Win32:TratBHO [Trj]

Hi all,

I have the Win32:TratBHO [trj] on my PC and, after reading numerous posts, I have downloaded HijackThis and copied and pasted the log file of HJT. Would someone be so kind as to advise on the next step?

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:02:56, on 3/26/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\Ati2evxx.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\Ati2evxx.exe
E:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
E:\Program Files\Alwil Software\Avast4\ashServ.exe
E:\WINDOWS\system32\spoolsv.exe
E:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
E:\Program Files\Executive Software\DiskeeperLite\DKService.exe
E:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
E:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
E:\WINDOWS\system32\PnkBstrA.exe
E:\Program Files\CyberLink\Shared Files\RichVideo.exe
E:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
E:\Program Files\Alwil Software\Avast4\ashWebSv.exe
E:\WINDOWS\Explorer.EXE
E:\WINDOWS\system32\wscntfy.exe
E:\WINDOWS\system32\ctfmon.exe
E:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
E:\Program Files\Philips\Aurilium Sound Agent 2\805cpl.exe
E:\Program Files\Common Files\Logitech\G-series Software\LGDCore.exe
E:\WINDOWS\System32\svchost.exe
E:\Program Files\Razer\Lachesis\razerhid.exe
E:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
E:\Program Files\PowerISO\PWRISOVM.EXE
E:\Program Files\Razer\Lachesis\OSD.exe
E:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
E:\Program Files\Razer\Lachesis\razertra.exe
E:\Program Files\Razer\Lachesis\razerofa.exe
E:\Program Files\Nero\Nero 7\InCD\NBHGui.exe
E:\Program Files\Nero\Nero 7\InCD\InCD.exe
e:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
e:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
E:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
E:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
E:\Program Files\Internet Explorer\IEXPLORE.EXE
E:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
E:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
E:\Program Files\Mozilla Firefox\firefox.exe
E:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe
E:\WINDOWS\system32\notepad.exe
E:\Program Files\Internet Explorer\IEXPLORE.EXE
E:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2B0B59B4-55A3-4737-9FD5-B93C6430BF75} - E:\WINDOWS\system32\ffwcwcpt.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - E:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {91223DE9-F8E6-4FFD-8889-BE6784C18696} - E:\WINDOWS\system32\pmnlihf.dll
O2 - BHO: (no name) - {B51BB1D8-CE54-44F8-B040-F9EE2C5D870B} - E:\WINDOWS\system32\vtsqq.dll
O2 - BHO: SBBho Class - {c9803b12-f0a0-11dc-95ff-0800200c9a66} - E:\WINDOWS\TinyBHO.dll
O4 - HKLM\..\Run: [avast!] E:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [QveCtl2Tray] E:\Program Files\Philips\Aurilium Sound Agent 2\805cpl.exe
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Launch LGDCore] "E:\Program Files\Common Files\Logitech\G-series Software\LGDCore.exe" /SHOWHIDE
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Lachesis] E:\Program Files\Razer\Lachesis\razerhid.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "E:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [PWRISOVM.EXE] E:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [RemoteControl] "E:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "E:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] E:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SecurDisc] E:\Program Files\Nero\Nero 7\InCD\NBHGui.exe
O4 - HKLM\..\Run: [InCD] E:\Program Files\Nero\Nero 7\InCD\InCD.exe
O4 - HKLM\..\Run: [StartCCC] "e:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "E:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "E:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [Yahoo! Pager] "E:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [MsnMsgr] "E:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] E:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [spyprodetector] F:\XP\spyware.process.detector.v3.10.DVT\spyware.process.detector.v3.10.DVT.rar\spydetector\spydetector.exe TRAY
O4 - HKCU\..\RunOnce: [FlashPlayerUpdate] E:\WINDOWS\system32\Macromed\Flash\FlashUtil9c.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] E:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] E:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] E:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] E:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{CC0BBE7B-F5FD-4FE5-AB3F-F022DE134DC5}: NameServer = 194.168.4.100,194.168.8.100
O20 - Winlogon Notify: pmnlihf - E:\WINDOWS\SYSTEM32\pmnlihf.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - E:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - E:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - E:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - E:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - E:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - E:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - E:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - E:\Program Files\Executive Software\DiskeeperLite\DKService.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - E:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: NBService - Nero AG - E:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - E:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: PnkBstrA - Unknown owner - E:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - E:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - E:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - E:\Program Files\Spyware Doctor\swdsvc.exe


End of file - 8378 bytes

Best Regards,

Paj.

Attached are the results of ComboFix:

ComboFix 08-03-25.4 - Carl 2008-03-26 18:35:38.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1523 [GMT 0:00]
Running from: E:\Documents and Settings\Carl\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-02-26 to 2008-03-26 )))))))))))))))))))))))))))))))
.

2008-03-26 17:43 . 2008-03-26 17:44 d-------- E:\Program Files\CleanUp!
2008-03-25 22:28 . 2008-03-25 22:28 d-------- E:\Documents and Settings\Carl\Application Data\Grisoft
2008-03-25 22:28 . 2007-05-30 12:10 10,872 --a------ E:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-03-25 22:27 . 2008-03-25 22:27 d-------- E:\Documents and Settings\All Users\Application Data\Grisoft
2008-03-25 10:08 . 2008-03-25 10:08 53,312 --a------ E:\WINDOWS\system32\ffwcwcpt.dll
2008-03-25 10:05 . 2008-03-25 22:26 1,578,756 --ahs---- E:\WINDOWS\system32\tubygfvr.ini
2008-03-23 18:40 . 2008-03-23 18:40 d-------- E:\WINDOWS\system32\vdi
2008-03-23 18:40 . 2008-03-23 18:40 d-------- E:\WINDOWS\system32\mcs
2008-03-23 18:40 . 2008-03-23 18:40 d-------- E:\WINDOWS\system32\inp
2008-03-23 18:40 . 2008-03-23 18:40 d-------- E:\WINDOWS\system32\ce2
2008-03-23 18:40 . 2008-03-23 18:40 d-------- E:\WINDOWS\system32\aqVreo01
2008-03-21 15:42 . 2008-03-21 15:42 d-------- E:\Program Files\Yahoo Message Archive Decoder
2008-03-16 19:36 . 2008-03-16 19:36 268 --ah----- E:\sqmdata00.sqm
2008-03-16 19:36 . 2008-03-16 19:36 244 --ah----- E:\sqmnoopt00.sqm
2008-03-15 12:43 . 2008-03-15 12:43 32,768 --a------ E:\WINDOWS\system32\aqVreo01\aqVreo011065.exe
2008-03-14 17:43 . 2008-03-14 17:51 d-------- E:\Program Files\3Com
2008-03-14 17:43 . 1997-01-22 16:34 312,320 --a------ E:\WINDOWS\IsUninst.exe
2008-03-14 17:42 . 2008-03-14 17:42 d-------- E:\Documents and Settings\Carl\WINDOWS
2008-03-13 19:20 . 2008-03-13 19:20 204,800 --a------ E:\WINDOWS\TinyBHO.dll
2008-03-10 14:55 . 2008-03-10 14:55 d-------- E:\Program Files\Common Files\Adobe
2008-03-09 08:31 . 2008-03-09 08:37 376 --a------ E:\WINDOWS\ODBC.INI
2008-03-09 08:30 . 2004-03-22 23:17 24,816 --a------ E:\WINDOWS\system32\mdimon.dll
2008-03-09 08:29 . 2008-03-09 08:29 d-------- E:\Program Files\Common Files\L&H
2008-03-09 08:28 . 2008-03-09 08:28 d-------- E:\Program Files\Microsoft ActiveSync
2008-03-09 08:26 . 2008-03-09 08:26 d-------- E:\Program Files\Microsoft Works
2008-03-09 08:25 . 2008-03-09 08:28 d-------- E:\WINDOWS\SHELLNEW
2008-03-09 08:25 . 2008-03-09 08:25 d-------- E:\Program Files\Microsoft.NET
2008-03-02 12:00 . 2008-03-02 12:00 d-------- E:\Documents and Settings\All Users\Application Data\ATI
2008-03-02 11:56 . 2008-03-02 11:57 d-------- E:\Program Files\ATI Technologies
2008-03-02 11:56 . 2008-01-22 14:42 593,920 --a------ E:\WINDOWS\system32\ati2sgag.exe
2008-03-02 11:56 . 2007-11-07 03:40 106,496 --a------ E:\WINDOWS\system32\atinppt2.ax
2008-03-02 10:27 . 2008-03-02 10:27 0 --a------ E:\WINDOWS\ativpsrm.bin

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-25 22:52 --------- d-----w E:\Documents and Settings\Carl\Application Data\uTorrent
2008-03-25 18:31 22,328 ----a-w E:\WINDOWS\system32\drivers\PnkBstrK.sys
2008-03-25 18:31 107,832 ----a-w E:\WINDOWS\system32\PnkBstrB.exe
2008-03-24 11:54 --------- d-----w E:\Program Files\Spyware Doctor
2008-03-23 08:54 --------- d-----w E:\Program Files\Java
2008-02-18 18:27 --------- d-----w E:\Program Files\dvdSanta
2008-02-16 08:51 --------- d-----w E:\Program Files\RconMax(MW)
2008-02-10 11:28 --------- d-----w E:\Program Files\MXpie Patch
2008-02-10 11:21 --------- d-----w E:\Program Files\WinMX
2008-02-07 19:32 --------- d-----w E:\Documents and Settings\Carl\Application Data\GTek
2008-02-07 19:32 --------- d-----w E:\Documents and Settings\All Users\Application Data\Gtek
2008-02-03 08:45 --------- d-----w E:\Documents and Settings\Carl\Application Data\Xfire
2008-02-02 23:48 --------- d-----w E:\Documents and Settings\Carl\Application Data\DivX
2008-02-02 23:48 --------- d-----w E:\Documents and Settings\Carl\Application Data\CyberLink
2008-02-02 23:48 --------- d-----w E:\Documents and Settings\All Users\Application Data\CyberLink
2008-02-02 23:39 --------- d-----w E:\Documents and Settings\All Users\Application Data\Ahead
2008-02-02 23:38 --------- d-----w E:\Program Files\Common Files\Ahead
2008-02-02 23:35 --------- d-----w E:\Documents and Settings\All Users\Application Data\Nero
2008-02-02 21:13 --------- d--h--w E:\Program Files\InstallShield Installation Information
2008-02-02 21:06 --------- d-----w E:\Program Files\CyberLink
2008-02-01 18:07 --------- d-----w E:\Program Files\NuGardt Software
2008-02-01 18:07 --------- d-----w E:\Program Files\BulletProofSoft.com
2008-02-01 17:58 --------- d-----w E:\Program Files\QuickTime
2008-02-01 17:58 --------- d-----w E:\Program Files\Apple Software Update
2008-02-01 17:58 --------- d-----w E:\Documents and Settings\All Users\Application Data\Apple Computer
2008-02-01 17:58 --------- d-----w E:\Documents and Settings\All Users\Application Data\Apple
2008-02-01 17:36 --------- d-----w E:\Program Files\Teamspeak2_RC2
2008-01-22 20:44 368,640 ----a-w E:\WINDOWS\system32\ATIDEMGX.dll
2008-01-22 20:43 272,384 ----a-w E:\WINDOWS\system32\ati2dvag.dll
2008-01-22 20:39 307,200 ----a-w E:\WINDOWS\system32\atiiiexx.dll
2008-01-22 20:36 9,949,184 ----a-w E:\WINDOWS\system32\atioglx2.dll
2008-01-22 20:35 43,520 ----a-w E:\WINDOWS\system32\ati2edxx.dll
2008-01-22 20:35 26,112 ----a-w E:\WINDOWS\system32\Ati2mdxx.exe
2008-01-22 20:35 147,456 ----a-w E:\WINDOWS\system32\atipdlxx.dll
2008-01-22 20:35 122,880 ----a-w E:\WINDOWS\system32\Oemdspif.dll
2008-01-22 20:35 122,880 ----a-w E:\WINDOWS\system32\ati2evxx.dll
2008-01-22 20:34 512,000 ----a-w E:\WINDOWS\system32\ati2evxx.exe
2008-01-22 20:33 53,248 ----a-w E:\WINDOWS\system32\ATIDDC.DLL
2008-01-22 20:25 3,121,920 ----a-w E:\WINDOWS\system32\ati3duag.dll
2008-01-22 20:14 1,664,256 ----a-w E:\WINDOWS\system32\ativvaxx.dll
2008-01-22 20:04 46,080 ----a-w E:\WINDOWS\system32\amdpcom32.dll
2008-01-22 20:01 385,024 ----a-w E:\WINDOWS\system32\atikvmag.dll
2008-01-22 19:59 17,408 ----a-w E:\WINDOWS\system32\atitvo32.dll
2008-01-22 19:58 5,435,392 ----a-w E:\WINDOWS\system32\atioglxx.dll
2008-01-22 19:57 163,840 ----a-w E:\WINDOWS\system32\atiok3x2.dll
2008-01-22 19:53 503,808 ----a-w E:\WINDOWS\system32\ati2cqag.dll
2008-01-16 22:38 54,608 ----a-w E:\WINDOWS\system32\xfcodec.dll
2008-01-04 21:59 524,288 ----a-w E:\WINDOWS\system32\DivXsm.exe
2008-01-04 21:58 3,596,288 ----a-w E:\WINDOWS\system32\qt-dx331.dll
2008-01-04 21:58 200,704 ----a-w E:\WINDOWS\system32\ssldivx.dll
2008-01-04 21:58 129,784 ----a-w E:\WINDOWS\system32\pxafs.dll
2008-01-04 21:58 120,056 ----a-w E:\WINDOWS\system32\pxcpyi64.exe
2008-01-04 21:58 118,520 ----a-w E:\WINDOWS\system32\pxinsi64.exe
2008-01-04 21:58 1,044,480 ----a-w E:\WINDOWS\system32\libdivx.dll
2008-01-04 21:57 823,296 ----a-w E:\WINDOWS\system32\divx_xx0c.dll
2008-01-04 21:57 823,296 ----a-w E:\WINDOWS\system32\divx_xx07.dll
2008-01-04 21:57 81,920 ----a-w E:\WINDOWS\system32\dpl100.dll
2008-01-04 21:57 802,816 ----a-w E:\WINDOWS\system32\divx_xx11.dll
2008-01-04 21:57 682,496 ----a-w E:\WINDOWS\system32\DivX.dll
2008-01-04 21:57 593,920 ----a-w E:\WINDOWS\system32\dpuGUI11.dll
2008-01-04 21:57 57,344 ----a-w E:\WINDOWS\system32\dpv11.dll
2008-01-04 21:57 53,248 ----a-w E:\WINDOWS\system32\dpuGUI10.dll
2008-01-04 21:57 344,064 ----a-w E:\WINDOWS\system32\dpus11.dll
2008-01-04 21:57 294,912 ----a-w E:\WINDOWS\system32\dpu11.dll
2008-01-04 21:57 294,912 ----a-w E:\WINDOWS\system32\dpu10.dll
2008-01-04 21:57 196,608 ----a-w E:\WINDOWS\system32\dtu100.dll
2008-01-04 21:56 156,992 ----a-w E:\WINDOWS\system32\DivXCodecVersionChecker.exe
2008-01-04 21:56 12,288 ----a-w E:\WINDOWS\system32\DivXWMPExtType.dll
2007-11-23 19:55 22,328 ----a-w E:\Documents and Settings\Carl\Application Data\PnkBstrK.sys
.

--part 2--

------- Sigcheck -------

2007-11-27 18:08 502272 6225f14b8ce08ccba8b25ad27843c674 E:\WINDOWS\system32\winlogon.exe
.
((((((((((((((((((((((((((((( snapshot@2008-03-26_18.31.29.10 )))))))))))))))))))))))))))))))))))))))))
.

2008-03-26 17:09:09 58,596 ----a-w E:\WINDOWS\system32\perfc009.dat
2008-03-26 18:33:25 58,596 ----a-w E:\WINDOWS\system32\perfc009.dat
2008-03-26 17:09:09 392,296 ----a-w E:\WINDOWS\system32\perfh009.dat
2008-03-26 18:33:25 392,296 ----a-w E:\WINDOWS\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
Note empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2B0B59B4-55A3-4737-9FD5-B93C6430BF75}]
2008-03-25 10:08 53312 --a------ E:\WINDOWS\system32\ffwcwcpt.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c9803b12-f0a0-11dc-95ff-0800200c9a66}]
2008-03-13 19:20 204800 --a------ E:\WINDOWS\TinyBHO.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="E:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 17:43 4670704]
"MsnMsgr"="E:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 11:34 5724184]
"ctfmon.exe"="E:\WINDOWS\system32\ctfmon.exe" [2004-08-04 12:00 15360]
"spyprodetector"="F:\XP\spyware.process.detector.v3.10.DVT\spyware.process.detector.v3.10.DVT.rar\spydetector\spydetector.exe" [2009-12-18 16:22 503808]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="E:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 13:00 79224]
"QveCtl2Tray"="E:\Program Files\Philips\Aurilium Sound Agent 2\805cpl.exe" [2003-07-08 15:35 704512]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-04-11 15:32 56080 E:\WINDOWS\KHALMNPR.Exe]
"Launch LGDCore"="E:\Program Files\Common Files\Logitech\G-series Software\LGDCore.exe" [2006-07-23 01:22 1126400]
"Lachesis"="E:\Program Files\Razer\Lachesis\razerhid.exe" [2007-09-12 11:52 172032]
"SunJavaUpdateSched"="E:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"Cmaudio"="cmicnfg.cpl"
"PWRISOVM.EXE"="E:\Program Files\PowerISO\PWRISOVM.EXE" [2007-08-07 00:05 200704]
"QuickTime Task"="E:\Program Files\QuickTime\QTTask.exe" [2008-01-10 15:27 385024]
"RemoteControl"="E:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2006-11-23 15:10 56928]
"LanguageShortcut"="E:\Program Files\CyberLink\PowerDVD\Language\Language.exe" [2006-12-05 22:55 54832]
"NeroFilterCheck"="E:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 15:57 153136]
"SecurDisc"="E:\Program Files\Nero\Nero 7\InCD\NBHGui.exe" [2007-05-15 15:55 1628208]
"InCD"="E:\Program Files\Nero\Nero 7\InCD\InCD.exe" [2007-05-15 15:55 1057328]
"StartCCC"="e:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 12:35 90112]
"Adobe Reader Speed Launcher"="E:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"!AVG Anti-Spyware"="E:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2008-03-26 17:12 6731312]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="E:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 12:00 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pmnlihf]
pmnlihf.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\system32\sessmgr.exe"=
"E:\WINDOWS\system32\PnkBstrA.exe"=
"E:\WINDOWS\system32\PnkBstrB.exe"=
"E:\Program Files\Yahoo!\Messenger\YahooMessenger.exe"=
"E:\Program Files\Yahoo!\Messenger\YServer.exe"=
"E:\WINDOWS\system32\dpvsetup.exe"=
"E:\WINDOWS\system32\rundll32.exe"=
"E:\Program Files\Teamspeak2_RC2\server_windows.exe"=
"E:\Program Files\uTorrent\uTorrent.exe"=
"E:\Program Files\Windows Live\Messenger\msnmsgr.exe"=
"E:\Program Files\Windows Live\Messenger\livecall.exe"=
"E:\Program Files\ModernRcon\PBUCON\pbucon.exe"=
"C:\Call of Duty 4 - Modern Warfare\mp_tool.exe"=
"E:\Program Files\Xfire\xfire.exe"=
"E:\Program Files\Teamspeak2_RC2\re\TeamSpeak.exe"=
"E:\Program Files\WinMX\WinMX.exe"=
"E:\Call of Duty 4 - Modern Warfare\iw3mp.exe"=
"E:\Program Files\3Com\3CServer.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R3 LachesisFltr;Lachesis Mouse Driver;E:\WINDOWS\system32\drivers\Lachesis.sys [2007-08-08 11:04]
R3 psa805;Aurilium Sound Agent 2 (WDM);E:\WINDOWS\system32\drivers\psa805.sys [2003-07-16 15:08]
R3 QsndEnum;QSound Virtual Audio Devices Bus Enumerator;E:\WINDOWS\system32\DRIVERS\QsndEnum.sys [2003-08-02 16:00]
S2 spydetector;spydetector;F:\XP\spyware.process.detector.v3.10.DVT\spyware.process.detector.v3.10.DVT.rar\spydetector\spydetector.sys
S3 iANSMiniport;Intel(R) Advanced Network Services Virtual Adapter;E:\WINDOWS\system32\DRIVERS\ianswxp.sys [2007-08-16 14:56]
S3 iANSProtocol;Intel(R) Advanced Network Services Protocol;E:\WINDOWS\system32\DRIVERS\ianswxp.sys [2007-08-16 14:56]
S3 N100;Compaq Ethernet or Fast Ethernet NIC Driver;E:\WINDOWS\system32\DRIVERS\n100325.sys [2001-08-17 12:11]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\I]
\Shell\AutoRun\command - I:\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\K]
\Shell\AutoRun\command - K:\setup\rsrc\Autorun.exe
\Shell\dinstall\command - K:\Directx\dxsetup.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-02-06 11:14:01 E:\WINDOWS\Tasks\AppleSoftwareUpdate.job"

- E:\Program Files\Apple Software Update\SoftwareUpdate.exe
.

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-26 18:36:54
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes …

scanning hidden autostart entries …

scanning hidden files …

scan completed successfully
hidden files: 0


.
Completion time: 2008-03-26 18:37:23
ComboFix-quarantined-files.txt 2008-03-26 18:37:20
ComboFix2.txt 2008-03-26 18:31:45

You don’t appear to have an active firewall; it should be capable of blocking unauthorised outbound Internet connections. What is your firewall?

Highly suspect: only two hits on a Google search. If this were a legit entry I would expect many more hits on the search and a clear link to what it is.

O20 - Winlogon Notify: pmnlihf - E:\WINDOWS\SYSTEM32\pmnlihf.dll
Unknown
O2 - BHO: (no name) - {91223DE9-F8E6-4FFD-8889-BE6784C18696} - E:\WINDOWS\system32\pmnlihf.dll

Suspect
O2 - BHO: (no name) - {B51BB1D8-CE54-44F8-B040-F9EE2C5D870B} - E:\WINDOWS\system32\vtsqq.dll - Also see, http://www.prevx.com/filenames/X244698389320429791-1681526216/VTSQQ.DLL.html

O2 - BHO: SBBho Class - {c9803b12-f0a0-11dc-95ff-0800200c9a66} - E:\WINDOWS\TinyBHO.dll - Also see, http://spywaredlls.prevx.com/RREDIJ44405848/TINYBHO.DLL.html

Suspect Virtumonde/Vundo
O2 - BHO: (no name) - {2B0B59B4-55A3-4737-9FD5-B93C6430BF75} - E:\WINDOWS\system32\ffwcwcpt.dll

Suspect rogue anti-spyware uninstall, see, http://www.2-spyware.com/review-spy-detector.html.
O4 - HKCU\..\Run: [spyprodetector] F:\XP\spyware.process.detector.v3.10.DVT\spyware.process.detector.v3.10.DVT.rar\spydetector\spydetector.exe TRAY

Run HJT again after you have run combofix to see if any of the above have been resolved.
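David's triage above rests on a few checks that can be run mechanically over a HijackThis log before anyone reaches for a search engine: a BHO registered with "(no name)", a BHO whose file is gone ("(no file)"), a DLL with a random-looking name dropped straight into system32, and one DLL loaded both as a BHO and as a Winlogon Notify handler. The Python below is an added example for this thread, not code from HijackThis, ComboFix or any poster; the heuristics (including the vowel-ratio test behind "random-looking") are my own assumptions, and the sample lines are copied from the log posted above. It flags the same entries David singled out, and it also shows the limit of name-based checks: TinyBHO.dll passes every rule here, which is why David fell back on a reputation lookup for it.

```python
import re
from collections import defaultdict

# Constructed sample: O2/O20 lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2B0B59B4-55A3-4737-9FD5-B93C6430BF75} - E:\WINDOWS\system32\ffwcwcpt.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {91223DE9-F8E6-4FFD-8889-BE6784C18696} - E:\WINDOWS\system32\pmnlihf.dll
O2 - BHO: (no name) - {B51BB1D8-CE54-44F8-B040-F9EE2C5D870B} - E:\WINDOWS\system32\vtsqq.dll
O2 - BHO: SBBho Class - {c9803b12-f0a0-11dc-95ff-0800200c9a66} - E:\WINDOWS\TinyBHO.dll
O20 - Winlogon Notify: pmnlihf - E:\WINDOWS\SYSTEM32\pmnlihf.dll
"""

# HijackThis line shapes for the two entry types David looked at (O2 = BHO, O20 = Winlogon Notify).
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<path>.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<path>.*)$")
# A file sitting directly in the Windows directory or in system32, with no vendor subfolder.
SYSTEM_DIR_RE = re.compile(r"^[a-z]:\\windows\\(system32\\)?[^\\]+$", re.IGNORECASE)


def looks_random(stem):
    """Heuristic (my assumption, not a HijackThis rule): a filename with almost no
    vowels, such as ffwcwcpt or vtsqq, is typical of machine-generated dropper names."""
    letters = [c for c in stem.lower() if c.isalpha()]
    if len(letters) < 5:
        return False
    vowels = sum(c in "aeiouy" for c in letters)
    return vowels / len(letters) < 0.2


def triage(log_text):
    """Return {lower-cased path or CLSID: [reasons]} for entries that deserve a closer look."""
    findings = defaultdict(list)
    bho_paths, notify_paths = set(), set()
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O2_RE.match(line)
        if m:
            path = m.group("path").strip().lower()
            if path == "(no file)":
                # Orphaned registration: nothing loads, but the CLSID still wants cleaning up.
                findings[m.group("clsid").upper()].append("orphaned BHO entry, file missing")
                continue
            bho_paths.add(path)
            if m.group("name") == "(no name)":
                findings[path].append("BHO registered without a name")
            stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
            if SYSTEM_DIR_RE.match(path) and looks_random(stem):
                findings[path].append("random-looking DLL name dropped into the Windows system directory")
            continue
        m = O20_RE.match(line)
        if m:
            path = m.group("path").strip().lower()
            notify_paths.add(path)
            findings[path].append("Winlogon Notify DLL: loads at every logon, outside the browser")
    # The strongest signal in this log: the same DLL hooked into both IE and winlogon.
    for path in bho_paths & notify_paths:
        findings[path].append("same DLL registered as both BHO and Winlogon Notify handler")
    return dict(sorted(findings.items()))


if __name__ == "__main__":
    for item, reasons in triage(SAMPLE_LOG).items():
        print(item)
        for reason in reasons:
            print("   -", reason)
```

Run as-is it lists ffwcwcpt.dll, pmnlihf.dll, vtsqq.dll and the orphaned CLSID, with pmnlihf.dll carrying four reasons; AcroIEHelper.dll, ssv.dll and TinyBHO.dll produce nothing, so the output is a shortlist for manual confirmation, not a verdict.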

Hi David,

At this moment the only firewall I have active is Windows Firewall.

As David mentioned, you should fix these items with HJT:

O2 - BHO: (no name) - {2B0B59B4-55A3-4737-9FD5-B93C6430BF75} - E:\WINDOWS\system32\ffwcwcpt.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {91223DE9-F8E6-4FFD-8889-BE6784C18696} - E:\WINDOWS\system32\pmnlihf.dll
O2 - BHO: (no name) - {B51BB1D8-CE54-44F8-B040-F9EE2C5D870B} - E:\WINDOWS\system32\vtsqq.dll
O2 - BHO: SBBho Class - {c9803b12-f0a0-11dc-95ff-0800200c9a66} - E:\WINDOWS\TinyBHO.dll
O20 - Winlogon Notify: pmnlihf - E:\WINDOWS\SYSTEM32\pmnlihf.dll

With something like Vundo on your system you need a firewall that monitors outbound connections, as, as fast as you are removing it, more could be being downloaded.

Whilst the windows XP firewall is usually good at keeping your ports stealthed (hidden) it provides no outbound protection and you should consider a third party firewall.
Any malware that manages to get past your defences will have free rein to connect to the internet to either download more of the same, pass your personal data (sensitive or otherwise: user names, passwords, keylogger-retrieved data, etc.) or open a backdoor to your computer, so outbound protection is essential.

Hi, please follow the advice given above regarding spyprodetector and the firewall.

Then

Open HJT, run a system scan only, check mark these lines if present

O2 - BHO: (no name) - {2B0B59B4-55A3-4737-9FD5-B93C6430BF75} - E:\WINDOWS\system32\ffwcwcpt.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {91223DE9-F8E6-4FFD-8889-BE6784C18696} - E:\WINDOWS\system32\pmnlihf.dll
O2 - BHO: (no name) - {B51BB1D8-CE54-44F8-B040-F9EE2C5D870B} - E:\WINDOWS\system32\vtsqq.dll
O2 - BHO: SBBho Class - {c9803b12-f0a0-11dc-95ff-0800200c9a66} - E:\WINDOWS\TinyBHO.dll
O20 - Winlogon Notify: pmnlihf - E:\WINDOWS\SYSTEM32\pmnlihf.dll

Close all other browsers/windows, click fix, close HJT.

- Please, never rename Combofix unless instructed.
- Close any open browsers.
- Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
- Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause “unpredictable results”.
- Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don’t know how to disable it, please ask.

Open a new Notepad session (Do not use a Word Processor or WordPad). Click “Format” and be certain that Word Wrap is not enabled.

Copy and paste all the text in the quote box below into Notepad.

Click File, Save as…, and set the location to your Desktop, and enter (including quotation marks) as the filename: “CFscript.txt” . Using your mouse left button, drag the new file CFscript.txt and drop it on the ComboFix.exe icon as shown at the bottom of this post.

File::
E:\WINDOWS\TinyBHO.dll
E:\WINDOWS\system32\ffwcwcpt.dll
E:\WINDOWS\system32\pmnlihf.dll
E:\WINDOWS\system32\vtsqq.dll
E:\WINDOWS\system32\aqVreo01\aqVreo011065.exe
E:\WINDOWS\system32\tubygfvr.ini

Folder::
E:\WINDOWS\system32\vdi
E:\WINDOWS\system32\mcs
E:\WINDOWS\system32\inp
E:\WINDOWS\system32\ce2
E:\WINDOWS\system32\aqVreo01

This will start ComboFix again. Close all browsers/windows first. After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HJT log.

Note: Do not mouseclick combofix’s window while it’s running. That may cause it to stall