 --------- d-----w c:\program files\MSECache
2008-10-07 01:47 --------- d--h--w c:\program files\InstallShield Installation Information
2008-10-07 01:46 --------- d-----w c:\program files\Portrait Displays
2008-10-07 01:46 --------- d-----w c:\program files\Common Files\Portrait Displays
2008-10-07 01:46 --------- d-----w c:\program files\Acer Display
2008-10-07 01:45 --------- d-----w c:\program files\Common Files\InstallShield
2008-08-12 00:02 0 -c--a-w c:\program files\temp01
2008-07-20 23:03 23 -c--a-w c:\documents and settings\Sean\jagex_runescape_preferences.dat
2008-07-03 20:47 0 -c--a-w c:\documents and settings\User\jagex_runescape_preferences.dat
2007-07-31 19:04 630,784 -c--a-w c:\documents and settings\User\GoToAssist_chat2way__317_en.exe
2007-07-02 03:32 88 -csh--r c:\windows\system32\C5501D18DC.sys
2008-06-01 22:38 1,942 -csha-w c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( snapshot@2008-11-27_15.17.01.20 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-11-29 23:01:08 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_170.dat
+ 2008-11-29 23:01:10 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_1e4.dat
+ 2008-11-29 23:01:08 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_42c.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\mozy2]
@="{747E722C-CB46-4a9d-BDFE-192AAD5099B1}"
[HKEY_CLASSES_ROOT\CLSID\{747E722C-CB46-4a9d-BDFE-192AAD5099B1}]
2008-11-16 23:32 3044664 --a------ c:\program files\MozyHome\mozyshell.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\mozy3]
@="{EE6F5A00-7898-40f7-AB77-51FF9D6DEB20}"
[HKEY_CLASSES_ROOT\CLSID\{EE6F5A00-7898-40f7-AB77-51FF9D6DEB20}]
2008-11-16 23:32 3044664 --a------ c:\program files\MozyHome\mozyshell.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SmcService"="c:\progra~1\Sygate\SPF\smc.exe" [2004-10-15 2577632]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 49152]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"SpybotSD TeaTimer"=c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=

.
Contents of the 'Scheduled Tasks' folder

2008-11-19 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2008-11-22 c:\windows\Tasks\WebReg officejet 6300 series.job
- c:\program files\HP\Digital Imaging\bin\hpqwrg.exe [2006-02-19 04:09]
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-29 16:05:50
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\vsdatant]
"ImagePath"=""
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Sygate\SPF\Smc.exe
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\MozyHome\mozybackup.exe
c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
c:\program files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
.
**************************************************************************
.
Completion time: 2008-11-29 16:08:26 - machine was rebooted
ComboFix-quarantined-files.txt 2008-11-29 23:08:08
ComboFix2.txt 2008-11-29 21:48:18
ComboFix3.txt 2008-11-27 22:17:59
ComboFix4.txt 2008-11-23 08:14:29

Pre-Run: 12,094,595,072 bytes free
Post-Run: 12,076,871,680 bytes free

166 --- E O F --- 2008-11-23 22:08:07

Malwarebytes' Anti-Malware 1.30
Database version: 1419
Windows 5.1.2600 Service Pack 2

11/29/2008 4:24:54 PM
mbam-log-2008-11-29 (16-24-54).txt

Scan type: Quick Scan
Objects scanned: 80377
Time elapsed: 8 minute(s), 48 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Looking much better. How is your computer behaving now?